Does samba provide a fuzzer mode that uses deterministic NTLMSSP_Challenge, or how can I bypass the authentication stage?

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Tue Jan 10 22:36:39 UTC 2023


hi Fouzhe

> Recently I have wanted to fuzz samba systematically (instead of functional fuzzing like OSS-Fuzz/samba). However, the fuzzer acts like smbclient and needs to establish a connection with the samba server via NTLM authentication. The NTLMSSP_Challenge sent by the server is not deterministic, which can render the fuzzing based on previously captured traffic futile. Does samba provide a fuzzer mode that uses deterministic NTLMSSP_Challenge, just like boringssl does (https://boringssl.googlesource.com/boringssl/+/HEAD/FUZZING.md#fuzzer-mode)?

The short answer is no, we don't have anything like that. It would be an 
interesting addition.

As mentioned on the other list, I think most or all of the randomness will be 
provided by gnutls. Perhaps it all comes through the functions in 
lib/util/genrand.c, but perhaps not. I am not very familiar with the NTLMSSP code.

I am also not aware of what smb.conf options might achieve this:

> Another way I think is to directly bypass the authentication stage. I tried this but it didn't work. First, I started samba with the following config to disable authentication.
> ```
> [global]
>    Map to guest = Bad User
>    ntlm auth = disabled
> 
> [sharedir]
>    path = /mount/
>    browsable = yes
>    read only = no
>    guest ok = yes
>    write list = all
> ```
> Then, I used smbclient to connect to the server via `smbclient //172.17.0.1/sharedir -N` and captured the traffic. However, the auth stage was not passed, as shown in the captured traffic.
> 
> What is the reason and how can I achieve the goal?

It strikes me that the client is the one with the NTLMSSP_NEGOTIATE and user 
'root'; maybe you need more client side options or a client smb.conf.

Also, it looks less like the fuzzer "needs to establish a connection with the 
samba server via NTLM authentication", and more like you just want it to get 
past this somehow. Is that right?

And having directed you here for the fuzzing mode question, you might have 
better luck on the Samba list for smb.conf/operational questions.

cheers,
Douglas
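As an added illustration (not part of this thread or of Samba's code): the field that differs between connections is the 8-byte ServerChallenge at a fixed offset in the NTLMSSP CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2), which is why a capture from one connection cannot be replayed against the next. The script builds two minimal challenge messages with constructed values, parses them, and reports which byte offsets differ; `build_challenge`, `parse_challenge` and `differing_offsets` are names chosen here, and the Version and TargetInfo fields a real server sends are omitted.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # MS-NLMP 2.2.1.2: CHALLENGE_MESSAGE layout
CHALLENGE_MESSAGE = 2
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
FIXED_HEADER_LEN = 48          # header size when no Version field is sent
SERVER_CHALLENGE_OFFSET = 24   # the 8 bytes the server draws fresh per connection

def build_challenge(server_challenge, target_name, flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Assemble a minimal CHALLENGE_MESSAGE (constructed for this example: no
    Version field and an empty TargetInfo, which a real server would include)."""
    if len(server_challenge) != 8:
        raise ValueError("ServerChallenge must be exactly 8 bytes")
    name = target_name.encode("utf-16-le")
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(name), len(name), FIXED_HEADER_LEN)  # TargetNameFields
    msg += struct.pack("<I", flags)                                      # NegotiateFlags
    msg += server_challenge                                              # ServerChallenge
    msg += b"\x00" * 8                                                   # Reserved
    msg += struct.pack("<HHI", 0, 0, FIXED_HEADER_LEN + len(name))       # TargetInfoFields
    return msg + name

def parse_challenge(msg):
    """Extract the fields a replay-based fuzzer needs from a captured
    CHALLENGE_MESSAGE, validating signature, type and buffer bounds first."""
    if len(msg) < FIXED_HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"expected CHALLENGE_MESSAGE (2), got {msg_type}")
    name_len, _, name_off = struct.unpack_from("<HHI", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 20)
    if name_off + name_len > len(msg):
        raise ValueError("TargetName buffer points outside the message")
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    return {
        "flags": flags,
        "server_challenge": msg[SERVER_CHALLENGE_OFFSET:SERVER_CHALLENGE_OFFSET + 8],
        "target_name": msg[name_off:name_off + name_len].decode(codec),
    }

def differing_offsets(a, b):
    """Byte offsets at which two captures of the same exchange disagree."""
    n = min(len(a), len(b))
    return [i for i in range(n) if a[i] != b[i]] + list(range(n, max(len(a), len(b))))

if __name__ == "__main__":
    first = build_challenge(bytes.fromhex("0123456789abcdef"), "SAMBA")   # constructed
    second = build_challenge(bytes.fromhex("fedcba9876543210"), "SAMBA")  # constructed
    print(differing_offsets(first, second))  # [24, 25, 26, 27, 28, 29, 30, 31]
```

Run against two real captures of the same share, the diff will also show the TargetInfo timestamp moving, so a deterministic fuzzer mode would need to pin more than the challenge alone.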