
BlackHat 2010 – SMB NTLM Weak Nonce [Ochoa/Azubel]


Understanding the Windows SMB NTLM Weak Nonce vulnerability

In February of this year, Hernan Ochoa and Agustin Azubel discovered a deadly flaw that has been present in most Microsoft Windows systems for at least 14 years. The vulnerability lies in the SMB (Server Message Block) NTLM (NT LAN Manager) Windows authentication mechanism and gives attackers remote access to system resources. Other exposures include read/write access to remote file shares and remote code execution without the use of any credentials. The root causes of the flaw are weaknesses in the challenge-response mechanism and a predictable Pseudo-Random Number Generator (PRNG) behind the server challenge (the nonce). The live demo showed how easily an attacker could quickly collect challenges and responses and abuse the predictability of the PRNG to gain access. Microsoft released a security bulletin and followed up with a patch to mitigate the issue.
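The talk's core point is that a server challenge drawn from a predictable PRNG stops being a one-time nonce, which is what lets collected challenge/response pairs be abused. A defender can look for the symptom directly: NTLM server challenges that repeat across sessions. The script below is an added example for this review, not code from the original post or from Ochoa and Azubel. It parses constructed log records (the `srv=`, `client=` and `server_challenge=` fields are an assumed layout, not a real sensor format) and flags any server whose 8-byte challenges are reused.

```python
import re
from collections import Counter

# Constructed sample records (not real captures); the field layout is an assumption.
SAMPLE_LOG = """\
2010-08-01T10:00:01 srv=fs01 client=10.0.0.5 server_challenge=1122334455667788
2010-08-01T10:00:02 srv=fs01 client=10.0.0.6 server_challenge=99aabbccddeeff00
2010-08-01T10:00:03 srv=fs01 client=10.0.0.7 server_challenge=1122334455667788
2010-08-01T10:00:04 srv=fs02 client=10.0.0.5 server_challenge=0f1e2d3c4b5a6978
2010-08-01T10:00:05 srv=fs01 client=10.0.0.8 server_challenge=1122334455667788
2010-08-01T10:00:06 srv=fs02 client=10.0.0.9 server_challenge=8796a5b4c3d2e1f0
"""

# An NTLM server challenge is 8 bytes, i.e. 16 hex digits in the assumed log format.
LINE_RE = re.compile(
    r"srv=(?P<srv>\S+) client=(?P<client>\S+) server_challenge=(?P<chal>[0-9a-fA-F]{16})"
)


def parse_challenges(log_text):
    """Return {server_name: [challenge_bytes, ...]} in observation order."""
    by_server = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an NTLM challenge record; ignore
        by_server.setdefault(m["srv"], []).append(bytes.fromhex(m["chal"]))
    return by_server


def reuse_report(challenges):
    """Summarise challenge reuse for one server.

    A properly random 64-bit challenge repeats with probability of roughly
    n^2 / 2^65 over n observations, which is negligible for any sample a
    sensor will see, so even a single repeat is worth an alert.
    """
    counts = Counter(challenges)
    repeated = {c.hex(): n for c, n in counts.items() if n > 1}
    return {
        "observed": len(challenges),
        "distinct": len(counts),
        "repeated": repeated,
        "suspicious": bool(repeated),
    }


def audit(log_text):
    """Run the reuse check per server over a block of log text."""
    return {srv: reuse_report(chals) for srv, chals in parse_challenges(log_text).items()}


if __name__ == "__main__":
    for srv, rep in audit(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if rep["suspicious"] else "ok"
        print(f"{srv}: {rep['observed']} challenges, {rep['distinct']} distinct, "
              f"repeats={rep['repeated']} -> {flag}")
```

In the constructed sample, fs01 hands out the same challenge to three different clients and is flagged, while fs02 shows no reuse. On a patched host the check should stay quiet; a hit is a reason to verify that the relevant update is installed on that server.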

For more information about this vulnerability and its exploitation, see the references below:

Windows SMB NTLM Authentication Weak Nonce Vulnerability Security Advisory

SMB NTLM Authentication Lack of Entropy Vulnerability – CVE-2010-0231

Vulnerabilities in SMB Could Allow Remote Code Execution (958687)

