SMBLibrary
NTLM MIC Support
I've just noticed that the NTLM messages being exchanged do not include a MIC in the authentication message. Just thought it best to open an issue to track this feature going forward.
Hi Jordan, I know that MIC is implemented and it should be sent when necessary AFAIK. Are you saying that you are not able to connect to a server that requires MIC, or that you simply noticed it was missing in some scenario in which it was not clear if it was necessary to send MIC? (and if so - what makes you assume that MIC is necessary in that scenario?)
Tal
I believe the mechListMIC in the SPNEGO token might be set (I haven't actually looked at that specifically yet though) but the NTLM Authentication MIC seems to not be set anywhere in the code for the client. The mechListMIC field in SPNEGO will protect the negotiated mechanisms in SPNEGO but the MIC field in NTLM will ensure the negotiate or challenge messages were not tampered with by someone sitting in the middle. This is especially important because there is no protection on the SMB negotiate and session setup messages. Being able to tamper with these 2 messages can force the client to negotiate with a weaker hash/key allowing the attacker to more easily extract the NT/LM hashes or force a weaker key used in the subsequent SMB signing and encryption.
The client shouldn't wait for some flag by the server to see if a MIC should be set (I don't even believe NTLM has one for this), it should just always send it if doing NTLMv2 based messages.
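The MIC Jordan is describing is defined in MS-NLMP as HMAC_MD5 over the ExportedSessionKey of the three NTLM messages concatenated (NEGOTIATE, CHALLENGE, AUTHENTICATE), with the 16-byte MIC field of the AUTHENTICATE message zeroed while hashing. The following is an added example, not SMBLibrary's code: it builds constructed, minimal NTLM messages with the real MS-NLMP field offsets, stamps the MIC on the client side, and shows that a server verifying against the NEGOTIATE message it actually received rejects the authentication when the negotiate flags were changed in transit. The session key, server challenge and NTLMv2 response bytes are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Field layout constants from MS-NLMP; the message contents built below are
# constructed sample data, not captured traffic.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MIC_OFFSET = 72  # AUTHENTICATE_MESSAGE: MIC follows the 8-byte Version field
MIC_LEN = 16

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000


def build_negotiate(flags):
    # Signature, MessageType=1, NegotiateFlags, empty DomainName/Workstation
    # fields (8 bytes each), 8-byte Version -> 40 bytes
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", flags)
            + b"\x00" * 16 + b"\x00" * 8)


def build_challenge(flags, server_challenge):
    # Signature, MessageType=2, TargetName fields, NegotiateFlags,
    # ServerChallenge, Reserved, TargetInfo fields, Version -> 56 bytes
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2) + b"\x00" * 8
            + struct.pack("<I", flags) + server_challenge + b"\x00" * 8
            + b"\x00" * 8 + b"\x00" * 8)


def build_authenticate(flags, payload):
    # 72-byte fixed header: Signature, MessageType=3, six empty 8-byte
    # field descriptors, NegotiateFlags, Version; then the zeroed MIC slot
    # and the (constructed) payload carrying the NTLMv2 response.
    header = (NTLMSSP_SIGNATURE + struct.pack("<I", 3) + b"\x00" * 48
              + struct.pack("<I", flags) + b"\x00" * 8)
    assert len(header) == MIC_OFFSET
    return header + b"\x00" * MIC_LEN + payload


def compute_mic(exported_session_key, negotiate, challenge, authenticate):
    """MS-NLMP: HMAC_MD5(ExportedSessionKey, NEGOTIATE || CHALLENGE || AUTHENTICATE),
    with the AUTHENTICATE MIC field treated as 16 zero bytes during hashing."""
    zeroed = (authenticate[:MIC_OFFSET] + b"\x00" * MIC_LEN
              + authenticate[MIC_OFFSET + MIC_LEN:])
    return hmac.new(exported_session_key, negotiate + challenge + zeroed,
                    hashlib.md5).digest()


def stamp_mic(exported_session_key, negotiate, challenge, authenticate):
    """Client side: write the MIC into the AUTHENTICATE message."""
    mic = compute_mic(exported_session_key, negotiate, challenge, authenticate)
    return authenticate[:MIC_OFFSET] + mic + authenticate[MIC_OFFSET + MIC_LEN:]


def verify_mic(exported_session_key, negotiate, challenge, authenticate):
    """Server side: recompute over the messages the server actually saw and
    compare in constant time with the MIC the client sent."""
    expected = compute_mic(exported_session_key, negotiate, challenge, authenticate)
    received = authenticate[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(expected, received)


def demo():
    """Returns (verdict for the untouched exchange, verdict when the NEGOTIATE
    message the server received differs from the one the client sent)."""
    key = bytes(range(16))  # constructed stand-in for ExportedSessionKey
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
             | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL
             | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
             | NTLMSSP_NEGOTIATE_KEY_EXCH)
    negotiate_sent = build_negotiate(flags)
    challenge = build_challenge(flags, b"\x11" * 8)  # constructed server challenge
    authenticate = stamp_mic(key, negotiate_sent, challenge,
                             build_authenticate(flags, b"constructed-ntlmv2-response"))

    clean_ok = verify_mic(key, negotiate_sent, challenge, authenticate)

    # The downgrade Jordan describes: the NEGOTIATE bytes that reach the
    # server no longer ask for signing/sealing. The client's MIC covers the
    # bytes it sent, so the server's recomputation no longer matches.
    negotiate_seen_by_server = build_negotiate(
        flags & ~(NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL))
    tampered_ok = verify_mic(key, negotiate_seen_by_server, challenge, authenticate)
    return clean_ok, tampered_ok


if __name__ == "__main__":
    print("untouched exchange verifies:", demo()[0])
    print("modified negotiate verifies:", demo()[1])
```

In a full implementation the client also sets the MsvAvFlags bit 0x00000002 in the NTLMv2 response's target info so the server knows a MIC is present and must be checked; that part of the AUTHENTICATE payload is left out of the constructed messages above.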
You do have a point, I will look into it when I have the time.
Hi Jordan and sorry for the delay, I believe you are correct. I believe there is a very low chance that always sending the MIC for NTLMv2 will introduce issues, but it would be nice if you could point out a server configuration where the lack of MIC will result in login failure in order to emphasize the importance of this change.
I'm unsure if there is a server side setting to mandate the MIC, but the client not including it means any attacker can intercept the messages and perform a relay attack on the NTLM messages exchanged. This is because there is nothing to ensure that any extra security features that stop relay attacks can be performed, as without the MIC the attacker can modify the NTLM token in any way they wish.
This means it's more of a security issue rather than a feature.
NTLM authentication message MIC calculation added in v1.5.1. I've also added the infrastructure to set MechListMIC and will consider enabling it in the future.