Swiss Researchers Exploit Windows Password Flaw
Bueller_007 writes "CNET is carrying an article about a new (albeit simplistic) method used to hack alphanumeric Windows passwords in a matter of seconds, rather than minutes. To blame is a 'weakness in Microsoft's method of encoding passwords.' According to the authors, the same method, when used on Mac OS X, Unix and Linux boxes, however, could require either 4,096 times more memory or 4,096 times longer."
A few more details: Mister.de writes "As an example we have implemented an attack on MS-Windows password hashes. Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes (2^37) in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points. We show that the gain could be even much higher depending on the parameters used. This was found at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL)."
This is why I use Biopassword. Perhaps their encryption method is just as insecure as microsoft's, but at least there aren't quite so many Swiss researchers trying to crack it...
People are really running out of interesting stuff to "research", aren't they...
M$ passwords hacked within seconds...
Linux / Mac OSX passwords hacked within an hour too probably...
Maybe we need something just a little stronger!
I sure hope we aren't using Microsoft Technology for anything important like National Security? Cause that would suck!
Please Advise, I don't know how to think about this story, I'm a Swiss-American.
Ted
Fantasy remains a human right; we make in our measure and in our derivative mode... -- JRR Tolkien
Microsoft's vulnerable, wow I didn't know??? Granted every OS on the planet is vulnerable given enough time and research into it. Now if someone would forward this little article to the Department of Homeland Security, maybe they might second guess their microsoft solution ;-).
"Slashdot, where telling the truth is overrated but lying is insightful."
deserve's got nothing to do with it...
Good thing they're in Switzerland, or they'd get hit with a nice DMCA Lawsuit :D
"When a ball dreams, it dreams it's a frisbee"
I always thought there was something wrong with Microsoft's password "encryption." Now it's confirmed.
Wow.. I _really_ hope this is a (bad attempt at) a joke. ....
--
The only Perfect Source is Unwritten Source
LanMan is not used on win2000 and winXP machines.
NThash don't know, probably not.
This hack is obsolete
They've got those great knives after all.
"You know Myra, some people might think you're cute. But me, I think you're one very large baked potato."
This is hardly news. These weaknesses have all been known for years, and the use of dictionary attacks against passwords is very common.
Bruce Schneier talks about all of these attacks and weaknesses in his book "Applied Cryptography" which was published years ago.
Visualize the world of wine
"We fear, however, that the titles of these articles are a little sensational. While it is true that the LANMAN and NTHash windows password techniques have issues, the paper that kicked off this whole hub-bub [PDF] describes a refinement of an existing attack, not a new attack. We wanted to remind our readers that adequate password security is a good idea, whether your windows systems are being attacked with an adversary with an old copy of L0phtCrack, or with Philippe Oechslin's new system."
Read it all here
Will MS marketing use this study to convince upgrades to XP for marginally better security? Will PC sales be helped by forcing upgrades machines capable of running XP?
good thing ms just "improved" their licensing terms ;-)
We tried this at work yesterday, when the announcement hit bugtraq. It doesn't cope well when you throw in any punctuation.
Use a character that isn't a letter or number and the problem goes away. Move along, nothing to see here.
The only thing dumber than this lukewarm attempt at a joke, is the fact that I actually sat here and read the thing.
Spread the RC luvin'
13.6sec * 4096 = 55705.6sec
= 928.4...min
= 15h 28min 25.6 sec
What hardware are they running this on (here is where someone replies RTFA). I would have hoped that it would take longer...
What's the difficulty in adding a salt to the password encryption? This should be one of the easier flaws to fix. In any case, if someone can get your passwd file, you've already lost the battle.
I hope someone hacks my passwords at work and deletes this stinking code I'm debugging.
...
Oh, and the backups too. Just point your password crackers to
If it's not one thing, it's Steve's Mother
Even *nix is affected by this. I suppose a PKI infrastructure and passwds (shadow - MD5 of course). Maybe it's time for the chip implant.
du du du du du du du du (Twilight Zone Theme)....
.sig
Either way that is too fast. Looks like another good argument for non-alphanumeric characters in your passwords.
You do need either physical access or the admin password to get the hashes, don't you? Also, just curious: Is anything considered more secure than a hash?
If it weren't for fog, the world would run at a really crappy framerate.
This only works with NTLM v1. Not with NTLM v2.
In order to prevent this
Using secpol.mmc,
in your security policies set the LAN manager authentication level to 'NTLMv2 response only refuse LM & NTLM'
The passwords are only crackable if you have Win 9x machines in your domain.
If you have Windows 2000/2003 domain without Win 9x machines then your passwords cannot be recovered.
Admins can prevent Windows 9x machines from logging in to the network.
This is reason enough to migrate to Windows XP.
Why wasn't something like this found years ago, as opposed to, say, after ms machines already rule half the planet
Original post on Google Groups. People might like other posts by Egg Troll too.
Once I changed the Admin password on my Windows XP Professional box and forgot it. I had an additional user profile but with limited permissions. I had to reformat my disk and reinstall Win XP because I couldn't find a way to recover/change the admin password or make the limited user id to have admin access.
Is there a way that I could have recovered/changed my admin password knowing that I had the original Win XP install CD and I could log-in to the box with a limited access user id that wouldn't allow me to change admin password or install anything that needed admin rights??
You'll notice the line:
Users can protect themselves against the attack by adding nonalphanumeric characters to a password. The inclusion of symbols other than alphanumeric characters adds complexity to the process of breaking passwords--and that means the code cracker needs more time or more memory or both.
For those that don't realize, consider the following, for example:
# characters: 8, Upper Case Only: 208,827,064,576
# characters: 8, Upper, Lower, Numbers & Symbols: 6,634,204,312,890,620
This post is more for the types that really don't consider their password selection...
BSD is designed. Linux is grown. C++ libs
I smell a sale coming!
New New NEW. Lower Prices! Krazy Bill is just GIVING these away. Come on down. He's Krazy Krazy KRAZY to license this software with these terms! Get yours TODAY!
In this case, the "dictionary" consists of, not just a list of words, but a list of strings and their encrypted companions.
But you're still right: not really news worthy.
Karma: NaN
Why do I keep getting ads for watches and chocolate now?
WHAT I THINK we need is for the Swiss researchers to release the server program/or client program that we can use ourselves to test the security and we can start crackin' password...! ;)
They need to release something like John the ripper or l0ftcrack (now LC4)...
Sensational headline, don't you think Timothy? Swiss Researchers _exploited_ a password flaw?
I guess you could argue they _exploited_ it in order to publish their research results, as much as a planetary scientist exploits images of Mars to publish a new theory on subsurface water.
This sounds like the method I saw demonstrated at Rubi-Con 2002. This demonstration by Jon Erickson was very impressive and attacked traditional crypt(3) Unix password hashes. Use MD5 passwords!
13.6 seconds or 101 seconds doesn't make much difference, now does it? The real problem is still getting administrator access to the target computer in the first place.
In those days security was a different thing altogether (I am talking about when WFW 3.11 was released). I would not have included any random data into anything encrypted that I wrote back then because literally gigabytes would have been needed to make use of any supposed weakness. Well now the gigabytes are here and cheap and the shit is going to hit the fan.
It is obvious now that it has been shown up in the light but it wasn't obvious back when MS made windows a networking environment.
My opinion is that this is going to be a harrycarry day for Microsoft. There is no getting around this little lack of prescience.
Cuiusvis hominis est errare; nullius nisi insipientis in errore perseverare.
Cracking becomes easier if you have access to a distributed network. Parse the table into manageable chunks and throw it out to 100 computers. While the time taken to crack the password might not scale down in a linear fashion [ie: time/(N computers)], it will most definitely drop the crack time down to less than an hour for those computers with 12bit salts (4906*.6min= 41 hr, 41hr/100comps= 25 minutes).
Even if the 12 bit salt for mac/linux/etc was increased in size, a scale up in the number of computers used would defeat this added protection. The trend in the comp world seems to be more connectivity between large numbers of computers. All it takes is one disgruntled folding@Home grad student out at stanford to break even the most stringent password.
It seems that increasing the size of the salt would prevent the average script kiddie from breaking your password, but does nothing to alleviate the threat distributed computing presents. So what other options are there?
with a grain of salt.
rimshot
SCO employee? Check out the bounty
I'm not sure about NT, but most UNIX like systems have some kind of shadow password file that is only readable by root. If a person has already hacked root on my box, I could care less if they then "crack" user level passwords. This may leave other systems vulnerable to a userlevel compromise, but when I've been called in to fix a rooted box, I always assume that the passwords have been compromised and tell the users to change their password if they reuse it on another system.
No. You got my dick in your ass butt burglar.
From a few minutes to a few seconds? I hope they can patch this somehow and get it back to a few minutes.
You've made a supposition that MS passwords are marginally weaker than Unix passwords. Read the article, and there's a more basic factor at work.
>"Windows passwords are not very good," he wrote. "The problem with Windows passwords is that they do not include any random information."
From what I understand, Unix passwords normally take a little 'salt', a little random information, as well as the user password, and hash that. Microsoft just hashed the user password without the salt. This makes it easier to crack, anything else aside.
To their credit, you have to be Admin to get to the password hashes, rather like /etc/shadow.
To their debit, most WinDesktops that I'm aware of end up as glorified single-user machines, and that user is also.... Admin. Finally build a decent security model, and then customers ignore it.
The living have better things to do than to continue hating the dead.
I've seen tools to crack Windows NT passwords for years now, most of them in the form of a Linux bootdisk (I keep one here, in case of emergency, break glass...)
Granted, this is different, as the Swiss in this article basically reverse-engineered the algorithms for password encryption, whereas all the bootdisk does is re-hash the registry entry containing the desired password.
13.6 seconds! Aren't swiss watches wunderful?
Hacker(2) + University Affiliation = Researcher
Windows uses less memory to do this trick than Linux. Who knew Windows was so efficient at handling memory when being hacked?
Nanite
God is real unless declared integer.
Because of faults in NT machines I've had to use Linux boot disks on many occasions to get into and change/verify passwords.
I guess I never considered any of my Microsoft machine secure, not that anyone would want my g0at pr0n anyway.
Why try and guess the password with computer power if you can just open the hash and look at it using a little linux install and app that fits on a floppy or CD?
An average of 13.6 seconds.
Of course. Just like Swiss clockwork.
I agree whole-heartedly with this poster, and this was one of the best slashdot posts of all time!!!
No wonder Microsoft said they would foot the legal bill for anyone using their products. With security like this...
Shesh
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
This authN method is 8 or 9 years old. You can disable the NT hash by using either a password length of more than 14 chars or by using a simple registry value on Windows 2000 SP2 systems or higher. This KB explains how. Any good sys admin should have the LM hash disabled on all Windows machines by default anyways and set strong passwords which contains more than simple letters and numbers.
Mindless Microsoft bashing at its best!
If the MPAA will charge foreigners under the DMCA, I suspect that Microsoft might do so as well
You can't judge a book by the way it wears its hair.
You can (and should) disable NTLM authentication if you're running Windows 2000 or 2003. This is very easy to do and makes any server immune to this type of hashing attack. It's even listed in Microsoft's Best Practices documentation for administrating their servers. It might cause problems with older Win9x clients, but there are updates to these clients that allow them to get along without NTLM.
If you're running Active Directory in Native Mode, NTLM is easily kicked to the curb. However, NT4 machines remain vulnerable to this hack. Yet another reason to just get off of NT.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
This is difference between a 50 speed writer and a 5 speed writer. Order of magnitude. Much as they discovered that UNIX is 3 orders of magnitude (e.g., 1000, 2000, etc, in this case 4000 times) harder to crack than Windows.
MORTAR COMBAT!
The article makes a statement that I think is untrue:
Using a tool like Cain & Abel, it is possible to get access to this information without having administrative rights.
You can also dump the hashes using Cain & Abel's password cracking tool. It is really quite trivial to do.
By the way, you can easily acquire the passwords of the last five users who logged into an NT system. They are stored in LSA "secrets", an area of memory which is easy to dump. Cain & Abel does this for you.
Have fun.
Join Tor today!
SOOOO many software products basically require you to be an Administrator to run properly, that the customer (user) has to run as an Administrative user just to be able to run what SHOULD be user-space applications.
Most Microsoft applications actually do the right thing, they keep your application data on a user-basis, but a TON of third-party applications (and GAMES) basically want the user to be able to write to "Program Files" or specific directories, and/or the registry, just to USE the application.
MORTAR COMBAT!
Why bother cracking NT (and Win2K/XP) passwords when you can just overwrite them? Boot from this floppy and you can change any local password (including the administrator). It's been useful on more than one occasion at work...when somebody quits or is fired, I can go in and retrieve everything in just a few minutes.
That they're nearly as trivial to crack is somewhat disturbing...but given the ready availability of the password changer, it doesn't make Windows significantly less secure than it already is (hell, it can't get much less secure).
20 January 2017: the End of an Error.
It's disturbing that more organizations don't implement the correct NT policies to disable creation of these old LM hashes on their NT/2000 networks. It's a simple process.
Cracking the current NTLMv2 128bit hashes is extremely more difficult, and generally renders L0phtCrack useless for all but the most weak passwords.
...password phr4c|
The point of the article is to show off a faster, new time-memory trade-off technique, not to just down-play Windows security. The manner in which Windows' password security is built simply provided an error-free sandbox for this method to be tested, and exemplified.
Don't feed the trolls.
Informatus Technologicus
Boot from this floppy
Because this doesn't require physical access to the machine? Because now some l33t d00d from another country can get passwords?
MORTAR COMBAT!
Am i too late for a lame swiss cheese joke?
Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes (2^37) in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points
;-)
Wow, does that mean that they are getting 100MB/s from a CD-ROM? That'd be more of story than the cracking!
If you're an admin, just connect to the 2k/XP machines with the Computer Management console and reset the passwords remotely. Or log onto the workstation as the domain admin and do the same thing locally. This comes in even more handy when the account you need to change the password on is a domain account.
First the cheese, and now this!
What a horribly bad way of doing things. It would've been smarter to use a one-way hash function, and then store the hash of the password, rather than the encrypted password itself. For verification, you just compare the hash of the entered password to the one stored on the system. This makes passwords unrecoverable, since they're never actually on the system. The major problem with this is that multiple strings can generate the same hash. However, taken in the grand scheme of things, this can also be a strength. While one system may be compromised, the chances that the intruder has generated the user's actual password are very low, greatly reducing the risk of a leapfrog attacks across the network.
I strongly disagree. Maybe this 4096 times applies to the traditional single DES crypt. But except for some rare compatibility issues with old systems or for dumb people that create Apache .htpasswd files with it, nobody uses single DES any more for years.
Passwords hashed with MD5 and Blowfish don't have the 8 character limitation. There are still some people who like to assign users passwords like "*9_p7Z9ox" even though their system doesn't use single DES any more. This is just plenty stupid. Not only it's a hell to remember for the end user, but it's damn fast to brute force when hashes are precomputed as described in this article.
A normal password like a real sentence (ex: "I'd like to have sex with Sandra") is not only way more easy to remember, it's also orders of magnitudes harder to brute force.
{{.sig}}
I pepper my passwords and they are 65,536 times harder to crack than salty passwords.
ObSimpsonsQuote:
"40 seconds? I want it NOW!" - Homer Simpson.
As you know we have a company security policy based around frequently changing passwords, in order to keep our Windows network secure.
Previously, as you are all no doubt aware, you were required to change your Windows passwords once every 90 seconds, since NT passwords can be cracked in 100 seconds flat.
Due to recent developments in MS password cracking, we will now be requiring all employees to change their passwords once every 10 seconds, to ensure they remain secure.
We hope this will not detract from productivity, and apologise for any inconvenience it does cause.
thanks,
Management
This stuff is good! I've used it before!
Check out their next projects
:
Check this one out
Monitoring Chat Users (Assigned)
* Status: proposal
* Type: Open
* Description: A tool has been developed for monitoring users of various chat systems. It is being used by the police to monitor trading of illegal material by Swiss Internet users. The goal of this project is to make the current tool more robust, to collaborate with an inspector in order to develop advanced features and to adapt the tool to additional chat systems.
* Requirements: Good programming (Java).
As others have pointed out, people use Admin not just because it's easier, but because so many windows apps require Admin access.
Give people the encouragement to use other password-- like, say, an enormous, annoying Flash warning that pops up whenever they log in as Admin, and they'll use their own usernames.
I can crack any computer in 2 seconds. Now where did I put my sledge hammer?
"I have never let my schooling interfere with my education." - Mark Twain
With regards to upgrading, I've come to the conclusion that even though MS says they want to improve security in their products having flaws is a great way to force people to upgrade.
I'll give NT4 as an example which is EOL'd. You're a company who has managed to get your NT4 server rock solid. A new security flaw comes out and since NT4 is EOL'd MS says no security patch for you, upgrade to Win2K.
Of course if you were a complete conspiracy theorist you could say even MS would leak holes in their old products.
...Microsoft had more holes than Swiss Cheese!
Bada bing! I'll be here all week...
--
Mac OS X--Unix without the assholes^Whassles.
As with many file based cracks, it is at very least debatable over the need for Administrator access on the box itself. One method that I used to see in the L0phtCrack days was to boot the machine using a black box distribution on a floppy (compressed minimal *nix kernel with ntfs support) then grab the .sam file from the hard drive itself. From there, you can take your time cracking the Administrator password, and then with that access you can remotely dump the registry database on the server from any box on the network. Then all that's needed is the time to crack away at leisure. Note that the domain controller registry contains user/password hash for all users on the domain, while the .sam file only contains the local admin password hash (and possibly a few others ... it's been a while).
On a small aside, this can also be handy as hell when you're a computer store looking at a perfectly good server box that the admin (and I use the term lightly) has forgotten the password to. Rather than reinstall the entire box, pull the .sam file off of the hdd and run good ole L0pht ... bang! 15 seconds later (if of course the dictionary attack works) and you have the password.
Oh and as a counter to the comment about the security of unix passwords being only 4096 times greater, I have two words: md5 hash.
**AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
That's like the MHz myth - if the increment isn't really perceivable, then it doesn't matter. Like, say, how I couldn't tell the difference between a 3 GHz computer and a 2000000GHz computer - similarly, it also won't matter much whether I crack passwords in 13 seconds or 100, as it will take me a lot longer than that to get the hashes. Here, the factor of 10 is pretty much irrelevant in practice.
It might matter if they somehow made the password hashes longer or something, as then the analysis you make would take effect - 1 hour vs. 8 hours, etc. But over such short time intervals, no way. Bottom line is 100 seconds is so short, you're already screwed.
Just wondering, but is there any reason why it's so easy to get the hashes? I might recommend shadowing the password file...oh, wrong OS. ;)
-Looking for a job as a materials chemist or multivariat
Well, most linux systems I know use md5 passwords.
Granted, getting people used to using longer password than 8 chars is a pain.
Brute force alphanumeric still is strong, there.
Wow, these guys just invented the dictionary attack!
From My Experience With l0phtCrack, Which is what this is basically except much faster...
The only way this will work is if someone gets access to a Domain Administrator acct. (unless you are running NT as your DC and Didn't Run Syskey to increase your Password security. Then You're Screwed) After someone has a DA account why are they going to bother to hack passwords? They already own the farm.
This is the Equivalent of Someone getting root on Linux. Pretty much if someone hacked the Administrator account you are screwed.
In Soviet Russia, Trojan exploits YOU!
I hate my life....why do I even read the posts anymore....
I don't know what I'm talking about, but that doesn't stop many of us on Slashdot.
If I understand correctly, they're using an optimization technique where they pre-hash the dictionary database, in this case for no salt. With a 12 bit salt (your example) the pre-hash database would have to be 4096 times as large and presumably be available on every node in your cluster, or you would have to hash the whole dictionary at each node (not optimized) for every password hash/salt combination you try to crack.
If this doesn't make sense, read the subject line again.
What you need to understand is that this salt is no different than lengthening the actual password itself! For example if my password is "passwd" a unix system will add an extra 12-bits onto this password and then encrypt it. A password that is encrypted on a Unix system is say "passwdzd" where "zd" is the "salt" (BTW the salt is stored in /etc/passwd along with the encrypted password). While on a windows system the password that is encrypted is simply just "passwd". On both systems I still type "passwd" to log in.
Salt is not some kind of magic elixir, it is simply a means to add additional length to the password (without the user having to remember it), to make the dictionary attack take longer (or more memory). To have approximately equivalent dictionary attack complexity the windows password would have to be two characters longer than a Unix password, to make up for the salt.
So in summary, the attack is not an attack per se. It is simply a way to speed up a standard dictionary attack. On all systems this can be done assuming you have root/administrator access. The notion of salt is somewhat of a red herring -- the researchers' results still apply to Unix systems as well, it is just that the dictionary would have to be 4096 times larger assuming the same password length. Or you would have to go after passwords that were ~ 2 characters less.
As always the best way to defeat these kinds of attacks is to use long, nondictionary words, placing nonalphanumeric characters throughout the password. (Not just as the first or last character).
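The salt mechanics discussed in the comment above (salt stored in the clear beside the hash, precomputed table growing by 2^12), as an added example that is not part of the original thread. SHA-256 stands in for the LM/DES-crypt hashes, the alphabet and 3-character length are a constructed toy space, and all function names are hypothetical.

```python
import hashlib
import hmac
import itertools
import secrets
import string
from typing import Dict, Optional

SALT_BITS = 12  # classic crypt(3) salt size quoted in the thread
ALPHABET = string.ascii_lowercase + string.digits  # constructed toy alphabet


def digest(password: str, salt: Optional[int] = None) -> str:
    """Stand-in one-way hash. SHA-256 replaces LM/DES-crypt purely for the demo."""
    prefix = b"" if salt is None else salt.to_bytes(2, "big")
    return hashlib.sha256(prefix + password.encode()).hexdigest()


def store(password: str, salted: bool, salt: Optional[int] = None) -> Dict:
    """Build the record a system keeps. The salt is saved in the clear with the hash."""
    if not salted:
        return {"salt": None, "hash": digest(password)}
    if salt is None:
        salt = secrets.randbelow(1 << SALT_BITS)
    return {"salt": salt, "hash": digest(password, salt)}


def verify(record: Dict, candidate: str) -> bool:
    """Login check: read the salt back from the record and re-hash the candidate."""
    return hmac.compare_digest(record["hash"], digest(candidate, record["salt"]))


def build_unsalted_table(length: int) -> Dict[str, str]:
    """Precompute hash -> password once for every string of the given length."""
    table = {}
    for chars in itertools.product(ALPHABET, repeat=length):
        word = "".join(chars)
        table[digest(word)] = word
    return table


def lookup(table: Dict[str, str], record: Dict) -> Optional[str]:
    """A table hit needs no hashing at all, only a dictionary lookup."""
    return table.get(record["hash"])


def entries_needed(length: int, salt_bits: int) -> int:
    """Table size required to cover every password under every possible salt."""
    return len(ALPHABET) ** length * (1 << salt_bits)


if __name__ == "__main__":
    table = build_unsalted_table(3)

    # Unsalted: identical passwords give identical records, and one table
    # built in advance serves every account on every machine.
    alice = store("k9z", salted=False)
    bob = store("k9z", salted=False)
    print("same record for same password:", alice == bob)
    print("unsalted lookup:", lookup(table, alice))

    # Salted: same password, different stored hashes, and the table misses.
    carol = store("k9z", salted=True)
    print("salted lookup:", lookup(table, carol))
    print("login still works:", verify(carol, "k9z"))

    print("table entries, no salt:", entries_needed(3, 0))
    print("table entries, 12-bit salt:", entries_needed(3, SALT_BITS))
```

The salt never has to be recovered from the hash: `verify` reads it from the stored record, which is why it can sit unprotected next to the hash and still multiply the precomputation cost.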
When you create your "user" when setting up XP, you're actually creating a new Administrator account, in _addition_ to the existing "Administrator" account, and, more than likely, without a password.
MORTAR COMBAT!
There is no immediate future for a table driven attack on this algorithm (Which can be recognized by the '$1$...' prefix).
HP-UX, Solaris and AIX, however still use the old 12 bit salted DES derived passwords.
Poul-Henning Kamp -- FreeBSD since before it was called that...
You could say that they made Swiss cheese out of those Windows passwords.
To-do List: Receive telemarketing call during a tornado warning. Check.
They took advantage of a Time/Space tradeoff. How is this news? Surely, this doesn't make windows passwords much less secure than they already were. If I wanted to crack your windows password I'd be willing to wait a minute and a half.
This isn't a security problem.
Windows password hashes (both the LanManager hash described here and the newer NT hash) are never sent "in the clear" over a network, or accessible to non-admins.
Why? Because they are plaintext-equivalent. Most NT network protocols treat the hash itself as a shared secret and do not make any attempt to verify that you know the actual password.
Yes, that's right. You already don't need to know the user's unencrypted password - except possibly for changing it (I can't remember offhand whether the various password-change calls require proof of knowledge of the old password - but I don't think they do either). Once an attacker gets the hashes out of your SAM, the game is already up, even if he can't decrypt them.
Given this fact, I sometimes wonder why Microsoft even bothered to try making NTLM a secure hash. BASE64 would have done pretty much the same job.
Move along, nothing to see here. Your passwords are just as secure, or as insecure, as they ever were.
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
I suspect much more damage is done by people who know the passwords already: unhappy ex-employees, crazy wives, blackmailed secretaries.
The only solution I can see is to store nothing confidential on computers. I already do this: all my valuable information is saved onto the memory of my digital camera (32 Mbytes can hold a lot of ASCII documents).
Now, if I can find those bastards that burgled my apartment last month and stole both my digital camera PLUS my backups I held on my MP3 player...!
Ceci n'est pas une signature
...or a poor one if you are.
Look at it this way, you've been trying to crack their password for 90 days, that means 90 days or more of attacks and "failed logon" events. If the administrator doesn't notice your malicious activity within that time period and do something about your access method, I think you deserve to get in.
Most corporate Windows networks that I'm aware of use domain controllers for authentication, which means that even if you COULD gain local admin access to a workstation on the network, using this Swiss method isn't going to get you passwords other than the local passwords stored on the compromised box.
If their method worked on domains, this would be much more significant. As it stands, it is only a concern to physically insecure, standalone boxes.
Why bother cracking NT (and Win2K/XP) passwords when you can just overwrite them?
Why would you even bother to overwrite them? Just boot to DOS and read/copy at will. Apparently, none of the information at your work is encrypted, otherwise you would not be able to just overwrite the password.
As you know, all encrypted files with NTFS require the creator's password to unlock. There is a reason to crack the passwords, because if security was employed as tightly as possible, simply overwriting them with a floppy will not be enough. Just because you can login as admin doesn't mean you can access all the files. If any of those people that left were savvy enough to encrypt any files, you've essentially locked yourself out of reading those by changing the password.
Here's a spare
F
hth
You could recover your data using Knoppix, which would let you boot into a system and read the file system. Unless you encrypted that.
Better yet, you can use your bootloader to pass "init=/bin/bash" to the kernel so the first thing you get is a shell with no password checks at all.
(From Linux Server Hacks by Rob Flickenger)
Jay (=
This is why physical security is important. It's a lot easier to get into your system while inside your firewalls to the internet. Having a key card isn't all too expensive. It's not the most secure, but it carries a fairly good price vs security bonus value. If your company had millions of dollars to burn sure everyone could get a fingerprint/voice/whatever scanner on the doors and for each computer/office room, but the point is, if you do have to deal with a Windows network, at least try to get some physical limitations to people just walking in and using your own local computers to hack into your server, or hell, physical access to the server itself.
...in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points.
To be honest, this isn't as much of a scare as most people would think. A person willing to crack a password in ~13.6 seconds would no doubt be willing to take the extra minute regardless.
Plus you need Administrator privileges to get the hash file anyways, so you'd be able to access anything needed locally anyways.
Finally, crackers wouldn't be able to escalate to these privileges in the first place (hey, they wouldn't have any access on the system), so there really isn't anything for anyone to be concerned.
We're not set up that way...there is no domain controller or other centralized password management scheme. A couple of Linux boxes run Samba as workgroup file servers and another Linux box runs lpd to handle printing, but everybody is the "admin" of his own workstation(s). Maybe that's not the best way to run a network, but when you have fewer than a dozen people, it works well enough. (I did some experimenting at home a while back with configuring Samba as a domain controller (and got Win2K to log into the domain), but I haven't implemented it at work.)
20 January 2017: the End of an Error.
This might be an easy question, and it's probably offtopic, but can anyone provide a 5 cent explanation about how the salt bits work?
To clarify: I understand the hashing part:
data bits + salt bits ==(hashing algorithm)==> hashed data
The idea is that the hashed result is unpredictable because of the addition of the salt bits, so the data is more difficult to decode with a dictionary attack.
What I don't understand is how you get the salt out on the other side to recover the original data. I know, I know - it's a one-way hash so you have to hash the thing you want to compare it to and see if its hash matches, but without knowing the salt before-hand, how do you get this to work?
Are the salt bits selected so that they get mapped to the kernel of the hashing function? That can't be it - the result would be the same as with no salt. (Definition of kernel(f), IIRC - my group theory is old.
Help?
"Lawyers are for sucks."
- Doug McKenzie
Last time I checked, DOS doesn't grok NTFS. (A bootable Linux CD would work, but then you have the iffy support for the cheap-ass NICs in HP Pavilions and the built-in NIC in nForce-based systems to deal with. Those can be dealt with by temporarily installing a 3C905B that I keep on hand for the purpose, but it's simpler to just overwrite the password, log in, and get what I need.)
20 January 2017: the End of an Error.
Very, very good. I laughed a lot after the second of hesitation my brain needed to form the whole picture. Sorry I don't have some mod point to give you. Cheers!
If you read their paper, then they actually did do something kinda nifty.
Short version is that they precalculated a hell of a lot of hashes to passwords.
This is possible on Windows because it uses no salt for the password (no machine specific number to create the hash). So one password generates the same hash on all Windows boxes.
Where they actually did something nifty is devised a way to do an extremely fast lookup through those hashes. You input the hash and it can find it in that 1.4 gig of data within 13.6 seconds, as opposed to 101 seconds using the older fastest way available.
So it's news worthy not in that they cracked M$ crappy passwords, but in that they developed a better search method to do it fast. Read the paper here: http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
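An added example (not from the paper or from any poster) covering both the salt question earlier in the thread and the comment above about unsalted Windows hashes: the salt is stored in clear next to the digest, so verification simply reads it back, while a table precomputed without it no longer matches. SHA-256 is a stand-in for the real hash functions, and the record format, function names and sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import itertools
import secrets
import string

SALT_VALUES = 4096  # 12-bit salt: the 4,096 figure quoted in the thread


def unsalted_hash(password):
    """Stand-in (SHA-256) for an unsalted scheme: same password, same hash, on every box."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Return 'salt$digest'. The salt is not secret; it sits in clear beside the digest."""
    if salt is None:
        salt = secrets.randbelow(SALT_VALUES)
    salt_hex = f"{salt:03x}"
    digest = hashlib.sha256((salt_hex + password).encode()).hexdigest()
    return f"{salt_hex}${digest}"


def verify(password, record):
    """Login check: read the salt back out of the stored record, re-hash, compare."""
    salt_hex, _digest = record.split("$", 1)
    candidate = salted_record(password, int(salt_hex, 16))
    return hmac.compare_digest(candidate, record)


def build_unsalted_table(alphabet, length):
    """One-time precomputation of hash -> password over a constructed, tiny keyspace."""
    table = {}
    for chars in itertools.product(alphabet, repeat=length):
        pw = "".join(chars)
        table[unsalted_hash(pw)] = pw
    return table


def demo():
    alphabet = string.ascii_lowercase + string.digits
    table = build_unsalted_table(alphabet, 2)   # 36**2 = 1296 entries
    pw = "k7"                                   # constructed sample password

    # Unsalted: two machines store the identical value, so one table serves both.
    box_a, box_b = unsalted_hash(pw), unsalted_hash(pw)

    # Salted: same password, two different salts (fixed here for repeatability).
    rec_a, rec_b = salted_record(pw, 0x1A3), salted_record(pw, 0xE07)

    return {
        "unsalted_identical": box_a == box_b,
        "table_hit_unsalted": table.get(box_a),
        "salted_identical": rec_a == rec_b,
        "table_hit_salted": table.get(rec_a.split("$", 1)[1]),
        "verify_ok": verify(pw, rec_a) and verify(pw, rec_b),
        "verify_wrong_pw": verify("k8", rec_a),
        # A table that covers every salt needs one copy of the keyspace per salt value.
        "entries_for_every_salt": len(table) * SALT_VALUES,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
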
Step 1.5: Bring donuts into the office. Don't bring napkins.
Then you can basically skip the chalk steps because you can identify the donut glaze.
The other method:
Step 1: Talk to the VP on the way to his office.
Step 2: Watch which buttons he presses and remember the code.
Simple solutions work with high frequency.
Network Security: It always comes down to a big guy with a gun.
After a dozen or so times typing it in, you actually start to remember it. For those wondering, that password is something I just made up. I don't actually use it. =P~
-Lucas
You get access to a 1000 users network password file. Recovering all passwords will take you 9 days instead of 70, giving you a large advantage over the network security reaction.
Besides, before that you could only crack into your evil co-worker station when he was away for a cup of coffee. Now it is enough for him to be distracted by the hot boss assistant's legs...
Anyone who wants to learn more about how UNIX Password security was designed should read this paper by Robert Morris and Ken Thompson that explains things like hashes (one way cryptographic functions) and salted passwords.
MOD THE CHILD UP!
What's it matter? Everybody's password is written on a Post-It next to their terminal anyway.
Part of the reason one would want to brute force the hash is to find admin. passwords for other computers, as, if the password cache has not been manually set to 0, the password of anyone logged in to the network through that computer is cached. If an admin. logs in to the network, then the admin's password hash is stored for a time so that logins are possible during network outages. Clearing the SAM file will give you access to only one machine.
Easy: Lots of people reuse their passwords. If you just overwrite their password, you lose out on all the other accounts that person might have on other systems. But, if you crack their password, there's a good likelihood that it will work on their yahoo account, their hotmail account, their on-line bank system...
Is that adequate passwords make this hack impossible. It relies on a "lookup table" (read, pregenerated dictionary attack results). If your password ain't in it, it ain't happening. Look, chances are, you speak at least a few phrases of a foreign language. Dictionary attacks generally use English words; choose a couple of foreign words and numbers for your password, and all this crap goes away.
If you don't choose a decent password, then, well, your password will take five minutes to crack rather than 13.6 seconds. Feel better?
If your bitterest enemies are people who hack the heads off civilians, then I would say you're doing something right.
Ya know, that same technique would work in a linux environment too, just boot up from a rescue CD, mount your root partition, and overwrite the /etc/passwd file with your own passwd file.
Just use this pass. You'll still get hacked like a poser, but you'll win in the end:
HASH: 7EC45608BC8B887F4F2E8522BCC8E1D0
Pass: youmayknowmypasswordbutimbangingyourwife
I crochet because I'm lonely, I'm lonely because I crochet.
Unlike LANMAN, which uses DES (64-bit) for 7-bytes at a time, (+ assumptions), which makes it within reverse-lookupable reach with some cleverness (as they have shown)
MD5 doesn't provide you an opportunity to trivially break the hash into pieces you can analyse separately, nor does it as easily preserve the relationship between characters composing the password and effects on the hash. This makes it less trivial to guess the password.
Black holes are where the Matrix raised SIGFPE
Some bonar posting "Is this newsworthy? A book two years ago ... blah blah blah" and getting modded +4 insightful for pointing it out.
So the next article on space and solar systems I see I'll post "Is this newsworthy? Copernicus knew about planets long ago" and reap my mods.
You think you know.
damn.. I could've posted this one.. the Hacktivismo site had this on yesterday. Oh well, anyway, go hacktvismo.com and participate in their trusted peer group. Also, to all who mention needing admin access to get sam.. just boot from cd or usbkey or flop.
e
Well, if I am already using the latest windows exploit, I will be running all my processes as SYSTEM so who would need all these useless password things? It just sounds like this exploit is a day late and a dollar short. /me goes back to bot-net which is running as SYSTEM
As the article itself points out, you need access to the password file to see the hashes in the 1st place, so if the system is secure this is a minor issue. For instance, that's why people don't use NIS on open networks. You can collect these hashes and decrypt passwords because NIS simply passes the password hash unencrypted
"Originally, we were targeting NT to the Intel i860 (code-named 'N-Ten)', a RISC processor that was horribly behind schedule. Because we didn't have any i860 machines in-house to test on, we used an i860 simulator. That's why we called it NT, because it worked on the 'N-Ten.'"
-Mark Lucovsky
Distinguished Engineer
Windows Server Architect
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
And we can't use a tool like PWDUMP? to grab the hashes remotely? Also, This FREE tool will sniff windows 2k traffic. Yes, Kerberos is one solution.. and disabling NTLANMAN will help as well, but how many enterprise environments are there that don't support mixed mode? Maybe a better question is how many HAVE TO support mixed mode because of the problems with the microsoft version of Kerberos communicating with the long standing tried and true version of Kerberos that ALL other platforms use (and have used) for years?
=-=-=-=-=-=-=-= - The Celtic - =-=-=-=-=-=-=-=
now they've turned the password scheme into swiss cheese.
Then configure the machines so that all the Administrator accounts have the same password that only you know (and the users' accounts aren't just renames of the Administrator account) or create your own user account on all the workstations. The Computer Management console will work then for your setup (this is how it's done at my college which is too stupid to run a domain, but instead use a Novell server with nearly 600 Win2k Pro workstations and 4 WinXP Pro workstations).
They [you?] make a good point, but as Hegel teaches, there are times when a difference in degree ought really to be considered a difference in kind. This is what scientists mean when they talk loosely about a "different order of magnitude," usually a difference of at least 10x.
OK, author of md5_crypt, what the hell is up with this code? (http://www.freebsd.cz/pub/FreeBSD/branches/4.0-stable/src/contrib/libpam/modules/pam_unix/md5_crypt.c)
    /* ... */
    /* Don't leave anything around in vm they could use. */
    memset(final, 0, sizeof final);
    /* Then something really weird... */
    for (j = 0, i = strlen(pw); i; i >>= 1)
        if (i & 1)
            MD5Name(MD5Update)(&ctx, (unsigned const char *)final+j, 1);
        else
            MD5Name(MD5Update)(&ctx, (unsigned const char *)pw+j, 1);
    /* ... */
There are a number of alarming things about this code. First,
you're overwriting 'final' with zeros so that it won't stick
around in VM, but you're not done using it yet! Then in the
next loop the variable j is added each time around, but it always
remains zero (essentially, that loop computes alternating 0s and
the first character of the password). Really weird, indeed!
There's a bunch of other awkward things about this code that make
it obvious that (a) it was not designed by a cryptographer and (b)
was never audited. That scares me a little. Do you have any explanation?
see above
"Old man yells at systemd"
Internally, you still have a secret key and your input from the passpicture or biometric scanning software still has to go through some function to match it (it's probably less "hard" than a pure hash function). From that derived input, you can figure out what kind of finger print you need to "send" to the scanner using a serial dongle, or what pictures to press.
Hopefully the passpicture program increases the password choice complexity above 2^37 to about 2^48 or more. But you might be sitting there all day clicking photos or rosarchs. I don't know.
Black holes are where the Matrix raised SIGFPE
... you'd know that they only have to lookup a few cyphertexts from keys on the disc (usually no more than t) to trace back to the original. Most of the heavy collision detection between key chains are done before the CD-ROM is made. So they can use depths of something like t=4000 (?) and it's got a high hit rate. Re-checking other chains happens enough that you don't hammer the CD-ROM so much and they can maintain their average time of 5 seconds.
Black holes are where the Matrix raised SIGFPE
I don't know. Aiiiiiiiiiigh! You cracked my encryption scheme.
KFG
It's just precomputing the hash values.
Since there's a finite number of hashes, they're just doing a brute force attack, then storing the hash results.
Once you've done that, looking up the hash values is trivial.
Of course, doing all the precomputing will take time, but it's a one-time event.
"If your passwords consist of letters and numbers, beware." This is why I only use spaces in my passwords.
Except for the really important ones.. I leave those null.
No, you wouldn't see a "huge increase in the number of 'security breaches'" because the majority of viruses spread on Windows are spread by exploiting flaws in Outlook to automatically run code or that hides the real extension of the attachment.
:)
That is one of the biggest problems with a mono-culture like Windows.
On Linux, there are too many different mailers. At work, we run GroupWise and we are NOT subject to all the Outlook problems.
Now, someone could write a virus/worm/whatever that exploited GroupWise code, but it would have to be sent directly to us.
Unless it also exploited Outlook code.
Which makes it that much harder to write.
Now, add in a third mail client and the problem with getting the virus/worm/whatever to someone becomes that much more difficult.
The only way Linux will ever have the same problems you see on Windows (in regard to worms, viruses, trojans, whatever) is for a single mail client to be deployed on 80%+ of the desktops and for that mail client to have at least one easily exploitable security flaw.
AND for Linux to have 50%+ of the desktop market.
We'll make a deal. When Linux gets to 50%+ (shouldn't be that much longer now), you post again and we'll see what the virus/worm/trojan/whatever situation is like.
Deal?
The particular hash they attack stores up to 14 bytes of password data. However, these 14 are split in two chunks of 7, then converted to uppercase then hashed, then concatenated. This is about the stupidest possible way to waste entropy. It means that alphanumeric passwords have effectively at most log_2 (26+10) bits \approx 5.1 bits of entropy per keystroke. Each chunk will have seven times this entropy (seven bytes), and both chunks combined will have an entropy of (7 * lg_2 36) + 1 \approx. 37.1 bits (They state that in their paper).
With a sufficiently high number of key chains that amounts to 1.4 GB of storage and around 13.6 s on a modest 1.5GHz Intel P4 with 512MB RAM. Now, UNIX of course has bigger keys and salt. With salt, you'd need 4096 times the table size and 2^(56-37) = 524288 times the time (this is of course a ballpark estimate, I doubt that the actual calculation scales this easily, especially the memory lookups will suffer heavily from bigger tables). This means with a table size of 5.6 TB you'd be able to crack a DES password (and actually DES itself) in about 82.5 days.
Ballpark estimate or not, considering what it took to build the machine that was used for "Cracking DES" a couple of years ago, this is pretty impressive work.
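The entropy and scaling figures from the comment above, carried through as an added example (not from the paper or the poster). The NUL padding to 14 bytes and the ASCII-only input are assumptions the comment does not state, and the function names are hypothetical.

```python
import math

ALNUM = 36      # 26 letters + 10 digits once case has been folded away
HALF_LEN = 7    # the 14 bytes are hashed as two independent 7-byte halves


def lm_halves(password):
    """Preprocessing described in the comment: uppercase, fit to 14 bytes, split 7 + 7.

    Assumption: ASCII input, short passwords padded with NUL bytes.
    """
    raw = password.upper().encode("ascii")[:14].ljust(14, b"\x00")
    return raw[:HALF_LEN], raw[HALF_LEN:]


def lm_effective_bits(alphabet=ALNUM):
    """Halves are searched separately: work is 2 * alphabet**7, not alphabet**14."""
    return HALF_LEN * math.log2(alphabet) + 1


def unsplit_bits(alphabet=62, length=14):
    """For comparison: the same 14 characters with case kept, hashed as one unit."""
    return length * math.log2(alphabet)


def scale_to_salted_des(table_gb=1.4, seconds=13.6, salts=4096, key_bits=56, lm_bits=37):
    """The comment's ballpark: table grows by the salt count, time by 2**(56-37)."""
    table_tb = table_gb * salts / 1024
    days = seconds * 2 ** (key_bits - lm_bits) / 86400
    return table_tb, days


if __name__ == "__main__":
    # Constructed sample: mixed case is lost, and the second half is only 4 characters.
    print(lm_halves("Password123"))
    print(f"split, case-folded: {lm_effective_bits():.1f} bits")
    print(f"unsplit, case kept: {unsplit_bits():.1f} bits")
    tb, days = scale_to_salted_des()
    print(f"salted DES ballpark: {tb:.1f} TB, {days:.1f} days")
```
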
I've told you and told you, windows is, aw hell, you know the routine..
When I was a kid I used Crayolas and construction paper in 1st grade. Then they gave us fat pencils and 1" ruled paper.
The next year we got regular #2 pencils and regular paper.
A few years later we got to use ball point pens.
Then came Windows and we used that for a few years.
Now I'm all grown up and I use Linux.
"According to the authors, the same method, when used on Mac OS X, Unix and Linux boxes, however, could require either 4,096 times more memory or 4,096 times longer."
Let's see 100 seconds * 4096 (times more difficult) = 409600 seconds or 6826 minutes or 113 hours or about 5 days (included time for coffee breaks while watching computer churn)....
I would say that Unix passwords are somewhat weak!
Here's for all the "more secure than MS" posters who probably don't even subscribe to security updates notifications for their own OS. This is just what I had in my inbox today so it's a totally random security flaw list affecting everyone who was up to date on RH Linux. Hmm lots of flaws for an "inherently more secure OS".
Security Advisory - RHSA-2003:238-14
Summary:
Updated 2.4 kernel fixes vulnerabilities
Updated kernel packages are now available fixing several security vulnerabilities.
Description:
The Linux kernel handles the basic functions of the operating system.
Several security issues have been discovered affecting the Linux kernel:
CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.
CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.
CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that his could allow normal users to bind to UDP ports used for services such as nfsd.
CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.
CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.
CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.
CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.
CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
All users are advised to upgrade to these errata packages, which contain backported security patches correcting these vulnerabilities.
Important:
If you use Red Hat Linux 7.1, you must have installed quota-3.06-9.71 from RHSA-2003-187, and if you use Red Hat Linux 7.2 or 7.3, you must have installed quota-3.06-9.7 from RHSA-2003-187.
Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
Come on, this is just a bunch of anti-American FUD by the Swiss. It's widely known that the .pwl encryption method is the safest in the world!
Have fun: Join D.N.A. (National Dyslexics Association)
Their passwords crack 4096 times as fast as anyone else's! Windows is screamin' FAST!!!</sarcasm>
Eat at Joe's.
the floppy crack requires pushing a floppy in the drive and booting it. Access to the hash does not. for example, suppose I write a signed active-X application that dumps the hash table to my remote computer. You browse my web page, ten seconds later, before you even leave the page, I know your password.
I'm not up on the state of the art in grabbing hashes remotely. But I think you missed my point, so I'll restate it: it doesn't matter whether or not you can decrypt a LANMAN or NT hash (which is what this story is about). All you need to do is sniff the hash - then use the hash, as an opaque hash, to do pretty much anything on an NT network except log in interactively at the console.
So - yes it's nice to decrypt a hash, if you need to log in to a local console interactively and you don't want to change the user's password on the domain controller.[*]
And it is also nice in a "hmm, maybe he also used the same password for amazon.com" sort of way.
But NT security rests on the secrecy of the hash, not the encryption of the hash.
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
If a function of the OS is to block password access from an obvious scripted intrusion attack. Say 15 strikes then access is blocked for a randomised time of say 3-5 minutes. How the hell could a crack script work?
Can OS intrusions not be eliminated by a built in sniffer/blocker? Even if the script is running in an MS special style buffer overflow attack. You would think that military software would mandate the use of something like this. Certainly versions of Carnivor create phoney access as a honey pot to whack hackers, and any same admin is going to lockup a hard copy of their current pass word if it is good one.
OH THE SHAME I fell off the wagon and use sigs again!
Try this. Install XP and it asks for your desired user name. You enter your user name, how about "jkarlin". Boom. "jkarlin" is now an Administrator.
MORTAR COMBAT!
Do as much research as you like! If you've only got 3 attempts to crack a network password and you don't have access to the password database (like most systems), you're stuffed. You can have my entire life history, pet names, street names whatever, and every CPU on the planet for a 1000's years. It doesn't matter if you go to Stanford or Oxford. If you've got 3 attempts, you won't crack even simple passwords.
What a rubbish story. What rubbish research.
... the password might not be unique.
"It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
From the site: "DANGER WILL ROBINSON! If used on users that have EFS encrypted files, and the system is XP or later service packs on win2k, all encrypted files for that user will be UNREADABLE! and cannot be recovered unless you remember the old password again" So basically this wont work on computers that are up to date software wise.
-]Phreak Out[-
This is pretty much what my pet project (parasite, it's in my sig) does, except it does it for crypt and md5. I'm not really sure what windows uses. The main problem I have right now is actually with GCC under cygwin. It seems to choke sometimes on the large static arrays I use to speed things up. Works fine on everything else though.
====
Crudely Drawn Games
This sort of performance increase is only useful for Mission Impossible type movie spies... I mean come on - who can't wait 100 seconds???
An Internet worm cannot wait for 100 seconds! An Internet worm carrying 1.4GB worth of data that is!
In a recent report, Swiss researchers advocated the use of "a good hash" in computer security matters. Quoted one researcher, David Dittrich; "...you can escalate your privilege and slowly move your way through the network. If you can get your hands on the hash, then game over." [emphasis added]
With the recent wave of DMT experimentation in Silicon Valley, CA, US, government agents are on the alert. U.S. Attorney General John Ashcroft may have stated "As computer specialists may not choose to consume psychoactive parts of nature, our Persecution Roadmap is unlikely to change.... unfortunately"
At the time of writing, the Swiss government was on Swatch Internet Time, and could not be coordinated with for comment.
I agree the original poster is being silly. The exact same "attack" will work on Linux and every other operating system and is not a Windows bug.
The passwords will be changing fast enough to DoS the server they're stored on!
Karma: Bad. Mostly because the only moderators that notice me are conservatives.
I did not RTFA ;-), but I see where 4,096 comes from -- Windows does not use 2-letter 'salt' value! A simple dictionary attack is possible if you encrypt all possible alphanum passwords either (getting 2 CDs worth of data) and compare them with a given password. In more complex case, when salt is used, you have to encrypt all possible passwords with all 4,096 possible salt values, thus getting 4,096 times more data. I suspect that 13 seconds is time to scan through all the data (with some of it in cache, some still on disk), if you have more data you have to spend either 4,096 or (for "smarter" ;-) algorithm) log_2(4,096)=12 times longer.
Paul B.
netcraft to the rescue
is now insecure??? MuuuuHaaaaHaaaaHaaaa!!!
Oh well, what the hell...
Because if I overwrite the password they *know* something is wrong.
If I grab a password and log in while their back is turned, they have no reason to be suspicious that I've even been in.
Say it ain't so!
Not to take anything away from these obviously talented folks, but before their method, it took 101 seconds. Is that really too long to wait for a password to get cracked?
4096 * 3 seconds = 12288 = roughly 205 minutes = roughly 3 1/2 hours
You're telling me in the article header that any linux, macos, etc os password can be cracked in 3 1/2 hours? Why didn't they tell me that years ago when passwd files weren't all shadowed?!
You're nothing; like me.
Back in the day (over 5 years ago), I read about how it was not too hard to get passwords from AOL users. A simple trojan virus disguised as a spam blocker or whatnot would do the trick. Even Host and Guide accounts were easy to crack with their simple passwords such as "qwerty" and "john1234", giving you not only overhead access, but credit card/bank info as well.
Password flaw? Big deal...it's not too hard to get the same information and more by other means.
Just as a matter of interest is it just the Windows NT password which is unsafe. Did anyone find a way to crack Word passwords? I mean apart from the obvious brute force method?
AFAIK, a "unique" challenge is sent to each machine on the network. I'm not sure how often (if ever) these challenges change, but I can demonstrate that they are not the same for two different machines. The way I understand it, the challenge is used to compute the hash. So no two machines would ever return the same hash for any given password. Therefore, it is impossible to exploit this in the method you describe unless you can gain physical access to the client machine of which you sniffed the hash. (And if you can gain physical access, there are much better methods than sniffing). If you're actually trying to elevate your privilege level on a remote machine, it's not quite that simple. Not necessarily hard, but just not vulnerable to the method you describe.
An alternative to physical access might be to knock the target computer off the network, spoof a MAC address, and try to assume the identity of your target. This may (or may not) present you with the same challenge code that was sent to the target machine. Again, I'm not sure of the details of how the challenge is chosen, but it's not a case of "one hash fits all."
https://www.eff.org/https-everywhere