[cifs-protocol] [REG:118100419158690] sharing network traces and password hashes

Edgar Olougouna edgaro at microsoft.com
Thu Oct 4 16:11:46 UTC 2018

Thanks for reaching out for this interesting question. What protocol family are you investigating? 


-----Original Message-----
From: Jeff McCashland 
Sent: Thursday, October 4, 2018 8:26 AM
To: Aurélien Aptel <aaptel at suse.com>; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email <casemail at microsoft.com>
Subject: [REG:118100419158690] sharing network traces and password hashes

[DocHelp to BCC, casemail on CC, SR ID on Subject]

Hello Aurélien,

Thank you for your question. We have created SR 118100419158690 to track this issue. One of our engineers will respond soon to assist you.

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=02%7C01%7Cedgaro%40microsoft.com%7C54cf8b1a92c444cb285b08d629fd0078%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636742563943276521&sdata=CTJVqWPe9rUr%2B0UpQ7Ur5w74OHyOXZ8jnva2iU2m3a8%3D&reserved=0 | Extension 1138300 We value your feedback.  My manager is Rama Ganesan (ramagane), +1 (425) 703-8712

-----Original Message-----
From: Aurélien Aptel <aaptel at suse.com>
Sent: Thursday, October 04, 2018 1:00 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: sharing network traces and password hashes


There is something I've often wondered and I would like to have a definitive answer to.

When doing a network trace of a client connecting to a SMB server (smb1 or above), can the trace be shared publicly without leaking enough password information to make it crackable?

I know:
- the username and domain are pretty much in clear text (not
  confidential info, so ok I think)
- password is hashed in various ways depending on the security mechanism.
- some mechanism have known vulnerabilities that makes the password
  crackable in a reasonable amount of time.

So I guess the question really is which mechanism are known to be safe as of today?

And as a side question, which field could just be zero'd out in the trace (while keeping the req/resp packet) prior to publishing it in order to specifically not leak password data?


Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3 SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

More information about the cifs-protocol mailing list