Microsoft SMB clients brute-forces SMB servers
epl at unimelb.edu.au
Thu Nov 1 22:00:09 GMT 2001
I've posted regarding this problem in the Samba mailing list without
response. After some encouragement, I'm posting to Samba-technical.
I've found some odd behaviour in Windows SMB clients (Win95, Win98,
WinNT, Win2K) which hits Win2K the worst. The problem relates to the
number of authentication attempts the Windows SMB clients makes when
typing the share name via the "Start|Run..." dialog box or via Windows
Explorer. This problem does NOT show up if a shortcut or Network
Neighbourhood is used.
Steps to reproduce
1) Setup a tcpdump session in promiscuous mode between the SMB server
and SMB client, ready to run. With tcpdump-3.6.2-7 (from Red Hat 7),
root at eve# tcpdump -vlf -i eth0 'port 137 or 138 or 139 ' > tcpdump.log
Be careful that the meaning of the switches have changed between
versions of tcpdump.
2) Open the "Start|Run..." dialog box.
3) Start the TCP dump.
4) Enter "\\servername" and press enter.
5) When a dialog box appears asking for your password, stop tcpdump.
6) The Windows client will send multiple "SMBsesssetupX (REQUEST)" as
recorded within tcpdump.log
Win95/98SE makes approximately 3 attempts.
WindowsNT makes approximately 8 attempts.
Windows 2000 makes at least 9 attempts.
That's one bug, but with Win2K, it gets worse. Not only that, the
following brain-dead behaviour seems to be by design, not a bug.
If you repeat the above experiment with Win2K, but type
A) "\\servername\", there will be approx 12 authentication attempts.
B) "\\servername\a\", there will be approx 21 authentication attempts.
C) "\\servername\a\", then delete the last backslash resulting in
"\\servername\a", there will be approx 30 authentication attempts.
Basically, the first backslash after the servername incurs an approx
2 attempts-penalty -- dynamically as you type. Thereafter, every
backslash added or deleted incurs an approx 9 attempt-penalty. After
you've finish typing into the dialog box and press enter (or click OK),
you incur another approx 9 attempts-penalty.
Now, why is this a problem? In most cases it isn't and I suspect
that is why most people have not observed this behaviour. However, I've
been working on a Tru64 Enhanced Security patch for Samba. One aspect
of Tru64 Enhanced Security is that too many contiguous authentication
attempts will lock an account (by default 5). This is an attempt to
prevent a brute-force attack on a user's account. As a result, Win2K
clients will lock the user's account before they even get a chance to
type in the correct password.
I'd like someone else to verify this behaviour and make sure I
haven't missed anything. Once this behaviour is verified, Andrew
Bartlett suggested that Samba keeps a list of last failed passwords in
the last 30 seconds or so.
More information about the samba-technical