NTLMSSP in SMB

Brad Hards bradh at frogmouth.net
Sat Jul 25 23:05:34 UTC 2015


On Sat, 25 Jul 2015 12:25:29 PM Sarat G wrote:
> Hi,
> A few months back, as part of my project I have been into SMB and the Samba
> code. In my scenario I'm using NTLMv2 for authentication. I read in the
> Microsoft specs and everywhere that NTLM hashes are strong enough. Being a
> postgraduate in Information Security, it's easy for me to understand that.
> So, my question is: suppose I want to suggest some things for NTLM,
> whom should I contact?
I think the first question is "should you contact someone?" Does this make 
sense in a larger context?

> Because I have a few things in mind, like: why can't they negotiate hash
> algorithms also in NTLMSSP, if they care much about the use of weak MD4 in
> NTLMSSP?
As pointed out by Richard, NTLM is a legacy protocol, retained for
interoperability. In general, there are older systems that aren't getting any
updates (perhaps even end-of-life for support). If you make a change like
negotiating algorithms, then every client and server would need to support it.
That would be a breaking change, which is contrary to the point of legacy
interoperability.

For the specific case of negotiating hash algorithms, you'd also need to deal 
with the possibility of a downgrade attack, where a MITM negotiates back to 
something weak anyway.

> I have been working on this for a month, and came up with my suggestions to
> make NTLM much more secure.
It would depend on who you ask, but I guess the Microsoft suggestion would be
"disable it and use Kerberos". See (for example)
https://technet.microsoft.com/en-us/library/jj865680%28v=ws.10%29.aspx

> Can someone let me know the point of contact for these kinds of things? If the
> Samba team would like to hear more from me, I'm happy to share my thoughts.
I'm not a member of the Samba team (or Microsoft), and don't speak for them.

You could always publish a new NTLM-like protocol (e.g. IETF), and depending 
on what the changes were, people might pick up on it. It would probably need 
to be measurably better than what is already out there to be successful 
though.

Sorry if this isn't what you hoped to hear, and remember it's just my opinion,
not anything authoritative, so feel free to ignore it if you think I've got it
wrong.

Brad
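The downgrade point Brad raises above is the crux of why "just negotiate a hash algorithm" is not a drop-in improvement. The following is an added illustration, not code from the post, from Samba or from any NTLM implementation: it models a client offering a preference-ordered list of hash algorithms, a server picking the strongest one it supports, and an on-path party rewriting the offer so only the weakest remains. The first negotiation carries no integrity protection over the offer, so the downgrade is silent. The second binds the transcript (offer as seen by the server, plus the choice) into a keyed MAC; the client recomputes it over the offer it actually sent and detects any tampering. The shared key, the algorithm names and the message encoding are all constructed assumptions standing in for whatever password-derived key an NTLM-style exchange would already have on both sides.

```python
import hmac
import hashlib

# Constructed assumption: a key both sides already share, standing in for the
# password-derived key an NTLM-style exchange holds on client and server.
SHARED_KEY = b"constructed-shared-secret"

# Hash algorithms in preference order, strongest first (names are illustrative).
CLIENT_OFFER = ["sha256", "md4"]
SERVER_SUPPORTS = {"sha256", "md4"}


def server_choose(offer):
    """Server picks the first (most preferred) algorithm it also supports."""
    for alg in offer:
        if alg in SERVER_SUPPORTS:
            return alg
    raise ValueError("no common algorithm")


def mitm_strip_strong(offer):
    """On-path tampering model: the offer arrives with only the weakest entry."""
    return [offer[-1]]


def negotiate_unbound(client_offer, tamper=None):
    """Negotiation with no integrity protection over the offer.

    Returns (chosen, detected). The client simply accepts the server's answer,
    so a modified offer is never noticed: detected is always False.
    """
    seen_by_server = tamper(client_offer) if tamper else client_offer
    chosen = server_choose(seen_by_server)
    return chosen, False


def transcript_mac(key, offer, chosen):
    """Keyed MAC over the negotiation transcript: what was offered, what was chosen."""
    msg = ("|".join(offer) + "=>" + chosen).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def negotiate_bound(client_offer, tamper=None):
    """Negotiation where the server binds the offer it saw into a keyed MAC.

    The client recomputes the MAC over the offer it actually sent. If the offer
    was altered in transit the two tags differ, and the downgrade is detected
    before the weaker algorithm is used for anything.
    """
    seen_by_server = tamper(client_offer) if tamper else client_offer
    chosen = server_choose(seen_by_server)
    server_tag = transcript_mac(SHARED_KEY, seen_by_server, chosen)
    expected = transcript_mac(SHARED_KEY, client_offer, chosen)
    detected = not hmac.compare_digest(server_tag, expected)
    return chosen, detected


if __name__ == "__main__":
    print("unbound, clean :", negotiate_unbound(CLIENT_OFFER))
    print("unbound, tamper:", negotiate_unbound(CLIENT_OFFER, mitm_strip_strong))
    print("bound, clean   :", negotiate_bound(CLIENT_OFFER))
    print("bound, tamper  :", negotiate_bound(CLIENT_OFFER, mitm_strip_strong))
```

The design choice worth noticing is that the MAC itself is computed with a fixed algorithm and a key that are not part of the negotiation. If the transcript protection were built from the very algorithm being negotiated, the same downgrade would weaken the protection, which is one reason a change like this is not a small addition to a legacy protocol.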



