
We are using a Samba configuration on our Red Hat (RHEL 7.9) systems, where SMB authentication is based on an NTLM password hash, which is basically a clear-text credential for a challenge-response authentication and is stored in a separate attribute, sambaNTPassword, in the LDAP (Oracle Unified Directory) directory database.

So, our security team carried out some pen-testing and found that the MD4 hash which is used by our Samba can be intercepted, as it is a weaker hash.

In addition to authentication, ensuring data integrity and encryption in transit are important parts of SMB security, and these again rely on the MD4 hash.

Below is the sample of my Samba configuration:

 cat /etc/samba/smb.conf

[global]
  log file                       = /var/log/samba/%m.log
  log level                      = 2
  max log size                   = 50
  netbios name                   = FDI0816
  server string                  = FDI0816.myorg.com
  workgroup                      = FDI

; ldap configuration
  invalid users                  = root +wheel
  encrypt passwords              = Yes
  guest account                  = nobody
  ldap admin dn                  = cn=sambaAdmin,ou=users,o=services
  ldap group suffix              = ou=Group
  ldap passwd sync               = only
  ldap ssl                       = no
  ldap suffix                    = ou=FDI,o=myorg
  ldap timeout                   = 4
  ldap user suffix               = ou=People
  map to guest                   = Bad User
  security                       = user
  passdb backend = ldapsam:"ldaps://ldap.FDI.myorg.com ldaps://ldap.rnd.myorg.com"

; client connection settings
  deadtime                       = 15
  dns proxy                      = No
  lm announce                    = No
  server min protocol            = SMB2

; shares default settings
  create mask                    = 0750
  directory mask                 = 2750
  posix locking                  = No
  strict allocate                = Yes
  unix extensions                = No
  wide links                     = Yes

; printers are disabled
  disable spoolss                = Yes
  load printers                  = No
  printcap name                  = /dev/null
  printing                       = bsd
  show add printer wizard        = No

[homes]
  browseable                     = No
  comment                        = Your Home
  create mode                    = 0640
  csc policy                     = disable
  directory mask                 = 0750
  public                         = No
  writeable                      = Yes

[proj]
  browseable                     = Yes
  comment                        = Project directories
  csc policy                     = disable
  path                           = /proj
  public                         = No
  writeable                      = Yes

[home]
  browseable                     = Yes
  comment                        = Project directories
  csc policy                     = disable
  path                           = /home
  public                         = No
  writeable                      = Yes

LDAP-side user details, with attributes:

Example:

Attribute                   Value
sambaNTPassword             0735509A0ED9A577BD7D8GG7BC1T
uidNumber                   32222
userPassword                {RBKBD4-HMAC-SHA512}...

Just an update after getting more details from the Security Team:

After reading and going through the pen-testing result, I came to know that the pen-tester was provided with an internal user account (an LDAP-based user) and discovered a weakness in LDAP (Oracle Unified Directory): "LDAP Anonymous Null Bind". This made it possible to retrieve critical information via the LDAP service without having to supply any authentication credentials, since the service also supports search requests with NULL and empty base objects; thus an unauthenticated attacker may exploit this and get the information without any prior knowledge of the LDAP directory.

So, they gained access to the LDAP server, as it was allowing NULL/empty base connections, and dumped all the LDAP data, from which they easily got all the password information for userPassword and sambaNTPassword.

In order to perform the "pass-the-hash" attack, the tool Mimikatz and the browser Internet Explorer were used.

What I need to know is whether:

  • There is a way to sync the userPassword attribute with sambaNTPassword, as Samba doesn't use userPassword for Samba authentication.
  • Or there is anything else which can use a more secure hash.
Karn Kumar
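The "anonymous null bind" and "search with an empty base object" in the pen-test finding above are two specific LDAPv3 messages (RFC 4511). The following is an added example, not code from the post or from Oracle Unified Directory: it hand-encodes both messages in BER, decodes the BindResponse result code, and can send the bind to a directory to check whether anonymous access is still accepted. The host name, port and requested attribute names are assumptions; the response bytes checked in the test are constructed.

```python
"""Added example, not part of the original post: hand-encode the two LDAPv3
messages behind an "anonymous null bind" finding (RFC 4511) and check whether a
directory accepts them. Host and port are assumptions."""
import socket
import ssl


def _ber_len(n: int) -> bytes:
    """BER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(n: int) -> bytes:
    """Non-negative INTEGER, minimal encoding (leading 0x00 when the top bit is set)."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def _octets(s: str) -> bytes:
    return _tlv(0x04, s.encode())


def anonymous_bind_request(msg_id: int = 1) -> bytes:
    """BindRequest [APPLICATION 0]: version 3, empty DN, empty simple password.
    This is the "null bind" from the finding."""
    bind = _tlv(0x60, _int(3) + _octets("") + _tlv(0x80, b""))  # [0] simple = ""
    return _tlv(0x30, _int(msg_id) + bind)


def null_base_search_request(attrs, msg_id: int = 2) -> bytes:
    """SearchRequest [APPLICATION 3] on the empty base DN with scope baseObject:
    the "search with a NULL/empty base object" from the finding.
    Filter is (objectClass=*), encoded as the 'present' choice [7]."""
    body = (_octets("")                          # baseObject ""
            + _tlv(0x0A, b"\x00")                 # scope: baseObject
            + _tlv(0x0A, b"\x00")                 # derefAliases: neverDerefAliases
            + _int(0) + _int(0)                   # sizeLimit, timeLimit: none
            + _tlv(0x01, b"\x00")                 # typesOnly: FALSE
            + _tlv(0x87, b"objectClass")          # filter: present(objectClass)
            + _tlv(0x30, b"".join(_octets(a) for a in attrs)))
    return _tlv(0x30, _int(msg_id) + _tlv(0x63, body))


def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def bind_result_code(message: bytes) -> int:
    """resultCode of a BindResponse [APPLICATION 1]; 0 means the bind was accepted."""
    tag, msg, _ = _read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)                 # skip messageID
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    rc_tag, rc, _ = _read_tlv(op, 0)              # LDAPResult.resultCode ENUMERATED
    if rc_tag != 0x0A:
        raise ValueError("malformed LDAPResult")
    return int.from_bytes(rc, "big")


def _recv_message(sock) -> bytes:
    """Read one complete BER-framed LDAPMessage from the socket."""
    head = sock.recv(2)
    if len(head) < 2:
        raise ConnectionError("connection closed")
    length, extra = head[1], b""
    if length & 0x80:
        extra = sock.recv(length & 0x7F)
        length = int.from_bytes(extra, "big")
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            raise ConnectionError("short read")
        body += chunk
    return head + extra + body


def anonymous_bind_accepted(host: str, port: int = 636, use_tls: bool = True) -> bool:
    """True if the directory answers an anonymous simple bind with success (0).
    A hardened server answers 48 (inappropriateAuthentication) or 53
    (unwillingToPerform) instead. Network call; not exercised by the test."""
    sock = socket.create_connection((host, port), timeout=5)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(anonymous_bind_request())
        return bind_result_code(_recv_message(sock)) == 0


if __name__ == "__main__":
    import sys
    # Default host taken from the passdb backend line in the posted smb.conf.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.FDI.myorg.com"
    print("anonymous bind accepted:", anonymous_bind_accepted(target))
```

A successful anonymous bind by itself is not the whole finding; the damaging part is that a search under the user suffix then returned sambaNTPassword and userPassword. After disabling anonymous binds, repeat the search authenticated as an ordinary user: those two attributes should be readable only by the directory account Samba binds with (the `ldap admin dn`), not by every user.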

1 Answer


MD4 is intrinsic to NTLM authentication. NTLM uses an unsalted MD4 hash of the password as the secret, and in some versions, it uses that hash to encrypt a challenge with DES, and in other versions it uses HMAC-MD5. The former is attackable for about $20, and even though the latter requires more effort, neither MD4 nor MD5 should be used anymore for any purpose.

You should switch to using Kerberos instead for authentication. If you're using one of the more modern algorithms, not the rc4-hmac (which is again MD4-based), then this should be sufficient to prevent attackers from performing pass-the-hash attacks. Note that you should still protect the password fields because the Kerberos server may store sensitive data in the LDAP server, but you won't have to deal with MD4.

I will point out that none of the algorithms Windows supports for Kerberos are great, since the best ones still use HMAC-SHA-1, but there are reasonably secure options. If you care about strong security, you won't use Windows and CIFS (the protocol used by SMB) and will use something like SFTP instead.

bk2204
  • @bk2204, thanks for the answer, but I'm thinking about what we can do with the current setup, where we are using `NTPassword` for Samba and these are stored in LDAP. – Karn Kumar Aug 20 '21 at 14:29
  • If you want to stop using MD4 and/or not be vulnerable to pass-the-hash attacks, then you can't use `sambaNTPassword` or NTLM at all. The only option is to use other authentication. – bk2204 Aug 20 '21 at 14:55
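To make concrete why the answer and the last comment say that sambaNTPassword and pass-the-hash cannot be separated, here is an added example (not code from the post, from Samba or from Microsoft). It implements MD4 in pure Python (OpenSSL 3 ships MD4 only in its legacy provider, so hashlib often lacks it), derives the NT hash as the unsalted MD4 of the UTF-16LE password, and then computes an NTLMv2 response twice: once from the password and once from a 32-digit hex string exactly as it would be read out of sambaNTPassword. The two responses are identical, because the NT hash is the only secret NTLMv2 ever consumes. The user name, domain, server challenge, timestamp and client nonce are constructed values; the hex hash is the well-known NT hash of the string "password".

```python
"""Added example (not code from the post, Samba or Microsoft): the NT hash is an
unsalted MD4 of the UTF-16LE password, and NTLMv2 derives its response from that
hash alone, so the hex string in sambaNTPassword is a usable credential.
User, domain, challenge and timestamp below are constructed values."""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: three rounds of sixteen steps per 64-byte little-endian block."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = h
        for fn, const, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[idx] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate roles so 'a' is always the word being updated
        h = [(x + y) & _MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1 (MS-NLMP 3.3.1): MD4 over the UTF-16LE password, no salt, no iteration.
    sambaNTPassword stores exactly this value as 32 uppercase hex digits."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_temp(timestamp: bytes, client_challenge: bytes, av_pairs: bytes = b"\x00" * 4) -> bytes:
    """The 'temp' blob (MS-NLMP 3.3.2): RespType 1, HiRespType 1, 6 reserved bytes,
    8-byte FILETIME, 8-byte client nonce, 4 reserved, AV_PAIRs (only MsvAvEOL here), 4 reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, temp: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp, where
       NTOWFv2    = HMAC_MD5(NT hash, UTF16LE(UPPER(user) || domain))
       NTProofStr = HMAC_MD5(NTOWFv2, ServerChallenge || temp).
    The only secret input is the NT hash; the password itself never appears."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    nt_proof = hmac.new(ntowf_v2, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def pass_the_hash_demo() -> dict:
    """Compute one NTLMv2 response from the password and again from a hex NT hash
    as dumped from sambaNTPassword. All inputs are constructed; the hex value is
    the well-known NT hash of 'password'."""
    dumped_samba_nt_password = "8846F7EAEE8FB117AD06BDD830B7586C"
    user, domain = "karn", "FDI"                       # workgroup name taken from the posted smb.conf
    server_challenge = bytes.fromhex("0123456789abcdef")
    temp = ntlmv2_temp(timestamp=b"\x00" * 8, client_challenge=bytes.fromhex("aaaaaaaaaaaaaaaa"))
    from_password = ntlmv2_response(nt_hash("password"), user, domain, server_challenge, temp)
    from_hash = ntlmv2_response(bytes.fromhex(dumped_samba_nt_password), user, domain,
                                server_challenge, temp)
    return {"nt_hash": nt_hash("password").hex().upper(),
            "from_password": from_password.hex(),
            "from_hash": from_hash.hex(),
            "identical": from_password == from_hash}


if __name__ == "__main__":
    for key, value in pass_the_hash_demo().items():
        print(f"{key}: {value}")
```

Two consequences follow directly from the code. First, there is no way to "store a stronger hash" for NTLM: the server has to hold the very MD4 value the client feeds into HMAC-MD5, so re-hashing it with anything else would make authentication impossible (userPassword in the directory uses a salted, iterated scheme precisely because it is never used this way). Second, NTLMv1 is worse than what is shown here: it DES-encrypts the server challenge with the NT hash split into three 7-byte keys, which is the "attackable for about $20" case in the answer; it is omitted from the example because the standard library has no DES.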