NTLM 100% Broken Using Hashes Derived From Captures
New submitter uCallHimDrJ0NES writes "Security researcher Mark Gamache has used Moxie Marlinspike's Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It's been going on for a long time, probably, but this is the first time a 'white hat' has researched and exposed the how-to details for us all to enjoy. 'You might think that with all the papers and presentations, no one would be using NTLM...or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!' Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!"
Asshole
OK, I did the unthinkable and skimmed the actual article, but I still have no idea what NTLM does, why it was chosen for whatever task it does, or what the potential repercussions are now that it's broken. Even the "Reminder About the Downside of Doing Nothing" section, which I hoped would explain exactly what an attacker could do, was light on details. Something about sending passwords to a remote machine?
Can anyone shine some light on this?
This is one of the worst summaries I have ever read here. I can easily imagine the joy in the submitter as they are dancing to their own over the top writing style. NTLM is 100% broken. Oh no! Microsoft stopped recommending it and switched to Kerberos starting with Windows 2000. Who the hell cares that someone broke a protocol from 10+ years ago? If anything, it makes NTLM look really good. What sensationalist trash this is.
To disable NTLM on old computers I believe that if you enforce 14-character passwords it will stop working.
But don't take my word for it.
I've been a victim of a pass-the-hash attack... they can fuck you up pretty good.
Smoking hashes is bad for your windows?
KERNEL PANIC -SIGFAULT AT ADDRESS #51A54D07
We still have quite a number of XP machines in our front office.
How to harden those XP machines and make them use NTLM2 instead?
Thanks !!
Thank you very much, Señor Edward Snowden!
http://technet.microsoft.com/en-us/library/cc738867(v=ws.10).aspx
The crucial detail is whether the physical layer of the network can be trusted. If the physical layer is trusted, then NTLM works fine. Historically, lots of corporate networks controlled every computer on the office network, and air-gapped the internet.
Many modern networks, including wireless networks, have a non-trustworthy physical layer. In this case, only end-to-end encryption protects the network. Yes, the newer versions of NTLM protect against the most obvious password scanning attacks. However, with a non-trustworthy physical layer, it is possible to simply scan all the network traffic and get the file contents from the network directly. Also, some (almost all?) ODBC and database servers send passwords in the clear. This makes it straightforward to do simple network traffic analysis attacks, and directly gather valuable information from the company network.
The bottom line is that only protocols like SSH work against a non-trustworthy physical layer.
Once in either version (I'd do it from the global group policy settings from the AD admin level), follow this down through the left-hand side pane tree items:
Security Settings -> Local Policies -> Security Options
Then, in the right-hand pane, go to Network Security grouped section.
There, use the "LAN Manager Authentication Level" & set it to NTLMv2 (refuse others, ONLY IF you don't have a "mixed mode" type domain setup, meaning machines or servers that MUST use NTLMv1).
There's about 10 others in that group too (In Windows 7 that is, I don't recall THAT many in earlier models, but that's just me operating on memory alone though & it's been YEARS since I even used Server 2003 or XP).
So - depending on the version of Windows you're doing this on?
It varies!
( & iirc, it got MORE 'stringent & complex' in each version, but all the NTLM stuff is RIGHT THERE in them all - in Windows 7/Server 2008 onwards, you can even set 'exception machines' up too).
APK
P.S.=> Of course, there's also the EASY WAY OUT, via the "FixIt Tool" Microsoft put out today as well, here -> http://support.microsoft.com/kb/2793313 which gives a GOOD RUNDOWN of what's going on in it too...
... apk
That's your Group Policy tool (secpol.msc, the mmc.exe snapin that I mentioned earlier is pretty much only a SUBSET of that, but more focused on security-based policies)...
Again - Do it as the Network AD admin, makes it simpler than doing it machine-by-machine (or even using the "FIX IT" Tool I noted from MS they released today).
* There you go!
APK
P.S.=> Sorry about that, not that it really matters, but it's best to give COMPLETE information when possible (I am beat tired today is all, had to kick out some tenants & had to clean the hell out of the place too after working ontop of it - I'm just shot, but that above should "complete the picture")...
... apk
Folks have known, for years, that windows hashes are password equivalent. Grab a hash, don't bother decrypting the pword, since you can use the hash directly.
With all the issues with windows pwords/pword hashes, it appears if MS could do something wrong with handling pwords, they did.
The submitter has a hardon for Linux and is giddy that the authentication mechanism for an OS that is over a decade old now can be broken.
Only the State obtains its revenue by coercion. - Murray Rothbard
Thanks for the informative info that you've so generously shared !!
Thanks again !!
Thank you very much, Señor Edward Snowden!
While the blog is interesting and useful, all it does is reinforce what any Windows network admin worth his salt has known and been told for years by Microsoft.
