GO to the azbil Global Site

The photo of a boy and his father who are looking at the screen of pc. Products Company Research In The Media Contact



Automatically passing NTLM authentication credentials on Windows XP

Windows XP will perform NTLM authentication when connecting to a remote SMB server. This could allow a malicious user to obtain your NTLM authentication credentials without your knowledge.

A malicious user could exploit this behavior by putting a normal Microsoft Word document on a normal IIS and running a rogue SMB server on the same machine. After opening the document (just close it), an XP client with WebClient service would attempt to initiate a SMB session to the server - automatically passing NTLM authentication credentials to the malicious server's owner.

Disable WebClient service at your own risk.

My test environment:


  • Windows 2000 server with IIS 5.0 by default
  • Place zzz.doc in wwwroot\test folder.


  • Windows XP SP1 with Microsoft Office 2000 SP3 or 2002 SP3, and Windows XP SP2 with Microsoft Office 2002 SP3
  • Access with Internet Explorer and open with Microsoft Word plug-in.
  • Close it or access another page. Then Windows XP will attempt to access \\\test via SMB.
  • Confirm that a shortcut to \\\test is placed in My Network Places.

(Sep. 2004)

For your reference:

Rainbow tables for NTLM authentication not hashes

Additional information about throwing a fixed challenge with SMBRelay; the last part of

This is how to "Prevent Network Share Shortcuts from Being Added to My Network Places" but does NOT resolve this problem.
Microsoft Knowledge Base Article - 242578

Similar vulnerability

img src="file://\\\test" is also still alive after 7 years



SecurityFriday TM

(C)Azbil SecurityFriday Co., Ltd. All rights reserved.