Can samba mitigate the vulnerability of NT hashes?

Dewayne Geraghty dewayne.geraghty at heuristicsystems.com.au
Wed Jan 9 15:51:57 MST 2013


> -----Original Message-----
> From: samba-technical-bounces at lists.samba.org 
> [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of 
> David Collier-Brown
> Sent: Thursday, 10 January 2013 1:34 AM
> To: samba-technical
> Subject: Can samba mitigate the vulnerability of NT hashes?
> 
> Slashdot was all a-twitter about Mark Gamache's tutorial on 
> breaking NTLM hashes (see
> http://markgamache.blogspot.com/2013/01/ntlm-challenge-response-is-100-broken.html)
> 
> I know we have long supported NTLMv2, but does the protocol 
> allow a Samba server to convince a client to *only* use 
> NTLMv2, the version that is not susceptible to this particular attack?
> 
> If so that would be A Kind Thing to do for the community...
> 
> --dave
> -- 
> David Collier-Brown,         | Always do right. This will gratify
> System Programmer and Author | some people and astonish the rest
> davecb at spamcop.net           |                      -- Mark Twain
> (416) 223-8968

Dave, 

We use the following registry settings to improve NT-based systems (from a Windows command prompt):

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v ntlmminclientsec /t REG_DWORD /d 0x20080000 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v ntlmminserversec /t REG_DWORD /d 0x20080000 /f
rem lmcompatibilitylevel=5 send/accept ntlmv2 only
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel /t REG_DWORD /d 5 /f

These are used on XP, Windows 7, WinServer 2003/2008.
If the client isn't forced to use your protocol of choice it will try, and hence be vulnerable, when it tries others.

On the samba 3.6.X PDC side, these complete the setup:
 lanman auth = no
 lm announce = no
 ntlm auth = no

And when you use smbclient, we use:
 client use spnego = yes
 client ntlmv2 auth = Yes
 client lanman auth = No
 client plaintext auth = No

If you want better "security", samba4 uses Kerberos with rc4-md5. 
I haven't had time to work out if/how to force use of cipher aes256-sha(?)

Regards, Dewayne.
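
An added example, not part of the original message: a small audit that compares smb.conf text and the three registry DWORDs against the values quoted in the post. The function names are hypothetical, the registry values are assumed to be read elsewhere and passed in as integers, and the meanings given for the two bits of 0x20080000 follow Microsoft's documentation of NtlmMinClientSec/NtlmMinServerSec. It reports only explicit settings and makes no assumption about Samba defaults.

```python
import re

# Values from the post above: Samba 3.6.x PDC settings plus the smbclient settings.
EXPECTED = {"lanman auth": False, "lm announce": False, "ntlm auth": False,
            "client use spnego": True, "client ntlmv2 auth": True,
            "client lanman auth": False, "client plaintext auth": False}
BOOLS = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}
MIN_SEC_BITS = {0x00080000: "NTLMv2 session security", 0x20000000: "128-bit encryption"}

def parse_global(text):
    """Return {parameter: value} for [global]; names ignore case and extra spaces."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit_smb_conf(text):
    """List the post's smb.conf settings that are missing or set differently."""
    params, findings = parse_global(text), []
    for key, want in EXPECTED.items():
        if key not in params:
            findings.append(f"{key}: not set explicitly")
        elif BOOLS.get(params[key].lower()) is not want:
            findings.append(f"{key}: is '{params[key]}', post uses {'yes' if want else 'no'}")
    return findings

def audit_registry(lm_level, min_client_sec, min_server_sec):
    """Check DWORD values read from the Lsa and Lsa\\MSV1_0 keys against the post."""
    findings = []
    if lm_level != 5:
        findings.append(f"lmcompatibilitylevel: is {lm_level}, post uses 5")
    for name, value in (("ntlmminclientsec", min_client_sec), ("ntlmminserversec", min_server_sec)):
        for bit, meaning in MIN_SEC_BITS.items():
            if not value & bit:
                findings.append(f"{name}: bit {bit:#010x} ({meaning}) not set")
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE = "[global]\n workgroup = EXAMPLE\n lanman auth = no\n LM Announce = No\n ntlm auth = yes\n"
if __name__ == "__main__":
    print("\n".join(audit_smb_conf(SAMPLE) + audit_registry(3, 0x20000000, 0)))
```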


