DATE:
COMMAND: SMB
SOURCE:
AUTHOR:

SYSTEMS AFFECTED

Win NT 3.5, 3.51, 4.0

PROBLEM

Dominique Brezinski <dominique.brezinski@CyberSafe.COM> once said this on the NT security mailing list:

"The problem is that almost ALL net aware Microsoft apps will prompt the user for their password if initial authentication fails (in the case of downlevel servers this will always happen if the resource is protected) and send it in the clear!

I just verified this by connecting to a Samba server (this is a perfect example of a downlevel server) and attempting to connect to a share from winfile.exe and explorer while sniffing the session with Network Monitor. The application pops up a dialog box asking for a username and password and proceeds to send this information in the clear to the server.

So, no, NT does not have access to the user's plaintext password after logon (the GINA will have access to the password from the logon dialog box and then will pass it to LSA in the clear. LSA will pass it in the clear to any password change notify and filter DLLs registered with LSA and then to the authentication and subauthentication packages which will actually hash it and test it against the OWF stored by SAM), but all the applications will try and get the plaintext password from the user at the drop of a dime."

EXPLOIT

SOLUTION

It is not too difficult to trick a client into doing this, and the only way to stop it is to inform your users to NEVER enter their password except at logon. If they have problems connecting to a service and are prompted for their password, they should be told to call the network administrator before entering it.
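The behaviour Brezinski describes is visible on the wire: a downlevel server answers SMB_COM_NEGOTIATE without the "encrypt passwords" bit, so the client's SMB_COM_SESSION_SETUP_ANDX carries the password itself rather than a challenge response. The detector below is an added example (not code from the advisory or its author); it assumes the NT LM 0.12 field layouts of those two messages, builds constructed sample frames, and reports only the presence and length of a cleartext credential, never its bytes.

```python
import struct

# Constructed SMB1 (NT LM 0.12) frames; this is a detector, not a full SMB parser.
SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS_REPLY = 0x80                  # header Flags bit 7: message is a server reply
NEGOTIATE_ENCRYPT_PASSWORDS = 0x02  # SecurityMode bit 1: server does challenge/response

def build_frame(command, is_reply, body):
    """Minimal 32-byte SMB1 header (status, TID, PID, UID, MID zeroed) + body."""
    flags = FLAGS_REPLY if is_reply else 0
    return SMB_MAGIC + bytes([command, 0, 0, 0, 0, flags]) + b"\x00" * 22 + body

def negotiate_response(security_mode):
    """NEGOTIATE reply: WordCount=17; words start DialectIndex(2), SecurityMode(1)."""
    words = struct.pack("<HB", 0, security_mode) + b"\x00" * 31
    return build_frame(SMB_COM_NEGOTIATE, True, bytes([17]) + words + b"\x00\x00")

def session_setup_request(oem_pw, uni_pw=b""):
    """SESSION_SETUP_ANDX request: WordCount=13; OEM/Unicode password lengths
    sit at body offset 15 (after AndX fields, buffer sizes, VcNumber, SessionKey)."""
    words = b"\x00" * 14 + struct.pack("<HH", len(oem_pw), len(uni_pw)) + b"\x00" * 8
    data = oem_pw + uni_pw
    body = bytes([13]) + words + struct.pack("<H", len(data)) + data
    return build_frame(SMB_COM_SESSION_SETUP_ANDX, False, body)

def audit_session(frames):
    """Walk one TCP session's SMB frames in order and return findings.
    Password bytes are never copied out; only their length is reported."""
    findings, encrypt = [], None
    for frame in frames:
        if len(frame) < 33 or frame[:4] != SMB_MAGIC:
            continue
        command, is_reply, body = frame[4], bool(frame[9] & FLAGS_REPLY), frame[32:]
        if command == SMB_COM_NEGOTIATE and is_reply and body[0] == 17:
            encrypt = bool(body[3] & NEGOTIATE_ENCRYPT_PASSWORDS)
        elif command == SMB_COM_SESSION_SETUP_ANDX and not is_reply and body[0] == 13:
            oem_len, uni_len = struct.unpack_from("<HH", body, 15)
            if encrypt is None:
                findings.append("session setup seen before negotiate; cannot classify")
            elif not encrypt and (oem_len or uni_len):
                findings.append(f"plaintext password on the wire ({oem_len + uni_len} bytes)")
            elif encrypt and oem_len == 24:
                findings.append("challenge/response (24-byte LM/NTLM response)")
    return findings
```

Fed with frames captured in the way Brezinski did (Network Monitor against a Samba share), the same function distinguishes a downlevel negotiation from a proper challenge/response logon.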