Swiss Researchers Exploit Windows Password Flaw
Bueller_007 writes "CNET is carrying an article about a new (albeit simplistic) method used to hack alphanumeric Windows passwords in a matter of seconds, rather than minutes. To blame is a 'weakness in Microsoft's method of encoding passwords.' According to the authors, the same method, when used on Mac OS X, Unix and Linux boxes, however, could require either 4,096 times more memory or 4,096 times longer."
A few more details: Mister.de writes "As an example we have implemented an attack on MS-Windows password hashes. Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes (2^37) in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points. We show that the gain could be even much higher depending on the parameters used. This was found at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL)."
This is why I use Biopassword. Perhaps their encryption method is just as insecure as Microsoft's, but at least there aren't quite so many Swiss researchers trying to crack it...
People are really running out of interesting stuff to "research", aren't they...
M$ passwords hacked within seconds...
Linux / Mac OSX passwords hacked within an hour too probably...
Maybe we need something just a little stronger!
I sure hope we aren't using Microsoft Technology for anything important like National Security? Cause that would suck!
Please Advise, I don't know how to think about this story, I'm a Swiss-American.
Ted
Fantasy remains a human right; we make in our measure and in our derivative mode... -- JRR Tolkien
Microsoft's vulnerable, wow I didn't know??? Granted every OS on the planet is vulnerable given enough time and research into it. Now if someone would forward this little article to the Department of Homeland Security, maybe they might second guess their Microsoft solution ;-).
"Slashdot, where telling the truth is overrated but lying is insightful."
deserve's got nothing to do with it...
Good thing they're in Switzerland, or they'd get hit with a nice DMCA Lawsuit :D
"When a ball dreams, it dreams it's a frisbee"
LanMan is not used on win2000 and winXP machines.
NThash don't know, probably not.
This hack is obsolete
They've got those great knives after all.
"You know Myra, some people might think you're cute. But me, I think you're one very large baked potato."
This is hardly news. These weaknesses have all been known for years, and the use of dictionary attacks against passwords is very common.
Bruce Schneier talks about all of these attacks and weaknesses in his book "Applied Cryptography" which was published years ago.
Visualize the world of wine
"We fear, however, that the titles of these articles are a little sensational. While it is true that the LANMAN and NTHash windows password techniques have issues, the paper that kicked off this whole hub-bub [PDF] describes a refinement of an existing attack, not a new attack. We wanted to remind our readers that adequate password security is a good idea, whether your windows systems are being attacked with an adversary with an old copy of L0phtCrack, or with Philippe Oechslin's new system."
Read it all here
I hope someone hacks my passwords at work and deletes this stinking code I'm debugging.
...
Oh, and the backups too. Just point your password crackers to
If it's not one thing, it's Steve's Mother
This only works with NTLM v1. Not with NTLM v2.
In order to prevent this
Using secpol.mmc,
in your security policies set the LAN manager authentication level to 'NTLMv2 response only refuse LM & NTLM'
The passwords are only crackable if you have Win 9x machines in your domain.
If you have Windows 2000/2003 domain without Win 9x machines then your passwords cannot be recovered.
Admins can prevent Windows 9x machines from logging in to the network.
This is reason enough to migrate to Windows XP.
You'll notice the line:
/208,827,064,576 /6,634,204,312,890,620
Users can protect themselves against the attack by adding nonalphanumeric characters to a password. The inclusion of symbols other than alphanumeric characters adds complexity to the process of breaking passwords--and that means the code cracker needs more time or more memory or both.
For those that don't realize, consider the following for example:
# characters/Upper Case Only
8
# characters/Upper, Lower, Numbers & Symbols
8
This post is more for the types that really don't consider their password selection...
BSD is designed. Linux is grown. C++ libs
I smell a sale coming!
New New NEW. Lower Prices! Krazy Bill is just GIVING these away. Come on down. He's Krazy Krazy KRAZY to license this software with these terms! Get yours TODAY!
In this case, the "dictionary" consists of, not just a list of words, but a list of strings and their encrypted companions.
But you're still right: not really news worthy.
Karma: NaN
Why do I keep getting ads for watches and chocolate now?
Sensational headline, don't you think Timothy? Swiss Researchers [i]exploited[/i] a password flaw?
I guess you could argue they [i]exploited[/i] it in order to publish their research results, as much as a planetary scientist exploits images of Mars to publish a new theory on subsurface water.
13.6 seconds or 101 seconds doesn't make much difference, now does it? The real problem is still getting administrator access to the target computer in the first place.
Cracking becomes easier if you have access to a distributed network. Parse the table into manageable chunks and throw it out to 100 computers. While the time taken to crack the password might not scale down in a linear fashion [ie: time/(N computers)], it will most definitely drop the crack time down to less than an hour for those computers with 12bit salts (4906*.6min= 41 hr, 41hr/100comps= 25 minutes).
Even if the 12 bit salt for mac/linux/etc was increased in size, a scale up in the number of computers used would defeat this added protection. The trend in the comp world seems to be more connectivity between large numbers of computers. All it takes is one disgruntled folding@Home grad student out at stanford to break even the most stringent password.
It seems that increasing the size of the salt would prevent the average script kiddie from breaking your password, but does nothing to alleviate the threat distributed computing presents. So what other options are there?
with a grain of salt.
rimshot
SCO employee? Check out the bounty
You've made a supposition that MS passwords are marginally weaker than Unix passwords. Read the article, and there's a more basic factor at work.
/etc/shadow.
>"Windows passwords are not very good," he wrote. "The problem with Windows passwords is that they do not include any random information."
From what I understand, Unix passwords normally take a little 'salt', a little random information, as well as the user password, and hash that. Microsoft just hashed the user password without the salt. This makes it easier to crack, anything else aside.
To their credit, you have to be Admin to get to the password hashes, rather like
To their debit, most WinDesktops that I'm aware of end up as glorified single-user machines, and that user is also.... Admin. Finally build a decent security model, and then customers ignore it.
The living have better things to do than to continue hating the dead.
13.6 seconds! Aren't swiss watches wunderful?
Windows uses less memory to do this trick than Linux. Who knew Windows was so efficient at handling memory when being hacked?
Nanite
God is real unless declared integer.
This authN method is 8 or 9 years old. You can disable the NT hash by using either a password length of more than 14 chars or by using a simple registry value on Windows 2000 SP2 systems or higher. This KB explains how. Any good sys admin should have the LM hash disabled on all Windows machines by default anyways and set strong passwords which contain more than simple letters and numbers.
Mindless Microsoft bashing at its best!
You can (and should) disable NTLM authentication if you're running Windows 2000 or 2003. This is very easy to do and makes any server immune to this type of hashing attack. It's even listed in Microsoft's Best Practices documentation for administrating their servers. It might cause problems with older Win9x clients, but there are updates to these clients that allow them to get along without NTLM.
If you're running Active Directory in Native Mode, NTLM is easily kicked to the curb. However, NT4 machines remain vulnerable to this hack. Yet another reason to just get off of NT.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
Now to keep it close to 13 secs, you would need 4096x more data - 1.4G x 4096 = ~5.7 Terabytes.
If you don't have any data, and have 4096 more combinations, you need to take 4096 x 1m41s ~= 4.8 days. Not quite as bad but it still looks like we need a few more bits for the password salt...
We should just make it a 64-bit salt and not have to worry about it until Quantum computers are viable..
Looking for any old 8-bit Heathkit/Zenith software/hardware - http://heathkit.garlanger.com
The article makes a statement that I think is untrue:
Using a tool like Cain & Abel, it is possible to get access to this information without having administrative rights.
You can also dump the hashes using Cain & Abel's password cracking tool. It is really quite trivial to do.
By the way, you can easily acquire the passwords of the last five users who logged into an NT system. They are stored in LSA "secrets", an area of memory which is easy to dump. Cain & Abel does this for you.
Have fun.
Join Tor today!
I'm not sure about XP, but 2000 had a CD that, with physical access to the machine, could very easily reset the admin password to whatever you wanted. All you did was boot up to the CD. Here's info about Windows 2000. Also, on Windows XP, there is an option to create a password reset disk when you first create your password, or Start->Control Panel->User Accounts. From there, choose the option to create a password reset disk. This only works for BEFORE you forget your password, and is quite unsafe (if someone gets the disk).
"Men lie."
"Yeah, about sleeping with other women, but never about bioluminescent plankton."
-Dan Brown
Why bother cracking NT (and Win2K/XP) passwords when you can just overwrite them? Boot from this floppy and you can change any local password (including the administrator). It's been useful on more than one occasion at work...when somebody quits or is fired, I can go in and retrieve everything in just a few minutes.
That they're nearly as trivial to crack is somewhat disturbing...but given the ready availability of the password changer, it doesn't make Windows significantly less secure than it already is (hell, it can't get much less secure).
20 January 2017: the End of an Error.
...password phr4c|
The point of the article is to show off a faster, new time-memory trade-off technique, not to just down-play Windows security. The manner in which Windows' password security is built simply provided an error-free sandbox for this method to be tested, and exemplified.
Don't feed the trolls.
Informatus Technologicus
Boot from this floppy
Because this doesn't require physical access to the machine? Because now some l33t d00d from another country can get passwords?
MORTAR COMBAT!
Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes (2^37) in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points
;-)
Wow, does that mean that they are getting 100MB/s from a CD-ROM? That'd be more of story than the cracking!
You could recover your data using Knoppix, which would let you boot into a system and read the file system. Unless you encrypted that.
Michael
There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
I strongly disagree. Maybe this 4096 times applies to the traditional single DES crypt. But except for some rare compatibility issues with old systems or for dumb people that create Apache .htpasswd files with it, nobody uses single DES any more for years.
Passwords hashed with MD5 and Blowfish don't have the 8 character limitation. There are still some people who like to assign users passwords like "*9_p7Z9ox" even though their system doesn't use single DES any more. This is just plenty stupid. Not only it's a hell to remember for the end user, but it's damn fast to brute force when hashes are precomputed as described in this article.
A normal password like a real sentence (ex: "I'd like to have sex with Sandra") is not only way more easy to remember, it's also orders of magnitudes harder to brute force.
Go here and use their nt password recovery tool. Click here for the floppy boot disk or click here for the cd boot image (only 2.0 mb)
This works well on Win2k machines and WinXp boxes with sp 3 and 1 respectively as well as the native installs.
cheers!
Delete the SAM file, reboot the machine and the administrator password will be blank on W2K, I'd guess it would work on Win XP as well. Easy to get in as long as you have physical access to the machine and a boot disk that will make the drive writeable.
As you know we have a company security policy based around frequently changing passwords, in order to keep our Windows network secure.
Previously, as you are all no doubt aware, you were required to change your Windows passwords once every 90 seconds, since NT passwords can be cracked in 100 seconds flat.
Due to recent developments in MS password cracking, we will now be requiring all employees to change their passwords once every 10 seconds, to ensure they remain secure.
We hope this will not detract from productivity, and apologise for any inconvenience it does cause.
thanks,
Management
With regards to upgrading, I've come to the conclusion that even though MS says they want to improve security in their products having flaws is a great way to force people to upgrade.
I'll give NT4 as an example which is EOL'd. You're a company who has managed to get your NT4 server rock solid. A new security flaw comes out and since NT4 is EOL'd MS says no security patch for you, upgrade to Win2K.
Of course if you were a complete conspiracy theorist you could say even MS would leak holes in their old products.
As with many file based cracks, it is at very least debatable over the need for Administrator access on the box itself. One method that I used to see in the L0phtCrack days was to boot the machine using a black box distribution on a floppy (compressed minimal *nix kernel with ntfs support) then grab the .sam file from the hard drive itself. From there, you can take your time cracking the Administrator password, and then with that access you can remotely dump the registry database on the server from any box on the network. Then all that's needed is the time to crack away at leisure. Note that the domain controller registry contains user/password hash for all users on the domain, while the .sam file only contains the local admin password hash (and possibly a few others ... it's been a while).
.sam file off of the hdd and run good ole L0pht ... bang! 15 seconds later (if of course the dictionary attack works) and you have the password.
On a small aside, this can also be handy as hell when you're a computer store looking at a perfectly good server box that the admin (and I use the term lightly) has forgotten the password to. Rather than reinstall the entire box, pull the
Oh and as a counter to the comment about the security of unix passwords being only 4096 times greater, I have two words: md5 hash.
**AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
Wow, these guys just invented the dictionary attack!
What you need to understand is that this salt is no different than lengthening the actual password itself! For example if my password is "passwd" a unix system will add an extra 12-bits onto this password and then encrypt it. A password that is encrypted on a Unix system is say "passwdzd" where "zd" is the "salt" (BTW the salt is stored in /etc/passwd along with the encrypted password). While on a windows system the password that is encrypted is simply just "passwd". On both systems I still type "passwd" to log in.
Salt is not some kind of magic elixir, it is simply a means to add additional length to the password (without the user having to remember it), to make the dictionary attack take longer (or more memory). To have approximately equivalent dictionary attack complexity the windows password would have to be two characters longer than a Unix password, to make up for the salt.
So in summary, the attack is not an attack per se. It is simply a way to speed up a standard dictionary attack. On all systems this can be done assuming you have root/administrator access. The notion of salt is somewhat of a red herring -- the researchers' results still apply to Unix systems as well, it is just that the dictionary would have to be 4096 times larger assuming the same password length. Or you would have to go after passwords that were ~ 2 characters less.
As always the best way to defeat these kinds of attacks is to use long, non-dictionary words, placing nonalphanumeric characters throughout the password. (Not just as the first or last character).
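The cost argument in the thread above (one unsalted table serves every account, while a 12-bit salt multiplies the table by 4096) can be measured on a toy keyspace. This is an added example, not code from the paper or from any commenter; SHA-256 over salt plus password stands in for the real LM and crypt(3) algorithms, and the accounts, passwords and salts are constructed.

```python
import hashlib
from itertools import product
from string import ascii_lowercase


def toy_hash(password, salt=""):
    # Stand-in hash (assumption): SHA-256 of salt + password, not LM or crypt(3).
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_table(salt="", length=3):
    """Precompute hash -> password for every lowercase password of `length`."""
    table = {}
    for chars in product(ascii_lowercase, repeat=length):
        pw = "".join(chars)
        table[toy_hash(pw, salt)] = pw
    return table


def make_accounts(passwords, salts):
    """Build a password store of user -> (salt, digest)."""
    return {
        user: (salts.get(user, ""), toy_hash(pw, salts.get(user, "")))
        for user, pw in passwords.items()
    }


def covered(accounts, table):
    """Number of accounts whose stored digest appears in one table."""
    return sum(1 for _salt, digest in accounts.values() if digest in table)


def tables_needed(accounts):
    """A separate table is required for every distinct salt in the store."""
    return len({salt for salt, _digest in accounts.values()})


def worst_case_entries(keyspace, salt_bits=12):
    """Entries needed to cover every possible salt value."""
    return keyspace * 2 ** salt_bits


# Constructed sample data: two users share a password.
PASSWORDS = {"alice": "cat", "bob": "cat", "carol": "dog"}
SALTS = {"alice": "zd", "bob": "Qx", "carol": "7/"}
UNSALTED = make_accounts(PASSWORDS, {})
SALTED = make_accounts(PASSWORDS, SALTS)

if __name__ == "__main__":
    table = build_table()
    print("entries in one table:", len(table))
    print("unsalted accounts covered by one table:", covered(UNSALTED, table))
    print("salted accounts covered by the same table:", covered(SALTED, table))
    print("tables needed for the salted store:", tables_needed(SALTED))
    print("entries for all 12-bit salts:", worst_case_entries(len(table)))
    # Without a salt, identical passwords are visible as identical digests.
    print("alice == bob (unsalted):", UNSALTED["alice"][1] == UNSALTED["bob"][1])
    print("alice == bob (salted):", SALTED["alice"][1] == SALTED["bob"][1])
```
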
There is no immediate future for a table driven attack on this algorithm (which can be recognized by the '$1$...' prefix).
HP-UX, Solaris and AIX, however still use the old 12 bit salted DES derived passwords.
Poul-Henning Kamp -- FreeBSD since before it was called that...
This isn't a security problem.
Windows password hashes (both the LanManager hash described here and the newer NT hash) are never sent "in the clear" over a network, or accessible to non-admins.
Why? Because they are plaintext-equivalent. Most NT network protocols treat the hash itself as a shared secret and do not make any attempt to verify that you know the actual password.
Yes, that's right. You already don't need to know the user's unencrypted password - except possibly for changing it (I can't remember offhand whether the various password-change calls require proof of knowledge of the old password - but I don't think they do either). Once an attacker gets the hashes out of your SAM, the game is already up, even if he can't decrypt them.
Given this fact, I sometimes wonder why Microsoft even bothered to try making NTLM a secure hash. BASE64 would have done pretty much the same job.
Move along, nothing to see here. Your passwords are just as secure, or as insecure, as they ever were.
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
What the hell is this happy horseshit?
When you create a new account in 2000, XP, and 2003, the account is only a member of Users by default. You have to go in and add them as an admin. And here is the description of the Users group.
'Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications' Gee, sounds like a pretty good thing for new users to me. I'll admit, most people don't do it, but stop talking out of your ass...it just makes your breath stink.
Things fall down...People look up... And when it rains, it pours.
This is why physical security is important. It's a lot easier to get into your system while inside your firewalls to the internet. Having a key card isn't all too expensive. It's not the most secure, but it carries a fairly good price vs security bonus value. If your company had millions of dollars to burn sure everyone could get a fingerprint/voice/whatever scanner on the doors and for each computer/office room, but the point is, if you do have to deal with a Windows network, at least try to get some physical limitations to people just walking in and using your own local computers to hack into your server, or hell, physical access to the server itself.
...in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points.
To be honest, this isn't as much of a scare as most people would think. A person willing to crack a password in ~13.6 seconds would no doubt be willing to take the extra minute regardless.
Plus you need Administrator privileges to get the hash file anyways, so you'd be able to access anything needed locally anyways.
Finally, crackers wouldn't be able to escalate to these privileges in the first place (hey, they wouldn't have any access on the system), so there really isn't anything for anyone to be concerned.
After a dozen or so times typing it in, you actually start to remember it. For those wondering, that password is something I just made up. I don't actually use it. =P~
-Lucas
Anyone who want to learn more about how UNIX Password security was designed should read this paper by Robert Morris and Ken Thompson that explains things like hashes (one way cryptographic functions) and salted passwords.
MOD THE CHILD UP!
The salt is stored in the hash itself. For example, on a pre-MD5 password system you would call the crypt function with the salt and plaintext. It would generate a hash with the first two letters being the salt you provided to crypt(). On more recent Un*x there's a (IIRC) 8 character salt embedded in the hash.
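The two formats mentioned in the thread, the 13-character DES crypt string whose first two characters are the salt and the '$1$' MD5 form with a salt of up to 8 characters, can be told apart mechanically when auditing a shadow file for legacy 12-bit-salt hashes. This is an added example, not code from any commenter; the shadow lines are constructed and the hash strings in them are format-valid placeholders, not real hashes.

```python
import re

# crypt(3) encodes salts and digests with a 64-character alphabet,
# so each character carries 6 bits.
B64 = r"[./0-9A-Za-z]"
DES_CRYPT = re.compile(rf"^({B64}{{2}}){B64}{{11}}$")
MD5_CRYPT = re.compile(rf"^\$1\$({B64}{{1,8}})\$({B64}{{22}})$")


def classify(field):
    """Return (scheme, salt, salt_bits) for one shadow password field."""
    if field == "":
        return ("empty", None, 0)
    if field[0] in "!*":
        # Locked or disabled account; any hash after '!' is not usable for login.
        return ("locked", None, 0)
    m = MD5_CRYPT.match(field)
    if m:
        salt = m.group(1)
        return ("md5-crypt", salt, 6 * len(salt))
    m = DES_CRYPT.match(field)
    if m:
        # Traditional crypt(): two salt characters = 12 bits = 4096 values.
        return ("des-crypt", m.group(1), 12)
    return ("other", None, 0)


def audit(shadow_text):
    """Yield (user, scheme, salt, salt_bits) for each shadow-format line."""
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        yield (parts[0],) + classify(parts[1])


def weak_accounts(shadow_text):
    """Users still stored with the 12-bit-salt DES scheme."""
    return [user for user, scheme, _s, _b in audit(shadow_text)
            if scheme == "des-crypt"]


# Constructed sample input (placeholder hash strings, not real hashes).
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:12345:0:99999:7:::
oldsvc:zdQ1x0G7hK2pA:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
retired:!zdQ1x0G7hK2pA:12000:0:99999:7:::
"""

if __name__ == "__main__":
    for row in audit(SAMPLE_SHADOW):
        print(row)
    print("accounts to rehash:", weak_accounts(SAMPLE_SHADOW))
```
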
Much as they discovered that UNIX is 3 orders of magnitude (e.g., 1000, 2000, etc, in this case 4000 times) harder to crack than Windows.
13.6 seconds x 4096 = 55705.6 seconds
55705.6 seconds / 3600 = 15.47 hours
15.5 hours to crack a password doesn't say a lot for Unix either. No longer is changing your password everyday enough to stop a brute force attack.
I'll buy that certainly for situations where you want to 0wnz0r every account, but usually you only need one privileged one. From there, everything's candy.
Besides, before that you could only crack into your evil co-worker station when he was away for a cup of coffee. Now it is enough for him to be distracted by the hot boss assistant's legs...
The who....mmmmm...leggggs....ah shit, somebody h4X0r3d my box! ;) Seriously, as I understand it though, all you do at the local machine is get the hashes - which takes a fixed amount of time. The processing time is all on your own machine. And as I said, unless I want every account on the machine, I'll surf the net for the extra 90 seconds or whatever while that shit's a-crackin'.
I mean, I appreciate them saving me the extra 90 seconds and all, thanx guys, but I'm much more afraid that it takes anywhere as short as 2 minutes in the first place, ya know? I'd feel better with, say, months. To me, the most relevant thing about this is the nice web page they put up where they'll crack windows hashes for you. Very considerate, guys. ;)
-Looking for a job as a materials chemist or multivariat
Is that adequate passwords make this hack impossible. It relies on a "lookup table" (read, pregenerated dictionary attack results). If your password ain't in it, it ain't happening. Look, chances are, you speak at least a few phrases of a foreign language. Dictionary attacks generally use English words; choose a couple of foreign words and numbers for your password, and all this crap goes away.
If you don't choose a decent password, then, well, your password will take five minutes to crack rather than 13.6 seconds. Feel better?
If your bitterest enemies are people who hack the heads off civilians, then I would say you're doing something right.
"Originally, we were targeting NT to the Intel i860 (code-named 'N-Ten)', a RISC processor that was horribly behind schedule. Because we didn't have any i860 machines in-house to test on, we used an i860 simulator. That's why we called it NT, because it worked on the 'N-Ten.'"
-Mark Lucovsky
Distinguished Engineer
Windows Server Architect
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
Come on, this is just a bunch of anti-American FUD by the Swiss. It's widely known that the .pwl encryption method is the safest in the world!
Have fun: Join D.N.A. (National Dyslexics Association)
Try this. Install XP and it asks for your desired user name. You enter your user name, how about "jkarlin". Boom. "jkarlin" is now an Administrator.
MORTAR COMBAT!
You grab the password hash off the network with a sniffer. Then you can work at cracking it for as long as you like.
----
All of whose base are belong to the what-now?
This is pretty much what my pet project (parasite, it's in my sig) does, except it does it for crypt and md5. I'm not really sure what windows uses. The main problem I have right now is actually with GCC under cygwin. It seems to choke sometimes on the large static arrays I use to speed things up. Works fine on everything else though.
====
Crudely Drawn Games
In recent report, Swiss researchers advocated the use of "a good hash" in computer security matters. Quoted one researcher, David Dittrich; "...you can escalate your privilege and slowly move your way through the network. If you can get your hands on the hash, then game over." [emphasis added]
With the recent wave of DMT experimentation in Silicon Valley, CA, US, government agents are on the alert. U.S. Attorney General John Ashcroft may have stated "As computer specialists may not choose to consume psychoactive parts of nature, our Persecution Roadmap is unlikely to change.... unfortunately"
At the time of writing, the Swiss government was on Swatch Internet Time, and could not be coordinated with for comment.
Step 1.5.1 Stuff donuts with laxatives before distributing them.
Of course afterwards you're probably going to want to use a different bathroom afterwards...
I don't want knowledge. I want certainty. - Law, David Bowie
Yeah, I understand the general intention of the code. I don't think there's anything wrong with trying to make the hashing code slower, in fact, that's probably a good idea.
What does worry me is:
- The whole algorithm is extremely ad-hoc. Since it serves an important cryptographic function, it should use cryptography carefully, and this doesn't. I have faith in MD5's practical ability to mask the author's missteps, but I'm not a genius cryptographer myself so I don't know what's possible. I do think that knowing the input has a special form would be an aid to cryptanalysis of the algorithm.
- The code itself is bizarre and (IMO) buggy, which leads me to believe that nobody ever audited it. It seems likely that I was the first person to look at it carefully (7 years later when I ported it to SML)--that's really scary since it plays such a vital role in the security of the system.