[jcifs] So how does JCIFS get the username

Giampaolo Tomassoni Giampaolo at Tomassoni.biz
Thu Apr 23 13:26:41 GMT 2009


> From: Bill Comer
> Sent: Thursday, April 23, 2009 1:58 PM
> 
> I was wondering how JCIFS gets the username on a Windows PC that it then
> uses to authenticate,

You're probably speaking about the NtlmHttpFilter.

It is the client (IE, for example) which sends authentication data on behalf
of the user, not jcifs. The latter eventually routes them to an
authentication server, but it (almost) doesn't know what that data contains.


> and then possible follow up question...
> 
>  is it possible to hack this ?

Not to my knowledge. The Windows NT authentication stack seems quite robust
to me. Probably it is a bit too rich in features and different authentication
means, which increases the risk of security breaches, but it seems to me
that Microsoft designed the NT series with network-based authentication from
the very first stages.

You may probably remember that some years ago Microsoft was stressing a lot
the robustness, safety and security of its Domain-based design and,
after all the security troubles they had with the 95 and 98 series, it
probably did approach the security problem first in the NT series (of
course, I'm not speaking of the NT 3.x).

That said, you may eventually try to hack an NT server somehow using jCifs,
since you have easy access to most of the network layers from there, and you
may even succeed. Who knows?

If you mean instead that the server running a jCifs' NtlmHttpFilter may be
hacked by (for example) a man-in-the-middle attack (a PC you control "taking
over" the communication with the real authentication server) you may easily
succeed, since the NtlmHttpFilter is quite unaware of the identity of the
server it is contacting: it never really "joins" an NT Domain, so it
doesn't have any verifiable identity token of the authenticating server.

Please note, however, that the man-in-the-middle attack is one of the most
expensive (in effort) and dangerous (in the extent of prosecution by law)
because you must in most cases have direct access to the network hosting the
Domain and possibly be an "insider" of the org hosting the server you hack.

Too complex.

Giampaolo


> Thanks,
> Bill


