
Microsoft hashes…


Page 1: Microsoft hashes…

MS systems use one of the following:

• LanManager Hash (LM)

• NT LanManager (NTLM)

• Cached passwords

• Kerberos

Page 2: Microsoft hashes…

Weakness of LM hashes

Well documented weakness explained…how to create the hash:

1. pAsSWOrd becomes PASSWORD (the password is converted to uppercase)

2. P A S S W O R D 0 0 0 0 0 0 (null-padded to 14 bytes)

3. P A S S W O R | D 0 0 0 0 0 0 (split into two 7-byte halves)

4. CONVERT 7 BYTES INTO BITS (56 BITS)

5. ADD A 0 BIT AFTER EVERY 7 BITS (64 BITS)

The first half gives DES KEY #1, the second half gives DES KEY #2

Page 3: Microsoft hashes…

Weakness of LM hashes

DES KEY #1 is used to ENCRYPT(KGS!@#$%), giving the FIRST 8 BYTES OF LM HASH

DES KEY #2 is used to ENCRYPT(KGS!@#$%), giving the SECOND 8 BYTES OF LM HASH

Page 4: Microsoft hashes…

Weakness of LM hashes

PASSWORD

P A S S W O R D 0 0 0 0 0 0

P A S S W O R | D 0 0 0 0 0 0

DES KEY #1: ENCRYPT(KGS!@#$%) = FIRST 8 BYTES OF LM HASH

DES KEY #2: ENCRYPT(KGS!@#$%) = SECOND 8 BYTES OF LM HASH

Page 5: Microsoft hashes…

Proof that case doesn’t matter

Password = E52CAC67419A9A22 4A3B108F3FA6CB6D

PaSSwORd = E52CAC67419A9A22 4A3B108F3FA6CB6D

Password1 = E52CAC67419A9A22 38F10713B629B565

http://www.lmcrack.com

Page 6: Microsoft hashes…

NTLM

Uses MD4 algorithm to create a hash of the mixed-case password

Results in a 16 byte hash of the password (stored in the SAM…we’ll cover later)

Used for any password greater than 14 characters

It is possible to turn LM hash storing off in Windows systems (although this is rarely implemented)

Page 7: Microsoft hashes…

NTLM

PassWOrD is fed through the MD4 HASH ALGORITHM (RFC 1320), producing the 16 BYTE NTLM HASH

Page 8: Microsoft hashes…

Proof that case DOES matter

Password = F15ABD57801840F3 348DDCCAFB677F6A

PaSSwORd = 17504CE07C0A0D4A 1BD3A99A0821F957

Password1 = F9A3152D926F9FF8 98D0BAFBA0BFFD30

Page 9: Microsoft hashes…

NTLMv1

Challenge-response mechanism that works as follows:

1. Start from the 16 BYTE NTLM HASH

2. NULL PAD THE NTLM HASH TO 21 BYTES (21 BYTE NTLM HASH)

3. SPLIT INTO 3 7 BYTE KEYS: 7 BYTE NTLM HASH #1, 7 BYTE NTLM HASH #2, 7 BYTE NTLM HASH #3 (DES KEY #1, DES KEY #2, DES KEY #3)

4. DES-ENCRYPTION of the 8 BYTE SERVER CHALLENGE under each key gives 8 BYTE RESPONSE #1, 8 BYTE RESPONSE #2, 8 BYTE RESPONSE #3

5. The three responses concatenated = 24 BYTE NTLM RESPONSE

Page 10: Microsoft hashes…

NTLMv1

The same steps are applied to the LM hash:

1. Start from the 16 BYTE LM HASH

2. NULL PAD THE LM HASH TO 21 BYTES (21 BYTE LM HASH)

3. SPLIT INTO 3 7 BYTE KEYS: 7 BYTE LM HASH #1, 7 BYTE LM HASH #2, 7 BYTE LM HASH #3 (DES KEY #1, DES KEY #2, DES KEY #3)

4. DES-ENCRYPTION of the 8 BYTE SERVER CHALLENGE under each key gives 8 BYTE RESPONSE #1, 8 BYTE RESPONSE #2, 8 BYTE RESPONSE #3

5. The three responses concatenated = 24 BYTE LM RESPONSE

Page 11: Microsoft hashes…

NTLMv1

SERVER ISSUES THE CHALLENGE (8 BYTE SERVER CHALLENGE)

CALCULATE RESPONSES USING LM AND NTLM HASHES: DES-ENCRYPTION of the challenge with the LM HASH gives the 24 BYTE LM RESPONSE, and with the NTLM HASH the 24 BYTE NTLM RESPONSE

(2) 24 BYTE RESPONSES SENT TO SERVER
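The LM key preparation from pages 2 to 4 and the NTLMv1 response calculation from pages 9 to 11, as an added Python example (not code from the slides). It assumes pycryptodome for the DES step, which is optional: the key-expansion and padding functions run without it, and the function names are my own.

```python
try:
    from Crypto.Cipher import DES  # pycryptodome; assumed optional dependency for the DES step
except ImportError:  # key preparation below still runs without it
    DES = None

LM_MAGIC = b"KGS!@#$%"  # the static value every LM hash encrypts (page 3)


def lm_key_halves(password: str) -> tuple:
    """Uppercase, truncate or null-pad to 14 bytes, split into two 7-byte halves."""
    pw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return pw[:7], pw[7:]


def des_key_from_7_bytes(k7: bytes) -> bytes:
    """56 bits -> 64 bits: a 0 bit is inserted after every 7 bits (DES ignores that bit)."""
    bits = int.from_bytes(k7, "big")
    out = 0
    for i in range(8):
        out = (out << 8) | (((bits >> (49 - 7 * i)) & 0x7F) << 1)
    return out.to_bytes(8, "big")


def des_ecb(k7: bytes, block: bytes) -> bytes:
    """Single-block DES encryption under a 7-byte key (needs pycryptodome)."""
    return DES.new(des_key_from_7_bytes(k7), DES.MODE_ECB).encrypt(block)


def lm_hash(password: str):
    """16-byte LM hash: DES(KGS!@#$%) under each half; None without pycryptodome."""
    if DES is None:
        return None
    return b"".join(des_ecb(half, LM_MAGIC) for half in lm_key_halves(password))


def ntlmv1_response(hash16: bytes, server_challenge: bytes):
    """24-byte NTLMv1 or LM response (pages 9-10): null-pad the 16-byte hash to 21
    bytes, split into three 7-byte DES keys, encrypt the 8-byte server challenge
    under each and concatenate. Note the third key is 2 hash bytes plus 5 nulls."""
    if DES is None:
        return None
    padded = hash16.ljust(21, b"\x00")
    keys = (padded[0:7], padded[7:14], padded[14:21])
    return b"".join(des_ecb(key, server_challenge) for key in keys)
```

With pycryptodome installed, lm_hash("PASSWORD") reproduces the value shown on page 5; without it the key-preparation steps alone still show why case is lost and why "Password" and "Password1" share their first 8 hash bytes.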

Page 12: Microsoft hashes…

NTLMv2

More complicated than version 1

Includes the use of two different client challenges in addition to the server challenge

One client challenge is a randomly generated 8 byte value

The other client challenge includes the time, a random 8 byte value, and domain name

Two 16 byte responses to the challenges are sent back

Not covered in detail here

Page 13: Microsoft hashes…

Local SAM and AD SAM

• Security Accounts Manager (SAM) is a database of the users and groups of a system and their associated password hashes

• Stored as a registry key

• Located in /windows/system32/config (/winnt/…for 2000)

• Protected since NT 4 SP3 with SYSKEY

• SYSKEY encrypts the SAM database…easily broken now, you’ll see this with one of the tools we’ll use in the demo

Page 14: Microsoft hashes…

Local SAM and AD SAM

Page 15: Microsoft hashes…

Local SAM and AD SAM

• When Windows is running the SAM is protected by the kernel

• The process that protects the SAM is called the Local Security Authority Subsystem (LSASS)

• Password tools have been created that allow the tool to do the following (fgdump):

  • Use a process to force the LSASS to load a DLL

  • The code within the DLL is executed in the context of LSASS

  • The newly unprotected password hashes are pulled using the same API that LSASS uses to access them

• This works locally and remotely

• Requires admin access to the system

Page 16: Microsoft hashes…

Local SAM and AD SAM

• The SAM in AD is very similar to that of a local system

• The AD SAM holds all AD account information including users, groups, hashes, and password history

• This requires that we run as an administrator in the domain

• Can be completed with admin access or using service hijacking (to be covered in a different presentation)

Page 17: Microsoft hashes…

Salted versus Unsalted Password Hashes

• We’re not talking about popcorn…

• An unsalted hash is one that simply uses the same key (or the same static value) on every system

• An example would be LM and NTLM hashes stored in the SAM database (the static value is KGS!@#$%)

• For example, if we both run Windows XP systems, and both of our passwords are “apple” then the password hash on both systems would be the same

Page 18: Microsoft hashes…

Salted versus Unsalted Password Hashes

• A salted password hash is one that uses some other value, in addition to the static value, as a modifier

• For example, UNIX systems use salt in the storage of their password hashes

• If we both had the same password again, “apple”, and if our system used the system hostname as the salt, then unless our systems have the same hostname the password hash on the two systems would be different

• Keep in mind the salted value either needs to be shared or available before the hash in plaintext so the other system knows what it was salted with.

Page 19: Microsoft hashes…

What does it matter?

• The SAM file is unsalted which means:

• We can pre-compute the possible password hashes in advance and do a simple look up for the hash…or

• We can use rainbow tables (more efficient way of pre-computing)

• Microsoft also uses something called a cached password which we’ll examine next

Page 20: Microsoft hashes…

MS Cached passwords

• If your system is a member system of a Microsoft Active Directory domain (drop down in the login) what happens if you’re not connected to the network? Can you still log in using the AD username and password?

• Yes you can, all thanks to cached credentials on the system

• These are stored (and protected) in the registry (depending on your system’s settings, normally the last 10)

• HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 - 10

Page 21: Microsoft hashes…

MS cached passwords

• So if they are stored can’t we get them and crack as we would a normal SAM file?

• Yes, we can get them, and since they are salted, no, we cannot just crack them as we would a SAM file password hash

• This uses a “password verifier” and not the actual password itself

• How is it salted? With the username:

  • The user’s NTLM hash is added to the username

  • Re-run the NTLM hash of the new salted value

• When we get access to the cached password we get the salt used (the username) and the hash of the username + NTLM hash…

• This leads us to only brute force as a cracking mechanism…unless?

Page 22: Microsoft hashes…

MS cached passwords

• What is the standard name for the administrator account in Windows?

• Couldn’t we just build our pre-computed tables with that as the known username and salt?

• Microsoft and the government have done this already…I’m trying to get a copy

Page 23: Microsoft hashes…

Kerberos

• Developed by MIT, adopted and reworked by Microsoft and put into Windows 2000/2003/2008

• Used for authentication between end systems and the Active Directory domain controller

• Uses concepts we will not cover in detail, however, it does not transmit the user’s hash, or response to a challenge, over the wire directly