Web lists-archives.com

Re: [Samba] how safe is "net use" in a batch file? plus some encryption questions




On Sat, Nov 11, 2017 at 12:26 PM, Stefan G. Weichinger via samba <
samba@xxxxxxxxxxxxxxx> wrote:

> Am 2017-11-11 um 13:36 schrieb Rowland Penny:
>
> > As far as I am aware, 'net use' sends the password unencrypted, so if
> > someone is trying to 'sniff' the password, they will get it, but then
> > if the password is stored in the bat file unencrypted and anybody can
> > read the bat file, they wont need to 'sniff' the password.
>
> Yes, we know ;-)
>

I thought "net use" will use ntlm for auth (no clear-text passwords passing
over the wire). At least that's what I see in wireshark on modern windows.


>
> The thin client with the batch file is physically far away from the
> server which is in a protected rack inside a closed basement.
>
> I think I will try to wireshark such a session. Just to learn.
>
> > You can make XP use NTLMv2, see here:
> >
> > https://www.imss.caltech.edu/node/396
>
> Great, I will test that on monday. thanks.
>
> > I don't know who your customer is, but they really should find a more
> > up to date way of doing things.
>
> That's why we talk and discuss these issues.
>
> > Cannot help you with encryption, I don't use it. However I feel that I
> > should point out that the rest of the system seems to be so insecure,
> > that if a badhat does get in, they will problem get the encryption keys
> > as well.
>
> oh, come on, it's not that bad ;-)
> greets, Stefan
>

Unless your XP systems are air-gapped, it is that bad ;-)

I know that in some cases it's impractical to upgrade Windows versions. For
instance, I helped a man once who had a machine shop / small business. His
CNC mill required windows 98. Replacing the CNC mill would cost over
$50,000, which was not practical; however, keeping the network air-gapped
was practical.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba