On Fri, 2020-09-18 at 15:39 +0200, Marco Gaiarin via samba wrote:
> Hello! Karolin Seeger via samba, on that day, wrote:
>
> > (Both as classic/NT4-style and active directory DC.)
>
> I've searched for some info on the impact of this bug on NT domains,
> finding nothing on the net.
>
> OK, NT domains are dead, I know, but... I seek some feedback.

On real NT4 domains? The particular crypto here was a Windows 2000 thing.
NT4 used 2DES and RC4, which was actually secure for the purpose it was
used for.

On Samba NT4-like domains, see the advisory and read
source3/rpc_server/netlogon/srv_netlogon_nt.c for context.

If you don't have any trusted domains then the big thing is an attacker
being able to remove a member server from the domain, or get session keys
(assisting a takeover 'MITM attack' of an existing session).

Just set 'server schannel = yes' and you will be fine, but better to
already be running a supported version where this is already the default.

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
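A quick way to audit the mitigation named above. This script is an added example and is not code from the thread or from the Samba project: it parses a few constructed smb.conf fragments and reports whether the [global] section actually sets 'server schannel = yes'. It treats 'auto', 'no' and an unset parameter alike as "not enforced", because an unset value falls back to whatever default the installed release ships. The assumption that the parameter is global-only (so a copy in a share section does not count) reflects how Samba scopes it; the file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report whether an smb.conf enforces 'server schannel = yes'.
# Only the [global] section is inspected, since the parameter is global-only.
# Parameter names are matched case-insensitively and with internal whitespace
# removed, matching how Samba itself normalises them; the last assignment wins.

# check_schannel FILE
#   prints a one-line verdict and returns 0 when enforced, 1 otherwise.
check_schannel() {
    conf="$1"
    val=$(awk -F= '
        # section header: remember its name, normalised to lowercase
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[][ \t]/, "", sec); next }
        # skip comments and lines without a key=value pair
        /^[ \t]*[#;]/ || NF < 2 { next }
        {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (sec == "global" && key == "serverschannel") {
                v = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", v); last = v
            }
        }
        END { print (last == "" ? "unset" : last) }
    ' "$conf")
    case "$val" in
        yes|true|1|on)   # spellings Samba accepts for a true boolean
            echo "$conf: server schannel = $val (enforced)"; return 0 ;;
        unset)
            echo "$conf: server schannel not set; release default applies"; return 1 ;;
        *)
            echo "$conf: server schannel = $val (not enforced)"; return 1 ;;
    esac
}

# Constructed sample configurations (not real deployments).
TMP=$(mktemp -d)

cat > "$TMP/unset.conf" <<'EOF'
# constructed sample: the parameter was never set
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
EOF

cat > "$TMP/weak-auto.conf" <<'EOF'
# constructed sample: schannel negotiated but not required
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   server schannel = auto
EOF

cat > "$TMP/hardened.conf" <<'EOF'
# constructed sample: the setting recommended in the thread
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   Server SChannel = yes
[netlogon]
   path = /srv/samba/netlogon
   server schannel = no   ; ignored: global-only parameter in a share section
EOF

for f in unset weak-auto hardened; do
    check_schannel "$TMP/$f.conf"
done
```

The script only reads the file; to see the value Samba actually applies, defaults included, run `testparm -s --parameter-name="server schannel"` on the DC itself, which is the authoritative check once the configuration is loaded.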
Hello! Andrew Bartlett via samba, on that day, wrote:

> If you don't have any trusted domains then the big thing is an attacker
> being able to remove a member server from the domain, or get session
> keys (assisting a takeover 'MITM attack' of an existing session).

So, effectively, on NT domains the attack surface of the bug is reduced?

If I've understood the paper well, in AD (but it speaks only about
Microsoft AD DCs, if again I've understood well) an attacker can
completely take over the domain, escalating up to the Administrator's
credentials.

In NT mode this is not effectively possible?

Thanks.

-- 
dott. Marco Gaiarin                                     GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

        Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
    (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Tue, 2020-09-22 at 18:43 +0200, Marco Gaiarin via samba wrote:
> Hello! Andrew Bartlett via samba, on that day, wrote:
>
> > If you don't have any trusted domains then the big thing is an
> > attacker being able to remove a member server from the domain, or get
> > session keys (assisting a takeover 'MITM attack' of an existing
> > session).
>
> So, effectively, on NT domains the attack surface of the bug is
> reduced?

On Samba NT domains, yes. Real NT domains never implemented the broken
crypto (but I'm sure they are a pushover to break into anyway).

> If I've understood the paper well, in AD (but it speaks only about
> Microsoft AD DCs, if again I've understood well) an attacker can
> completely take over the domain, escalating up to the Administrator's
> credentials.

Yes.

> In NT mode this is not effectively possible?

In short, yes.

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba