Detail questions about NTLM and SMB

  • Question

  • These questions concern Windows in general, not only Windows 10.

    What combinations of auth (LM, Net-NTLMv1, Net-NTLMv2, Kerberos) and SMB (1,2,3) are possible? All?
    Are all available authentication-mechanisms listed in my question or is there any missing method?

    Regarding SMB encryption and signing:

    1. Which parts of the communication are signed when SMB signing is used? How does it prevent MITM (e.g. using ARP spoofing) and how does the key exchange work? I would expect that the Domain Controller is used as a CA for a PKI, is that true? How does this work if no domain is present (and thereby no trust-anchor)?

    2. When does SMBv3 start to encrypt a transfer (if agreed upon)? At Auth already, starting with the requests or only the payload (e.g. files)?

    3. Are signatures always evaluated, or is it possible that a SMB-server signs and a SMB-Client does not check/verify signatures? If possible, when does this happen?

    Regarding Net-NTLM v1 and v2:

    1. Is the SID included in Net-NTLMv1 and v2 authentications or only domain name and user name? Can a server be asked for the SID that corresponds to a user name?

    2. NTLMv1 does "usually include LMHash and NTHash" - but under which circumstances are which hashes included and are which hashes checked? If there is no LMHash (Vista and newer) is NTLMv1 not usable? Is it possible to obtain a LMHash by asking for Net-NTLMv1 in domain-Levels > 2013 ?

    3. What is the client challenge in Net-NTLMv2 good for? I guess it is for optional server authentication, but how can the client verify? Or does the server track the client challenges in order to not allow the same client challenge again (replay prevention)?

    Thank you very much.

    Thursday, March 21, 2019 4:40 PM

All replies

  • There is no PKI used in the SMB signing and sealing.  There are session keys generated via Kerberos and NTLM, that are used.

    With SMB3, the payload is encrypted and auth protected.  You can see the auth. With weak passwords, one can brute force the auth you see on the wire, offline.

    Clients and servers have their own signing settings.  One side could choose to not check sigs, but can't be forced if it is set to check them. No downgrades.  This assumes MS client and server.  Other implementations may suck.

    NTLMv1 and 2 pass the username, not SID.

    No version of NTLM sends the hash.  A challenge response occurs. This is math that proves you know the hash. In all cases, with a weak password the ch/resp can be brute forced offline. For NTLMv1, that is overnight.

    NTLM v1 and 2 both have challenges. They both let the client and server provide half of the challenge. This is to keep a bad actor from pre-computing all answers for a given challenge and sending it.

    Friday, March 22, 2019 5:52 PM
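The reply above makes three claims that are easiest to see in code: the NT hash itself is never sent, the response is a keyed MAC the server can recompute from its stored hash, and both the server's and the client's challenge enter that MAC. The following is an added example (not code from the thread or from Microsoft) implementing the NTLMv2 response and its server-side verification as documented in MS-NLMP section 3.3.2. It assumes the stored secret is already the 16-byte NT hash (normally MD4 of the UTF-16LE password; MD4 is not computed here because many Python builds no longer expose it), and the user, domain, challenges and target-info bytes are constructed sample values.

```python
"""NTLMv2 challenge/response, verifier's view (added example, MS-NLMP 3.3.2)."""
import hashlib
import hmac
import os
import struct

# Constructed stand-in for MD4(UTF-16LE(password)); a DC stores this, never the password.
STORED_NT_HASH = bytes(range(16))
# Constructed target info: one AV_PAIR (MsvAvNbDomainName = "CO") plus the MsvAvEOL terminator.
TARGET_INFO = b"\x02\x00\x04\x00C\x00O\x00" + b"\x00\x00\x00\x00"


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(uppercase(user) + domain)).
    Only the user name is uppercased; the domain is used as given."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure: responder version 1.1, reserved bytes, FILETIME,
    the 8-byte client challenge, reserved bytes, target info, reserved bytes."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def client_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr (16 bytes) || blob.
    NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob), so both challenges are bound."""
    blob = build_blob(timestamp, client_challenge, target_info)
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                  nt_challenge_response: bytes) -> bool:
    """Recompute NTProofStr from the stored NT hash and the blob the client sent.
    The server only needs the hash it already holds; nothing secret arrives on the wire."""
    if len(nt_challenge_response) < 16 + 32:  # proof + minimal blob (2+6+8+8+4+4)
        return False
    proof, blob = nt_challenge_response[:16], nt_challenge_response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain),
                        server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    """Run one genuine exchange, then a replay and a tampered blob against the same verifier."""
    user, domain = "alice", "CORP"
    server_challenge = os.urandom(8)      # server's half of the challenge
    client_challenge = os.urandom(8)      # client's half of the challenge
    timestamp = 131_000_000_000_000_000   # constructed FILETIME value
    wire = client_response(STORED_NT_HASH, user, domain, server_challenge,
                           client_challenge, timestamp, TARGET_INFO)

    # Replay: the captured response presented in a new session with a fresh server challenge.
    replay_ok = server_verify(STORED_NT_HASH, user, domain, os.urandom(8), wire)
    # Tampering: flip one byte of the client challenge inside the blob; the MAC no longer matches.
    tampered = bytearray(wire)
    tampered[32] ^= 0x01
    tampered_ok = server_verify(STORED_NT_HASH, user, domain, server_challenge, bytes(tampered))

    return {
        "genuine_accepted": server_verify(STORED_NT_HASH, user, domain, server_challenge, wire),
        "replay_accepted": replay_ok,
        "tampered_accepted": tampered_ok,
        "hash_on_wire": STORED_NT_HASH in wire,
        "client_challenge_on_wire": wire[32:40] == client_challenge,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The client challenge is sent in the clear inside the blob, so it is not a secret; its value is that the client, not the server, decides part of the MAC input, which is what stops a party that controls the server challenge from precomputing answers. The replay case also shows why the server challenge must be fresh per session: a verifier that reuses challenges would accept the captured response.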
  • Hi,

    Check if the links below are helpful:

    Network security: LAN Manager authentication level

    https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level

    No more ARP : Another MiTm Attacks

    https://www.slideshare.net/KhajorncholPuwarang/no-more-arp-another-mitm-attacks

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, March 22, 2019 6:29 PM
    Moderator
  • Thank you Mark Gamache,

    "There is no PKI used in the SMB signing and sealing.  There are session keys generated via Kerberos and NTLM, that are used."
    How do these ensure authenticity? There needs to be some "ingredient" that makes sure that the session key was not generated while communicating with an adversary...

    "With SMB3, the payload is encrypted and auth protected.  You can see the auth. With weak passwords, one can brute force the auth you see on the wire, offline."
    But SMB3 is not always encrypted, is it? - Your post reads to me like SMB3 was always encrypted?!

    "Clients and servers have their own signing settings.  One side could choose to not check sigs, but can't be forced if it is set to check them. No downgrades.  This assumes MS client and server.  Other implementations may suck."
    So SMB signing for DCs is nice and well, but the clients can be configured to ignore signing and thereby accept unsigned or wrongly signed packets?!

    "No version of NTLM sends the hash.  A challenge response occurs. This is math that proves you know the hash. In all cases, with a weak password the ch/resp can be brute forced offline."
    Sure, Net-NTLMv1 "hashes" are in fact responses, I know that. But I read that those responses can be based on NTHashes and/or LMHashes, and I wonder about the circumstances.

    For a better overview, unanswered questions are:

    a) When does a client not verify SMB signing?
    b) Can a server be asked for the SID that corresponds to a user name?
    c) Is it possible to obtain a LMHash by asking for Net-NTLMv1 in domain levels > 2013?

    Monday, March 25, 2019 12:30 PM