LM Challenge-Response Hash Always Sent in SMB Authentication
This vulnerability is an authentication bypass caused by the unconditional transmission of the LM challenge-response hash during SMB authentication. The application failed to disable the LM hash in favor of the more secure NTLM hash, so attackers could run offline attacks against the weak LM hashes. The researcher discovered this by observing network traffic during SMB authentication and identifying LM hashes, which should have been deprecated long ago. The LM hash is susceptible to dictionary attacks, allowing passwords to be cracked offline. Because of the flawed configuration, an LM hash was sent on every authentication, making offline attacks easier. This vulnerability could lead to account takeovers, unauthorized access, and data breaches. The researcher received $5,000 for this discovery. To prevent similar issues, disable the LM hash and ensure that only NTLM hashes are transmitted during SMB authentication. Key lesson: always use stronger authentication mechanisms like NTLM rather than deprecated LM hashes. #BugBounty #Cybersecurity #WebSecurity #AuthenticationBypass #SMB

curl disclosed on HackerOne: LM Challenge-Response Hash Always Sent...
# LM Challenge-Response Hash Always Sent in SMB Authentication

## Summary

The curl SMB client unconditionally computes and sends both the legacy LAN Manager (LM) and NT challenge-response hashes during SMB session setup. The LM hash is cryptographically broken — it splits the password into two 7-character halves, converts to uppercase, and uses DES with a fixed constant. Combined with the...
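The LM construction the report summary describes, as an added Go example rather than curl's own code: the fixed DES plaintext "KGS!@#$%" and the 21-byte zero padding of the LM challenge-response are taken from the published LM specification, not from this page, and the challenge value in the comments is constructed. It shows why the two halves can be attacked independently and why a password of seven characters or fewer leaves a recognizable second half (emptyHalf), the check an auditor uses to flag weak LM material.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"strings"
)

// lmMagic is the fixed plaintext each password half DES-encrypts; emptyHalf is
// its encryption under an all-zero key, i.e. a hash half for an empty half.
var lmMagic = []byte("KGS!@#$%")
var emptyHalf, _ = hex.DecodeString("aad3b435b51404ee")

// desEncrypt returns one DES block of src under a 7-byte key, spreading the 56
// key bits over the top 7 bits of 8 bytes (DES ignores each byte's parity bit).
func desEncrypt(k7, src []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0]
	for i := 1; i < 7; i++ {
		k[i] = k7[i-1]<<uint(8-i) | k7[i]>>uint(i)
	}
	k[7] = k7[6] << 1
	block, err := des.NewCipher(k)
	if err != nil {
		panic(err) // only a wrong key length can fail here
	}
	out := make([]byte, 8)
	block.Encrypt(out, src)
	return out
}

// LMHash uppercases the password (ASCII assumed), pads or truncates it to 14
// bytes and encrypts lmMagic under each 7-byte half. The halves never mix.
func LMHash(password string) []byte {
	p := make([]byte, 14)
	copy(p, strings.ToUpper(password))
	return append(desEncrypt(p[:7], lmMagic), desEncrypt(p[7:], lmMagic)...)
}

// LMResponse is the 24-byte LM challenge-response: the hash zero-padded to 21
// bytes, each 7-byte slice DES-encrypting the server's 8-byte challenge (a
// constructed value in the test); the third slice is two hash bytes plus zeros.
func LMResponse(password string, challenge []byte) []byte {
	h := make([]byte, 21)
	copy(h, LMHash(password))
	var resp []byte
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desEncrypt(h[i:i+7], challenge)...)
	}
	return resp
}
```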