Windows Password Handling and Security Faults. Nate Prosser, Lenny Calabrese, Travis Stitt
Windows Password Algorithms: LAN Manager (LM) Hashes; NT Hashes; Cached Credentials
LAN Manager Hash: Password must be less than or equal to 14 characters in length. If less, it is NULL padded to 14 characters long. Uses only the ASCII character set: 142 unique characters. This scheme allows for 6.8x10^12 unique passwords.
LM Hash (continued): The 14-character string is broken into two 7-character strings. Each separate string is encoded with DES. Final output: 128 bits, which looks like 16 random characters.
NT Hash: Password must be less than or equal to 127 characters in length. Uses full Unicode character set: 65,535 unique characters. 14 characters used: allows for 2.7x10^67 unique passwords. 127 characters used: allows for 4.9x10^611 unique passwords.
NT Hash (continued): Entire password encrypted with MD4. Stored as Unicode. Diagram: Password → MD4 → Long Unicode Hash.
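The NT hash described above, worked as an added example that is not part of the original slides: the password is encoded as UTF-16LE and run through MD4 with no salt, so the same password always yields the same stored value. MD4 is written out inline (per RFC 1320) because many current Python builds no longer expose it through hashlib; the function names are this example's own.

```python
import struct

MASK = 0xFFFFFFFF
# Message-word order used by MD4 round 3.
R3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

def _rol(x, n):
    """Rotate a 32-bit value left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 digest of data."""
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit LE.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a0, b0, c0, d0 = a, b, c, d
        for i in range(16):  # round 1: F(b, c, d)
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rol((a + f + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G(b, c, d), column-major word order
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rol((a + g + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H(b, c, d)
            h = b ^ c ^ d
            a, b, c, d = d, _rol((a + h + x[R3_ORDER[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + a0) & MASK, (b + b0) & MASK, (c + c0) & MASK, (d + d0) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, unsalted."""
    return md4(password.encode("utf-16-le")).hex().upper()

if __name__ == "__main__":
    # Constructed sample input: two accounts sharing one password store
    # identical hashes, because no per-account salt enters the computation.
    print("alice:", nt_hash("password"))
    print("bob:  ", nt_hash("password"))
```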
Which versions use which algorithms? LM Hashes: authentication to LM servers; locally on Windows 9x and ME with share-level access; authentication from any Windows 3.x or CE. NT Hashes: locally on Windows NT, 2000, and XP; authentication from Windows 9x and ME with user-level access.
Where are they stored? NT Hashes (locally): C:\WINDOWS\system32\config\SAM, C:\WINDOWS\system32\config\SECURITY, C:\WINDOWS\system32\config\SYSTEM. LM Hashes: .pwl (password list) files; Username -> usern001.pwl
Cached Credentials: Enhanced security for network authentication. Combination of several pieces of data used for the final hash. Encrypted with MD5. Diagram: NT Password Hash + Domain Username → concatenate → MD5 → Cached Credentials.
Authentication: WINLOGON is accessed by using the CTRL+ALT+DELETE combination (secure attention sequence). User inputs username and account. Information is passed to the Local Security Authority Subsystem (LSASS). Local or remote access is determined.
Access Location: Local: username and password are compared to local values. Network: uses a network authentication protocol to establish a secure connection and log in (LM/NTLM/v2, Kerberos).
LM/NTLM/v2: New Technology/LAN Manager. Used for LAN Server Authentication. Windows 3.x/CE/9x. Used LM and NT hashes. Now called Integrated Windows Authentication. Used with web services.
Kerberos: Developed at MIT. Provides mutual authentication. Prevents eavesdropping and replay attacks. Maintains data integrity. Default for Windows 2000, XP, and Server 2003.
Policy Solutions: Nothing easy to guess; minimum character requirement; use of pass phrases; password expiration; no password reuse.
Technology Solutions: Disable LM hashes; password filter; account lockout; use of anti-virus and spyware detection software.
What are Rainbow Tables? Passwords stored in computers are changed from their plain text form to an encrypted value. These values are called hashes, and there is a unique plain text value for every hash. An example of different hashes can be seen below:
Type | Hash
MD2 | A8FA298E39DCCD4BB99546AD015F4146
MD4 | 725C086015707D08849CC22283ADE154
MD5 | CD13B6A6AF66FB774FAA589A9D18F906
SHA-1 | 1EB08C4E3F8A5AB5761723B1210AD4C30E41DC7
RIPEMD-160 | 4870CE7A5BB385EDC57930F05E3DAB0FB883DCC4
LM | 9224FC255C58C50E
NT | 87F65D137998A4CE59EA65B114A0F831
MySQL323 | 56F306146F12605E
MySQLSHA1 | 79239E0207CD5F6A472C8795C73B451D349C8573
Cisco PIX | EQRTXAW3PX3q9K5A
What Are Rainbow Tables? A Rainbow Table is a table of all of the possible hashes from a certain cipher. Brute Force attacks are time and resource consuming. In many cases, the dictionary cracking method requires an enormous list(s) to be effective. One gigabyte of dictionary passwords might be able to yield a 40 to 50 percent compromise of a set of hashes. The same set of hashes with a complete set of Rainbow Tables properly implemented and utilized could effectively compromise 90 to 95 percent of the hashes in less than 25% of the time.
Generating Rainbow Tables: There are several programs that generate Rainbow Tables on your home computer, along with companies that for a small fee allow you to use their pre-generated Rainbow Tables. Rainbow Table generation is time and resource consuming. It takes 13.2 hours on a 666 MHz CPU to produce the 610 MB complete alphabetical character set LM hash table. Keep in mind that the LM hash is the simplest and least complex one-way hash. Once the table is sorted, a non-salted LM hash value can be cracked in a matter of seconds (avg. 3.7841 sec) with a success rate of 99.9%.
Generating Rainbow Tables: Most hashes, though, contain more than just an alphabetical character set. They are constructed of a character set with letters, numbers, and symbols. To construct an alpha-numeric symbolic character set LM hash table, it takes 119 GB of disk space and 2354 days on a 666 MHz CPU. On faster machines it takes about 261 days to construct. However, a table of this size is rarely ever used, for most software does not support the characters which can be used in a password of this size. However, it was discovered that some of the best hackers have constructed the complete Rainbow Tables of the most popular one-way hashes and had them running and stored on several different computers in their houses upon government raids.
Beating Rainbow Tables: There are several easy ways to beat Rainbow Tables and make their usage impossible: salting; and forcing the amount of time to create the table or run cryptanalysis to be so long that hackers won't attempt to crack the hash. Salting is taking random bits and inserting them in certain spots of the plaintext. This way, when the hash is performed, the hashes will not match the Rainbow Tables. Ways of increasing the table production time and cryptanalysis time are to: force password changes every 30 days; make all passwords at least 15 characters long; use pass phrases; make all network control device passwords at least 25 characters long; force password complexity to require the use of at least the following: upper case alpha, lower case alpha, a number, and at least one symbol.
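Both defenses on this slide, as an added example that is not from the original presentation: a per-password random salt makes a precomputed table miss, and an iteration count raises the cost of every guess. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the storage scheme (not a Windows mechanism); the candidate list and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the keyspace a precomputed table would cover.
CANDIDATES = ["letmein", "Summer2024", "password1", "dragon"]

def unsalted(password: str) -> str:
    """Weak storage: one fast hash, no salt, same output for every account."""
    return hashlib.sha256(password.encode()).hexdigest()

# Built once, then reusable against every unsalted hash that is ever stored.
PRECOMPUTED = {unsalted(p): p for p in CANDIDATES}

def table_hit(stored_hex: str):
    """Return the plaintext if the stored value appears in the table, else None."""
    return PRECOMPUTED.get(stored_hex)

def store_salted(password: str, rounds: int = 100_000):
    """Hardened storage: random 16-byte salt plus an iterated key derivation."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, derived

def verify_salted(password: str, record) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    salt, rounds, derived = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(attempt, derived)

if __name__ == "__main__":
    weak = unsalted("letmein")
    print("unsalted lookup:", table_hit(weak))            # found in the table
    rec_a, rec_b = store_salted("letmein"), store_salted("letmein")
    print("salted lookup:  ", table_hit(rec_a[2].hex()))  # no table entry
    print("same password, different records:", rec_a[2] != rec_b[2])
    print("login still verifies:", verify_salted("letmein", rec_a))
```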
Demo: Congratulations, you have been hired by the Dúmbáss Corporation and you are required to create a new password for your user account. Since the company does not hire RIT trained network administrators, they require that your password be 10 characters or less and can only use letters and numbers. Please change the password on the laptop in front of you and write it down on a piece of paper (never do this in reality; it is just for this demonstration in case something goes wrong). Watch as the password is destroyed.