Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All high quality and updated daily, avoiding security crap documents. Spreading hacking knowledge, for free, enjoy.

Understanding the Windows SMB NTLM Weak Nonce vulnerability

Type: Slides
Tags: NTLM, Windows
Authors: Agustin Azubel, Hernan Ochoa
Event: Black Hat USA 2010
Indexed on: Mar 27, 2013
URL: https://media.blackhat.com/bh-us-10/presentations/Ochoa_Azubel/BlackHat-USA-2010-Ochoa-Azubel-NTLM-Weak-Nonce-slides.pdf
File name: BlackHat-USA-2010-Ochoa-Azubel-NTLM-Weak-Nonce-slides.pdf
File size: 2.8 MB
MD5: 0c1040495cffe14585e4800ad3ff058f
SHA1: 2a5b5d50fdccd685923280fa6766bcd075256b5f

In February 2010, we found a vulnerability in the SMB NTLM Windows Authentication mechanism that has been present in Windows systems for at least 14 years (from Windows NT 4 to Windows Server 2008). You probably haven't heard about this vulnerability, but basically the authentication mechanism used by all Windows systems to access remote resources using SMB was flawed, allowing attackers to get read/write access to remote resources and remote code execution without credentials, using different techniques such as passive replay attacks, active collection of duplicate challenges/responses, and prediction of challenges. This vulnerability is also a good example of flaws found in challenge-response authentication mechanisms. This presentation will describe the vulnerability in detail, including its scope and severity, explain different techniques to exploit the flaws found, and demo fully functional exploit code.
