[jcifs] NTLMv2 Confirmation

[Christopher R. Hertel]

Michael B Allen wrote:
> 
> > Greetings
> >
> > I need a confirmation that jCifs can do NTLMv2.
> > Before im allowed to use it in my company.
> 
> No. JCIFS does not do NTLMv2. For details see the
> jcifs.smb.lmCompatibility property on the API
> overview page.

Frederik,

NTLMv2 has been implemented in Samba, so it's now a known quantity (well,
the Samba-TNG folks had it a long time, but there wasn't much call so it was
only ported to Samba recently).  There's a description of how NTLMv2 works
here:

  http://ubiqx.org/cifs/SMB.html#SMB.8

Scroll down to section 2.8.5.

I'm not sure that there's any reason to make it a priority for jCIFS.  Not
many people use it.  Those who have moved along to Active Directory are
using Kerberos, and the encryption schemes used with that.

Basically, NTLMv2 offers some improvements in security over NTLM, but they
are minor unless you are also doing Message Authentication Code signing. 
The most important thing to do (after making sure that you are not passing
plaintext passwords--jCIFS won't by default) is to ensure that the old-style
LM response is not being sent.  The LM response is crackable, and many
Windows systems send it by default.

I guess that the biggest win in NTLMv2 is the inclusion of the client
challenge, which makes certain kinds of attacks more difficult.  Running
those attacks requires access to packet captures showing the Session Setup
exchange.  If someone can get that data, then I'd be more worried that they
would be able to see file content (which is generally sent in the clear by
SMB).

Chris -)-----

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org