Stefan G. Weichinger
2017-Nov-11 10:02 UTC
[Samba] how safe is "net use" in a batch file? plus some encryption questions
A customer asked me if someone would be able to sniff (wireshark or something like that) a password if plugging into the same switch as their samba server.

They use a desktop icon pointing at a plain old bat-file containing a "net use" command with the password right in there.

I *assume* that the "net use" authenticates via encrypted communication? Could someone confirm that?

-

Unfortunately we can't use domain context there because of the special structure there: the thin clients are members in an AD domain separate from our protected standalone samba server (and these worlds have to be kept separated).

*and* I have to keep NTLMv1 etc activated to support old Windows XP VMs ... as far as I remember there are ways to activate safer protocols for XP as well, correct? (they insist on XP because of a specific software ...)

-

They also ask for encryption. I think I could encrypt the underlying layer via encfs or something, but that means that somebody has to provide a passphrase at boot/mount-time. I want to avoid a single-person-of-failure-scenario here: even if I am not available they have to be able to get that server up and running again in case of some reboot or so.

Is it recommended to just place a container like Truecrypt or Veracrypt inside a Samba-share? Any thoughts or recommendations here, best practices ... ?

have a nice weekend, Stefan
Rowland Penny
2017-Nov-11 12:36 UTC
[Samba] how safe is "net use" in a batch file? plus some encryption questions
On Sat, 11 Nov 2017 11:02:31 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> A customer asked me if someone would be able to sniff (wireshark or
> something like that) a password if plugging into the same switch as
> their samba server.
>
> They use a desktop icon pointing at a plain old bat-file containing a
> "net use" command with the password right in there.
>
> I *assume* that the "net use" authenticates via encrypted
> communication? could someone confirm that?

As far as I am aware, 'net use' sends the password unencrypted, so if someone is trying to 'sniff' the password, they will get it, but then if the password is stored in the bat file unencrypted and anybody can read the bat file, they won't need to 'sniff' the password.

> -
>
> Unfortunately we can't use domain context there because of the
> special structure there: the thin clients are members in a AD domain
> separate from our protected standalone samba server (and these worlds
> have to be kept separated).
>
> *and* I have to keep NTLMv1 etc activated to support old Windows XP
> VMs ... as far as I remember there are ways to activate safer
> protocols for XP as well, correct? (they insist on XP because of a
> specific software ...)

You can make XP use NTLMv2, see here:

https://www.imss.caltech.edu/node/396

I don't know who your customer is, but they really should find a more up to date way of doing things.

> -
>
> They also ask for encryption. I think I could encrypt the underlying
> layer via encfs or something, but that means that somebody has to
> provide a passphrase at boot/mount-time. I want to avoid a
> single-person-of-failure-scenario here: even if I am not available
> they have to be able to get that server up and running again in case
> of some reboot or so.
>
> Is it recommended to just place a container like Truecrypt or
> Veracrypt inside a Samba-share? Any thoughts or recommendations here,
> best practices ... ?

Cannot help you with encryption, I don't use it. However I feel that I should point out that the rest of the system seems to be so insecure, that if a badhat does get in, they will probably get the encryption keys as well.

Rowland
Stefan G. Weichinger
2017-Nov-11 18:26 UTC
[Samba] how safe is "net use" in a batch file? plus some encryption questions
On 2017-11-11 at 13:36, Rowland Penny wrote:

> As far as I am aware, 'net use' sends the password unencrypted, so if
> someone is trying to 'sniff' the password, they will get it, but then
> if the password is stored in the bat file unencrypted and anybody can
> read the bat file, they won't need to 'sniff' the password.

Yes, we know ;-) The thin client with the batch file is physically far away from the server which is in a protected rack inside a closed basement.

I think I will try to wireshark such a session. Just to learn.

> You can make XP use NTLMv2, see here:
>
> https://www.imss.caltech.edu/node/396

Great, I will test that on Monday. Thanks.

> I don't know who your customer is, but they really should find a more
> up to date way of doing things.

That's why we talk and discuss these issues.

> Cannot help you with encryption, I don't use it. However I feel that I
> should point out that the rest of the system seems to be so insecure,
> that if a badhat does get in, they will probably get the encryption keys
> as well.

Oh, come on, it's not that bad ;-)

greets, Stefan
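
Added example, not part of the thread and not Samba project code: a check for the server-side setting discussed above (NTLMv1 kept enabled for the XP VMs). It parses smb.conf text and flags explicitly set `[global]` parameters that permit legacy authentication; the sample configurations and function names are constructed for illustration, and version-dependent defaults are deliberately not judged.

```python
# Added example: flag smb.conf [global] settings that permit legacy authentication.
def norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return "".join(name.lower().split())

WEAK = {  # parameter -> (weak values, reason)
    "ntlm auth": ({"yes", "ntlmv1-permitted"}, "NTLMv1 responses accepted"),
    "lanman auth": ({"yes", "true", "1"}, "LANMAN responses accepted"),
    "server min protocol": ({"core", "lanman1", "lanman2", "nt1"},
                            "SMB1 dialects allowed"),
}

def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][norm(key)] = value.strip()
    return conf

def audit(text):
    """List (parameter, value, reason) for weak settings in [global]."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []
    for param, (bad, reason) in WEAK.items():
        value = glob.get(norm(param))
        if value is not None and value.lower() in bad:
            findings.append((param, value, reason))
    return findings

# Constructed sample: standalone server kept compatible with Windows XP clients.
LEGACY_CONF = """[global]
   ntlm auth = yes
   Server Min Protocol = NT1
;  lanman auth = yes
[data]
   path = /srv/data
"""
# Constructed sample: same server after the XP clients were switched to NTLMv2.
HARDENED_CONF = LEGACY_CONF.replace("ntlm auth = yes", "ntlm auth = ntlmv2-only")

if __name__ == "__main__":
    print(audit(LEGACY_CONF), audit(HARDENED_CONF))
```

The second sample still reports `server min protocol = NT1`, because Windows XP speaks no SMB dialect newer than SMB1; that finding only clears once the XP VMs are retired.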