DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  CIFS


SYSTEMS AFFECTED

  Win NT

  

PROBLEM


    Paul Ashton <ashtonp@GB.SWISSBANK.COM> wrote the following in
    response to an article entitled "Windows NT authentication
    weakness" regarding SMB/CIFS problems with the weak
    challenge-response system used by Windows NT (see CIFS #1 on this
    page).

    Set up Samba on a Unix machine together with libdes for DES
    encryption.  Write a 20-line program that takes /usr/dict/words or
    another similar word list, computes the MD4 hash of each word and
    then uses that to encrypt an eight-byte fixed challenge (i.e. all
    zeroes).

    Make a one-line change to the challenge generation code to always
    generate this fixed value.

    Start Samba and give it a suitably interesting name, such as
    "Public picture archive".

    Wait for someone to attempt to connect to your server, send the
    fixed challenge, and receive the fixed challenge encrypted by the
    user's hashed password.  Instantaneously look up the hash in the
    precomputed database.

    If it is not a dictionary word, stuff it into a history file and
    run a modified Crack on it later.





EXPLOIT

  

SOLUTION


    A good job that NT's C2 configuration tool disables the network...
    Anyway, if you are thinking about fixing this, think about
    'mission impossible' (not a movie).