
Microsoft hashes…


kylene


Presentation Transcript


  1. Microsoft hashes…
  MS systems use one of the following:
  • LanManager Hash (LM)
  • NT LanManager (NTLM)
  • Cached passwords
  • Kerberos

  2. Weakness of LM hashes
  Well documented weakness, explained here by walking through how the hash is created

  3. Weakness of LM hashes

  4. Weakness of LM hashes

  5. Proof that case doesn’t matter (LM hash, shown as its two 8-byte halves)
  Password  = E52CAC67419A9A22 4A3B108F3FA6CB6D
  PaSSwORd  = E52CAC67419A9A22 4A3B108F3FA6CB6D
  Password1 = E52CAC67419A9A22 38F10713B629B565
  http://www.lmcrack.com
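The case-folding and 7-byte split that produce the identical halves on the slide above, as an added example that is not part of the original presentation. It stops at the two DES keys, because the Python standard library has no DES with which to run the final step of the LM hash (encrypting the KGS!@#$% constant with each key); the password values are the slide's own.

```python
LM_MAGIC = b"KGS!@#$%"   # constant each half DES-encrypts (step not performed here)

def lm_des_keys(password: str):
    """Return the two 8-byte DES keys that the LM hash derives from a password."""
    # 1. Case is thrown away: the password is upper-cased before anything else.
    pw = password.upper().encode("ascii", "replace")
    # 2. Truncated/zero-padded to exactly 14 bytes, then split into two 7-byte halves
    #    that are hashed independently of each other.
    pw = pw[:14].ljust(14, b"\x00")
    halves = (pw[:7], pw[7:])
    # 3. Each 7-byte half is spread into a 64-bit DES key: every 7 bits become one
    #    key byte, with the parity bit (ignored by DES) left as 0 in the low position.
    keys = []
    for half in halves:
        n = int.from_bytes(half, "big")
        keys.append(bytes(((n >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8)))
    return keys[0], keys[1]

def same_first_half(p1: str, p2: str) -> bool:
    """True when both passwords yield the same first DES key (first 7 chars agree)."""
    return lm_des_keys(p1)[0] == lm_des_keys(p2)[0]

if __name__ == "__main__":
    # "Password" and "PaSSwORd" give identical keys; "Password1" shares only key 1.
    for pw in ("Password", "PaSSwORd", "Password1"):
        k1, k2 = lm_des_keys(pw)
        print(f"{pw:10s} key1={k1.hex()} key2={k2.hex()}")
```

Because each half is keyed on its own, an attacker who recovers the first half of a 14-character password has reduced the rest of the work to a single 7-character search, which is why disabling LM storage matters.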

  6. NTLM
  • Uses the MD4 algorithm to create a hash of the mixed-case password
  • Results in a 16-byte hash of the password (stored in the SAM…we’ll cover later)
  • Used for any password longer than 14 characters
  • It is possible to turn LM hash storing off in Windows systems (although this is rarely implemented)

  7. NTLM

  8. Proof that case DOES matter (NT hash)
  Password  = F15ABD57801840F3 348DDCCAFB677F6A
  PaSSwORd  = 17504CE07C0A0D4A 1BD3A99A0821F957
  Password1 = F9A3152D926F9FF8 98D0BAFBA0BFFD30

  9. NTLMv1 Challenge-response mechanism that works as follows

  10. NTLMv1

  11. NTLMv1

  12. NTLMv2
  • More complicated than version 1
  • Includes two different client challenges in addition to the server challenge
  • One client challenge is a randomly generated 8-byte value
  • The other client challenge includes the time, a random 8-byte value, and the domain name
  • Two 16-byte responses to the challenges are sent back
  • Not covered in detail here

  13. Local SAM and AD SAM
  • Security Accounts Manager (SAM) is a database of the users and groups of a system and their associated password hashes
  • Stored as a registry key
  • Located in /windows/system32/config (/winnt/…for 2000)
  • Protected since NT 4 SP3 with SYSKEY
  • SYSKEY encrypts the SAM database…easily broken now, you’ll see this with one of the tools we’ll use in the demo

  14. Local SAM and AD SAM

  15. Local SAM and AD SAM
  • When Windows is running the SAM is protected by the kernel
  • The process that protects the SAM is called the Local Security Authority Subsystem (LSASS)
  • Password tools have been created that allow the tool to do the following (fgdump):
    • Use a process to force LSASS to load a DLL
    • The code within the DLL is executed in the context of LSASS
    • The newly unprotected password hashes are pulled using the same API that LSASS uses to access them
  • This works locally and remotely
  • Requires admin access to the system

  16. Local SAM and AD SAM
  • The SAM in AD is very similar to that of a local system
  • The AD SAM holds all AD account information including users, groups, hashes, and password history
  • This requires that we run as an administrator in the domain
  • Can be completed with admin access or using service hijacking (to be covered in a different presentation)

  17. Salted versus Unsalted Password Hashes
  • We’re not talking about popcorn…
  • An unsalted hash is one that simply uses the same key (or the same static value) on every system
  • An example would be LM and NTLM hashes stored in the SAM database (the static value is KGS!@#$%)
  • For example, if we both run Windows XP systems, and both of our passwords are “apple”, then the password hash on both systems would be the same

  18. Salted versus Unsalted Password Hashes
  • A salted password hash is one that uses some other value, in addition to the static value, as a modifier
  • For example, UNIX systems use salt in the storage of their password hashes
  • If we both had the same password again, “apple”, and if our system used the system hostname as the salt, then unless our systems have the same hostname the password hash on the two systems would be different
  • Keep in mind the salt must be stored in plaintext alongside the hash, or otherwise be available to the verifying system, so that the system knows what value the hash was salted with

  19. What does it matter?
  • The SAM file is unsalted, which means:
    • We can pre-compute the possible password hashes in advance and do a simple look-up for the hash…or
    • We can use rainbow tables (a more efficient way of pre-computing)
  • Microsoft also uses something called a cached password, which we’ll examine next

  20. MS Cached passwords
  • If your system is a member system of a Microsoft Active Directory domain (drop-down in the login), what happens if you’re not connected to the network? Can you still log in using the AD username and password?
  • Yes you can, all thanks to cached credentials on the system
  • These are stored (and protected) in the registry (depending on your system’s settings, normally the last 10)
  • HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 - 10

  21. MS cached passwords
  • So if they are stored, can’t we get them and crack them as we would a normal SAM file?
  • Yes, we can get them, but since they are salted, no, we cannot just crack them as we would a SAM file password hash
  • This uses a “password verifier” and not the actual password itself
  • How is it salted? With the username:
    • The user’s NTLM hash is added to the username
    • Re-run the NTLM hash of the new salted value
  • When we get access to the cached password we get the salt used (the username) and the hash of the username + NTLM hash…
  • This leaves us only brute force as a cracking mechanism…unless?

  22. MS cached passwords
  • What is the standard name for the administrator account in Windows?
  • Couldn’t we just build our pre-computed tables with that as the known username and salt?
  • Microsoft and the government have done this already…I’m trying to get a copy

  23. Kerberos
  • Developed by MIT, adopted and reworked by Microsoft and put into Windows 2000/2003/2008
  • Used for authentication between end systems and the Active Directory domain controller
  • Uses concepts we will not cover in detail; however, it does not transmit the user’s hash, or the response to a challenge, over the wire directly
