samba - Nov 2017 - how safe is "net use" in a batch file? plus some encryption questions

Am 2017-11-11 um 13:36 schrieb Rowland Penny:
> As far as I am aware, 'net use' sends the password unencrypted, so
if
> someone is trying to 'sniff' the password, they will get it, but
then
> if the password is stored in the bat file unencrypted and anybody can
> read the bat file, they wont need to 'sniff' the password.
Yes, we know ;-)

The thin client with the batch file is physically far away from the
server which is in a protected rack inside a closed basement.

I think I will try to wireshark such a session. Just to learn.
> You can make XP use NTLMv2, see here:
> 
> https://www.imss.caltech.edu/node/396
Great, I will test that on monday. thanks.
> I don't know who your customer is, but they really should find a more
> up to date way of doing things.
That's why we talk and discuss these issues.
> Cannot help you with encryption, I don't use it. However I feel that I
> should point out that the rest of the system seems to be so insecure,
> that if a badhat does get in, they will problem get the encryption keys
> as well.
oh, come on, it's not that bad ;-)
greets, Stefan

On Sat, Nov 11, 2017 at 12:26 PM, Stefan G. Weichinger via samba <
samba at lists.samba.org> wrote:
> Am 2017-11-11 um 13:36 schrieb Rowland Penny:
>
> > As far as I am aware, 'net use' sends the password
unencrypted, so if
> > someone is trying to 'sniff' the password, they will get it,
but then
> > if the password is stored in the bat file unencrypted and anybody can
> > read the bat file, they wont need to 'sniff' the password.
>
> Yes, we know ;-)
>
I thought "net use" will use ntlm for auth (no clear-text passwords
passing
over the wire). At least that's what I see in wireshark on modern windows.

>
> The thin client with the batch file is physically far away from the
> server which is in a protected rack inside a closed basement.
>
> I think I will try to wireshark such a session. Just to learn.
>
> > You can make XP use NTLMv2, see here:
> >
> > https://www.imss.caltech.edu/node/396
>
> Great, I will test that on monday. thanks.
>
> > I don't know who your customer is, but they really should find a
more
> > up to date way of doing things.
>
> That's why we talk and discuss these issues.
>
> > Cannot help you with encryption, I don't use it. However I feel
that I
> > should point out that the rest of the system seems to be so insecure,
> > that if a badhat does get in, they will problem get the encryption
keys
> > as well.
>
> oh, come on, it's not that bad ;-)
> greets, Stefan
>
Unless your XP systems are air-gapped, it is that bad ;-)

I know that in some cases it's impractical to upgrade Windows versions. For
instance, I helped a man once who had a machine shop / small business. His
CNC mill required windows 98. Replacing the CNC mill would cost over
$50,000, which was not practical; however, keeping the network air-gapped
was practical.

On Sat, 11 Nov 2017 13:32:31 -0600
Andrew Walker <walker.aj325 at gmail.com> wrote:
> I thought "net use" will use ntlm for auth (no clear-text
passwords
> passing over the wire). At least that's what I see in wireshark on
> modern windows.
> 
If you use NTLMv1, you might as well use plain passwords. Given the
NTLMv1 password, it would take your average badhat about half an hour
to have the plain password.
> 
> Unless your XP systems are air-gapped, it is that bad ;-)
> 
> I know that in some cases it's impractical to upgrade Windows
> versions. For instance, I helped a man once who had a machine shop /
> small business. His CNC mill required windows 98. Replacing the CNC
> mill would cost over $50,000, which was not practical; however,
> keeping the network air-gapped was practical.
There are cases when using an old OS version is valid, but they are few
and far between, the case above is one of them. In Stefan's case, I am
sure that an upgrade path can be found, it may prove to be cheaper in
the long run ;-)

Rowland

>> You can make XP use NTLMv2, see here:
>>
>> https://www.imss.caltech.edu/node/396
Did these changes on the 2 VMs and rebooted.

For sure I also have to remove stuff from smb.conf, I run these
non-default settings for the XPs:

lm announce = no
lanman auth = no
ntlm auth = no
client lanman auth = no
client ntlmv2 auth = yes

That was a recommendation from Louis, afai remember?
Do I have to keep something?

The XPs show up with protocol NT1 in smbstatus.

I will edit smb.conf in a few hours and retest.

On Tue, 14 Nov 2017 15:06:01 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org>
wrote:
> >> You can make XP use NTLMv2, see here:
> >>
> >> https://www.imss.caltech.edu/node/396
> 
> Did these changes on the 2 VMs and rebooted.
> 
> For sure I also have to remove stuff from smb.conf, I run these
> non-default settings for the XPs:
> 
> lm announce = no
> lanman auth = no
> ntlm auth = no
> client lanman auth = no
> client ntlmv2 auth = yes
> 
> That was a recommendation from Louis, afai remember?
> Do I have to keep something?
> 
> The XPs show up with protocol NT1 in smbstatus.
> 
> I will edit smb.conf in a few hours and retest.
> 
> 
If you are running a recent version of Samba (>= 4.5.0), you might as
well remove all of them, they are (apart from 'lm announce') the
default settings. The default for 'lm announce' is 'auto' and
this
setting doesn't broadcast unless something asks it to and AD doesn't
ask.

Rowland