I have a second site setup to grab usernames/password hashes via NTLM over
HTTP. IE 3.02 is STILL NOT IMMUNE TO THIS. (Paul Ashton's Bug)
>
> I'm still downloading SP3, but after a look at the readme it looked me that
> SP3 could empower a administrator to fix such bug by enabling the SMB
> signing feature; it would not fix it at installation.
Not True, Take a look at
ftp://ftp.microsoft.com/developr/drg/CIFS/CIFS-Auth.doc
Even Message Signing does NOT help in this case. The client still sends
the password before message signing starts. This is because the Password
is the "Key" used for message signing! Rogue servers can still grab
password hashes the same old way!
> And with or without SP3, filtering routers blocking 135/137/138/139 ports
> make this exploit and similar ones limited to Intranets.
Even if you block ports 135/137/138/139, NTLM of HTTP is STILL VULNERABLE
because it is over port 80! (the HTTP port)
> Hasn't one exploit code been released to SAMBA-DIGEST ? It captures the
> password hashes, which someone could pass to l0phtcrack and similar
> crackers.
It might be. I have not read it yet. Although one important thing to note
that in order to use l0phtcrack or NTcrack or Crack50-NT, one needs to
modify the code because the password grabbed from NTML over HTTP or the
password grabbed from SMB (CIFS) is DOUBLY encrypted. Although I have
written a cracker which I suspect is similiar to Crack50-NT's speed because
I have some speedups of having to do only one Crypt and then a table lookup
to break most of the doubly encrypted LM hash.
> Other exploits such as real-time password cracking hasn't been released,
> but I'm not sure if such release would make Microsoft go faster.
I do have one, but I am not going to post the URL, or my web server will be
overloaded. If anyone is interested in this, send me email and I will
give you the URL.
> I think that's why BugTraq exists.
>
> Rubens Kuhl Jr.
What would we do without BugTraq?
Thanks,
- Aaron
-- Aaron Spangler EE Unix System Administrator Electrical Engineering FT-10 pokee@ee.washington.edu University of Washington Phone (206) 543-8984 Box 352500 or (206) 543-2523 Seattle, WA 98195-2500 Fax (206) 543-3842