Slashdot Mirror


Swiss Researchers Exploit Windows Password Flaw

Bueller_007 writes "CNET is carrying an article about a new (albeit simplistic) method used to hack alphanumeric Windows passwords in a matter of seconds, rather than minutes. To blame is a 'weakness in Microsoft's method of encoding passwords.' According to the authors, the same method, when used on Mac OS X, Unix and Linux boxes, however, could require either 4,096 times more memory or 4,096 times longer." A few more details: Mister.de writes "As an example we have implemented an attack on MS-Windows password hashes. Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes (2^37) in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points. We show that the gain could be even much higher depending on the parameters used. This was found at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL)."

42 of 519 comments

  1. One problem by felix9x · · Score: 5, Informative

    LanMan is not used on win2000 and winXP machines.

    NThash, don't know, probably not.

    This hack is obsolete

    1. Re:One problem by truthsearch · · Score: 2, Informative

      LanMan is still supported on Win2000 and maybe WinXP for backwards compatibility (I assume to network with older systems like Win98).

      Just because it's called NThash doesn't mean it died with NT. LanMan was used until early releases of NT. The Win2000 bootup screen says "Built with NT technology". Whatever that means it implies lots of shared code. Since NThash was introduced with NT it's unlikely they just drop it, especially since it was an improvement and they didn't care to fix this one major weakness anyway.

    2. Re:One problem by Shell!U4$ · · Score: 5, Informative
      Actually,

      The LANMAN hashes are still used in Win2k. They are enabled and kept in the ActiveDirectory by default.

      If you're a 100% Win2k or higher shop, you can disable the LANMAN hashes and use NTLM 2 hashes exclusively.

      Microsoft is willing to tell you how, if you look here, along with some details about the whole subject.

      Hello, my name is Shakey Weaselteat and this is a song about a whale ...

    3. Re:One problem by Torne · · Score: 5, Informative

      This crack breaks both LanMan and NTLM hashes. NTLMv2 is not affected.

      NTLMv2 was introduced in Windows 2000 and is still not the default; Windows Server 2003 Enterprise defaults to 'Send NTLM only', which will stop LanMan attacks, but not prevent NTLM attacks. It will also not ALLOW NTLMv2 to be used, even if the client supports it. I.E. the only secure authentication system which is available is disabled by default.

      Yes, all the MS security practise documents will tell you to set it to NTLMv2 only (which requires upgrading all clients to Windows 2000 or above).. but it's still not the *default*. Enabling NTLMv2 does not break backward compatibility (only disabling v1 does), so I'm not sure how they justify this decision =)

      Torne

    4. Re:One problem by drsmithy · · Score: 2, Informative
      Yes, I know NT was always just a marketing title. As I said I only just recently found out what it was supposed to be an acronym for and it was released how many years ago?

      You must be a recent arrival :). Back when NT was new, "everyone" knew it stood for "New Technology".

      It's been a while since I've seen an NT4 machine boot, but I think it and earlier versions actually had "New Technology" on their boot screens.

      BTW, can anyone tell me what the hell XP is supposed to stand for?

      I think it's supposed to stand for "experience". As in, "the Windows eXPerience".

  2. Nothing new by raffe · · Score: 5, Informative

    "We fear, however, that the titles of these articles are a little sensational. While it is true that the LANMAN and NTHash windows password techniques have issues, the paper that kicked off this whole hub-bub [PDF] describes a refinement of an existing attack, not a new attack. We wanted to remind our readers that adequate password security is a good idea, whether your windows systems are being attacked with an adversary with an old copy of L0phtCrack, or with Philippe Oechslin's new system."

    Read it all here

  3. Only works with NTLMv1, NTLM v2 not affected. by figleaf · · Score: 5, Informative

    This only works with NTLM v1. Not with NTLM v2.

    In order to prevent this
    Using secpol.mmc,
    in your security policies set the LAN manager authentication level to 'NTLMv2 response only refuse LM & NTLM'

    The passwords are only crackable if you have Win 9x machines in your domain.

    If you have a Windows 2000/2003 domain without Win 9x machines then your passwords cannot be recovered.

    Admins can prevent Windows 9x machines from logging in to the network.

    This is reason enough to migrate to Windows XP.

  4. If You RTA by deadlinegrunt · · Score: 5, Informative

    You'll notice the line:

    Users can protect themselves against the attack by adding nonalphanumeric characters to a password. The inclusion of symbols other than alphanumeric characters adds complexity to the process of breaking passwords--and that means the code cracker needs more time or more memory or both.

    For those that don't realize, consider the following for example:

    # characters/Upper Case Only
    8 /208,827,064,576
    # characters/Upper, Lower, Numbers & Symbols
    8 /6,634,204,312,890,620

    This post is more for the types that really don't consider their password selection...

    --
    BSD is designed. Linux is grown. C++ libs
  5. Actually... by tomzyk · · Score: 2, Informative
    From what I got out of the article, it's NOT a "dictionary attack" - where common words are [brute-force] used to obtain access; rather, it's a brute-force attack where they compare the original password string to the encrypted string.

    In this case, the "dictionary" consists of, not just a list of words, but a list of strings and their encrypted companions.

    But you're still right: not really newsworthy.
    "This is not a new vulnerability," he said. "It is only the first time that it has been worked in so much detail. Microsoft passwords are just a nice example to demonstrate the theoretical results."
    --
    Karma: NaN
  6. No salt by dpilot · · Score: 4, Informative

    You've made a supposition that MS passwords are marginally weaker than Unix passwords. Read the article, and there's a more basic factor at work.

    >"Windows passwords are not very good," he wrote. "The problem with Windows passwords is that they do not include any random information."

    From what I understand, Unix passwords normally take a little 'salt', a little random information, as well as the user password, and hash that. Microsoft just hashed the user password without the salt. This makes it easier to crack, anything else aside.

    To their credit, you have to be Admin to get to the password hashes, rather like /etc/shadow.
    To their debit, most WinDesktops that I'm aware of end up as glorified single-user machines, and that user is also.... Admin. Finally build a decent security model, and then customers ignore it.

    --
    The living have better things to do than to continue hating the dead.
    1. Re:No salt by Zathrus · · Score: 2, Informative

      The salt can depend on the system used, but AFAIK, it's usually the first 2 characters of the password

      Traditionally the salt is a 2 byte random value. It is stored as the first 2 bytes of the hashed password, but has nothing to do with the password or username at all.

      Before shadow passwords were standard this was no real help at all, since all you had to do was read /etc/passwd and suck up the salt out of those first 2 bytes. Now you need to get access to the shadow password file, which is at least an improvement on things.

      Many Unix systems are now moving to MD5 encrypted passwords though, which as I understand it are more secure (how? I dunno... I'm not that up to date on it).

    2. Re:No salt by iantri · · Score: 2, Informative

      ERD? As in [E]mergency [R]escue/Repair [D]isk?

      AFAIK, All you have to do to get /etc/shadow on a Linux box is throw in a single-floppy linux like tomsrtbt and mount the / partition. Voila. /etc/shadow.

      No difference between Windows and Linux here. This is why you should disable the floppy drive (or take it out) in the BIOS and password protect it.

    3. Re:No salt by Jucius+Maximus · · Score: 5, Informative
      "Many Unix systems are now moving to MD5 encrypted passwords though, which as I understand it are more secure (how? I dunno... I'm not that up to date on it)."

      The String -> MD5 hash is an easy conversion, it was designed to work nicely on 32 bit processors.

      The MD5 -> String reverse-hash is not an easy conversion. So even if you give out the md5sum of your password, getting the actual password from that hash value is not trivial.

      That is why it is more secure. Now MD5 is not invulnerable. I have read some reports about more mathematical vulnerabilities in it. Some say that SHA-1 crypto hashing is the only way to do things nowadays.

    4. Re:No salt by MattCohn.com · · Score: 2, Informative

      Not only that, but I've run Windows Update on a restricted user using Run As...

      I don't know why this guy thinks Run As isn't good enough, I've never seen one thing I can do as Administrator but can't as a user with the correct password in my pocket.

      Note, there is both a graphical run as, and a command line run as. The graphical run as is reached by holding down shift and then right clicking on the item to open, and the command line run as is the same as sudo.

  7. Re:I don't understand by truthsearch · · Score: 4, Informative

    The game's over with admin rights to every workstation. With this scenario, once you're admin on one computer of the network, it's quick to get every other password on the network, such as domain admins. On Unix, Linux, and Mac OS X, if you're admin and have the hash entries you can't use them to crack into other computers on the same network because of the random bits added to each hash.

  8. Welcome to the 90s by jeeptj · · Score: 5, Informative

    This authN method is 8 or 9 years old. You can disable the NT hash by using either a password length of more than 14 chars or by using a simple registry value on Windows 2000 SP2 systems or higher. This KB explains how. Any good sys admin should have the LM hash disabled on all Windows machines by default anyways and set strong passwords which contain more than simple letters and numbers.

    Mindless Microsoft bashing at its best!

  9. Hack obsolete on current Windows servers by prisoner-of-enigma · · Score: 4, Informative

    You can (and should) disable NTLM authentication if you're running Windows 2000 or 2003. This is very easy to do and makes any server immune to this type of hashing attack. It's even listed in Microsoft's Best Practices documentation for administrating their servers. It might cause problems with older Win9x clients, but there are updates to these clients that allow them to get along without NTLM.

    If you're running Active Directory in Native Mode, NTLM is easily kicked to the curb. However, NT4 machines remain vulnerable to this hack. Yet another reason to just get off of NT.

    --
    In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
  10. no by MORTAR_COMBAT! · · Score: 1, Informative

    This is difference between a 50 speed writer and a 5 speed writer. Order of magnitude. Much as they discovered that UNIX is 3 orders of magnitude (e.g., 1000, 2000, etc, in this case 4000 times) harder to crack than Windows.

    --
    MORTAR COMBAT!
    1. Re:no by Anonymous Coward · · Score: 2, Informative

      Much as they discovered that UNIX is 3 orders of magnitude (e.g., 1000, 2000, etc, in this case 4000 times) harder to crack than Windows.

      13.6 seconds x 4096 = 55705.6 seconds
      55705.6 seconds / 3600 = 15.47 hours

      15.5 hours to crack a password doesn't say a lot for Unix either. No longer is changing your password every day enough to stop a brute force attack.

  11. Incorrect Information In The Article by Jerk+City+Troll · · Score: 5, Informative

    The article makes a statement that I think is untrue:

    While an attacker would need administrator rights to a system to grab the file that contains the password hashes, the file is still valuable, said David Dittrich, a senior security researcher at University of Washington.

    Using a tool like Cain & Abel, it is possible to get access to this information without having administrative rights.

    You can also dump the hashes using Cain & Abel's password cracking tool. It is really quite trivial to do.

    By the way, you can easily acquire the passwords of the last five users who logged into an NT system. They are stored in LSA "secrets", an area of memory which is easy to dump. Cain & Abel does this for you.

    Have fun.

  12. Re:Lost Win XP Pro password by Richardsonke1 · · Score: 2, Informative

    I'm not sure about XP, but 2000 had a CD that, with physical access to the machine, could very easily reset the admin password to whatever you wanted. All you did was boot up to the CD. Here's info about Windows 2000. Also, on Windows XP, there is an option to create a password reset disk when you first create your password, or Start->Control Panel->User Accounts. From there, choose the option to create a password reset disk. This only works for BEFORE you forget your password, and is quite unsafe (if someone gets the disk).

    --
    "Men lie."
    "Yeah, about sleeping with other women, but never about bioluminescent plankton."
    -Dan Brown
  13. Re:Lost Win XP Pro password by mgv · · Score: 2, Informative

    You could recover your data using Knoppix, which would let you boot into a system and read the file system. Unless you encrypted that.

    Michael

    --
    There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
  14. Re:Performance increase by Anonymous Coward · · Score: 1, Informative

    Hum... the *point* of having a large keyspace is to make sure it is longer to brute-force the password than its expected lifetime. So no, I don't think there's any reason to "give it up".

    Unless I don't understand what you are trying to say.

  15. Re:Lost Win XP Pro password by zoloto · · Score: 4, Informative

    Go here and use their nt password recovery tool. Click here for the floppy boot disk or click here for the cd boot image (only 2.0 mb)

    This works well on Win2k machines and WinXp boxes with sp 3 and 1 respectively as well as the native installs.

    cheers!

  16. Re:Lost Win XP Pro password by Cromac · · Score: 2, Informative

    Delete the SAM file, reboot the machine and the administrator password will be blank on W2K, I'd guess it would work on Win XP as well. Easy to get in as long as you have physical access to the machine and a boot disk that will make the drive writeable.

  17. Re:With distributed computing, why bother? by phkamp · · Score: 5, Informative
    Nobody but old fashioned "enterprise" UNIXes like HPUX, AIX, Solaris use 12 bit salt.

    FreeBSD started using 64 bit salt and MD5 scrambled passwords back in 1994 (when I wrote the code) and since then NetBSD, OpenBSD, Cisco, GLIBC and presumably MAC OSX have adopted that code.

    Look for the tell-tale "$1$..." magic marker.

    (The fact that GLIBC doesn't correctly attribute the algorithm is somewhat sad, but they refused to do so, even when asked directly).

    --
    Poul-Henning Kamp -- FreeBSD since before it was called that...
  18. Re:This is why... by rzbx · · Score: 3, Informative

    Another reason that Gazbo forgot to mention is that there are many different Linux installations. Many factors make it harder for someone to gain access to a majority of servers running Linux. An exploit may target one version of one specific server application that is implemented in one certain way on one specific kernel. Did you catch all the factors? Kernel version (another bonus: kernel compiled with different options), distro (or custom), implementation of the OS can be different, different applications, different versions of applications, various software surrounding all these other applications (such as security apps), and many more. Using proprietary software you're very limited. If an exploit is found for Windows 2000 SE (or some other version) then there will be a large number of servers that have this specific version with no modifications. There isn't much you can modify on a proprietary OS or software. Yes, many factors still exist on proprietary installations as well, but much much fewer.

    --
    Question everything.
  19. Re:Performance increase by Rogerborg · · Score: 2, Informative

    Solution:

    1. Wipe the pad clean.
    2. Wait a few hours.
    3. Blow chalk on it and brush gently.
    4. Note which 3 digits have chalk stuck to them.
    5. Try the six possible combinations.
    6. Bingo! You're an executive.

    YMMV, depending on whether you have execs of the sweaty oily finger variety, or the scaly lizard species.

    --
    If you were blocking sigs, you wouldn't have to read this.
  20. Misleading Description by brad_gillespie · · Score: 2, Informative
    This whole discussion is completely misleading (imagine that!). What the Swiss researchers did was refine (essentially, as I understand it, by precomputing a very large dictionary of password hashes and loading this into memory) an existing "attack". This "attack" is no different under Windows, Unix, Linux or Mac OS X systems: given root/administrator privileges, reverse engineer the user's password, from the password file using a dictionary attack. All -- I repeat -- all -- systems are susceptible to this kind of attack! The difference is that under Unix/Linux/OS X a bit of salt (actually 12 bits) is added to the user's password prior to encryption.

    What you need to understand is that this salt is no different than lengthening the actual password itself! For example if my password is "passwd" a unix system will add an extra 12-bits onto this password and then encrypt it. A password that is encrypted on a Unix system is say "passwdzd" where "zd" is the "salt" (BTW the salt is stored in /etc/passwd along with the encrypted password). While on a windows system the password that is encrypted is simply just "passwd". On both systems I still type "passwd" to log in.

    Salt is not some kind of magic elixir, it is simply a means to add additional length to the password (without the user having to remember it), to make the dictionary attack take longer (or more memory). To have approximately equivalent dictionary attack complexity the windows password would have to be two characters longer than a Unix password, to make up for the salt.

    So in summary, the attack is not an attack per se. It is simply a way to speed up a standard dictionary attack. On all systems this can be done assuming you have root/administrator access. The notion of salt is somewhat of a red herring -- the researchers' results still apply to Unix systems as well, it is just that the dictionary would have to be 4096 times larger assuming the same password length. Or you would have to go after passwords that were ~ 2 characters less.

    As always the best way to defeat these kinds of attacks is to use long, nondictionary words, placing nonalphanumeric characters throughout the password. (Not just as the first or last character).
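
The salt argument running through this thread (one precomputed table serves every unsalted account, while a 12-bit salt needs up to 4,096 of them), as an added example that is not part of any comment or of the researchers' work. SHA-256 stands in for the real hash functions, and the three-letter keyspace, account names and salt values are constructed for illustration.

```python
import hashlib
import itertools
import string

SALT_BITS = 12  # traditional Unix crypt salt size; 2**12 = 4096 possible salts


def toy_hash(password, salt=None):
    """Stand-in hash (SHA-256). Not LanMan, NTLM or crypt(3); only the
    presence or absence of a per-account salt matters for this demo."""
    prefix = b"" if salt is None else salt.to_bytes(2, "big")
    return hashlib.sha256(prefix + password.encode()).hexdigest()


def candidates(length=3, alphabet=string.ascii_lowercase):
    """Deliberately tiny keyspace (26**3 = 17,576) so the demo runs instantly."""
    return ["".join(c) for c in itertools.product(alphabet, repeat=length)]


def build_table(keyspace, salt=None):
    """Precompute hash -> candidate once; later lookups are dictionary hits."""
    return {toy_hash(p, salt): p for p in keyspace}


def coverage(stored_hashes, table):
    """How many stored hashes does one precomputed table resolve?"""
    return sum(1 for h in stored_hashes if h in table)


# Constructed sample accounts: alice and carol share a password.
PASSWORDS = {"alice": "abc", "bob": "xyz", "carol": "abc"}
SALTS = {"alice": 0x3A7, "bob": 0x0C1, "carol": 0xF02}  # constructed 12-bit salts

UNSALTED = {u: toy_hash(p) for u, p in PASSWORDS.items()}
SALTED = {u: (SALTS[u], toy_hash(p, SALTS[u])) for u, p in PASSWORDS.items()}


def compare():
    keyspace = candidates()
    unsalted_table = build_table(keyspace)
    salted_hashes = [h for _, h in SALTED.values()]
    # With salt, a table is only useful for accounts carrying that exact salt.
    per_salt_hits = sum(
        coverage([h], build_table(keyspace, salt)) for salt, h in SALTED.values()
    )
    return {
        "table_entries": len(unsalted_table),
        "unsalted_hits_one_table": coverage(UNSALTED.values(), unsalted_table),
        "salted_hits_same_table": coverage(salted_hashes, unsalted_table),
        "salted_hits_per_salt_tables": per_salt_hits,
        "tables_built_for_these_accounts": len({s for s, _ in SALTED.values()}),
        "tables_for_every_possible_salt": 2 ** SALT_BITS,
        "shared_password_visible_unsalted": UNSALTED["alice"] == UNSALTED["carol"],
        "shared_password_visible_salted": SALTED["alice"][1] == SALTED["carol"][1],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The last two fields show a second effect of salting: without it, two accounts with the same password store the same hash, so anyone who can read the hash file can see the reuse.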

  21. Re:XP almost makes it worse by jkarlin · · Score: 2, Informative

    What the hell is this happy horseshit?

    When you create a new account in 2000, XP, and 2003, the account is only a member of Users by default. You have to go in and add them as an admin. And here is the description of the Users group.

    'Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications' Gee, sounds like a pretty good thing for new users to me. I'll admit, most people don't do it, but stop talking out of your ass...it just makes your breath stink.

    --
    Things fall down...People look up... And when it rains, it pours.
  22. See.. by xNoLaNx · · Score: 2, Informative

    This is why physical security is important. It's a lot easier to get into your system while inside your firewalls to the internet. Having a key card isn't all too expensive. It's not the most secure, but it carries a fairly good price vs security bonus value. If your company had millions of dollars to burn sure everyone could get a fingerprint/voice/whatever scanner on the doors and for each computer/office room, but the point is, if you do have to deal with a Windows network, at least try to get some physical limitations to people just walking in and using your own local computers to hack into your server, or hell, physical access to the server itself.

  23. Symbols in the password by Nintendork · · Score: 2, Informative
    If there are symbols in the password, techniques such as this don't work. Most security professionals recommend that passwords be at least 8 characters and contain random characters including upper and lower case letters, numbers, and symbols. A good example would be 8e#^D2(h

    After a dozen or so times typing it in, you actually start to remember it. For those wondering, that password is something I just made up. I don't actually use it. =P~

    -Lucas

  24. About hashes and salted passwords by DVega · · Score: 2, Informative

    Anyone who wants to learn more about how UNIX Password security was designed should read this paper by Robert Morris and Ken Thompson that explains things like hashes (one way cryptographic functions) and salted passwords.

    --
    MOD THE CHILD UP!
  25. Re:How does the salt work? by digitalhermit · · Score: 2, Informative

    The salt is stored in the hash itself. For example, on a pre-MD5 password system you would call the crypt function with the salt and plaintext. It would generate a hash with the first two letters being the salt you provided to crypt(). On more recent Un*x there's an (IIRC) 8 character salt embedded in the hash.
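
How the salt is carried inside the stored hash, as described in the comment above and in phkamp's note about the "$1$" marker, shown as an added example rather than code from any poster or project. It classifies shadow-style password fields as traditional crypt or "$1$" MD5 crypt, extracts the salt, and flags accounts whose salt and hash are identical; the function names and sample entries are constructed, and the hash strings match no real password.

```python
import re
from collections import defaultdict

B64 = "[./0-9A-Za-z]"  # crypt(3) alphabet, 6 bits per character
DES = re.compile("(" + B64 + "{2})" + B64 + "{11}")              # 2-char salt + hash
MD5 = re.compile(r"\$1\$(" + B64 + r"{1,8})\$" + B64 + "{22}")   # $1$salt$hash
MODULAR = re.compile(r"\$([0-9A-Za-z]+)\$.*")                    # any other $id$ scheme


def parse_crypt_field(field):
    """Classify one password field and pull out the salt stored inside it."""
    if field == "":
        return {"scheme": "empty", "salt": None}
    if field[0] in "!*":
        return {"scheme": "locked", "salt": None}
    m = MD5.fullmatch(field)
    if m:
        return {"scheme": "md5-crypt", "salt": m.group(1)}
    m = DES.fullmatch(field)
    if m:
        return {"scheme": "des-crypt", "salt": m.group(1)}
    m = MODULAR.fullmatch(field)
    if m:
        return {"scheme": "other:$" + m.group(1) + "$", "salt": None}
    return {"scheme": "unrecognised", "salt": None}


def audit(shadow_text):
    """Return one row per account with scheme, salt and review notes."""
    rows, same_field = [], defaultdict(list)
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # not a user:hash:... record
        user, field = parts[0], parts[1]
        info = parse_crypt_field(field)
        notes = []
        if info["scheme"] == "des-crypt":
            notes.append("2-character (12-bit) salt")
        elif info["scheme"] == "md5-crypt":
            notes.append("%d-character salt" % len(info["salt"]))
        elif info["scheme"] == "empty":
            notes.append("no password set")
        if info["salt"] is not None:
            same_field[field].append(user)
        rows.append({"user": user, **info, "notes": notes})
    # Identical salt AND hash on two accounts means the same password.
    for users in same_field.values():
        if len(users) > 1:
            for row in rows:
                if row["user"] in users:
                    others = [u for u in users if u != row["user"]]
                    row["notes"].append("same salt and hash as " + ", ".join(others))
    return rows


# Constructed sample in shadow layout; the hash strings are made up.
SAMPLE = """\
# constructed entries for the example
root:$1$Ab3dEf9h$0123456789abcdefghijkl:12345:0:99999:7:::
olduser:zdQ1x8Gq0k2aE:12000:0:99999:7:::
copy:zdQ1x8Gq0k2aE:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
guest::12000:0:99999:7:::
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row["user"], row["scheme"], row["salt"], "; ".join(row["notes"]))
```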

  26. Re:Relevancy scenario by siskbc · · Score: 3, Informative
    You get access to a 1000 users network password file. Recovering all passwords will take you 9 days instead of 70, giving you a large advantage over the network security reaction.

    I'll buy that certainly for situations where you want to 0wnz0r every account, but usually you only need one privileged one. From there, everything's candy.

    Besides, before that you could only crack into your evil co-worker station when he was away for a cup of coffee. Now it is enough for him to be distracted by the hot boss assistant's legs...

    The who....mmmmm...leggggs....ah shit, somebody h4X0r3d my box! ;) Seriously, as I understand it though, all you do at the local machine is get the hashes - which takes a fixed amount of time. The processing time is all on your own machine. And as I said, unless I want every account on the machine, I'll surf the net for the extra 90 seconds or whatever while that shit's a-crackin'.

    I mean, I appreciate them saving me the extra 90 seconds and all, thanx guys, but I'm much more afraid that it takes anywhere as short as 2 minutes in the first place, ya know? I'd feel better with, say, months. To me, the most relevant thing about this is the nice web page they put up where they'll crack windows hashes for you. Very considerate, guys. ;)

    --

    -Looking for a job as a materials chemist or multivariat

  27. What is not made clear... by CommieLib · · Score: 2, Informative

    Is that adequate passwords make this hack impossible. It relies on a "lookup table" (read, pregenerated dictionary attack results). If your password ain't in it, it ain't happening. Look, chances are, you speak at least a few phrases of a foreign language. Dictionary attacks generally use English words; choose a couple of foreign words and numbers for your password, and all this crap goes away.

    If you don't choose a decent password, then, well, your password will take five minutes to crack rather than 13.6 seconds. Feel better?

    --
    If your bitterest enemies are people who hack the heads off civilians, then I would say you're doing something right.
    1. Re:What is not made clear... by DaCool42 · · Score: 2, Informative

      Unless of course that lookup table contains not just dictionary words, but all alphanumeric combinations. Which I'm pretty sure is what they are doing. In any case, if your password is not in their list, they have certainly narrowed things down a lot.

      --

      ----
      All of whose base are belong to the what-now?
    2. Re:What is not made clear... by babyrat · · Score: 2, Informative

      I thought it was pretty clear that the lookup table they used contained ALL combinations of letters and numbers (and because the old windows algorithms converted letters to uppercase it didn't have to worry about caps).

      And another set of data created was 20GB that contained 16 other characters in the mix.

      It is a dictionary attack but the dictionary is the entire set of possibilities.

      Considering EVERY password is already encoded infinite times in PI (in both encrypted and unencrypted form) is any password safe?

  28. Nope by Anonymous+DWord · · Score: 4, Informative

    "Originally, we were targeting NT to the Intel i860 (code-named 'N-Ten)', a RISC processor that was horribly behind schedule. Because we didn't have any i860 machines in-house to test on, we used an i860 simulator. That's why we called it NT, because it worked on the 'N-Ten.'"

    -Mark Lucovsky
    Distinguished Engineer
    Windows Server Architect

    --
    "If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
  29. Re:This is why... by kiolbasa · · Score: 2, Informative

    And I think you missed the point that schon was making -- that sobig is offtopic in the context of the immediate discussion, which is technical security breaches, not social security breaches. I don't see how a social problem of a user running malware has anything to do with security through obscurity or open source bugs being shallow, which is where you originally mentioned sobig.

    --

    Beer wants to be free
  30. "setting up XP" by MORTAR_COMBAT! · · Score: 2, Informative

    Try this. Install XP and it asks for your desired user name. You enter your user name, how about "jkarlin". Boom. "jkarlin" is now an Administrator.

    --
    MORTAR COMBAT!
  31. Re:This is why... by Jeremiah+Cornelius · · Score: 2, Informative
    More than 40% of MS's server customers are still running NT 3.5x and 4.0 - Mostly the latter!

    This is still a big deal. NT4 with LanMan auth is big, so is W2K in compatibility mode for 16-bit clients.

    MS always ships the old stuff - usually running by default - along with the new.

    The NT 4 customers who won't or can't move their apps are a problem. MS licenses are long ago paid. The shops are mostly self-supporting. It's revenue that MS can't get to. This is why they bought VirtualPC. They want to migrate these customers to VM's on W2K+3...

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."