
ad-assurance - [AD-Assurance] RE: Sorry for the NTLMv1/v2 confusion

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: Eric Goodman <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: Sorry for the NTLMv1/v2 confusion
  • Date: Fri, 21 Jun 2013 18:42:31 +0000

I was going to make the same apology for unnecessarily describing what Pass-the-Hash attacks are in detail, which was of course totally unnecessary.

 

--- Eric

 

From: [mailto:] On Behalf Of Ron Thielen
Sent: Friday, June 21, 2013 10:14 AM
To:
Subject: [AD-Assurance] Sorry for the NTLMv1/v2 confusion

 

I apologize for nearly derailing the conversation.  While I still maintain that hash stealing attacks against NTLMv2 are irrelevant to Silver assertion if you can't use the hash to authenticate to a service that compromises the actual password (e.g. as long as Shib isn't using Windows authentication), the piece I confused was that NTLMv1 does actually pass the password.  So, a brute force attack on v1 does get you the actual password, not just a hash collision.

 

This just reinforces my conviction that the world would be a much better place without Windows.  If only IBM had chosen CPM instead of MS-DOS back in the day.  :-)

 

Ron



