NT Password Security

TSM 352

System Security

Where are Passwords Stored in NT/2k?
  • The ‘SAM’ (Security Account Manager)
  • Windows-directory\system32\config\SAM
  • Permissions are ‘world-readable’
  • Not normally accessible while the system is running since it is locked by the system kernel
How to access the SAM file
  • Cannot be accessed once NT/2K is up and running
  • Sometimes it has been backed up
  • A copy is also put on the ‘Emergency Repair Disk’
  • Boot the system with a floppy into DOS or Linux and access the file
  • Use a utility running on the NT system, such as L0phtcrack or pwdump
How does NT Encrypt Passwords?
  • Uses two hash algorithms
  • One for the regular NT hash.
    • Converts password to Unicode
    • Then runs it through an MD4 algorithm to obtain a 16-byte value
  • One for the LANMAN hash.
    • Pads the password with 0’s until it has a length of 14 characters.
    • Then converts it to uppercase and splits it into two 7-character pieces.
    • An 8-byte odd-parity DES key is calculated from each half; each key is used to DES-encrypt a fixed constant, and the two 8-byte outputs are combined to get a 16-byte, one-way hash.
LAN Manager Hashes (LM)
  • LAN Manager was the predecessor to NT – appeared in the late 80’s.
  • Machines then were slow.
  • Still needed, since NT is designed to be backward compatible with earlier versions of Windows
  • Dividing into two 7-byte chunks makes NT passwords easier to crack.
    • A 14-byte password takes vastly longer to crack than two 7-byte passwords.
    • The two separated halves can be cracked in parallel.
    • It is not case-sensitive, which considerably reduces the guessing ‘set’.
    • Since numbers usually appear at the end of a password, crackers are likely to crack the first half more quickly if they start with letters only.
    • Once one half is known, the other half is often easier to guess.
  • No salts used – the same clear-text password encrypts the same way.
    • With no salt being used, an attacker can calculate a hash and compare it to the entire list. So, what might have taken 5 days for a single user is now 5 days for an entire list of users.
What is the math?
  • <number of possible characters> Raised to the Power <number of character positions>
  • Compare two 7-character with one 14-character
  • Assume 40 possible characters
  • 2 x 40^7 = 3.2 x 10^11
  • 1 x 40^14 = 2.7 x 10^22
  • @ 1 million tries/second, two 7-character will take about 53 minutes (doing them both separately)
  • @ 1 million tries/second, a 14-character will take about 860 million years
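An added example (not from the slides) that carries the LM preprocessing from the earlier slide through in code: uppercase, NUL-pad to 14 bytes, split into two 7-byte halves and derive an 8-byte odd-parity DES key from each. It also carries this slide's keyspace arithmetic through for the assumed 40-character set and 1 million tries per second. The final DES encryption of the fixed LM constant is left out (it needs a DES implementation); the key derivation alone is enough to show that the halves are independent, that case is discarded, and that any password of 7 characters or fewer has a fixed second half.

```python
KEYSPACE_CHARS = 40            # the slide's assumed character-set size
GUESSES_PER_SECOND = 1_000_000  # the slide's assumed cracking rate


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """LM preprocessing: uppercase, truncate/NUL-pad to 14 bytes, split into two 7-byte halves (ASCII assumed)."""
    raw = password.upper().encode("ascii", errors="replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def des_key_from_7(half: bytes) -> bytes:
    """Expand 7 bytes (56 bits) into an 8-byte DES key: 7 bits per byte, odd parity in the low bit."""
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        byte = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:   # make the byte's bit count odd
            byte |= 1
        key.append(byte)
    return bytes(key)


def lm_des_keys(password: str) -> tuple[bytes, bytes]:
    """The two DES keys LM derives; in the real scheme each encrypts a fixed constant and the outputs are joined."""
    first, second = lm_halves(password)
    return des_key_from_7(first), des_key_from_7(second)


def seconds_to_exhaust(chars: int, positions: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of `positions` characters drawn from `chars` symbols."""
    return chars ** positions / rate


def lm_vs_full_search(chars: int = KEYSPACE_CHARS) -> tuple[float, float]:
    """Seconds to exhaust two independent 7-character halves versus one 14-character password."""
    return 2 * seconds_to_exhaust(chars, 7), seconds_to_exhaust(chars, 14)


if __name__ == "__main__":
    _, second_key = lm_des_keys("Secret1")            # constructed sample password, 7 characters
    print("second-half DES key for any <=7-char password:", second_key.hex())
    print("case is discarded:", lm_des_keys("Secret1") == lm_des_keys("SECRET1"))
    halves, full = lm_vs_full_search()
    print(f"two halves: {halves / 3600:.1f} hours; one 14-char: {full / 3.156e7:.2e} years")
```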
L0phtcrack
  • “Password Auditing Tool”
  • 15-day demo free for download, but must pay for the ‘brute force’ capability ($100)
  • Has a number of additional capabilities
    • Password cracking
    • Extracting hashes from the password registry (admin privileges required)
    • Loading the passwords from a file
    • Sniffing passwords off the network
    • Choice of brute force, dictionary, hybrid, or any combination
    • Custom character set for foreign languages
  • Cole’s Experience with L0phtcrack:
    • Cracks 90% of a corporation’s passwords in under 5 hours
    • 18% in under 5 minutes
    • Most domain admin accounts cracked
    • Most companies have an 8-character minimum policy, but no other restrictions
NTSweep
  • Another password cracker that uses a different approach
    • Based on the DC function, which allows any user to change a password if the original password is known.
    • NTSweep takes a guessed password and tries it on all of the accounts on the domain. It then changes the password to the same value – the only result being that it finds a user account that goes with the password.
    • If this ‘change’ works, then the password has been discovered
  • Interesting method, since it does not require access to ‘administratively-controlled’ files, such as the registry or the SAM. The operation it is trying is absolutely ‘legal’.
  • Some Issues
    • It uses a broadcast to discover the domain users, so obviously it cannot be a remote attack.
    • It is very slow.
    • The operation is logged – including all the failed attempts.
    • User accounts might be set up so that they cannot change their passwords.
Protection against Password Crackers
  • No way to completely prevent password cracking.
  • The goal is to make it much harder.
    • Disable LAN manager (LM) authentication
    • Enforce strong passwords – with a policy
    • Implement SYSKEY
    • Use one-time passwords
    • Use Biometric authentication where feasible
    • Audit access to key files
    • Scan for cracking tools
    • Keep inventory of active accounts
    • Limit who has domain admin access
Disable LM Authentication
  • Have to account for older clients that may use LM.
  • If you have at least Win98 and NT you are OK, since there is a patch that updates them to use NTLM.
  • If you do not upgrade, then your password security has not improved
Enforcing Strong Passwords
  • NT and 2k have some mechanisms to help
  • The most important mechanism is account policies, under User Manager
  • NT SP2 introduced a password filter called passfilt.dll, which enforces the following:
    • Minimum 6 characters
    • Must contain 3 of the following categories: Uppercase, lowercase, numbers, and special characters.
    • Password cannot contain the user id
  • Another way to enforce strong passwords is to use ‘passprop’, which comes with the Resource Kit.
  • Enforces the same rules as passfilt, but is easier to set up.
Strong Password Policy
  • Minimum of 8 characters; 10 is better
  • Change every 45 days
  • Lockout at 3 tries in 5 hours, and lockout for 3 hours
  • At least one alphabetic, one numeric, and one special character
  • Cannot reuse previous 5 passwords
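As an added example (not code from the slides or from passfilt.dll itself), a filter that applies the three rules the passfilt slide lists: minimum length, three of the four character classes, and no user id inside the password. The minimum length defaults to passfilt's 6 and can be raised to the 8 or 10 the policy slide recommends; the function returns every violation rather than just the first so the reason for a rejection can be reported.

```python
import string


def passfilt_check(password: str, user_id: str, min_length: int = 6) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes.

    Rules follow the slide's description of passfilt.dll. `min_length` is 6 there,
    but the policy slide recommends 8 or 10.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Three of these four classes must be present.
    categories = {
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    if sum(categories.values()) < 3:
        missing = [name for name, present in categories.items() if not present]
        problems.append("needs 3 of 4 character classes; missing: " + ", ".join(missing))

    # The comparison is case-insensitive: "Alice" inside "Alice2024!" still counts as the user id.
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user id")
    return problems


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    for pw, uid in (("Tr0ub4dor!", "alice"), ("alllowercase1", "bob"), ("Alice2024!", "alice")):
        verdict = passfilt_check(pw, uid, min_length=8) or ["ok"]
        print(f"{pw!r:16} {uid:6} -> {'; '.join(verdict)}")
```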
Implement Syskey
  • Available with SP3 for NT, automatic with 2K.
  • Allows 128-bit encryption of the SAM
  • Prevents L0phtcrack from extracting hashes
  • Implemented by running syskey.exe – be careful, it cannot be reversed.
  • Beware of third-party authentication systems that are not compatible with syskey
Use One-time Passwords
  • Password changes each time the user logs on
  • There are no passwords to guess.
  • Downside: cost, complexity
  • The most common form is the ‘smart card’.
    • The device is time-triggered so the password changes every minute
    • When the user wants to log on, they read the display of the smart card.
    • This system can be used in conjunction with standard passwords – maybe only used on the ‘road’
Some Additional Tips
  • Audit Access to Key Files
    • Watch out for access of the SAM database
    • Use programs such as tripwire to watch over your files
  • Scan for Cracking Tools
    • Watch out for programs on your systems
    • Again, tripwire can be useful to monitor directory contents
  • Keep Inventory of Active Accounts
    • Watch for past employees’ accounts.
    • Remove accounts that should no longer be active
    • Monitor accounts, looking for new ones, or accounts whose privileges have changed.
  • Still not enough?
    • Use Biometrics