A "man-in-the-middle" can remove the bit in the SMB_COM_NEGPROT response that says the server supports challenge/response, thus fooling a client into thinking that it should supply a plaintext password. This attack can be mitigated if clients are able to be configured to require challenge/response, either in general or for particular servers.