lgandx / Responder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
GNU General Public License v3.0

NTLMv1 downgrade "requires" SMB1? #149

Closed ghost closed 3 years ago

ghost commented 3 years ago

I run Responder with the --lm option. Win10 20H2 client -> Network Security: LAN Manager authentication level is 0 or 1 (send LM & NTLM responses). I get a connection to Responder, but then the client terminates it without sending credentials.

Installing SMB1 support on the box makes the connection work properly and NTLMv1 credentials are captured.

This is strange because I do not see a direct relation between NTLMv1 and SMB1. After all, WPAD/HTTP poisoning or capturing NTLMv1 over the RDP server works fine on the same box, regardless of whether SMB1 is installed or not. Just to confirm: is there no way to downgrade to NTLMv1 over SMB2?

Debugging details: [screenshot omitted]

SMB negotiation request: [screenshot omitted]

SMB negotiation response: [screenshot omitted]

Here is the same negotiation response when SMBv1 is installed: [screenshot omitted]

It says "Selected Index: NT LM 0.12", so it is the same in both cases. NT LM 0.12 indicates SMBv1, so it is clear why this fails on the box without SMBv1 support. I am just wondering if downgrading is also possible over SMBv2.

Thanks for the clarification.
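The "Selected Index" the reporter is looking at is the DialectIndex field of the SMB1 NEGOTIATE response: it points into the dialect list the client offered in its SMB_COM_NEGOTIATE request, and whether the rest of the session (including the NTLMSSP exchange in SESSION_SETUP) runs over SMB1 or SMB2 is decided by which string that index selects. The following script is an added example, not code from Responder or from anyone in this thread. It builds a multi-protocol negotiate request from a constructed dialect list (the strings are the spec's, the list is a sample, not a capture), parses it back, and models the server-side choice: selecting "NT LM 0.12" keeps everything on SMB1, selecting an "SMB 2." dialect switches to an SMB2 NEGOTIATE response (signature 0xFE 'S' 'M' 'B'), and insisting on "NT LM 0.12" against a client that only offers SMB2 dialects leaves nothing to select (0xFFFF). The reply model returns only the fields that decide the transport; it does not emit a full response packet.

```python
import struct

SMB1_MAGIC = b"\xffSMB"          # SMB1 header signature
SMB2_MAGIC = b"\xfeSMB"          # SMB2 header signature
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF              # DialectIndex meaning "none of the offered dialects"

# Constructed sample: a classic multi-protocol negotiate from a client that still
# speaks SMB1 and also advertises SMB2 via the two wildcard/2.002 strings.
SAMPLE_DIALECTS = [
    "PC NETWORK PROGRAM 1.0",
    "LANMAN1.0",
    "Windows for Workgroups 3.1a",
    "LM1.2X002",
    "LANMAN2.1",
    "NT LM 0.12",
    "SMB 2.002",
    "SMB 2.???",
]
# Constructed sample: a client with no SMB1 dialects at all.
SMB2_ONLY_DIALECTS = ["SMB 2.002", "SMB 2.???"]


def build_negotiate_request(dialects):
    """NetBIOS session header + 32-byte SMB1 header + SMB_COM_NEGOTIATE body."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE,  # Command
        0,                  # Status
        0x18,               # Flags
        0xC853,             # Flags2 (unicode, NT status, extended security)
        0,                  # PIDHigh
        b"\x00" * 8,        # SecurityFeatures
        0,                  # Reserved
        0xFFFF,             # TID
        0xFEFF,             # PIDLow
        0,                  # UID
        0,                  # MID
    )
    # Each dialect is a 0x02 format byte followed by a NUL-terminated string.
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data  # WordCount = 0, ByteCount
    msg = header + body
    return struct.pack(">I", len(msg)) + msg       # 4-byte NetBIOS session header


def parse_negotiate_request(packet):
    """Return the list of dialect strings offered by the client, in index order."""
    length = struct.unpack(">I", packet[:4])[0]
    smb = packet[4:4 + length]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 SMB_COM_NEGOTIATE request")
    word_count = smb[32]
    offset = 33 + 2 * word_count
    byte_count = struct.unpack("<H", smb[offset:offset + 2])[0]
    data = smb[offset + 2:offset + 2 + byte_count]
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:
            raise ValueError("bad dialect buffer format byte")
        end = data.index(b"\x00", pos + 1)
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return dialects


def negotiate_reply(offered, preferred):
    """Model the server's choice: which index it selects and what that means for the transport."""
    if preferred not in offered:
        # Nothing acceptable was offered; the SMB1 reply carries DialectIndex 0xFFFF
        # and the client tears the connection down.
        return {"transport": None, "signature": SMB1_MAGIC, "dialect_index": NO_DIALECT}
    index = offered.index(preferred)
    if preferred.startswith("SMB 2."):
        # Selecting an SMB2 string is answered with an SMB2 NEGOTIATE response;
        # "SMB 2.???" yields the 0x02FF wildcard, "SMB 2.002" yields 0x0202.
        revision = 0x02FF if preferred == "SMB 2.???" else 0x0202
        return {"transport": "SMB2", "signature": SMB2_MAGIC,
                "dialect_index": index, "dialect_revision": revision}
    # Any other string keeps the session on SMB1 with that DialectIndex.
    return {"transport": "SMB1", "signature": SMB1_MAGIC, "dialect_index": index}


if __name__ == "__main__":
    offered = parse_negotiate_request(build_negotiate_request(SAMPLE_DIALECTS))
    print("offered:", offered)
    for preferred in ("SMB 2.???", "NT LM 0.12"):
        print(preferred, "->", negotiate_reply(offered, preferred))
    offered2 = parse_negotiate_request(build_negotiate_request(SMB2_ONLY_DIALECTS))
    print("SMB2-only client, server insists on NT LM 0.12 ->",
          negotiate_reply(offered2, "NT LM 0.12"))
```

Run it as-is to see the three cases: a mixed client answered with "SMB 2.???" moves to SMB2, the same client answered with index 5 ("NT LM 0.12") stays on SMB1, and a client that offers only SMB2 strings cannot be pinned to "NT LM 0.12" at all, which is the failure mode the reporter sees on the box with SMB1 removed.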

lgandx commented 3 years ago

SMB is only a transport passing NTLM messages to LSASS. The downgrade attack you're referring to targets the NTLM message. But the issue you described occurs because SMB1 seems to be disabled on the client. Using the --lm switch forces Responder to use Windows 95-like SMB exchanges.

Hackndo commented 3 years ago

"Using the --lm switch forces Responder to use Windows 95-like SMB exchanges"

But it could be possible to have NTLMv1 authentication using a recent SMB version, right? So the --lm switch should only ask for NTLMv1, and that should be independent of the SMB version, shouldn't it?

lgandx commented 3 years ago

That would be tricky, and not a default behavior. This option was added a long time ago and was used against Windows 2003 servers/XP workstations, as at that time NTLMv2 was not mandatory and either NTLMv1 or v2 could be negotiated. Using this option nowadays is not recommended, as this type of SMB exchange uses Windows 95 behavior and you would probably miss all the SMB2 hashes from servers with SMBv1 disabled. The option is still present because it's useful in SCADA-like networks, where Windows NT4 and Server 2003 are still kings :) I should probably add a warning about it, either in Responder when this option is set or in the documentation.