Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All in high-quality, daily updated, avoiding security crap documents. Spreading hacking knowledge, for free, enjoy.

Understanding the Windows SMB NTLM Weak Nonce vulnerability

NTLM, Windows
Agustin Azubel, Hernan Ochoa
Black Hat USA 2010
Indexed on: Mar 27, 2013
File size: 2.8 MB

In February 2010, we found a vulnerability in the SMB NTLM Windows authentication mechanism that has been present in Windows systems for at least 14 years (from Windows NT 4 to Windows Server 2008). You probably haven't heard about this vulnerability, but basically the authentication mechanism used by all Windows systems to access remote resources using SMB was flawed, allowing attackers to get read/write access to remote resources and remote code execution without credentials, using different techniques such as passive replay attacks, active collection of duplicate challenges/responses, and prediction of challenges. This vulnerability is also a good example of flaws found in challenge-response authentication mechanisms. This presentation will describe the vulnerability in detail, including its scope and severity, explain different techniques to exploit the flaws found, and demo fully functional exploit code.
