fouzhe
2023-Jan-09 02:57 UTC
[Samba] Does samba provide a fuzzing mode that uses deterministic NTLMSSP_Challenge?
Hi,

Recently I want to fuzz samba systematically (instead of functional fuzzing like OSS-Fuzz/samba). However, the fuzzer acts like smbclient and needs to establish a connection with the samba server via NTLM authentication. The NTLMSSP_Challenge sent by the server is not deterministic, which can render the fuzzing based on previously captured traffic futile. Does samba provide a fuzzing mode that uses deterministic NTLMSSP_Challenge, or how can I directly bypass the authentication stage?

Thanks for your time.
Douglas Bagnall
2023-Jan-09 04:33 UTC
[Samba] Does samba provide a fuzzing mode that uses deterministic NTLMSSP_Challenge?
hi Fouzhe,

On 9/01/23 15:57, fouzhe via samba wrote:
> Recently I want to fuzz samba systematically (instead of functional fuzzing like OSS-Fuzz/samba). However, the fuzzer acts like smbclient and needs to establish a connection with the samba server via NTLM authentication. The NTLMSSP_Challenge sent by the server is not deterministic, which can render the fuzzing based on previously captured traffic futile. Does samba provide a fuzzing mode that uses deterministic NTLMSSP_Challenge, or how can I directly bypass the authentication stage?
>

That question might get more answers on the samba-technical list.

https://lists.samba.org/mailman/listinfo/samba-technical

In the meantime the best answer I have is I don't think so. Some of what you want might be possible with LD_PRELOAD or something to intercept gnutls_rnd().

cheers,
Douglas
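As an added example of the LD_PRELOAD approach Douglas mentions (this is not code from the thread or from Samba itself): a shared object that interposes gnutls_rnd() and fills every request from a fixed-seed xorshift64 stream, so a server under test hands out the same "random" bytes on every run. It assumes gnutls_rnd's public signature (level enum, buffer, length, returns 0 on success) and that the enum is int-sized; the FUZZ_RND_SEED variable and the detrnd_* names are my own.

```c
// detrnd.c: deterministic stand-in for gnutls_rnd(), for reproducible fuzz runs only.
// Build:  cc -shared -fPIC -o libdetrnd.so detrnd.c
// Run:    LD_PRELOAD=./libdetrnd.so FUZZ_RND_SEED=1 <samba server under test>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

// Assumption: gnutls_rnd_level_t is an int-sized enum, so declaring the
// parameter as int matches the ABI without needing <gnutls/crypto.h>.
typedef int gnutls_rnd_level_t;

static uint64_t state;   // xorshift64 state; 0 means "not seeded yet"

// xorshift64 step: a bijection on non-zero states, so distinct seeds give
// distinct streams. Deterministic and NOT cryptographically secure.
static uint64_t next_word(void) {
    state ^= state << 13;
    state ^= state >> 7;
    state ^= state << 17;
    return state;
}

// Reset the stream from an explicit seed (a harness can reseed per iteration).
void detrnd_seed(uint64_t seed) {
    state = seed ? seed : 0x9E3779B97F4A7C15ULL;   // xorshift must not start at 0
}

// Interposed gnutls_rnd(): same symbol name and signature as the real one.
// Output depends only on the seed (FUZZ_RND_SEED, hypothetical) and call order,
// so the NTLMSSP challenge drawn from it is the same on every run.
int gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len) {
    (void)level;   // nonce/random/key requests all share one stream here
    if (state == 0) {
        const char *s = getenv("FUZZ_RND_SEED");
        detrnd_seed(s ? strtoull(s, NULL, 0) : 1);
    }
    uint8_t *out = data;
    uint64_t w = 0;
    for (size_t i = 0; i < len; i++) {
        if (i % 8 == 0) w = next_word();      // refill every 8 bytes
        out[i] = (uint8_t)(w >> (8 * (i % 8)));
    }
    return 0;   // GNUTLS_E_SUCCESS
}
```

Whether this alone makes the captured challenge blob byte-identical across runs still has to be confirmed with a packet capture, since fields that do not come from the RNG (a server timestamp, for instance) can vary independently.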