Swiss Researchers Exploit Windows Password Flaw

Bueller_007 writes "CNET is carrying an article about a new (albeit simplistic) method used to hack alphanumeric Windows passwords in a matter of seconds, rather than minutes. To blame is a 'weakness in Microsoft's method of encoding passwords.' According to the authors, the same method, when used on Mac OS X, Unix and Linux boxes, however, could require either 4,096 times more memory or 4,096 times longer." A few more details: Mister.de writes "As an example we have implemented an attack on MS-Windows password hashes. Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes (2 37 ) in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points. We show that the gain could be even much higher depending on the parameters used. This was found at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL)."

One problem

[felix9x]

LanMan is not used on win2000 and winXP machines.

NThash dont know, probably not.

This hack is obsolte

Re:One problem

[Shell!U4$]

Actually,

The LANMAN hashes are still used in Win2k. They are enabled and kept in the ActiveDirectory by default.

If your a 100% Win2k or higher shop, you can disable the LANMAN hashes and use NTLM 2 hashes exclusively.

Microsoft is willing to tell you how, if you look here, along with some details about the whole subject.

Hello, my name is Shakey Weaselteat and this is a song about a whale ...

Re:One problem

[Torne]

This crack breaks both LanMan and NTLM hashes. NTLMv2 is not affected.

NTLMv2 was introduced in Windows 2000 and is still not the default; Windows Server 2003 Enterprise defaults to 'Send NTLM only', which will stop LanMan attacks, but not prevent NTLM attacks. It will also not ALLOW NTLMv2 to be used, even if the client supports it. I.E. the only secure authentication system which is available is disabled by default.

Yes, all the MS security practise documents will tell you to set it to NTLMv2 only (which requires upgrading all clients to Windows 2000 or above).. but it's still not the *default*. Enabling NTLMv2 does not break backward compatibility (only disabling v1 does), so I'm not sure how they justify this decision =)

Torne

Nothing new

[raffe]

"We fear, however, that the titles of these articles are a little sensational. While it is true that the LANMAN and NTHash windows password techniques have issues, the paper that kicked off this whole hub-bub [PDF] describes a refinement of an existing attack, not a new attack. We wanted to remind our readers that adequate password security is a good idea, whether your windows systems are being attacked with an adversary with an old copy of L0phtCrack, or with Philippe Oechslin's new system."

Read it all here

Only works with NTMLv1, NTLM v2 not effected.

[figleaf]

This only works with NTML v1. Not with NTML v2.

In order to prevent this
Using secpol.mmc,
in you security pocilies set the LAN manager authentication level to 'NTLMv2 response only refuse LM & NTLM'

The passwords are only crackable if you have Win 9x machines in your doamin.

If you have Windows 2000/2003 domain without Win 9x machines then you passwords cannot be recovered.

Admins can prevent Windows 9x machines from logging in to the network.

This is reason enough to migrate to Windows XP.

If You RTA

[deadlinegrunt]

You'll notice the line:

Users can protect themselves against the attack by adding nonalphanumeric characters to a password. The inclusion of symbols other than alphanumeric characters adds complexity to the process of breaking passwords--and that means the code cracker needs more time or more memory or both.

For those that don't realize considering the following for example:

# characters/Upper Case Only
8 /208,827,064,576
# characters/Upper, Lower, Numbers & Symbols
8 /6,634,204,312,890,620

This post is more for the types that really don't consider their password selection...

No salt

[dpilot]

You've made a supposition that MS passwords are marginally weaker than Unix passwords. Read the article, and there's a more basic factor at work.

>"Windows passwords are not very good," he wrote. "The problem with Windows passwords is that they do not include any random information."

From what I understand, Unix passwords normally take a little 'salt', a little random information, as well as the user password, and hash that. Microsoft just hashed the user password without the salt. This makes it easier to crack., anything else aside.

To their credit, you have to be Admin to get to the password hashes, rather like /etc/shadow.
To their debit, most WinDesktops that I'm aware of end up as glorified single-user machines, and that user is also.... Admin. Finally build a decent security model, and then customers ignore it.

Re:No salt

[Jucius+Maximus]

"Many Unix systems are now moving to MD5 encrypted passwords though, which as I understand it are more secure (how? I dunno... I'm not that up to date on it)."

The String -> MD5 hash is an easy converison, it was designed to work nicely on 32 bit processors

The MD5 -> String reverse-hash is not an easy conversion. So even if you give out the md5sum of your password, getting the actual password from that hash value is not trivial.

That is why it is more secure. Now MD5 is not invulnerable. I have read some reports about more mathematical vulnerabilities in it. Some say that SHA-1 crypto hashing is the only way to do things now adays.

