Clear Text Passwords

SMB (Server Message Block) clear text password could allow an attacker to obtain sensitive information, caused by the use of plaintext passwords for authentication challenge-response. An attacker could exploit this trait in attempting brute-force password-guessing attacks.

This vulnerability could indicate the presence of very old LAN Manager clients, misconfigured clients or servers, or SMB "downgrade" attacks, in which an attacker attempts to trick the client into sending a password in plain text.

Also, a vulnerability in Windows 95 plus Microsoft Internet Explorer could allow users from anywhere on the Internet to obtain a Windows 95 login password given only the IP address and the workgroup.

Remedy

To stop this type of attack from outside your network, block access to inbound traffic for ports 137, 138, and 139 on your network. This setup does not solve problems with this type of attack coming from inside your network.

Examine the source and destination addresses. If these show the presence of old LAN Manager clients or servers, consider upgrading these systems. Otherwise, examine the systems involved for configuration errors. If there are no configuration errors, consider monitoring for IP hijacking attacks, which in combination with SMB cleartext passwords can help to identify SMB downgrade attacks.