RE: Authentication flaw in microsoft SMB protocol
From: Jesper Johansson (email@example.com)
Date: Mon, 21 Apr 2003 14:41:49 -0700 From: "Jesper Johansson" <firstname.lastname@example.org> To: <email@example.com>
> -----Original Message-----
> From: Dave Aitel [mailto:firstname.lastname@example.org]
> Also found and demonstrated by dildog at defcon 3 years ago. So don't
> hold your breath waiting for that patch.
You don't need to wait. This is prevented with NTLM v.2, which shipped
with Windows NT 4.0 SP4 in October 1998. This type of attack is also
foiled with Kerberos, which is negotiated by default in a Windows 2000
or higher domain.
To learn more about using NTLM v.2 and Kerberos, refer to the Windows
2000 Security Hardening Guide:
> > When
> > a logged-in user requests for a network share on the
> server, Windows
> > automatically sends the encrypted hashed password of the logged-in
> > username to the target SMB server before prompting for password.
This is not correct. Window sends a response to a server challenge. The
response is computed from the users hash and the challenge sent by the
server. Passwords, hashed, encrypted or otherwise, are never sent on the
wire during a connection.
Jesper M. Johansson
Security Program Manager