Stefan G. Weichinger
2017-Nov-11 18:26 UTC
[Samba] how safe is "net use" in a batch file? plus some encryption questions
On 2017-11-11 at 13:36, Rowland Penny wrote:
> As far as I am aware, 'net use' sends the password unencrypted, so if
> someone is trying to 'sniff' the password, they will get it, but then
> if the password is stored in the bat file unencrypted and anybody can
> read the bat file, they won't need to 'sniff' the password.

Yes, we know ;-)

The thin client with the batch file is physically far away from the
server which is in a protected rack inside a closed basement.

I think I will try to wireshark such a session. Just to learn.

> You can make XP use NTLMv2, see here:
>
> https://www.imss.caltech.edu/node/396

Great, I will test that on Monday. Thanks.

> I don't know who your customer is, but they really should find a more
> up to date way of doing things.

That's why we talk and discuss these issues.

> Cannot help you with encryption, I don't use it. However I feel that I
> should point out that the rest of the system seems to be so insecure,
> that if a badhat does get in, they will probably get the encryption keys
> as well.

Oh, come on, it's not that bad ;-)

greets, Stefan
Andrew Walker
2017-Nov-11 19:32 UTC
[Samba] how safe is "net use" in a batch file? plus some encryption questions
On Sat, Nov 11, 2017 at 12:26 PM, Stefan G. Weichinger via samba <samba at lists.samba.org> wrote:
> On 2017-11-11 at 13:36, Rowland Penny wrote:
>
> > As far as I am aware, 'net use' sends the password unencrypted, so if
> > someone is trying to 'sniff' the password, they will get it, but then
> > if the password is stored in the bat file unencrypted and anybody can
> > read the bat file, they won't need to 'sniff' the password.
>
> Yes, we know ;-)
>

I thought "net use" will use ntlm for auth (no clear-text passwords
passing over the wire). At least that's what I see in wireshark on
modern Windows.

>
> The thin client with the batch file is physically far away from the
> server which is in a protected rack inside a closed basement.
>
> I think I will try to wireshark such a session. Just to learn.
>
> > You can make XP use NTLMv2, see here:
> >
> > https://www.imss.caltech.edu/node/396
>
> Great, I will test that on Monday. Thanks.
>
> > I don't know who your customer is, but they really should find a more
> > up to date way of doing things.
>
> That's why we talk and discuss these issues.
>
> > Cannot help you with encryption, I don't use it. However I feel that I
> > should point out that the rest of the system seems to be so insecure,
> > that if a badhat does get in, they will probably get the encryption keys
> > as well.
>
> Oh, come on, it's not that bad ;-)
> greets, Stefan
>

Unless your XP systems are air-gapped, it is that bad ;-)

I know that in some cases it's impractical to upgrade Windows
versions. For instance, I helped a man once who had a machine shop /
small business. His CNC mill required Windows 98. Replacing the CNC
mill would cost over $50,000, which was not practical; however,
keeping the network air-gapped was practical.
Rowland Penny
2017-Nov-11 19:48 UTC
[Samba] how safe is "net use" in a batch file? plus some encryption questions
On Sat, 11 Nov 2017 13:32:31 -0600 Andrew Walker <walker.aj325 at gmail.com> wrote:
> I thought "net use" will use ntlm for auth (no clear-text passwords
> passing over the wire). At least that's what I see in wireshark on
> modern Windows.
>

If you use NTLMv1, you might as well use plain passwords. Given the
NTLMv1 password, it would take your average badhat about half an hour
to have the plain password.

>
> Unless your XP systems are air-gapped, it is that bad ;-)
>
> I know that in some cases it's impractical to upgrade Windows
> versions. For instance, I helped a man once who had a machine shop /
> small business. His CNC mill required Windows 98. Replacing the CNC
> mill would cost over $50,000, which was not practical; however,
> keeping the network air-gapped was practical.

There are cases when using an old OS version is valid, but they are
few and far between, the case above is one of them. In Stefan's case,
I am sure that an upgrade path can be found, it may prove to be cheaper
in the long run ;-)

Rowland
Stefan G. Weichinger
2017-Nov-14 14:06 UTC
[Samba] how safe is "net use" in a batch file? plus some encryption questions
>> You can make XP use NTLMv2, see here:
>>
>> https://www.imss.caltech.edu/node/396

Did these changes on the 2 VMs and rebooted.

For sure I also have to remove stuff from smb.conf, I run these
non-default settings for the XPs:

lm announce = no
lanman auth = no
ntlm auth = no
client lanman auth = no
client ntlmv2 auth = yes

That was a recommendation from Louis, afai remember?
Do I have to keep something?

The XPs show up with protocol NT1 in smbstatus.

I will edit smb.conf in a few hours and retest.
Rowland Penny
2017-Nov-14 14:38 UTC
[Samba] how safe is "net use" in a batch file? plus some encryption questions
On Tue, 14 Nov 2017 15:06:01 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >> You can make XP use NTLMv2, see here:
> >>
> >> https://www.imss.caltech.edu/node/396
>
> Did these changes on the 2 VMs and rebooted.
>
> For sure I also have to remove stuff from smb.conf, I run these
> non-default settings for the XPs:
>
> lm announce = no
> lanman auth = no
> ntlm auth = no
> client lanman auth = no
> client ntlmv2 auth = yes
>
> That was a recommendation from Louis, afai remember?
> Do I have to keep something?
>
> The XPs show up with protocol NT1 in smbstatus.
>
> I will edit smb.conf in a few hours and retest.
>
>

If you are running a recent version of Samba (>= 4.5.0), you might as
well remove all of them, they are (apart from 'lm announce') the
default settings. The default for 'lm announce' is 'auto' and this
setting doesn't broadcast unless something asks it to and AD doesn't
ask.

Rowland
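
Added example, not part of the original thread and not Samba's own code: a small Python check that reads smb.conf text and reports any of the four auth parameters discussed above that are set to a value permitting LM or NTLMv1. It assumes Samba >= 4.5.0, where per the reply above the listed values are the defaults, so an absent parameter is not flagged; the function names and the sample config are constructed for illustration.

```python
# Added example: audit the [global] auth parameters discussed in this thread.
# Expected values are the ones Stefan posted; per Rowland's reply they are
# also the defaults on Samba >= 4.5.0, so an absent parameter is not flagged.
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

# normalized parameter name -> values that keep LM/NTLMv1 switched off
SAFE = {
    "lanmanauth": FALSE,
    "ntlmauth": FALSE | {"ntlmv2-only", "mschapv2-and-ntlmv2-only", "disabled"},
    "clientlanmanauth": FALSE,
    "clientntlmv2auth": TRUE,
}

def norm(name):
    # smb.conf ignores case and whitespace in parameter and section names
    return "".join(name.split()).lower()

def audit_auth(conf_text):
    """Return (parameter, value) pairs in [global] that permit LM or NTLMv1."""
    section, effective = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            effective[norm(key)] = value.strip().lower()  # last setting wins
    return sorted((k, v) for k, v in effective.items()
                  if k in SAFE and v not in SAFE[k])

# Constructed sample: a config loosened for legacy clients.
SAMPLE = """
[global]
   workgroup = EXAMPLE
   ; lanman auth = yes   (commented out, ignored)
   NTLM Auth = yes
   client ntlmv2 auth = no
   lanman auth = no
[share]
   ntlm auth = yes
"""

if __name__ == "__main__":
    for key, value in audit_auth(SAMPLE):
        print(f"weak: {key} = {value}")
```

On a live server, feed it the output of "testparm -s" rather than the raw file so that included files are resolved first.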