Metasploit mailing list archives

MS08-067 Authentication against NTLMv2

From: one.miguel at gmail.com (Juan Miguel Paredes)
Date: Mon, 10 Nov 2008 11:25:56 +0100

Sorry, just a quick update.  It turns out it was NOT the NTLMv2, it was the
following settings (set by GPO or baseline):

Disabled Computer Browser Service
In gpedit.msc: Computer Config/Windows Settings/Security Settings/Local Policies/Security Options
   Setting: Network Access: Named Pipes that can be accessed anonymously (remove "browser")

Thanks and sorry for the confusion.

On Mon, Nov 10, 2008 at 10:23 AM, Juan Miguel Paredes <one.miguel at gmail.com> wrote:

Hi,

We are testing the MS08-067 module in our environment and found that it
does not work against production systems which are forcing NTLMv2
authentication.  I've tested against a system where the authentication has
not been forced and it works against that.  Looking at the packets and the
responses, after the NULL authentication attempt, I get "ACCESS_DENIED".  Is
there a way to enable NTLMv2 authentication in the module?  I've confirmed
that I can manually connect to the production system with a NULL session
outside of the framework (using net use).

Alternatively, can the framework use an existing connection (i.e. net use
\\10.0.0.1\ipc$ "" /U:"") and just send the 'sploit code that way?

Thanks.
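The update above attributes the ACCESS_DENIED to two hardening settings rather than to NTLMv2: the Computer Browser service being disabled and "browser" removed from the anonymously reachable named pipes. The following PowerShell audit is an added example (not code from the thread or from Metasploit) that checks both settings on a host; it assumes it runs locally with rights to read HKLM, and that the GPO setting is backed by the NullSessionPipes value under LanmanServer\Parameters.

```powershell
# Added example: audit the two settings from the update above.
# Assumption: the policy "Network access: Named Pipes that can be accessed
# anonymously" is stored in the NullSessionPipes (REG_MULTI_SZ) value below.

$findings = @()

# 1. The Computer Browser service (short name "Browser") should be disabled.
$svc = Get-Service -Name Browser -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += "INFO: Computer Browser service not present on this host."
} elseif ($svc.StartType -eq 'Disabled' -and $svc.Status -ne 'Running') {
    $findings += "OK: Computer Browser service is disabled and stopped."
} else {
    $findings += "WARN: Computer Browser service is $($svc.StartType) / $($svc.Status)."
}

# 2. "browser" should not appear in the list of anonymously reachable pipes.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$pipes = (Get-ItemProperty -Path $key -Name NullSessionPipes `
            -ErrorAction SilentlyContinue).NullSessionPipes
if ($null -eq $pipes -or $pipes.Count -eq 0) {
    $findings += "OK: NullSessionPipes is empty (no pipes reachable by NULL session)."
} elseif ($pipes -contains 'browser') {
    # -contains is case-insensitive in PowerShell, matching how the OS treats the name.
    $findings += "WARN: 'browser' pipe is reachable anonymously: $($pipes -join ', ')"
} else {
    $findings += "OK: NullSessionPipes = $($pipes -join ', ') (no 'browser' entry)."
}

$findings
```

A host that reports WARN on either line is in the state the original message describes, where the unauthenticated pipe was still reachable; the OK lines correspond to the baseline settings the update lists.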
