Date: Sun, 9 Nov 1997 14:36:59 -0800 (PST)
From: Julian Elischer <julian@whistle.com>
To: perlsta@cs.sunyit.edu, hackers@freebsd.org
Subject: Re: Lanmanger Hole! (fwd)
Message-ID: <Pine.BSF.3.95.971109143447.5516A-100000@current1.whistle.com>
Here is the response from one of the prime authors of SAMBA.. (he's in the next cube)

---------- Forwarded message ----------
Date: Sun, 9 Nov 1997 12:46:20 -0800
From: Jeremy Allison <jeremy@netcom.com>
To: julian@whistle.com
Subject: Re: Lanmanger Hole! (fwd)

> Could you send me a little 2 paragraph status report
> re: this sort of thing, that I can forward to the FreeBSD Lists

Julian, please forward this:

Jeremy.

----------------------------------------------------------------

Lanman passwords are insecure. There's no getting around this.

When designing the Lanman password hash Microsoft made some very poor decisions. They uppercase the password (which drastically reduces the search time for a brute force search), used DES in ECB mode, and finally didn't use salt. This means that it is very easy to brute force Lanman passwords.

A further problem is that in the CIFS/SMB protocols password hashes are plaintext equivalent. This means that just knowing the hash is enough for me to make a network drive connection - there is no need to know the plaintext password (this is true for NT passwords also).

When used in encrypted password mode Samba treats the Lanman and NT passwords like a shadow password file and keeps the file owned by root and with no read access to any other user.

Changing to the NT security model doesn't buy you anything, as NT keeps the Lanman passwords around and by default will accept either the Lanman or NT password; also, using NT passwords only prohibits Windows 95 machines from being used on your network. Samba could easily be changed to only accept NT passwords, but as mentioned above this means *no* DOS, Win3.1, or Win95.

Also the NT password hash, although better than the Lanman one, has no salt and is vulnerable to brute force - although much better than the Lanman hash (it is plain MD4 on the Unicode password).

There is a freeware Lanman/NT password cracker at the L0ft site (can't remember the URL - do a search).

Hope this helps,

Jeremy Allison
Samba Team.