Windows Password Handling and Security Faults
Nate Prosser
Lenny Calabrese
Travis Stitt
Windows Password Algorithms
– LAN Manager (LM) “Hashes”
– NT Hashes
– Cached Credentials
LAN Manager Hash
Password must be less than or equal to 14 characters in length
If shorter, it is NULL padded to 14 characters long
Uses only the ASCII character set: 142 unique characters
This scheme allows for 6.8x10^12 unique passwords
LM Hash (continued)
[Figure: the padded password (e.g. PASSWOR | D + NULL padding) is split into two 7-character halves; each half goes through DES, giving Hash 1 and Hash 2, which are concatenated]
14-character string broken into two 7-character strings
Each string is encoded separately with DES
Final output: 128 bits – looks like 16 “random” characters
NT Hash
Password must be less than or equal to 127 characters in length
Uses full Unicode character set: 65,535 unique characters
14 characters used: allows for 2.7x10^67 unique passwords
127 characters used: allows for 4.9x10^611 unique passwords
NT Hash (continued)
Entire password encrypted with MD4
Stored as Unicode
[Figure: Password -> MD4 -> long Unicode hash]
Which versions use which algorithms?
LM Hashes:
– Authentication to LM servers
– Locally on Windows 9x and ME with share-level access
– Authentication from any Windows 3.x or CE
NT Hashes:
– Locally on Windows NT, 2000, and XP
– Authentication from Windows 9x and ME with user-level access
Where are they stored?
NT Hashes (locally):
– C:\WINDOWS\system32\config\SAM
– C:\WINDOWS\system32\config\SECURITY
– C:\WINDOWS\system32\config\SYSTEM
LM Hashes: “.pwl” (password list) files
– Username -> usern001.pwl
Cached Credentials
Enhanced security for network authentication
Combination of several pieces of data used for the final hash
Encrypted with MD5
[Figure: NT password hash, domain, and username are concatenated and hashed with MD5 to produce the cached credentials]
Authentication
WINLOGON is accessed by using the CTRL+ALT+DELETE combination (secure attention sequence)
User inputs username and account information, which is passed to the Local Security Authority Subsystem (LSASS)
Local or remote access is determined
Access Location
Local:
– Username and password are compared to local values
Network:
– Uses a network authentication protocol to establish a secure connection and login
– LM/NTLM/v2
– Kerberos
LM/NTLM/v2
– New Technology/LAN Manager
– Used for LAN Server Authentication
– Windows 3.x/CE/9x
– Used LM and NT hashes
– Now called Integrated Windows Authentication
– Used with web services
Kerberos
– Developed at MIT
– Provides mutual authentication
– Prevents eavesdropping and replay attacks
– Maintains data integrity
– Default for Windows 2000, XP, and Server 2003
Policy Solutions
– Nothing easy to guess
– Minimum character requirement
– Use of pass phrases
– Password expiration
– No password reuse
Technology Solutions
– Disable LM hashes
– Password filter
– Account lockout
– Use of anti-virus and spyware detection software
What are Rainbow Tables?
Passwords stored in computers are changed from their plain text form to an encrypted value.
These values are called hashes, and there is a unique plain text value for every hash. Examples of different hashes of the same input can be seen below:
Type        Hash
MD2         A8FA298E39DCCD4BB99546AD015F4146
MD4         725C086015707D08849CC22283ADE154
MD5         CD13B6A6AF66FB774FAA589A9D18F906
SHA-1       1EB08C4E3F8A5AB5761723B1210AD4C30E41DC7
RIPEMD-160  4870CE7A5BB385EDC57930F05E3DAB0FB883DCC4
LM          9224FC255C58C50E
NT          87F65D137998A4CE59EA65B114A0F831
MySQL       32356F306146F12605E
MySQLSHA1   79239E0207CD5F6A472C8795C73B451D349C8573
Cisco PIX   EQRTXAW3PX3q9K5A
What Are Rainbow Tables?
A Rainbow Table is a table of all of the possible hashes from a certain cipher.
Brute force attacks are time- and resource-consuming. In many cases, the dictionary cracking method requires enormous lists to be effective. One gigabyte of dictionary passwords might be able to yield a 40 to 50 percent compromise of a set of hashes.
The same set of hashes with a complete set of Rainbow Tables, properly implemented and utilized, could effectively compromise 90 to 95 percent of the hashes in less than 25% of the time.
Generating Rainbow Tables
There are several programs that generate Rainbow Tables on your home computer, along with companies that, for a small fee, allow you to use their pre-generated Rainbow Tables.
Rainbow Table generation is time- and resource-consuming.
– It takes 13.2 hours on a 666 MHz CPU to produce the 610 MB complete alphabetical character set LM hash table. Keep in mind that the LM hash is the simplest and least complex one-way hash.
Once the table is sorted, a non-salted LM hash value can be cracked in a matter of seconds (avg. 3.7841 sec) with a success rate of 99.9%.
Generating Rainbow Tables
Most hashes, though, are built from more than just an alphabetical character set. They are constructed from a character set with letters, numbers, and symbols.
– To construct an alphanumeric-plus-symbol character set LM hash table takes 119 GB of disk space and 2354 days on a 666 MHz CPU. On faster machines it takes about 261 days to construct.
However, a table of this size is rarely ever used, because most software does not support the characters which can be used in a password of this size.
However, it was discovered that some of the best hackers had constructed complete Rainbow Tables of the most popular one-way hashes and had them running and stored on several different computers in their houses at the time of government raids.
Beating Rainbow Tables
There are several easy ways to beat Rainbow Tables and make their usage impossible:
– Salting
– Force the amount of time to create the table or run cryptanalysis to be so long that hackers won’t attempt to crack the hash
Salting is taking random bits and inserting them in certain spots of the plaintext. This way, when the hash is performed, the hashes will not match the Rainbow Tables.
Ways of increasing the table production time and cryptanalysis time are to:
– Force password changes every 30 days
– Make all passwords at least 15 characters long
– Use pass phrases
– Make all network control device passwords at least 25 characters long
– Force password complexity to require the use of at least the following: upper case alpha, lower case alpha, a number, and at least one symbol.
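An added illustration of the salting point above (not from the original slides): a precomputed hash-to-plaintext table over a small constructed wordlist recovers an unsalted hash instantly, while a random 16-byte salt stored next to the digest puts the value outside any table built in advance. SHA-256 is used here only as a stand-in for whichever hash is in use; function names and the wordlist are my own.

```python
import hashlib
import os

# Constructed wordlist standing in for the candidate space a precomputed table covers.
WORDLIST = ["password", "letmein", "qwerty", "summer04", "rit2004"]

def build_lookup_table(words):
    """Hash every candidate once; afterwards each lookup is a dictionary hit.
    This is the idea behind a rainbow table (which also compresses its chains)."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}

def crack_unsalted(table, digest):
    """An unsalted hash of any word in the table is recovered immediately."""
    return table.get(digest)

def hash_salted(password, salt=None):
    """Mix a random per-password salt into the input; the salt is stored in the clear."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()

def verify_salted(password, salt, digest):
    """The verifier has the salt, so checking a login still costs a single hash."""
    return hash_salted(password, salt)[1] == digest

def tables_needed(salt_bits):
    """A precomputed table is tied to one salt value, so the attacker would need
    one table per possible salt: 2**128 of them for a 128-bit salt."""
    return 2 ** salt_bits

def demo():
    table = build_lookup_table(WORDLIST)
    unsalted = hashlib.sha256(b"letmein").hexdigest()
    cracked = crack_unsalted(table, unsalted)   # found: "letmein"
    salt, salted = hash_salted("letmein")
    missed = crack_unsalted(table, salted)      # None: the table no longer applies
    return cracked, missed, verify_salted("letmein", salt, salted)

if __name__ == "__main__":
    print(demo())
    print(tables_needed(128))
```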
Demo
Congratulations, you have been hired by the Dúmbáss Corporation and you are required to create a new password for your user account.
Since the company does not hire RIT-trained network administrators, they require that your password be 10 characters or less and use only letters and numbers.
Please change the password on the laptop in front of you and write it down on a piece of paper (never do this in reality; it is just for this demonstration in case something goes wrong).
Watch as the password is destroyed.
Bibliography
– Operating System Concepts (our textbook)
– Windows Passwords, Everything You Need to Know, by Steve Riley, Security Program Manager, Microsoft Corporation
– http://www.antsight.com/zsl/rainbowcrack/
– http://www.securityfocus.com/infocus/1554
– http://en.wikipedia.org (for definitions in less complex language)
– http://news.com.com/2100-1009_3-5053063.html