Automatically passing NTLM authentication credentials on Windows XP
Windows XP will perform NTLM authentication when connecting to a remote SMB server. This could allow a malicious user to obtain your NTLM authentication credentials without your knowledge.
A malicious user could exploit this behavior by putting a normal Microsoft Word document on a normal IIS server and running a rogue SMB server on the same machine. After the document is opened (it can simply be closed again), an XP client with the WebClient service would attempt to initiate an SMB session to the server, automatically passing NTLM authentication credentials to the malicious server's owner.
Disable the WebClient service at your own risk.
My test environment:
Server: www.xxx.yyy
Client:
(Sep. 2004)
For your reference:
Rainbow tables for NTLM authentication not hashes
http://www.securityfocus.com/archive/1/375137
Additional information about throwing a fixed challenge with SMBRelay; the last part of
http://www.securityfriday.com/tools/NBTdeputy.html
This is how to "Prevent Network Share Shortcuts from Being Added to My Network Places" but does NOT resolve this problem.
Microsoft Knowledge Base Article - 242578
Similar vulnerabilities
MS00-067
MS01-001
img src="file://\\www.xxx.yyy\test" is also still alive after 7 years
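A defensive check for the reference pattern above, as an added example that is not part of the original advisory: it scans HTML (a mail body, a cached page) for attributes that name a remote host through a UNC path or a file: URL, so such content can be flagged before a client renders it. The function names and the sample markup are constructed for illustration; fileserver.example is a made-up host.

```python
import re
from html.parser import HTMLParser

LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}
DRIVE = re.compile(r"^[a-z][:|]$")  # "c:" or legacy "c|" means a local drive

def remote_smb_host(value):
    """Return the remote host a UNC path or file: URL names, else None."""
    v = value.strip()
    if v.startswith("\\\\"):                  # \\host\share
        body, slashes = v.lstrip("\\").replace("\\", "/"), 4
    elif v.lower().startswith("file:"):       # file://host/..., file://\\host\...
        rest = v[5:].replace("\\", "/")
        body = rest.lstrip("/")
        slashes = len(rest) - len(body)
    else:
        return None
    # file:/x and file:///x are local paths; 2 or 4+ slashes carry a host.
    if slashes != 2 and slashes < 4:
        return None
    host = body.split("/", 1)[0].lower()
    if host in LOCAL_HOSTS or DRIVE.match(host):
        return None
    return host

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = remote_smb_host(value) if value else None
            if host:
                self.hits.append((tag, name, host))

def find_remote_smb_refs(html):
    """List (tag, attribute, host) for each attribute naming a remote file host."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

# Constructed sample page; only the first two references name a remote host.
SAMPLE_HTML = r"""
<img src="file://\\www.xxx.yyy\test">
<a href="\\fileserver.example\share\report.doc">report</a>
<img src="file:///C:/local/logo.png">
<img src="https://www.xxx.yyy/logo.png">
"""
```

Calling find_remote_smb_refs(SAMPLE_HTML) returns the img and a entries with their hosts; the local file: path and the https image are ignored.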
