Date   : Wed, 02 Nov 2011 22:11:20 +0000
From   : philb@... (Phil Blundell)
Subject: Request for Help - Security Research Project

On Wed, 2011-11-02 at 21:57 +0000, jgh@... wrote:
> You could grab the hash off the wire, but it was of no use to you
> as it was only valid for the station that had requested it, and
> only if the following NetFS_op was an attempt to log on, so the
> only way you could do it was to nip around to the logging-on
> station and pull out the network cable at the correct millisecond
> between the NetFS_Op(PasswordHash) and the NetFS_Op(Command),
> change your station's network ID to the other machine's, and send
> a hashed NetFS_Op(Command) from your station with its new ID, all
> within less than a second or so.

I think you're talking about the encrypted hash rather than the hash
itself.  It's true that you couldn't just replay the login attempt using
the encrypted string but that wasn't really what I was referring to.

The underlying problem with the security model, at least as originally
constituted, was that it was based on a one-way (but deterministic) hash
of the password, followed by a reversible crypto step.  So, given an
encrypted hash and the key that was used to generate it (both of which
you can get off the wire) you could run the encryption backwards to
obtain the plaintext hash.

Once you've got that plaintext hash (which, for a given password, will
always be the same) you just need to ask the server for a new encryption
key, re-encrypt the hash under your new key, and off you go.

p.
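
The design flaw described in the message above, next to a corrected challenge-response form, as an added example that is not part of the original message or of any NetFS code. SHA-256 and an XOR keystream are assumed stand-ins for the password hash and the reversible step, which the message does not specify; `Server`, `keyed` and the sample password are hypothetical.

```python
import hashlib, hmac, os

PW = "constructed-password"  # constructed sample value

def pw_hash(password):
    # Assumption: SHA-256 stands in for the deterministic one-way password hash.
    return hashlib.sha256(password.encode()).digest()

def reversible(key, data):
    # Assumption: XOR keystream stands in for the reversible step (self-inverse).
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def keyed(secret, challenge):
    # One-way keyed response used by the corrected design.
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class Server:
    """Hypothetical server; `weak` selects the design described in the message."""
    def __init__(self, password, weak):
        self.stored, self.weak, self.nonce = pw_hash(password), weak, None

    def new_key(self):
        self.nonce = os.urandom(16)  # travels in clear, visible on the wire
        return self.nonce

    def login(self, blob):
        if self.nonce is None:
            return False
        nonce, self.nonce = self.nonce, None  # each key is single-use
        if self.weak:
            return hmac.compare_digest(reversible(nonce, blob), self.stored)
        return hmac.compare_digest(keyed(self.stored, nonce), blob)

def demo():
    # Weak design: one recorded (key, blob) pair yields the reusable plaintext hash.
    weak = Server(PW, weak=True)
    key1 = weak.new_key()
    blob1 = reversible(key1, pw_hash(PW))        # legitimate client's message
    assert weak.login(blob1)
    recovered = reversible(key1, blob1)          # computed from wire data only
    weak_accepts = weak.login(reversible(weak.new_key(), recovered))

    # Corrected design: the recorded response does not reveal the hash and is
    # bound to its challenge, so it fails against a fresh one.
    strong = Server(PW, weak=False)
    resp1 = keyed(pw_hash(PW), strong.new_key())
    assert strong.login(resp1)
    strong.new_key()
    strong_accepts = strong.login(resp1)
    return recovered == pw_hash(PW), weak_accepts, strong_accepts
```

In both designs the stored hash is still password-equivalent on the server itself; the corrected form only stops it being recoverable from traffic.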