Re: Potential vulnerabilities of the Microsoft RVP-based Instant Messaging

From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 03/22/02


Date:         Fri, 22 Mar 2002 12:42:20 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Dear Brown, Keith,

--Thursday, March 21, 2002, 9:51:21 PM, you wrote to NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM:

BK> NTLM does in fact offer integrity and confidentiality protection of
BK> messages after the initial handshake. The session key is a function of
BK> the OWF(password) and the challenge. In the case of pass-through
BK> authentication, the session key is passed from the authority to the
BK> server over a secure channel.

It's only true for a secure channel, when encryption is used. And it's
only true for NTLMv2. NTLMv2 can only be used inside a domain tree. For
NTLMv1 there is no mutual authentication and a m-i-t-m can impersonate the
server. If encryption is not used, the session may be intercepted by a m-i-t-m
at any time after initial authentication, for both NTLMv1 and NTLMv2.

IM doesn't use secure channel.

NTLM authentication should never be used to access servers outside the
domain because it can lead to compromise of the domain account. An
example of such an attack is given in the SECURITY.NNOV paper on NTLM
authentication in Outlook Express,
http://www.security.nnov.ru/advisories/oespa.asp

--
~/ZARAZA
And now, William, think this letter over carefully. (Twain)
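The reply above turns on whether the NTLM exchange negotiated signing or sealing at all, and whether the client answered with an NTLMv1- or NTLMv2-style response. As an added illustration, not code from the original post or from the thread's authors, the following script inspects the NTLMSSP tokens that an HTTP-carried protocol such as RVP exchanges in `WWW-Authenticate: NTLM` / `Authorization: NTLM` headers and reports which protections were negotiated. Layouts and flag values follow the published NTLMSSP message format (signature, message type, NegotiateFlags at offset 12, 20 or 60 for message types 1, 2 and 3; NtChallengeResponseFields at offset 20 of the type 3 message). The sample tokens are constructed in the script, not captured traffic, and the `build_*` helpers exist only to produce them.

```python
import base64
import struct

# NTLMSSP NegotiateFlags bits (MS-NLMP, section 2.2.2.5)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_SIGN = 0x00000010          # message integrity negotiated
NTLMSSP_NEGOTIATE_SEAL = 0x00000020          # message confidentiality negotiated
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # "NTLM2 session security"
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000

SIGNATURE = b"NTLMSSP\x00"
# Offset of the 32-bit NegotiateFlags field per message type
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}


def parse_ntlm_token(token_b64):
    """Decode one base64 NTLMSSP token (as carried in an HTTP auth header)
    and report negotiated protections. Raises ValueError on malformed input."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    if msg_type not in FLAGS_OFFSET:
        raise ValueError("unknown NTLMSSP message type %d" % msg_type)
    off = FLAGS_OFFSET[msg_type]
    if len(raw) < off + 4:
        raise ValueError("truncated NTLMSSP message")
    flags = struct.unpack_from("<I", raw, off)[0]
    info = {
        "type": msg_type,
        "flags": flags,
        "sign": bool(flags & NTLMSSP_NEGOTIATE_SIGN),
        "seal": bool(flags & NTLMSSP_NEGOTIATE_SEAL),
        "ntlm2_session": bool(flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY),
        "key_exchange": bool(flags & NTLMSSP_NEGOTIATE_KEY_EXCH),
    }
    if msg_type == 3:
        # NtChallengeResponseFields: Len, MaxLen, BufferOffset
        nt_len, _nt_max, _nt_off = struct.unpack_from("<HHI", raw, 20)
        info["nt_response_len"] = nt_len
        # A 24-byte NT response is NTLMv1 (or NTLM2 session response);
        # an NTLMv2 response carries a longer blob after the 16-byte NTProofStr.
        info["ntlmv2"] = nt_len > 24
    return info


def session_protection(info):
    """Summarise what protects the session after the handshake completes."""
    if info["seal"]:
        return "sealed"
    if info["sign"]:
        return "signed"
    return "none"  # post-authentication traffic can be hijacked in transit


# --- helpers to construct sample tokens (illustration only, not real captures) ---
def _fields(data_len, offset):
    return struct.pack("<HHI", data_len, data_len, offset)


def build_negotiate(flags):
    # Type 1 message with empty DomainName and Workstation payloads
    return SIGNATURE + struct.pack("<II", 1, flags) + _fields(0, 32) + _fields(0, 32)


def build_authenticate(flags, nt_response):
    # Type 3 message carrying only an NT challenge response after the 64-byte header
    header_len = 64
    body = SIGNATURE + struct.pack("<I", 3)
    body += _fields(0, header_len)                 # LmChallengeResponse (empty)
    body += _fields(len(nt_response), header_len)  # NtChallengeResponse
    body += _fields(0, header_len)                 # DomainName
    body += _fields(0, header_len)                 # UserName
    body += _fields(0, header_len)                 # Workstation
    body += _fields(0, header_len)                 # EncryptedRandomSessionKey
    body += struct.pack("<I", flags)               # NegotiateFlags at offset 60
    return body + nt_response


def encode_token(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample tokens
NEGOTIATE = encode_token(build_negotiate(NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM))
# NTLMv1-length response, no SIGN/SEAL: nothing protects the session afterwards
UNPROTECTED = encode_token(build_authenticate(
    NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM, b"\x11" * 24))
# NTLMv2-length response with SIGN, SEAL and extended session security
PROTECTED = encode_token(build_authenticate(
    NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_SIGN
    | NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY, b"\x22" * 64))

if __name__ == "__main__":
    for label, tok in (("negotiate", NEGOTIATE), ("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        info = parse_ntlm_token(tok)
        print(label, info, "->", session_protection(info) if info["type"] == 3 else "n/a")
```

The flags only record what the two sides agreed to negotiate; a server that does not actually require signing or sealing still leaves the session open to the interception the post describes, so this check is a quick audit of captured headers, not proof that the traffic is protected.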


