Automatically passing NTLM authentication credentials on Windows XP
Windows XP will perform NTLM authentication when connecting to a remote SMB server. This could allow a malicious user to obtain your NTLM authentication credentials without your knowledge.
A malicious user could exploit this behavior by putting a normal Microsoft Word document on a normal IIS and running a rogue SMB server on the same machine. After opening the document (just close it), an XP client with WebClient service would attempt to initiate a SMB session to the server - automatically passing NTLM authentication credentials to the malicious server's owner.
Disable WebClient service at your own risk.
My test environment:
For your reference:
Rainbow tables for NTLM authentication not hashes
Additional information about throwing a fixed challenge with SMBRelay; the last part of
This is how to "Prevent Network Share Shortcuts from Being Added to My Network Places" but does NOT resolve this problem.
Microsoft Knowledge Base Article - 242578