[cifs-protocol] sharing network traces and password hashes

Aurélien Aptel aaptel at suse.com
Thu Oct 4 08:00:24 UTC 2018


There is something I've often wondered and I would like to have a
definitive answer to.

When doing a network trace of a client connecting to an SMB server (smb1
or above), can the trace be shared publicly without leaking enough
password information to make it crackable?

I know:
- the username and domain are pretty much in clear text (not
  confidential info, so ok I think)
- password is hashed in various ways depending on the security mechanism.
- some mechanisms have known vulnerabilities that make the password
  crackable in a reasonable amount of time.

So I guess the question really is which mechanisms are known to be safe
as of today?

And as a side question, which field could just be zeroed out in the
trace (while keeping the req/resp packet) prior to publishing it in
order to specifically not leak password data?


Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
