Does samba provide a fuzzer mode that uses deterministic NTLMSSP_Challenge, or how can I bypass the authentication stage?
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Tue Jan 10 22:36:39 UTC 2023
hi Fouzhe
> Recently I want to fuzz samba systematically (instead of functional fuzzing like OSS-Fuzz/samba). However, the fuzzer acts like smbclient and needs to establish a connection with the samba server via NTLM authentication. The NTLMSSP_Challenge sent by the server is not deterministic, which can render the fuzzing based on previously captured traffic futile. Does samba provide a fuzzer mode that uses deterministic NTLMSSP_Challenge, just like boringssl does (https://boringssl.googlesource.com/boringssl/+/HEAD/FUZZING.md#fuzzer-mode)?
The short answer is no, we don't have anything like that. It would be an
interesting addition.
As mentioned on the other list, I think most or all of the randomness will be
provided by gnutls. Perhaps it all comes through the functions in
lib/util/genrand.c, but perhaps not. I am not very familiar with the NTLMSSP code.
I am also not aware of what smb.conf options might achieve this:
> Another way I think is to directly bypass the authentication stage. I tried this but it didn't work. First, I started samba with the following config to disable authentication.
> ```
> [global]
> Map to guest = Bad User
> ntlm auth = disabled
>
>
> [sharedir]
> path = /mount/
> browsable = yes
> read only = no
> guest ok = yes
> write list = all
>
> ```
> Then, I used smbclient to connect to the server via `smbclient //172.17.0.1/sharedir -N` and captured the traffic. However, the auth stage was not passed, as shown in the captured traffic.
>
> What is the reason and how can I achieve the goal?
It strikes me that the client is the one with the NTLMSSP_NEGOTIATE and user
'root'; maybe you need more client side options or a client smb.conf.
Also, it looks less like the fuzzer "needs to establish a connection with the
samba server via NTLM authentication", and more like you just want it to get
past this somehow. Is that right?
And having directed you here for the fuzzing mode question, you might have
better luck on the Samba list for smb.conf/operational questions.
cheers,
Douglas
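The nondeterminism Fouzhe describes lives in specific fields of the CHALLENGE_MESSAGE, so one workaround for a capture-based fuzzer is to normalize those fields before comparing or reusing captures. The following is an added example, not code from this thread or from Samba; it assumes the CHALLENGE_MESSAGE layout documented in MS-NLMP (8-byte ServerChallenge at offset 24, AV_PAIR list in TargetInfo, MsvAvTimestamp id 7) and builds its own constructed sample messages.

```python
"""Parse an NTLMSSP CHALLENGE_MESSAGE and zero its nondeterministic fields."""
import struct

SIGNATURE = b"NTLMSSP\x00"
CHALLENGE = 2             # MessageType of CHALLENGE_MESSAGE
MSV_AV_TIMESTAMP = 0x0007  # AV_PAIR id carrying the server's FILETIME


def parse_challenge(msg: bytes) -> dict:
    """Return the header fields and payload slices of a CHALLENGE_MESSAGE."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != CHALLENGE:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", msg, 12)  # TargetNameFields
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)  # TargetInfoFields
    return {
        "flags": struct.unpack_from("<I", msg, 20)[0],
        "server_challenge": msg[24:32],
        "target_name": msg[tn_off:tn_off + tn_len],
        "target_info": msg[ti_off:ti_off + ti_len],
        "target_info_offset": ti_off,
    }


def normalize_challenge(msg: bytes) -> bytes:
    """Zero the 8-byte ServerChallenge and the value of any MsvAvTimestamp AV_PAIR."""
    fields = parse_challenge(msg)
    out = bytearray(msg)
    out[24:32] = b"\x00" * 8
    pos = fields["target_info_offset"]
    end = pos + len(fields["target_info"])
    while pos + 4 <= end:                # walk AV_PAIRs: u16 id, u16 len, value
        av_id, av_len = struct.unpack_from("<HH", out, pos)
        if av_id == 0:                   # MsvAvEOL terminates the list
            break
        if av_id == MSV_AV_TIMESTAMP:
            out[pos + 4:pos + 4 + av_len] = b"\x00" * av_len
        pos += 4 + av_len
    return bytes(out)


def build_challenge(server_challenge: bytes, timestamp: bytes) -> bytes:
    """Constructed sample: target name 'SAMBA', one timestamp AV_PAIR (not a real capture)."""
    target_name = "SAMBA".encode("utf-16-le")
    target_info = struct.pack("<HH", MSV_AV_TIMESTAMP, 8) + timestamp + struct.pack("<HH", 0, 0)
    header_len = 56  # fixed header including the 8-byte Version field
    hdr = SIGNATURE + struct.pack("<I", CHALLENGE)
    hdr += struct.pack("<HHI", len(target_name), len(target_name), header_len)
    hdr += struct.pack("<I", 0xE2898215)  # constructed NegotiateFlags value
    hdr += server_challenge + b"\x00" * 8  # ServerChallenge, Reserved
    hdr += struct.pack("<HHI", len(target_info), len(target_info), header_len + len(target_name))
    hdr += b"\x06\x01\xb1\x1d\x00\x00\x00\x0f"  # Version field, constructed
    return hdr + target_name + target_info
```

Two messages built with different challenges and timestamps differ as raw bytes but compare equal after `normalize_challenge`, which is the property a replay corpus needs; the real fix Fouzhe asks about would instead make the server emit a fixed challenge.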