Presentation on theme: "MS systems use one of the following: LanManager Hash (LM), NT LanManager (NTLM), Cached passwords" — Presentation transcript:

1 Microsoft hashes… MS systems use one of the following:
- LanManager Hash (LM)
- NT LanManager (NTLM)
- Cached passwords
- Kerberos

2 Weakness of LM hashes: a well-documented weakness, explained by walking through how the hash is created

3 Weakness of LM hashes


5 Proof that case doesn't matter (LM hashes, shown as their two halves)
Password  = E52CAC67419A9A22 4A3B108F3FA6CB6D
PaSSwORd  = E52CAC67419A9A22 4A3B108F3FA6CB6D
Password1 = E52CAC67419A9A22 38F10713B629B565
Source: http://www.lmcrack.com
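The shared halves on this slide follow from how LM prepares its two DES keys before encrypting the constant KGS!@#$%. The Python below is an added example (not from the presentation or lmcrack.com) that performs LM's case-folding, padding and split into two 7-byte DES keys, plus an audit helper for stored LM hashes; it omits the final DES step (which needs a DES library) and assumes the well-known empty-half value AAD3B435B51404EE, which is not on the slide.

```python
# Known value of DES("KGS!@#$%") under the all-zero key; a standard constant, not from the slide.
EMPTY_LM_HALF = "AAD3B435B51404EE"


def _des_key(seven: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, 7 bits each; low bit is odd parity, which DES ignores."""
    bits = int.from_bytes(seven, "big")
    out = bytearray()
    for i in range(8):
        chunk = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(chunk).count("1") % 2 else 1
        out.append((chunk << 1) | parity)
    return bytes(out)


def lm_des_keys(password: str) -> tuple[bytes, bytes]:
    """The two DES keys LM derives from a password (the real algorithm uses the OEM code page)."""
    pw = password.upper().encode("ascii", "replace")  # step 1: fold case -> case never matters
    pw = pw[:14].ljust(14, b"\x00")                    # step 2: truncate / zero-pad to 14 bytes
    return _des_key(pw[:7]), _des_key(pw[7:])          # step 3: two halves, hashed independently


def lm_audit(lm_hex: str) -> str:
    """Classify a stored 32-hex-char LM hash, e.g. when checking whether LM storage is still on."""
    hi, lo = lm_hex.upper()[:16], lm_hex.upper()[16:]
    if hi == EMPTY_LM_HALF and lo == EMPTY_LM_HALF:
        return "no LM hash stored (storage disabled or empty password)"
    if lo == EMPTY_LM_HALF:
        return "LM hash stored; password is 7 characters or fewer"
    return "LM hash stored; password is 8 to 14 characters"


if __name__ == "__main__":
    for pw in ("Password", "PaSSwORd", "Password1"):
        k1, k2 = lm_des_keys(pw)
        print(f"{pw:10} key1={k1.hex()} key2={k2.hex()}")
    # Slide values: Password/PaSSwORd give identical keys; Password1 shares key1 only.
    print(lm_audit("E52CAC67419A9A224A3B108F3FA6CB6D"))
```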

6 NTLM
- Uses the MD4 algorithm to create a hash of the mixed-case password
- Results in a 16 byte hash of the password (stored in the SAM…we'll cover later)
- Used for any password greater than 14 characters
- It is possible to turn LM hash storing off in Windows systems (although this is rarely implemented)

7 NTLM

8 Proof that case DOES matter (NTLM hashes)
Password  = F15ABD57801840F3 348DDCCAFB677F6A
PaSSwORd  = 17504CE07C0A0D4A 1BD3A99A0821F957
Password1 = F9A3152D926F9FF8 98D0BAFBA0BFFD30

9 NTLMv1 Challenge-response mechanism that works as follows

10 NTLMv1

11 NTLMv1

12 NTLMv2
- More complicated than version 1
- Uses two different client challenges in addition to the server challenge
- One client challenge is a randomly generated 8 byte value
- The other client challenge includes the time, a random 8 byte value, and the domain name
- Two 16 byte responses to the challenges are sent back
- Not covered in detail here

13 Local SAM and AD SAM
- Security Accounts Manager (SAM) is a database of the users and groups of a system and their associated password hashes
- Stored as a registry key
- Located in /windows/system32/config (/winnt/…for 2000)
- Protected since NT 4 SP3 with SYSKEY
- SYSKEY encrypts the SAM database…easily broken now, you'll see this with one of the tools we'll use in the demo

14 Local SAM and AD SAM

15 Local SAM and AD SAM
- When Windows is running the SAM is protected by the kernel
- The process that protects the SAM is called the Local Security Authority Subsystem (LSASS)
- Password tools such as fgdump have been created that do the following:
  - Use a process to force LSASS to load a DLL
  - The code within the DLL is executed in the context of LSASS
  - The newly unprotected password hashes are pulled using the same API that LSASS uses to access them
- This works locally and remotely
- Requires admin access to the system

16 Local SAM and AD SAM
- The SAM in AD is very similar to that of a local system
- The AD SAM holds all AD account information including users, groups, hashes, and password history
- This requires that we run as an administrator in the domain
- Can be completed with admin access or using service hijacking (to be covered in a different presentation)

17 Salted versus Unsalted Password Hashes
- We're not talking about popcorn…
- An unsalted hash is one that simply uses the same key (or the same static value) on every system
- An example would be LM and NTLM hashes stored in the SAM database (the static value is KGS!@#$%)
- For example, if we both run Windows XP systems, and both of our passwords are "apple", then the password hash on both systems would be the same

18 Salted versus Unsalted Password Hashes
- A salted password hash is one that uses some other value, in addition to the static value, as a modifier
- For example, UNIX systems use a salt in the storage of their password hashes
- If we both had the same password again, "apple", and our systems used the system hostname as the salt, then unless our systems have the same hostname the password hashes on the two systems would be different
- Keep in mind that the salt must be stored or shared in plaintext alongside the hash, so the other system knows what the hash was salted with

19 What does it matter? The SAM file is unsalted, which means:
- We can pre-compute the possible password hashes in advance and do a simple look up for the hash…or
- We can use rainbow tables (a more efficient way of pre-computing)
- Microsoft also uses something called a cached password, which we'll examine next

20 MS Cached passwords
- If your system is a member of a Microsoft Active Directory domain (drop down in the login), what happens if you're not connected to the network? Can you still log in using the AD username and password?
- Yes you can, all thanks to cached credentials on the system
- These are stored (and protected) in the registry (depending on your system's settings, normally the last 10)
- HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 - 10

21 MS cached passwords
- So if they are stored, can't we get them and crack them as we would a normal SAM file?
- Yes, we can get them, but since they are salted, no, we cannot just crack them as we would a SAM file password hash
- This uses a "password verifier" and not the actual password itself
- How is it salted? With the username:
  - The user's NTLM hash is added to the username
  - Re-run the NTLM hash of the new salted value
- When we get access to the cached password we get the salt used (the username) and the hash of the username + NTLM hash…
- This leaves only brute force as a cracking mechanism…unless?

22 MS cached passwords
- What is the standard name for the administrator account in Windows?
- Couldn't we just build our pre-computed tables with that as the known username and salt?
- Microsoft and the government have done this already…I'm trying to get a copy

23 Kerberos
- Developed by MIT, adopted and reworked by Microsoft and put into Windows 2000/2003/2008
- Used for authentication between end systems and the Active Directory domain controller
- Uses concepts we will not cover in detail; however, it does not transmit the user's hash, or the response to a challenge, directly over the wire

