Skip to Content.
Sympa Menu

ad-assurance - [AD-Assurance] RE: Sorry for the NTLMv1/v2 confusion

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

[AD-Assurance] RE: Sorry for the NTLMv1/v2 confusion

Chronological Thread 
  • From: Eric Goodman <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: Sorry for the NTLMv1/v2 confusion
  • Date: Fri, 21 Jun 2013 18:42:31 +0000
  • Accept-language: en-US
  • Authentication-results:; dkim=neutral (message not signed) header.i=none

I was going to make the same apology for unnecessarily describing what Pass-the-Hash attacks are in detail, which was of course totally unnecessary.


--- Eric


From: [mailto:] On Behalf Of Ron Thielen
Sent: Friday, June 21, 2013 10:14 AM
Subject: [AD-Assurance] Sorry for the NTLMv1/v2 confusion


I apologize for nearly derailing the conversation.  While I still maintain that hash stealing attacks against NTLMv2 are irrelevant to Silver assertion if you can't use the hash to authenticate to a service that compromises the actual password (e.g. as long as Shib isn't using Windows authentication), the piece I confused was that NTLMv1 does actually pass the password.  So, a brute force attack on v1 does get you the actual password, not just a hash collision.


This just reinforces my conviction that the world would be a much better place without Windows.  If only IBM had chosen CPM instead of MS-DOS back in the day.  :-)



Archive powered by MHonArc 2.6.16.

Top of Page