how safe is "net use" in a batch file? plus some encryption questions

Samba - General mailing list

A customer asked me if someone would be able to sniff (wireshark or
something like that) a password if plugging into the same switch as
their samba server.

They use a desktop icon pointing at a plain old bat-file containing a
"net use" command with the password right in there.

I *assume* that the "net use" authenticates via encrypted communication?
Could someone confirm that?

-

Unfortunately we can't use domain context there because of the special
structure there: the thin clients are members in an AD domain separate
from our protected standalone samba server (and these worlds have to be
kept separated).

*and* I have to keep NTLMv1 etc activated to support old Windows XP VMs
... as far as I remember there are ways to activate safer protocols for
XP as well, correct? (they insist on XP because of a specific software ...)

-

They also ask for encryption. I think I could encrypt the underlying
layer via encfs or something, but that means that somebody has to
provide a passphrase at boot/mount-time. I want to avoid a
single-person-of-failure-scenario here: even if I am not available they
have to be able to get that server up and running again in case of some
reboot or so.

Is it recommended to just place a container like Truecrypt or Veracrypt
inside a Samba-share? Any thoughts or recommendations here, best
practices ... ?

have a nice weekend,
Stefan

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: how safe is "net use" in a batch file? plus some encryption questions

Samba - General mailing list
On Sat, 11 Nov 2017 11:02:31 +0100
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

>
> A customer asked me if someone would be able to sniff (wireshark or
> something like that) a password if plugging into the same switch as
> their samba server.
>
> They use a desktop icon pointing at a plain old bat-file containing a
> "net use" command with the password right in there.
>
> I *assume* that the "net use" authenticates via encrypted
> communication? Could someone confirm that?

As far as I am aware, 'net use' sends the password unencrypted, so if
someone is trying to 'sniff' the password, they will get it, but then
if the password is stored in the bat file unencrypted and anybody can
read the bat file, they won't need to 'sniff' the password.

>
> -
>
> Unfortunately we can't use domain context there because of the
> special structure there: the thin clients are members in an AD domain
> separate from our protected standalone samba server (and these worlds
> have to be kept separated).
>
> *and* I have to keep NTLMv1 etc activated to support old Windows XP
> VMs ... as far as I remember there are ways to activate safer
> protocols for XP as well, correct? (they insist on XP because of a
> specific software ...)

You can make XP use NTLMv2, see here:

https://www.imss.caltech.edu/node/396

I don't know who your customer is, but they really should find a more
up to date way of doing things.

>
> -
>
> They also ask for encryption. I think I could encrypt the underlying
> layer via encfs or something, but that means that somebody has to
> provide a passphrase at boot/mount-time. I want to avoid a
> single-person-of-failure-scenario here: even if I am not available
> they have to be able to get that server up and running again in case
> of some reboot or so.
>
> Is it recommended to just place a container like Truecrypt or
> Veracrypt inside a Samba-share? Any thoughts or recommendations here,
> best practices ... ?

Cannot help you with encryption, I don't use it. However I feel that I
should point out that the rest of the system seems to be so insecure,
that if a badhat does get in, they will probably get the encryption keys
as well.

Rowland





Re: how safe is "net use" in a batch file? plus some encryption questions

Samba - General mailing list
On 2017-11-11 at 13:36, Rowland Penny wrote:

> As far as I am aware, 'net use' sends the password unencrypted, so if
> someone is trying to 'sniff' the password, they will get it, but then
> if the password is stored in the bat file unencrypted and anybody can
> read the bat file, they won't need to 'sniff' the password.

Yes, we know ;-)

The thin client with the batch file is physically far away from the
server which is in a protected rack inside a closed basement.

I think I will try to wireshark such a session. Just to learn.

> You can make XP use NTLMv2, see here:
>
> https://www.imss.caltech.edu/node/396

Great, I will test that on Monday. Thanks.

> I don't know who your customer is, but they really should find a more
> up to date way of doing things.

That's why we talk and discuss these issues.

> Cannot help you with encryption, I don't use it. However I feel that I
> should point out that the rest of the system seems to be so insecure,
> that if a badhat does get in, they will probably get the encryption keys
> as well.

oh, come on, it's not that bad ;-)
greets, Stefan


Re: how safe is "net use" in a batch file? plus some encryption questions

Samba - General mailing list
On Sat, Nov 11, 2017 at 12:26 PM, Stefan G. Weichinger via samba <
[hidden email]> wrote:

> On 2017-11-11 at 13:36, Rowland Penny wrote:
>
> > As far as I am aware, 'net use' sends the password unencrypted, so if
> > someone is trying to 'sniff' the password, they will get it, but then
> > if the password is stored in the bat file unencrypted and anybody can
> > read the bat file, they won't need to 'sniff' the password.
>
> Yes, we know ;-)
>

I thought "net use" will use NTLM for auth (no clear-text passwords passing
over the wire). At least that's what I see in Wireshark on modern Windows.


>
> The thin client with the batch file is physically far away from the
> server which is in a protected rack inside a closed basement.
>
> I think I will try to wireshark such a session. Just to learn.
>
> > You can make XP use NTLMv2, see here:
> >
> > https://www.imss.caltech.edu/node/396
>
> Great, I will test that on Monday. Thanks.
>
> > I don't know who your customer is, but they really should find a more
> > up to date way of doing things.
>
> That's why we talk and discuss these issues.
>
> > Cannot help you with encryption, I don't use it. However I feel that I
> > should point out that the rest of the system seems to be so insecure,
> > that if a badhat does get in, they will probably get the encryption keys
> > as well.
>
> oh, come on, it's not that bad ;-)
> greets, Stefan
>

Unless your XP systems are air-gapped, it is that bad ;-)

I know that in some cases it's impractical to upgrade Windows versions. For
instance, I helped a man once who had a machine shop / small business. His
CNC mill required Windows 98. Replacing the CNC mill would cost over
$50,000, which was not practical; however, keeping the network air-gapped
was practical.

Re: how safe is "net use" in a batch file? plus some encryption questions

Samba - General mailing list
On Sat, 11 Nov 2017 13:32:31 -0600
Andrew Walker <[hidden email]> wrote:

> I thought "net use" will use ntlm for auth (no clear-text passwords
> passing over the wire). At least that's what I see in wireshark on
> modern Windows.
>

If you use NTLMv1, you might as well use plain passwords. Given the
NTLMv1 password, it would take your average badhat about half an hour
to have the plain password.

>
> Unless your XP systems are air-gapped, it is that bad ;-)
>
> I know that in some cases it's impractical to upgrade Windows
> versions. For instance, I helped a man once who had a machine shop /
> small business. His CNC mill required Windows 98. Replacing the CNC
> mill would cost over $50,000, which was not practical; however,
> keeping the network air-gapped was practical.

There are cases when using an old OS version is valid, but they are few
and far between, the case above is one of them. In Stefan's case, I am
sure that an upgrade path can be found, it may prove to be cheaper in
the long run ;-)

Rowland
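
The NTLMv1 versus NTLMv2 question raised in the messages above can be settled from a captured session. The following is an added example, not part of any list member's post: it classifies an NTLMSSP AUTHENTICATE message by the size of its NT response (24 bytes for NTLMv1, longer for NTLMv2). It assumes the NTLMSSP blob has already been extracted from the capture; the function names and the sample bytes are constructed for illustration.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"

def _field(msg, pos):
    """Return the payload of the (Len, MaxLen, Offset) descriptor at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(msg):
    """Classify an NTLMSSP AUTHENTICATE (type 3) message by response size."""
    if len(msg) < 28 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE message")
    lm = _field(msg, 12)  # LmChallengeResponse descriptor
    nt = _field(msg, 20)  # NtChallengeResponse descriptor
    if not nt:
        return "no NT response"
    if len(nt) == 24:
        # With extended session security the LM field carries an 8-byte
        # client challenge padded with 16 zero bytes.
        if len(lm) == 24 and lm[8:] == b"\x00" * 16:
            return "NTLMv1 (extended session security)"
        return "NTLMv1"
    return "NTLMv2" if len(nt) > 24 else "unknown"

def build_sample(lm, nt):
    """Constructed type 3 message with empty name fields (test data only)."""
    header = 64
    desc = struct.pack("<HHI", len(lm), len(lm), header)
    desc += struct.pack("<HHI", len(nt), len(nt), header + len(lm))
    # domain, user, workstation, session key: all empty
    desc += struct.pack("<HHI", 0, 0, header + len(lm) + len(nt)) * 4
    flags = struct.pack("<I", 0)
    return SIGNATURE + struct.pack("<I", 3) + desc + flags + lm + nt

if __name__ == "__main__":
    for lm, nt in [(b"\x11" * 24, b"\x22" * 24), (b"\x11" * 24, b"\x44" * 60)]:
        print(classify_authenticate(build_sample(lm, nt)))
```
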


Re: how safe is "net use" in a batch file? plus some encryption questions

Samba - General mailing list
On 2017-11-11 at 20:48, Rowland Penny via samba wrote:

> On Sat, 11 Nov 2017 13:32:31 -0600
> Andrew Walker <[hidden email]> wrote:
>
>> I thought "net use" will use ntlm for auth (no clear-text passwords
>> passing over the wire). At least that's what I see in wireshark on
>> modern Windows.
>>
>
> If you use NTLMv1, you might as well use plain passwords. Given the
> NTLMv1 password, it would take your average badhat about half an hour
> to have the plain password.

That will be first priority to get rid of that, sure.
Plus new passwords after closing that gap.

>> Unless your XP systems are air-gapped, it is that bad ;-)
>>
>> I know that in some cases it's impractical to upgrade Windows
>> versions. For instance, I helped a man once who had a machine shop /
>> small business. His CNC mill required Windows 98. Replacing the CNC
>> mill would cost over $50,000, which was not practical; however,
>> keeping the network air-gapped was practical.
>
> There are cases when using an old OS version is valid, but they are few
> and far between, the case above is one of them. In Stefan's case, I am
> sure that an upgrade path can be found, it may prove to be cheaper in
> the long run ;-)

This is a very protected environment: the VMs are only accessible from a
specific subnet etc etc

But I agree: XP shouldn't be there anymore.


Re: how safe is "net use" in a batch file? plus some encryption questions

Samba - General mailing list
>> You can make XP use NTLMv2, see here:
>>
>> https://www.imss.caltech.edu/node/396

Did these changes on the 2 VMs and rebooted.

For sure I also have to remove stuff from smb.conf, I run these
non-default settings for the XPs:

lm announce = no
lanman auth = no
ntlm auth = no
client lanman auth = no
client ntlmv2 auth = yes

That was a recommendation from Louis, afai remember?
Do I have to keep something?

The XPs show up with protocol NT1 in smbstatus.

I will edit smb.conf in a few hours and retest.



Re: how safe is "net use" in a batch file? plus some encryption questions

Samba - General mailing list
On Tue, 14 Nov 2017 15:06:01 +0100
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> >> You can make XP use NTLMv2, see here:
> >>
> >> https://www.imss.caltech.edu/node/396
>
> Did these changes on the 2 VMs and rebooted.
>
> For sure I also have to remove stuff from smb.conf, I run these
> non-default settings for the XPs:
>
> lm announce = no
> lanman auth = no
> ntlm auth = no
> client lanman auth = no
> client ntlmv2 auth = yes
>
> That was a recommendation from Louis, afai remember?
> Do I have to keep something?
>
> The XPs show up with protocol NT1 in smbstatus.
>
> I will edit smb.conf in a few hours and retest.
>
>

If you are running a recent version of Samba (>= 4.5.0), you might as
well remove all of them, they are (apart from 'lm announce') the
default settings. The default for 'lm announce' is 'auto' and this
setting doesn't broadcast unless something asks it to and AD doesn't
ask.

Rowland
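
The settings discussed in the two messages above can be checked mechanically. The following is an added example, not from the thread and not Samba project code: it scans the [global] section of an smb.conf for explicit values that would re-enable LANMAN or NTLMv1. The function names and sample files are constructed, and the non-boolean `ntlm auth` value names are an assumption taken from later Samba releases, not from the thread.

```python
import re

TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}
# Values that keep LANMAN/NTLMv1 off, matching the settings quoted in the thread.
# The named 'ntlm auth' values are an assumption (later Samba releases).
SAFE = {
    "lanmanauth": FALSE,
    "ntlmauth": FALSE | {"ntlmv2-only", "mschapv2-and-ntlmv2-only", "disabled"},
    "clientlanmanauth": FALSE,
    "clientntlmv2auth": TRUE,
}

def norm(name):
    """smb.conf names ignore case and whitespace: 'NTLM Auth' == 'ntlmauth'."""
    return re.sub(r"\s+", "", name).lower()

def audit(conf_text):
    """Return (parameter, value) pairs in [global] that weaken authentication."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = norm(header.group(1))
            continue
        if section != "global" or "=" not in line:
            continue  # these parameters are only meaningful in [global]
        name, value = line.split("=", 1)
        key, val = norm(name), value.strip().lower()
        if key in SAFE and val not in SAFE[key]:
            findings.append((key, val))
    return findings

# Constructed samples: the thread's settings, and a copy with one line weakened.
THREAD_SETTINGS = """[global]
   lm announce = no
   lanman auth = no
   ntlm auth = no
   client lanman auth = no
   client ntlmv2 auth = yes
"""
WEAKENED = THREAD_SETTINGS.replace("ntlm auth = no", "NTLM Auth = Yes")

if __name__ == "__main__":
    print(audit(THREAD_SETTINGS), audit(WEAKENED))
```

A parameter that is absent from the file falls back to the built-in default of the installed version, which `testparm -sv` prints.
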



Re: how safe is "net use" in a batch file? plus some encryption questions

Samba - General mailing list
On 2017-11-14 at 15:38, Rowland Penny via samba wrote:

> If you are running a recent version of Samba (>= 4.5.0), you might as
> well remove all of them, they are (apart from 'lm announce') the
> default settings. The default for 'lm announce' is 'auto' and this
> setting doesn't broadcast unless something asks it to and AD doesn't
> ask.

Interesting: why did these settings then change something back then?
hmm.

Samba-4.5.10 on Gentoo Linux there.

So "NT1" isn't "bad" ? ;-)

thanks, Stefan

