Bugtraq mailing list archives
RE: Authentication flaw in microsoft SMB protocol
From: "Jesper Johansson" <jesperjo () microsoft com>
Date: Mon, 21 Apr 2003 14:41:49 -0700
-----Original Message----- From: Dave Aitel [mailto:dave () immunitysec com]
Also found and demonstrated by dildog at defcon 3 years ago. So don't hold your breath waiting for that patch.
You don't need to wait. This is prevented with NTLM v.2, which shipped with Windows NT 4.0 SP4 in October 1998. This type of attack is also foiled with Kerberos, which is negotiated by default in a Windows 2000 or higher domain. To learn more about using NTLM v.2 and Kerberos, refer to the Windows 2000 Security Hardening Guide: http://www.microsoft.com/technet/security/prodtech/Windows/Win2kHG.asp downloadable at: http://www.microsoft.com/downloads/details.aspx?FamilyID=15E83186-A2C8-4 C8F-A9D0-A0201F639A56&DisplayLang=en
When a logged-in user requests for a network share on theserver, Windowsautomatically sends the encrypted hashed password of the logged-in username to the target SMB server before prompting for password.
This is not correct. Window sends a response to a server challenge. The response is computed from the users hash and the challenge sent by the server. Passwords, hashed, encrypted or otherwise, are never sent on the wire during a connection. Jesper M. Johansson Security Program Manager Microsoft Corporation
Current thread:
- Authentication flaw in microsoft SMB protocol seclab (Apr 19)
- Re: Authentication flaw in microsoft SMB protocol Dave Aitel (Apr 19)
- <Possible follow-ups>
- RE: Authentication flaw in microsoft SMB protocol Jesper Johansson (Apr 22)
- Re[2]: Authentication flaw in microsoft SMB protocol 3APA3A (Apr 23)
- Re: Authentication flaw in microsoft SMB protocol Chris Wysopal (Apr 22)