Brooks Martin wrote:
> As a sidepoint, if IE is configured (in)correctly, it will cheerfully send
> your user/domain name and password hash to any server that requests it. IIS
> uses this feature to 'auto-authenticate' clients. Nice hey?
The password hash is DES3 scrambled, but can be used in a simultaneous
attack on one of your NTLM enabled servers (including file servers).
The username/domain/stationname is sent in plain text, available to all.
-- Henrik Nordstrom
Squid hacker
Received on Wed Dec 22 1999 - 06:42:40 MST
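
Added example, not part of the original post or of Squid: a Python sketch that decodes an HTTP `Authorization: NTLM` Type 3 message, following the publicly documented NTLMSSP layout, to show which fields a proxy or any on-path observer can read without a key. The sample message and its names (EXAMPLE, alice, WKSTN01) are constructed, and the OEM code page is assumed to be cp437.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
# Header positions of the security buffers in a Type 3 (Authenticate) message.
FIELDS = {"lm_response": 12, "nt_response": 20, "domain": 28,
          "user": 36, "workstation": 44}

def parse_type3(header_value):
    """Return what any on-path observer can read from 'NTLM <base64>'."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 52 or msg[:8] != SIG or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP Type 3 message")
    raw, offsets = {}, []
    for name, pos in FIELDS.items():
        # Security buffer: length (u16), allocated length (u16), offset (u32).
        length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):
            raise ValueError(f"{name} buffer points outside the message")
        raw[name] = msg[offset:offset + length]
        offsets.append(offset)
    # The flags word at byte 60 is optional; it exists only if no payload overlaps it.
    has_flags = len(msg) >= 64 and min(offsets) >= 64
    flags = struct.unpack_from("<I", msg, 60)[0] if has_flags else 0
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM code page assumed
    return {
        "domain": raw["domain"].decode(enc, "replace"),
        "user": raw["user"].decode(enc, "replace"),
        "workstation": raw["workstation"].decode(enc, "replace"),
        # Challenge responses are reported by size only; they are not plain text.
        "lm_response_len": len(raw["lm_response"]),
        "nt_response_len": len(raw["nt_response"]),
    }

def build_sample():
    """Constructed Type 3 message: made-up names, dummy 24-byte responses."""
    parts = [b"\xaa" * 24, b"\xbb" * 24, "EXAMPLE".encode("utf-16-le"),
             "alice".encode("utf-16-le"), "WKSTN01".encode("utf-16-le"), b""]
    header, payload = SIG + struct.pack("<I", 3), b""
    for part in parts:  # five parsed buffers plus an empty session-key buffer
        header += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    header += struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(header + payload).decode("ascii")

if __name__ == "__main__":
    print(parse_type3(build_sample()))
```

Running the same parser over proxy or web-server logs that record the `Authorization` header shows which clients are answering NTLM challenges and for which hosts.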