Type packetstorm
Reporter weld
Modified 1999-08-17T00:00:00


L0pht Security Advisory  
Advisory released Jan. 5, 1999  
Application: Windows 95/98 Network File Sharing  
Severity: Sniffed authentications can be used  
to impersonate network users  
Author: weld@l0pht.com  
Overview :  
Windows 95/98 network file sharing reuses the cryptographic challenges  
used in SMB challenge/response authentication. The reuse of the  
challenge enables an attacker, who has captured a legitimate  
network authentication, to replay the authentication and establish  
a connection impersonating a valid user.  
Description :  
During testing of the L0phtCrack 2.5 SMB packet capture tool to capture  
SMB challenge/response authentication, it became apparent to the   
L0phtCrack development team that Windows 95/98 issues the exact same  
challenge for each authentication for a period of approximately 15  
minutes. During this time an attacker can connect to a network share  
as the user whose authentication was captured.  
The attacker can connect to the Win95/98 share as that user because the  
user name is transmitted in the clear as well as the challenge.   
Although the attacker does not know the user's password and therefore  
cannot generate the encrypted password hash from it, the attacker does  
not have to. She merely replays the encrypted hash that she captured.   
It will be correct because the challenge hasn't changed and she is  
impersonating that particular user.  
Reusing a challenge is a classic cryptographic mistake. If the  
challenge were simply incremented, this attack would not be possible.  
Details :  
The following captures are in the L0phtCrack 2.5 capture format, specified as  
DOMAIN\username:3:challenge:encrypted LANMAN hash:encrypted NTLM hash  
The following 2 captures show an NT machine connecting to another NT  
machine. The challenge is different, as it should be, for each  
The following 2 captures show an NT machine connecting to a Win98  
machine. Notice that the same challenge is issued each time.  
This capture is another NT machine connecting to the same Win98  
machine used above. Notice this is the same challenge as in the  
previous 2 authentications.  
As you can see from the last 3 captures, if the username and challenge  
are the same then the encrypted hashes sent are the same.  
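As an added example (not L0pht's code and not part of the original advisory), the following Python models the two behaviours described in the Overview and Details sections: a server that issues a fresh challenge for every authentication, and one that hands out the same challenge for a 15 minute window. HMAC-SHA256 stands in for the DES-based LM/NTLM response computation (an assumption made for brevity; the property the advisory relies on, same secret plus same challenge gives the same response, is preserved). The server names, user name and password are constructed. It emits capture lines in the L0phtCrack 2.5 format quoted above, shows that a captured response is accepted again only by the reusing server, and ends with a check a defender can run over a set of captures to flag any server that answered more than one authentication with the same challenge.

```python
import hashlib
import hmac
import os


def password_hashes(password):
    """Stand-in for the stored LM and NTLM hashes (constructed, not the real derivations)."""
    lm = hashlib.sha256(b"LM:" + password.upper().encode()).digest()
    nt = hashlib.sha256(b"NT:" + password.encode("utf-16-le")).digest()
    return lm, nt


def encrypt_challenge(pw_hash, challenge):
    """Stand-in for the 'encrypted hash' a client sends in answer to a challenge."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class SmbServer:
    """Toy server. reuse_seconds=0 models NT (fresh challenge per authentication);
    reuse_seconds=900 models the Win95/98 behaviour the advisory describes."""

    def __init__(self, name, reuse_seconds, clock):
        self.name = name
        self.reuse_seconds = reuse_seconds
        self.clock = clock          # callable returning seconds; injectable for tests
        self.users = {}
        self.challenge = None
        self.issued_at = None

    def add_user(self, username, password):
        self.users[username] = password_hashes(password)

    def issue_challenge(self):
        now = self.clock()
        stale = self.challenge is None or now - self.issued_at >= self.reuse_seconds
        if self.reuse_seconds == 0 or stale:
            self.challenge = os.urandom(8)
            self.issued_at = now
        return self.challenge

    def verify(self, username, lm_resp, nt_resp):
        """Check both responses against the challenge currently outstanding."""
        lm_hash, nt_hash = self.users[username]
        ok_lm = hmac.compare_digest(encrypt_challenge(lm_hash, self.challenge), lm_resp)
        ok_nt = hmac.compare_digest(encrypt_challenge(nt_hash, self.challenge), nt_resp)
        return ok_lm and ok_nt


def legitimate_logon(server, domain, username, password):
    """Genuine client: returns (accepted, capture line) in the format
    DOMAIN\\username:3:challenge:encrypted LANMAN hash:encrypted NTLM hash."""
    challenge = server.issue_challenge()
    lm_hash, nt_hash = password_hashes(password)
    lm_resp = encrypt_challenge(lm_hash, challenge)
    nt_resp = encrypt_challenge(nt_hash, challenge)
    accepted = server.verify(username, lm_resp, nt_resp)
    capture = f"{domain}\\{username}:3:{challenge.hex()}:{lm_resp.hex()}:{nt_resp.hex()}"
    return accepted, capture


def parse_capture(line):
    account, _, challenge, lm_resp, nt_resp = line.strip().split(":")
    return account.split("\\", 1)[1], challenge, lm_resp, nt_resp


def replay_capture(server, capture_line):
    """Re-send a captured response with no knowledge of the password. The server
    accepts it only if its current challenge is the one the capture answered."""
    username, _, lm_hex, nt_hex = parse_capture(capture_line)
    server.issue_challenge()
    return server.verify(username, bytes.fromhex(lm_hex), bytes.fromhex(nt_hex))


def reused_challenges(captures):
    """Detection: report every (server, challenge) pair that answered more than
    one authentication, which is the symptom the advisory describes."""
    seen = {}
    for server_name, line in captures:
        username, challenge, _, _ = parse_capture(line)
        seen.setdefault((server_name, challenge), []).append(username)
    return {key: users for key, users in seen.items() if len(users) > 1}


def demo():
    clock = {"t": 0}
    tick = lambda: clock["t"]
    nt = SmbServer("NTBOX", reuse_seconds=0, clock=tick)        # constructed names
    w98 = SmbServer("WIN98BOX", reuse_seconds=900, clock=tick)
    captures, results = [], {}
    for srv in (nt, w98):
        srv.add_user("alice", "correct horse")
        clock["t"] = 0
        ok1, c1 = legitimate_logon(srv, "WORKGROUP", "alice", "correct horse")
        clock["t"] = 60
        ok2, c2 = legitimate_logon(srv, "WORKGROUP", "alice", "correct horse")
        captures += [(srv.name, c1), (srv.name, c2)]
        clock["t"] = 120
        results[srv.name] = {
            "genuine_logons_ok": ok1 and ok2,
            "same_challenge": parse_capture(c1)[1] == parse_capture(c2)[1],
            "replay_accepted": replay_capture(srv, c1),
        }
    clock["t"] = 1000   # past the ~15 minute window: the Win98 model rotates its challenge
    _, c3 = legitimate_logon(w98, "WORKGROUP", "alice", "correct horse")
    results["WIN98BOX"]["rotated_after_window"] = (
        parse_capture(c3)[1] != parse_capture(captures[-1][1])[1])
    results["flagged"] = reused_challenges(captures)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the challenges are random, the hex values differ on every run; the relationships do not: the NT model gives two different challenges and rejects the replay, the Win98 model gives the same challenge and the same two encrypted hashes for both logons, accepts the replayed capture inside the window, and is the only server the detection step flags.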
Implementation :  
An attacker could modify the Unix Samba client to alter the way it  
issues encrypted password hashes. It could be modified to send  
a fixed encrypted password hash as entered by the attacker instead  
of generating it based on a password and the challenge. In this way  
the attacker could feed the output of an SMB packet capture into  
a modified Samba client to make Win95/98 file share connections from  
her machine.   
Once these connections are made, interesting files could be read from  
or written to the Win95/98 machines. Files that could be written   
include those in the Windows Startup folder which would enable  
programs to install themselves to automatically execute on system  
Conclusion :  
This vulnerability comes at a time when many in the security  
community are waking up to the fact that a Win95/98/NT specific virus  
could spread rapidly by taking advantage of flaws in network  
authentication. The recent "Remote Explorer" virus did not take  
advantage of flaws in network authentication. It took advantage  
of poor Domain Administrator practice.  
Some day a virus will take advantage of flaws such as the   
aforementioned Win95/98 network impersonation or perhaps the cracking  
of network authentication that L0phtCrack 2.5 performs so   
effortlessly. Weak network security implementation and weak passwords  
will be the culprits. L0phtCrack is designed to help defeat the  
For more L0pht (that's L - zero - P - H - T) advisories check out: