lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAH2r5muZDKC1uZM-q2AGe1f50WtxCHZEPS0oHTBQtROJCZ0QJw@mail.gmail.com>
Date:   Sat, 22 May 2021 21:36:06 -0500
From:   Steve French <smfrench@...il.com>
To:     Aurélien Aptel <aaptel@...e.com>
Cc:     Hyunchul Lee <hyc.lee@...il.com>, Steve French <sfrench@...ba.org>,
        David Howells <dhowells@...hat.com>,
        CIFS <linux-cifs@...r.kernel.org>,
        samba-technical <samba-technical@...ts.samba.org>,
        LKML <linux-kernel@...r.kernel.org>, kernel-team@....com,
        Namjae Jeon <linkinjeon@...nel.org>
Subject: Re: [PATCH v2] cifs: decoding negTokenInit with generic ASN1 decoder

On Fri, May 21, 2021 at 3:44 AM Aurélien Aptel via samba-technical
<samba-technical@...ts.samba.org> wrote:
>
> Hi Hyunchul,
>
> The existence of multiple ASN1 decoder has been a regular complaint,
> this looks nice. Have you tested it against any servers?
>
> I think we need to make sure it works with Windows Server (including
> increased ones with the increased security flag, Steve do you remember
> the name of that flag?) and Samba at least.

Are you thinking about the authentication problem to Windows when a
stricter registry setting is chosen for server name hardening?

This involves populating the ntlmv2 response area of an NTLMSSP blob
with the  "Target Name" attribute ie missing MsvAvTargetNamefield and
maybe also
MsvAvTimestamp and NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE in
MsvAvFlags.   These (the target name field in particular) are required
when Windows servers set the registry parm SmbServerNameHardeningLevel
to 2

See e.g. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level

> There is the SDC EMEA plugfest coming up, might be a good time to try it
> out against other vendors as well.

Yes - definitely need to try with various cases (krb5 and ntlmssp in
SPNEGO) to various servers (Macs, NetApp, Windows, Azure, Samba,ksmbd
etc)


-- 
Thanks,

Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