DATE:
COMMAND: CIFS
SOURCE:
AUTHOR:
SYSTEMS AFFECTED: Win NT
PROBLEM: Paul Ashton <ashtonp@GB.SWISSBANK.COM> in response to an article entitled "Windows NT authentication weakness" regarding SMB/CIFS problems with the weak challenge response system used by Windows NT (see CIFS #1 on this page).

Set up Samba on a Unix machine together with libdes for DES encryption. Write a 20-line program that takes /usr/dict/words or another similar word list, computes the MD4 hash of each word and then uses that to encrypt an eight-byte fixed challenge (i.e. all zeroes). Make a one-line change to the challenge generation code to always generate this fixed value. Start Samba and give it a suitably interesting name, such as "Public picture archive". Wait for someone to attempt to connect to your server, send the fixed challenge, and receive the fixed challenge encrypted by the user's hashed password. Instantaneously look up the hash in the precomputed database. If it is not a dictionary word, stuff it into a history file and run a modified crack on it later.
EXPLOIT:
SOLUTION: A good job that NT's C2 configuration tool disables the network... Anyway, if you are thinking about fixing this, think about 'mission impossible' (not a movie).
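The weakness above rests on the server choosing the challenge: a fixed or reused 8-byte challenge is what makes the response table precomputable. As an added detection example (not part of the original entry or of Samba), the following audits challenges a client-side monitor or network sensor has recorded per server and flags servers that sent an all-zero challenge or reused one across sessions; the server names and challenge values are constructed.

```python
# Added example (not part of the original advisory): flag SMB servers whose
# 8-byte challenge is fixed or reused, the condition the rogue-server trick
# above relies on. Observation records are constructed, not captured.
from collections import defaultdict

CHALLENGE_LEN = 8

# Constructed observations: (server, 8-byte challenge as hex) as a passive
# monitor on the client side or a network sensor would record them.
OBSERVATIONS = [
    ("fileserv01", "3f9a4c2b7d1e0c55"),
    ("fileserv01", "a1b2c3d4e5f60718"),
    ("fileserv01", "0c0dfeedbeef4242"),
    ("picarchive", "0000000000000000"),
    ("picarchive", "0000000000000000"),
    ("picarchive", "0000000000000000"),
    ("build-box",  "deadbeefdeadbeef"),
    ("build-box",  "deadbeefdeadbeef"),
]

def parse_challenge(hexstr):
    """Validate and decode one challenge; raise on malformed input."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != CHALLENGE_LEN:
        raise ValueError(f"challenge must be {CHALLENGE_LEN} bytes, got {len(raw)}")
    return raw

def audit_challenges(observations):
    """Return {server: reason} for servers whose challenges look precomputable.

    A server is flagged if any challenge is all zeros, or if it sent the same
    challenge in more than one session. A single session cannot be judged.
    """
    seen = defaultdict(list)
    for server, hexstr in observations:
        seen[server].append(parse_challenge(hexstr))

    findings = {}
    for server, challenges in seen.items():
        if any(c == bytes(CHALLENGE_LEN) for c in challenges):
            findings[server] = "all-zero challenge"
        elif len(challenges) > 1 and len(set(challenges)) < len(challenges):
            findings[server] = "challenge reused across sessions"
    return findings

if __name__ == "__main__":
    for server, reason in audit_challenges(OBSERVATIONS).items():
        print(f"{server}: {reason}")
```

A server that legitimately randomises its challenge will never appear in the findings, however many sessions are observed.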