Force NTLMv2 only on our server? (was: Re: krb5 vulnerability ?)

Andrew Bartlett abartlet at samba.org
Tue Dec 15 02:38:19 UTC 2015


On Mon, 2015-12-14 at 17:34 -0800, Jeremy Allison wrote:
> On Mon, Dec 14, 2015 at 05:17:59PM -0800, Jeremy Allison wrote:
> > Interesting post here:
> > 
> > http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
> > 
> > Still reading it myself to try and understand
> > if it's a real issue or not, but thought the
> > list would be interested.
> 
> Hmmm. Doesn't look real as far as I can see
> (the article is full of hyperbole).
> 
> It's got lots of phrases like:
> 
> "So, if we have an access to the key.."
> 
> "if we’re able to steal those tickets and somehow
> insert them into our own system"
> 
> "It’s just an account in domain controller
> database, so your obviously need access to DC or it’s data."
> 
> So looks like a "if we can break the security
> then we've broken the security" article :-).
> 
> Move along, nothing to see here, sorry for
> the noise.

More of a worry is that per one of the talks at KiwiCon, cracking an
NTLM (not NTLMv2) response is down to $100 and 8 hours on a cloud
computing provider.  That gives you the NT hash, which you can of
course use to get a krb5 ticket, or just do NTLM logins. 

I think we should disable NTLM (when not NTLMv2) for 4.4 by default,
possibly with an optional exception for MSCHAPv2.

(The MSCHAPv2 story is so, so sad, because we save our worst crypto for
our VPN connections...). 

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
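Added example, not part of the thread and not Samba's own code: a small Python linter for the smb.conf parameters the message above is about, run over a weak [global] section and a hardened one. The parameter names and yes/no spellings are Samba's. Everything else is an assumption labelled in the code: the defaults assumed for a 4.4-era Samba (in particular "ntlm auth = yes", i.e. NTLMv1 accepted unless you turn it off), and the named values ntlmv2-only / ntlmv1-permitted / mschapv2-and-ntlmv2-only that later Samba releases gave "ntlm auth", which the linter also understands so that an MSCHAPv2-only exception is not flagged. The two configs are constructed samples.

```python
"""Flag smb.conf settings that still accept LM/NTLMv1 responses.

Added example; not Samba code.  Only the [global] section is read, and
the defaults below are assumed for a Samba 4.4-era server (the pre-4.5
boolean form of "ntlm auth").
"""
import configparser

# Samba boolean spellings, compared case-insensitively.
_TRUE = {"yes", "true", "1", "on"}
_FALSE = {"no", "false", "0", "off"}

# "ntlm auth" values that let a client authenticate with an NTLMv1
# response.  yes/no is the boolean form; "ntlmv1-permitted" is the later
# enum spelling (assumption).  "mschapv2-and-ntlmv2-only" is deliberately
# not in this set: it is the MSCHAPv2 exception, not general NTLMv1.
_NTLM_AUTH_WEAK = _TRUE | {"ntlmv1-permitted"}

# Assumed defaults when a parameter is absent from [global].
DEFAULTS = {
    "lanman auth": "no",
    "ntlm auth": "yes",            # NTLMv1 accepted unless disabled
    "client lanman auth": "no",
    "client ntlmv2 auth": "yes",
    "client plaintext auth": "no",
}

# (parameter, what the weak value means, the setting to use instead)
CHECKS = [
    ("lanman auth", "server accepts LM responses", "lanman auth = no"),
    ("ntlm auth", "server accepts NTLMv1 responses", "ntlm auth = no"),
    ("client lanman auth", "client may send LM responses", "client lanman auth = no"),
    ("client ntlmv2 auth", "client may fall back to NTLMv1", "client ntlmv2 auth = yes"),
    ("client plaintext auth", "client may send plaintext passwords", "client plaintext auth = no"),
]


def _norm_key(name):
    """Samba ignores case and whitespace in parameter names."""
    return "".join(name.split()).lower()


def parse_global(text):
    """Return {normalised parameter: lower-cased value} for [global]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = _norm_key
    cp.read_string(text)
    if not cp.has_section("global"):
        return {}
    return {k: v.strip().lower() for k, v in cp.items("global")}


def is_weak(param, value):
    if param == "ntlm auth":
        return value in _NTLM_AUTH_WEAK
    if param == "client ntlmv2 auth":
        return value in _FALSE
    return value in _TRUE


def lint(text):
    """Return a list of (parameter, effective value, problem, fix)."""
    settings = parse_global(text)
    findings = []
    for param, problem, fix in CHECKS:
        value = settings.get(_norm_key(param), DEFAULTS[param])
        if is_weak(param, value):
            findings.append((param, value, problem, fix))
    return findings


# Constructed sample: the weak [global] a 4.4-era server would have if
# nobody ever touched these parameters, plus two explicit bad choices.
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   server role = standalone server
   ntlm auth = yes
   lanman auth = yes
   client ntlmv2 auth = no
"""

# Constructed sample: NTLMv2 only, on both the server and client side.
HARDENED_CONF = """
[global]
   workgroup = EXAMPLE
   server role = standalone server
   lanman auth = no
   ntlm auth = no
   client lanman auth = no
   client ntlmv2 auth = yes
   client plaintext auth = no
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"--- {label} ---")
        for param, value, problem, fix in lint(conf):
            print(f"{param} = {value}: {problem}; set '{fix}'")
```

A config that simply omits "ntlm auth" is reported too, because under the assumed default the omission is what leaves NTLMv1 switched on; that is the case the message's proposed default change would close.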









More information about the samba-technical mailing list