Re:I don't understand

[truthsearch]

The game's over with admin rights to every workstation. With this scenerio, once you're admin on one computer of the network, it's quick to get every other password on the network, such as domain admins. On Unix, Linux, and Mac OS X, if you're admin and have the hash entries you can't use them to crack into other computers on the same network because of the random bits added to each hash.

Welcome to the 90s

[jeeptj]

This authN method is 8 or 9 years old. You can disable the NT hash by using either a password length of more than 14 chars or by using a simple registry value on Windows 2000 SP2 systems or higher. This KB explains how. Any good sys admin should have the LM hash disabled on all Windows machines by default anyways and set strong passwords which contains more than simple letters and numbers.

Mindless Microsoft bashing at it's best!

Hack obsolete on curent Windows servers

[prisoner-of-enigma]

You can (and should) disable NTLM authentication if you're running Windows 2000 or 2003. This is very easy to do and makes any server immune to this type of hashing attack. It's even listed in Microsoft's Best Practices documentation for administrating their servers. It might cause problems with older Win9x clients, but there are updates to these clients that allow them to get along without NTLM.

If you're running Active Directory in Native Mode, NTLM is easily kicked to the curb. However, NT4 machines remain vulnerable to this hack. Yet another reason to just get off of NT.

Incorrect Information In The Article

[Jerk+City+Troll]

The article makes a statement that I think is untrue:

While an attacker would need administrator rights to a system to grab the file that contains the password hashes, the file is still valuable, said David Dittrich, a senior security researcher at University of Washington.

Using a tool like Cain & Able, it is possible to get access to this information without having administrative rights.

You can also dump the hashes using Cain & Able's password cracking tool. It is really quite trivial to do.

By the way, you can easily acquire the passwords of the last five users who logged into an NT system. They are stored in LSA "secrets", an area of memory which is easy to dump. Cain & Able does this for you.

Have fun.

Re:Lost Win XP Pro password

[zoloto]

Go here and use their nt password recovery tool. Click here for the floppy boot disk or click here for the cd boot image (only 2.0 mb)

This works well on Win2k machines and WinXp boxes with sp 3 and 1 respectively as well as the native installs.

cheers!

Re:With distributed computing, why bother?

[phkamp]

Nobody but old fashioned "enterprise" UNIXes like HPUX, AIX, Solaris use 12 bit salt.

FreeBSD started using 64 bit salt and MD5 scrambled passwords back in 1994 (when I wrote the code) and since then NetBSD, OpenBSD, Cisco, GLIBC and presumably MAC OSX have adopted that code.

Look for the tell-tale "$1$..." magic marker.

(The fact that GLIBC doesn't correctly attribute the algorithm is somewhat sad, but they refused to do so, even when asked directly).

Re:This is why...

[rzbx]

Another reaon that Gazbo forgot to mention is that there are many different Linux installations. Many factors make it harder for someone to gain access to a majority of servers running Linux. An exploit may target one version of one specific server application that is implemented in one certain way on one specific kernel. Did you catch all the factors? Kernel version (another bonus: kernel compiled with different options), distro (or custom), implementation of the OS can be different, different applications, different versions of applications, various software surrounding all these other applications (such as security apps), and many more. Using proprietary software your very limited. If an exploit is found for Windows 2000 SE (or some other version) then there will a large number of servers that have this specific version with no modifications. There isn't much you can modify on a proprietary OS or software. Yes, many factors still exist on proprietary installations as well, but much much fewer.

Re:Relevancy scenario

[siskbc]

You get acess to a 1000 users netowrk password file. Recovering all paswords will take you 9 days instead of 70, giving you a large advantage over the network security reaction.

I'll buy that certainly for situations where you want to 0wnz0r every account, but usually you only need one priveleged one. From there, everything's candy.

Besides, before that you could only crack into your evil co-worker station when he was away for a cup of coffe. Now it is enough for him to be distracted by the hot boss assistant's legs...

The who....mmmmm...leggggs....ah shit, somebody h4X0r3d my box! ;) Seriously, as I understand it though, all you do at the local machine is get the hashes - which takes a fixed amount of time. The processing time is all on your own machine. And as I said, unless I want every account on the machine, I'll surf the net for the extra 90 seconds or whatever while that shit's a-crackin'.

I mean, I appreciate them saving me the extra 90 seconds and all,thanx guys, but I'm much more afraid that it takes anywhere as short as 2 minutes in the first place, ya know? I'd feel better with, say, months. To me, the most relevant thing about this is the nice web page the put up where they'll crack windows hashes for you. Very considerate, guys. ;)

Nope

[Anonymous+DWord]

"Originally, we were targeting NT to the Intel i860 (code-named 'N-Ten)', a RISC processor that was horribly behind schedule. Because we didn't have any i860 machines in-house to test on, we used an i860 simulator. That's why we called it NT, because it worked on the 'N-Ten.'"

-Mark Lucovsky
Distinguished Engineer
Windows Server Architect