Force NTLMv2 only on our server? (was: Re: krb5 vulnerability ?)

Jeremy Allison jra at samba.org
Tue Dec 15 04:53:23 UTC 2015


On Tue, Dec 15, 2015 at 03:38:19PM +1300, Andrew Bartlett wrote:
> On Mon, 2015-12-14 at 17:34 -0800, Jeremy Allison wrote:
> > On Mon, Dec 14, 2015 at 05:17:59PM -0800, Jeremy Allison wrote:
> > > Interesting post here:
> > > 
> > > http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
> > > 
> > > Still reading it myself to try and understand
> > > if it's a real issue or not, but thought the
> > > list would be interested.
> > 
> > Hmmm. Doesn't look real as far as I can see
> > (the article is full of hyperbole).
> > 
> > It's got lots of phrases like:
> > 
> > "So, if we have an access to the key.."
> > 
> > "if we’re able to steal those tickets and somehow
> > insert them into our own system"
> > 
> > "It’s just an account in domain controller
> > database, so your obviously need access to DC or it’s data."
> > 
> > So looks like a "if we can break the security
> > then we've broken the security" article :-).
> > 
> > Move along, nothing to see here, sorry for
> > the noise.
> 
> More of a worry is that per one of the talks at KiwiCon, cracking an
> NTLM (not NTLMv2) response is down to $100 and 8 hours on a cloud
> computing provider.  That gives you the NT hash, which you can of
> course use to get a krb5 ticket, or just do NTLM logins. 
> 
> I think we should disable NTLM (when not NTLMv2) for 4.4 by default,
> possibly with an optional exception for MSCHAPv2.

+1 from me. NTLM has gone the way of DES now....
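
A defender's check for the change proposed above, as an added example that is not part of the original thread or Samba's own code: a small Python audit of smb.conf text for settings that still admit NTLMv1 or LM responses. The accepted value names are assumed from smb.conf(5) in later Samba releases, and the sample configurations are constructed.

```python
# Added example: audit smb.conf text for settings that still admit NTLMv1/LM.
# Value names are assumed from smb.conf(5) in later Samba releases.
NTLMV1_OK = {"yes", "true", "on", "1", "ntlmv1-permitted"}
NTLMV2_ONLY = {"no", "false", "off", "0", "ntlmv2-only", "disabled"}
MSCHAP_EXCEPTION = {"mschapv2-and-ntlmv2-only"}


def global_params(conf_text):
    """Return {normalized name: value} for the [global] section."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            params["".join(name.lower().split())] = value.strip().lower()
    return params


def audit(conf_text):
    """Return a list of findings; empty means NTLMv1 and LM are refused."""
    p = global_params(conf_text)
    findings = []
    ntlm = p.get("ntlmauth")
    if ntlm is None:
        findings.append("ntlm auth unset: release default applies, check testparm -v")
    elif ntlm in NTLMV1_OK:
        findings.append("ntlm auth = %s accepts NTLMv1 responses" % ntlm)
    elif ntlm in MSCHAP_EXCEPTION:
        findings.append("ntlm auth = %s keeps the MSCHAPv2 exception" % ntlm)
    elif ntlm not in NTLMV2_ONLY:
        findings.append("ntlm auth = %s is not a recognised value" % ntlm)
    if p.get("lanmanauth") in {"yes", "true", "on", "1"}:
        findings.append("lanman auth enabled: LM responses accepted")
    return findings


# Constructed sample configurations, not taken from any real server.
WEAK = "[global]\n  workgroup = EXAMPLE\n  NTLM Auth = yes\n  lanman auth = yes\n"
HARDENED = "[global]\n  workgroup = EXAMPLE\n  ntlm auth = ntlmv2-only\n  lanman auth = no\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```

An unset parameter is reported rather than treated as safe, because the effective default depends on the installed Samba release.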


