
Thread: Weak Lanman Auth Sig




Weak Lanman Auth Sig
United States
2007-07-20 19:00:39
#by Adam Ellison
# Detects the old style weak and crackable windows auth in use. By default this should not be in
#  active use, but can be forced by hostile parties by a number of methods
alert tcp $HOME_NET 139 -> any any (msg:"BLEEDING-EDGE POLICY Weak Netbios Lanman Auth Challenge Detected"; flow:from_server,established; content:"|ff 53 4d 42|"; content:"|00 11 22 33 44 55 66 77 88|"; classtype:policy-violation; sid:2006417; rev:1;)

Please give this a test and let me know how it goes. May be noisy in very old windows environments.

Matt

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
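
Added example, not part of the original post or the Bleeding Edge ruleset: a Python check that reads the challenge from its field position in an SMB1 NT LM 0.12 negotiate response on TCP/139, instead of matching the bytes anywhere in the payload as the rule's content options do. The function names and the test frame are constructed for illustration.

```python
import struct

FIXED_CHALLENGE = bytes.fromhex("1122334455667788")  # challenge bytes in the rule
SMB_MAGIC = b"\xffSMB"            # same bytes as the rule's first content match
SMB_COM_NEGOTIATE = 0x72
FLAG_REPLY = 0x80                 # set in server-to-client messages

def negotiate_challenge(payload):
    """Return the server challenge from an SMB1 NT LM 0.12 negotiate
    response carried on TCP/139, or None if the payload is anything else."""
    smb = payload[4:]                            # skip NetBIOS session header
    if len(smb) < 69 or smb[:4] != SMB_MAGIC:
        return None
    if smb[4] != SMB_COM_NEGOTIATE or not smb[9] & FLAG_REPLY:
        return None
    if smb[32] != 17:                            # WordCount of an NT LM 0.12 reply
        return None
    key_len = smb[66]                            # ChallengeLength, last parameter byte
    # smb[67:69] is ByteCount (little-endian); its high byte is the 00 that
    # precedes the challenge whenever the data block is under 256 bytes.
    if key_len != 8 or len(smb) < 69 + key_len:  # length is 0 with extended security
        return None
    return smb[69:69 + key_len]

def uses_fixed_challenge(payload):
    """True only when the negotiated challenge field is the fixed value."""
    return negotiate_challenge(payload) == FIXED_CHALLENGE

def build_negotiate_response(challenge, trailer=b"W\x00G\x00\x00\x00"):
    """Constructed test frame, not a capture: minimal negotiate response."""
    header = (SMB_MAGIC + bytes([SMB_COM_NEGOTIATE]) + bytes(4)
              + bytes([FLAG_REPLY | 0x08]) + bytes(22))
    words = struct.pack("<HBHHIIIIQhB", 0, 0x03, 50, 1, 16644, 65536,
                        0, 0x0000E3FD, 0, 0, len(challenge))
    data = challenge + trailer
    smb = header + bytes([17]) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

if __name__ == "__main__":
    samples = (("fixed", FIXED_CHALLENGE),
               ("random", bytes.fromhex("a1b2c3d4e5f60718")))
    for name, chal in samples:
        frame = build_negotiate_response(chal)
        print(name, negotiate_challenge(frame).hex(), uses_fixed_challenge(frame))
```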

Re: Weak Lanman Auth Sig
United Kingdom
2007-07-20 19:41:25
False positives should be zero.
The chances of a random LM challenge being 001122334455667788 are akin to winning "a" lottery.  There are publicly available pre calculated half_LM_challenge rainbow tables available on the net that make this exploit a favourite =)

reference: http://en.wikibooks.org/wiki/Metasploit/Tips_and_Tricks
	"LM Half-Challenge"

Anyone interested in half_LM_challenge rainbow tables with something other than "001122334455667788" challenge? *hahaha!*

kATAR


On Saturday 21 July 2007 01:00, Matt Jonkman wrote:
> #by Adam Ellison
> # Detects the old style weak and crackable windows auth in use. By default this should not be in
> #  active use, but can be forced by hostile parties by a number of methods
> alert tcp $HOME_NET 139 -> any any (msg:"BLEEDING-EDGE POLICY Weak Netbios Lanman Auth Challenge Detected"; flow:from_server,established; content:"|ff 53 4d 42|"; content:"|00 11 22 33 44 55 66 77 88|"; classtype:policy-violation; sid:2006417; rev:1;)
>
> Please give this a test and let me know how it goes. May be noisy in very old windows environments.
>
> Matt
