SMB Protocol Analysis

By going over the CIFS protocol manuals I have discovered a number of potential attack areas and am checking which of these are actually workable against an NT V4 SP3 server. The attack code consists of an edited Samba package which allows multiple password attempts (unlimited, really), which flags its pathnames as "canonicalized" but in fact does not canonicalize them, which tells the server to use the E permission instead of the R permission when checking access, and which allows external setting of the GID, TID, MID, and UID.

Results so far:

- ..\.. type attacks do not work.
- Access using the username ANONYMOUS does work, and with some NT settings it will list even hidden share names, though it will not allow them to be opened from smbclient. Other "well known" usernames require passwords.
- Attempts to get into a server where a valid privileged session exists, by using the same UID etc. that the server's privileged session is using, fail, but they also cause the privileged session to be reset and ended.
- Dictionary attacks have not been tried yet. The exhaustion of login attempt limits can be easily seen: password validation goes from taking a second or so to being instantaneous.
- Use of the E instead of the R permission has not been tried yet, though the packets have been validated to carry the right bit.
- Construction of an SMB session hijack is in progress.
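The session-reuse finding above (a second client presenting the UID/TID of an existing privileged session, which the server answers by tearing that session down) is something a monitor on the wire can detect. The following is an added example, not code from the note or from Samba: it decodes the fixed 32-byte SMB1 header as laid out in the CIFS specification and reports a UID/TID pair that reappears from a different client; the client addresses and packets are constructed inline.

```python
"""Added example: decode SMB1 headers and flag UID/TID pairs reused by another client."""
import struct

SMB1_MAGIC = b"\xffSMB"
HEADER_LEN = 32                    # SMB1 header is always 32 bytes
FLAGS_CANONICALIZED_PATHS = 0x10   # the "canonicalized pathnames" claim the note mentions


def parse_smb1_header(data: bytes) -> dict:
    """Decode the little-endian SMB1 header fields following the 4-byte magic."""
    if len(data) < HEADER_LEN or data[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 header")
    # command, status, flags, flags2, PIDHigh, 8-byte security features,
    # 2 reserved bytes, TID, PIDLow, UID, MID
    (command, status, flags, flags2, pid_high,
     tid, pid_low, uid, mid) = struct.unpack_from("<BIBHH8x2xHHHH", data, 4)
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "canonicalized_claimed": bool(flags & FLAGS_CANONICALIZED_PATHS),
            "pid": (pid_high << 16) | pid_low, "tid": tid, "uid": uid, "mid": mid}


def build_smb1_header(command, uid, tid, mid, pid=1234, flags=0x18, flags2=0xC807) -> bytes:
    """Construct a header for test traffic (status 0, zeroed security features)."""
    return struct.pack("<4sBIBHH8s2sHHHH", SMB1_MAGIC, command, 0, flags, flags2,
                       pid >> 16, b"\0" * 8, b"\0\0", tid, pid & 0xFFFF, uid, mid)


class SessionTracker:
    """Remember which client first used each (UID, TID) pair on a server and
    report later packets that present the same pair from another client."""

    def __init__(self):
        self.owner = {}   # (uid, tid) -> client address that established it

    def observe(self, client: str, packet: bytes):
        hdr = parse_smb1_header(packet)
        if hdr["uid"] == 0:            # UID 0: no session assigned yet (negotiate/setup)
            return None
        key = (hdr["uid"], hdr["tid"])
        first = self.owner.setdefault(key, client)
        if first != client:
            return f"UID {hdr['uid']}/TID {hdr['tid']} owned by {first} reused from {client}"
        return None


def demo():
    """Constructed traffic: 10.0.0.5 holds the session, 10.0.0.9 presents its identifiers."""
    tracker = SessionTracker()
    read_andx = 0x2E
    alerts = [tracker.observe("10.0.0.5", build_smb1_header(read_andx, uid=2048, tid=2049, mid=1)),
              tracker.observe("10.0.0.5", build_smb1_header(read_andx, uid=2048, tid=2049, mid=2)),
              tracker.observe("10.0.0.9", build_smb1_header(read_andx, uid=2048, tid=2049, mid=3))]
    return [a for a in alerts if a]
```

Run against a capture, the same tracker fed per-packet with the TCP source address will raise exactly one alert for the described attempt, before or regardless of whether the server resets the legitimate session.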