> -----Original Message----- > From: Dave Aitel [mailto:dave@immunitysec.com] > Also found and demonstrated by dildog at defcon 3 years ago. So don't > hold your breath waiting for that patch. You don't need to wait. This is prevented with NTLM v.2, which shipped with Windows NT 4.0 SP4 in October 1998. This type of attack is also foiled with Kerberos, which is negotiated by default in a Windows 2000 or higher domain. To learn more about using NTLM v.2 and Kerberos, refer to the Windows 2000 Security Hardening Guide: http://www.microsoft.com/technet/security/prodtech/Windows/Win2kHG.asp downloadable at: http://www.microsoft.com/downloads/details.aspx?FamilyID=15E83186-A2C8-4 C8F-A9D0-A0201F639A56&DisplayLang=en > > When > > a logged-in user requests for a network share on the > server, Windows > > automatically sends the encrypted hashed password of the logged-in > > username to the target SMB server before prompting for password. This is not correct. Window sends a response to a server challenge. The response is computed from the users hash and the challenge sent by the server. Passwords, hashed, encrypted or otherwise, are never sent on the wire during a connection. Jesper M. Johansson Security Program Manager Microsoft Corporation
