We are using samba configuration on our RedHat(RHEL7.9) systems, where SMB authentication is based on a NTLM password hash which basically a clear-text credential
for a challenge-response authentication which getting stored in a separate attribute, sambaNTPassword in the LDAP(Oracle unified Directory) directory database.
So, Our security team carried out some pen-testing and found the MD4 which is used by our samba that can be intercepted as it carries weaker hash.
In addition to authentication, ensuring data integrity and encryption in transit are important parts of SMB security, which is again relying on MD4 hash.
Below is the sample of my samba configuration:
cat /etc/samba/smb.conf
[global]
log file = /var/log/samba/%m.log
log level = 2
max log size = 50
netbios name = FDI0816
server string = FDI0816.myorg.com
workgroup = FDI
; ldap configuration
invalid users = root +wheel
encrypt passwords = Yes
guest account = nobody
ldap admin dn = cn=sambaAdmin,ou=users,o=services
ldap group suffix = ou=Group
ldap passwd sync = only
ldap ssl = no
ldap suffix = ou=FDI,o=myorg
ldap timeout = 4
ldap user suffix = ou=People
map to guest = Bad User
security = user
passdb backend = ldapsam:"ldaps://ldap.FDI.myorg.com ldaps://ldap.rnd.myorg.com"
; client connection settings
deadtime = 15
dns proxy = No
lm announce = No
server min protocol = SMB2
; shares default settings
create mask = 0750
directory mask = 2750
posix locking = No
strict allocate = Yes
unix extensions = No
wide links = Yes
; printers are disabled
disable spoolss = Yes
load printers = No
printcap name = /dev/null
printing = bsd
show add printer wizard = No
[homes]
browseable = No
comment = Your Home
create mode = 0640
csc policy = disable
directory mask = 0750
public = No
writeable = Yes
[proj]
browseable = Yes
comment = Project directories
csc policy = disable
path = /proj
public = No
writeable = Yes
[home]
browseable = Yes
comment = Project directories
csc policy = disable
path = /home
public = No
writeable = Yes
LDAP side user details with attribute:
Example:
Attribute Description value
sambaNTPassword 0735509A0ED9A577BD7D8GG7BC1T
uidNumber 32222
userPassword {RBKBD4-HMAC-SHA512)...
Other details:
Samba Version: 4.10
Client side smb version: 2
Samba Server : RHEL7.9
If anyone came across this and have a solution, then I would like to seek the guidance or advice to mitigate the issue.
Post Update receiving Security assessment Document:
After reading and going through with pen-testing result, I came to know pen-tester was provided with the internal user-account for a user which is based on LDAP and discovered weaknesses for LDAP(Oracle Unified Directory) where they found "LDAP Anonymous Null Bind" hence they found it possible to retrieve critical information via LDAP service without having to supply any authentication credentials, since it also supports search requests with the NULL and empty, base objects thus an unauthenticated attacker may exploit and get the information even any prior knowledge of LDAP.
So, gained access to the LDAP Server as it was allowing the NUll/empty base connections to LDAP Server and dumped all the LDAP DATA where easily got all the Password information for userPassword
& sambaNTPassword
.
In order to perform the "pass-the-hash" attack, the tool "Mimikatz" and the browser "Internet Explorer" were used.
However, interesting here to highlight, to get access to the Organization they required VPN access from outside, thus they used meterpreter
tool to bypass the same with the reverse https connection
paylod.