Does samba provide a fuzzer mode that uses deterministic NTLMSSP_Challenge, or how can I bypass the authentication stage?

fouzhe 862006904 at qq.com
Mon Jan 9 07:45:16 UTC 2023


Hi,


Recently I have wanted to fuzz samba systematically (instead of functional fuzzing like OSS-Fuzz/samba). However, the fuzzer acts like smbclient and needs to establish a connection with the samba server via NTLM authentication. The NTLMSSP_Challenge sent by the server is not deterministic, which can render fuzzing based on previously captured traffic futile. Does samba provide a fuzzer mode that uses a deterministic NTLMSSP_Challenge, just like boringssl does (https://boringssl.googlesource.com/boringssl/+/HEAD/FUZZING.md#fuzzer-mode)?


Another way I can think of is to directly bypass the authentication stage. I tried this but it didn't work. First, I started samba with the following config to disable authentication.
```
[global]
   Map to guest = Bad User
   ntlm auth = disabled


[sharedir]
   path = /mount/
   browsable = yes
   read only = no
   guest ok = yes
   write list = all

```
Then, I used smbclient to connect to the server via `smbclient //172.17.0.1/sharedir -N` and captured the traffic. However, the auth stage was not passed, as shown in the captured traffic.


What is the reason and how can I achieve the goal?


Thanks for your time.