[cifs-protocol] [REG:118100419158690] sharing network traces and password hashes

Edgar Olougouna edgaro at microsoft.com
Tue Oct 9 21:39:31 UTC 2018


With perspective, I am assuming if you are publishing a trace, it must have been taken from a test system with test user credentials. Perhaps that’s not the case.
It is true that some security mechanisms have known vulnerabilities. Examples are NTLM using LM or NTLMv1, which are more prone to pass-the-hash attacks. It is also well recommended to avoid DES with Kerberos.
Even if you zero out specific fields, the question is what is the zeroing scope, and how does it impact the trace data needed for troubleshooting? 
In theory, you could zero out the whole security token, but again it takes away valuable troubleshooting information. One additional inconvenience is that it will result in malformed packets, due to checksum or integrity errors and other length and payload parsing issues. 
With all that perspective, you can try to obfuscate the whole security token as encapsulated by any of the mechanisms GSSAPI, Spnego, NTLM, Kerberos, PKU2U, HTTPS or TLS handshakes (when WebDav is used as transport). 
Take the example of NTLM (MS-NLMP): to make dictionary attacks difficult for someone reading the network trace, you may consider manipulating these fields, which are directly involved in the computation of the NTLMv2 SessionKey:
In the NTLM CHALLENGE_MESSAGE:
  - ServerChallenge, TargetNameString, and several AvPairs containing the target name and the domain name.
In the NTLM AUTHENTICATE_MESSAGE:
  - LmChallengeResponse, NtChallengeResponse,
  - DomainName, UserName, Workstation,
  - EncryptedRandomSessionKey,
  - Version, Time, ClientChallenge, ServerName, and several AvPairs containing the server name and the domain name.

Thanks,
Edgar
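
As an added illustration of the field-level scrubbing described above (example code, not from this thread, Microsoft or Samba): a small Python scrubber that walks the MS-NLMP security-buffer descriptors of a CHALLENGE or AUTHENTICATE message and zeroes only the payloads they point at, keeping Len/Offset intact so the trace still dissects. Byte offsets follow MS-NLMP 2.2.1.2 and 2.2.1.3; the sample message, its flags value and the names in it are constructed for the demonstration.

```python
import struct

# Offsets of the 8-byte security-buffer descriptors (Len, MaxLen, BufferOffset)
# in the NTLM headers, per MS-NLMP 2.2.1.2 (CHALLENGE) and 2.2.1.3 (AUTHENTICATE).
SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_BUFFERS = {"TargetName": 12, "TargetInfo": 40}
AUTHENTICATE_BUFFERS = {"LmChallengeResponse": 12, "NtChallengeResponse": 20,
                        "DomainName": 28, "UserName": 36, "Workstation": 44,
                        "EncryptedRandomSessionKey": 52}

def _zero_buffer(msg: bytearray, desc_off: int) -> int:
    """Zero the payload a descriptor points at; Len/MaxLen/Offset stay untouched."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, desc_off)
    if length == 0 or offset + length > len(msg):
        return 0                                   # empty or malformed buffer: skip
    msg[offset:offset + length] = bytes(length)
    return length

def scrub_ntlm_message(raw: bytes) -> tuple[bytes, dict]:
    """Copy of a CHALLENGE/AUTHENTICATE message with the fields feeding the NTLMv2
    response and session key zeroed, plus a per-field report of bytes zeroed.
    Time, ClientChallenge and the AvPairs sit inside NtChallengeResponse, so that
    one buffer covers them; any signature/MIC over the message stops verifying."""
    if raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg, report = bytearray(raw), {}
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type == 2:                              # CHALLENGE_MESSAGE
        msg[24:32] = bytes(8)                      # ServerChallenge (fixed position)
        report["ServerChallenge"] = 8
        for name, off in CHALLENGE_BUFFERS.items():
            report[name] = _zero_buffer(msg, off)
    elif msg_type == 3:                            # AUTHENTICATE_MESSAGE
        for name, off in AUTHENTICATE_BUFFERS.items():
            report[name] = _zero_buffer(msg, off)
    return bytes(msg), report

def build_sample_authenticate() -> bytes:
    """Constructed AUTHENTICATE_MESSAGE (not captured traffic) with fake payloads."""
    fields = [bytes(24),                           # LmChallengeResponse (NTLMv2: zeros)
              b"\xaa" * 16 + b"\x01\x01" + bytes(6) + b"\xbb" * 24,  # fake NTLMv2 response
              "EXAMPLE".encode("utf-16-le"),       # DomainName (constructed)
              "alice".encode("utf-16-le"),         # UserName (constructed)
              "WS01".encode("utf-16-le"),          # Workstation (constructed)
              b"\xcc" * 16]                        # EncryptedRandomSessionKey
    descriptors, payload, off = b"", b"", 88      # payload starts after the 88-byte header
    for f in fields:                               # descriptor order matches the header
        descriptors += struct.pack("<HHI", len(f), len(f), off)
        payload, off = payload + f, off + len(f)
    flags, version, mic = struct.pack("<I", 0xE2888215), bytes(8), bytes(16)  # constructed
    return SIGNATURE + struct.pack("<I", 3) + descriptors + flags + version + mic + payload
```

Run the scrubber over each NTLMSSP blob you extract from the capture (GSS-API/SPNEGO wrapping removed first) and write the result back at the same offset, so packet lengths and TCP sequence numbers in the trace are unaffected.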

-----Original Message-----
From: Aurélien Aptel <aaptel at suse.com> 
Sent: Friday, October 5, 2018 1:19 AM
To: Edgar Olougouna <edgaro at microsoft.com>; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email <casemail at microsoft.com>
Subject: RE: [REG:118100419158690] sharing network traces and password hashes

Edgar Olougouna <edgaro at microsoft.com> writes:
> What transport protocols are you focusing on? 
> Is it only TCP, NBT, or it could be something else?

I mostly deal with SMB over TCP over IP over Ethernet.

--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

