From owner-freebsd-hackers Sun Nov 9 14:40:27 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA10715 for hackers-outgoing; Sun, 9 Nov 1997 14:40:27 -0800 (PST) (envelope-from owner-freebsd-hackers)
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA10707 for ; Sun, 9 Nov 1997 14:40:23 -0800 (PST) (envelope-from julian@whistle.com)
Received: (from daemon@localhost) by alpo.whistle.com (8.8.5/8.8.5) id OAA25158; Sun, 9 Nov 1997 14:38:56 -0800 (PST)
Received: from UNKNOWN(), claiming to be "current1.whistle.com" via SMTP by alpo.whistle.com, id smtpd025154; Sun Nov 9 14:38:50 1997
Date: Sun, 9 Nov 1997 14:36:59 -0800 (PST)
From: Julian Elischer
To: perlsta@cs.sunyit.edu, hackers@freebsd.org
Subject: Re: Lanmanger Hole! (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Here is the response from one of the prime authors of SAMBA.. (he's in the next cube)

---------- Forwarded message ----------
Date: Sun, 9 Nov 1997 12:46:20 -0800
From: Jeremy Allison
To: julian@whistle.com
Subject: Re: Lanmanger Hole! (fwd)

> Could you send me a little 2 paragraph status report
> re: this sort of thing, that I can forward to the FreeBSD Lists

Julian, please forward this :

Jeremy.

----------------------------------------------------------------

Lanman passwords are insecure. There's no getting around this. When designing the Lanman password hash Microsoft made some very poor decisions. They uppercase the password (which drastically reduces the search time for a brute force search), used DES in ECB mode, and finally didn't use salt. This means that it is very easy to brute force lanman passwords. A further problem is that in the CIFS/SMB protocols password hashes are plaintext equivalent. This means that just knowing the hash is enough for me to make a network drive connection - there is no need to know the plaintext password (this is true for NT passwords also).

When used in encrypted password mode Samba treats the lanman and NT passwords like a shadow password file and keeps the file owned by root and with no read access to any other user.

Changing to the NT security model doesn't buy you anything, as NT keeps the Lanman passwords around and by default will accept either the Lanman or NT password, and also using NT passwords only prohibits Windows 95 machines from being used on your network. Samba could easily be changed to only accept NT passwords, but as mentioned above this means *no* DOS, Win3.1, or Win95.

Also the NT password hash, although better than the Lanman one, has no salt and is vulnerable to brute force - although much better than the Lanman hash (it is plain MD4 on the unicode password).

There is a freeware Lanman/NT password cracker at the L0pht site (can't remember the URL - do a search).

Hope this helps,

Jeremy Allison
Samba Team.
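An added example, not part of this thread or of Samba's code: a Go implementation of the LM hash as Jeremy describes it, making each of the design flaws he lists visible (the password is upper-cased, the 14-byte buffer is split into two independent 7-byte DES keys that each encrypt a fixed string in ECB mode, and no salt is mixed in). It assumes ASCII passwords, uses only Go's standard crypto/des, and the SecondHalfIsEmpty audit helper is my own addition: it flags hashes whose second half shows the password was at most 7 characters.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext every LM half-key encrypts.
// Because it is constant and no salt is used, equal passwords always
// produce equal hashes on every account and every machine.
var lmMagic = []byte("KGS!@#$%")

// desKeyFrom7 spreads 7 password bytes over 8 DES key bytes, 7 bits
// per byte, leaving the low bit for DES parity (ignored by the cipher).
func desKeyFrom7(s []byte) []byte {
	k := make([]byte, 8)
	k[0] = s[0] >> 1
	k[1] = (s[0]&0x01)<<6 | s[1]>>2
	k[2] = (s[1]&0x03)<<5 | s[2]>>3
	k[3] = (s[2]&0x07)<<4 | s[3]>>4
	k[4] = (s[3]&0x0f)<<3 | s[4]>>5
	k[5] = (s[4]&0x1f)<<2 | s[5]>>6
	k[6] = (s[5]&0x3f)<<1 | s[6]>>7
	k[7] = s[6] & 0x7f
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// LMHash returns the 16-byte LanMan hash as upper-case hex. Steps: ASCII
// upper-case, truncate/zero-pad to 14 bytes, split into two 7-byte halves,
// DES-ECB-encrypt lmMagic under each half independently.
func LMHash(password string) string {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password)) // copy truncates at 14 bytes
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, err := des.NewCipher(desKeyFrom7(buf[i*7 : i*7+7]))
		if err != nil {
			panic(err) // unreachable: the key is always 8 bytes
		}
		block.Encrypt(out[i*8:i*8+8], lmMagic)
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// SecondHalfIsEmpty (assumed helper) reports whether the second half equals
// the hash of an all-zero half, i.e. the password had at most 7 characters.
func SecondHalfIsEmpty(lmHex string) bool {
	return strings.HasSuffix(lmHex, LMHash("")[16:])
}

func main() {
	for _, p := range []string{"password", "PASSWORD", "Secret1", "averylongpassword"} {
		h := LMHash(p)
		fmt.Printf("%-18s %s  at most 7 chars: %v\n", p, h, SecondHalfIsEmpty(h))
	}
}
```

Running it shows "password" and "PASSWORD" hashing to the same value, and every password of 7 or fewer characters sharing the constant second half AAD3B435B51404EE, which is why an auditor can spot short passwords from the hash alone.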