I've not seen a domain where that policy level 3 (or higher) isn't forced by GPO in a couple of years, though no doubt I'm sure they're out there; the last case I did see involved a company that just refused to migrate two win2k boxes they were still using on their network for some other piece of software they refused to upgrade. If your company has competent admins and doesn't have a bunch of old win2k or not service packed win3k boxes you should already be set, and even if you're not, it's an easy fix in most environments.
It is time to get with the times.
Yes, I worked in corporate I.T. before and know all the tired arguments. The OS will turn 13 years old later this year. 13 years?!
Not to mention XP SP3 after 800 or so updates is slower and not the speed demon it once was, as 9 out of 10 CPU cycles are work around exploits. Stop defining yourselves and your ego on an OS made by the same people who wrote IE 6?
The idea for security in XP is from the last century where all you needed is a good password. It lacks things a modern internet-enabled OS has today. It is not a treadmill at this point, nor is MS being evil to the mean old beancounters who refuse to see hidden costs and just look at licensing on a spreadsheet in Excel. This story, the one on IE 6-8 being vulnerable last week on Slashdot, and many others state XP is so primitive because it doesn't have protected mode, ASLR, or DEP fully (only a few things have that on XP).
If you ask this because your IT department has no plans to upgrade, then find another job that treats your profession and seriousness with respect. They are incompetent, and when shit hits the fan and social security numbers are stolen you will get the blame as the cost center and be let go anyway.
It is obvious with the latest security issues in IE6, IE 7-8 (in non protected mode), XP, and now this that it is time to let it go instead of workaround it. Investing time and money into it is like investing cash into a car with 200,000 miles.
These costs are real and so are the liabilities. Grow a pair and sell yourself the cheap asshats at your company? You are not saving anything by keeping an outdated insecure infrastructure and it is not unreasonable to upgrade to a 3 year old OS.
http://saveie6.com/
Why the fuck people still trust microsoft?
They keep coming up with more retarded, proprietary technologies that don't seem to solve any particular issue, and are solutions looking for a problem ... and eventually turn into huge problems themselves.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
It is a big problem if you are moving to Windows 7 on the client side and they are trying to virtualize IE 6/XP/Server 2k3 for their apps. If you upgrade then the authentication will fail. Many are dragging their feet so they do not have to deal with this until 2014.
http://saveie6.com/
Oh FUCK. ME. Sigh. "Guess I know what I'm doing tomorrow."
It's PENETRATION, not "Pentration" as you spell it on your resume, BOY -> http://www.linkedin.com/pub/jeremiah-cornelius-cissp-issap/2/620/a58
* So much for your "I am a black man" b.s. too (which also makes you a liar)...
Ah yes - NOW?
Now, I know who & WHAT you are, as well as where you are/from, too, you troll...
(A "San Fran Man" TOO I see, lol... you KNOW what they say about those, rotflmao!)
* Your location pretty much EXPLAINS why you act more like a WOMAN than a MAN then, & why you 'troll' others -> http://slashdot.org/comments.pl?sid=2238996&cid=36457426
(OH, don't worry - I took a screenshot of that, so that even AFTER you alter it for CORRECT SPELLING, I can laugh @ you about it too... HOW MANY YEARS HAVE YOU LEFT IT THAT WAY?)
APK
P.S.=>
"Used to do pen/vuln. No more." - by Jeremiah Cornelius (137) on Tuesday January 08, @09:32PM (#42527343) Homepage
So you're also MERELY A USER OF TOOLS THAT GUYS LIKE MYSELF WROTE FOR YOU TO "USE"... nothing more - figures!
That's ALL THAT TYPE IS - even the CISSP's I've met as well!
I also saw a LOT of "consultant" in there too - the BULLSHITTERS of the INDUSTRY, no questions asked, lol!
(Fact, because WITHOUT those tools? You couldn't do a DAMNED THING!)...
... apk
Holy SHIT!
Win is great for business, just turn off every bells and whistle and you will have an XP like experience.
OpenSUSE is better IMHO, but win7 should not be overlooked.
Recently did some work on a pristine Win8. It works just like Unity..
Defining Statistics and Social Research
Who would've thought a day would come when W3-schools is used as a reference in a non-humorous way?
You worked in corp IT and you think it is as easy as flipping a switch to make the change? Unlike the home enthusiast who doesn't mind learning the ins/outs of a new OS, many corporate users are task focused. The computer is a tool the same as a phone. For better/worse those users have no more interest in how the computer works than I have in the innards of my car's manual transmission. As long as it works I'm happy. If it doesn't I see an expert. You may consider the change from Win XP to Win 7 to be minor, but for millions of corporate users any change can be huge and require training, which is a double whammy of cost and lost productivity time. From a TCO perspective it is much cheaper to patch and manage than upgrade. The benefits of Win 7 are intangible to the end corporate users.
9 out of 10 CPU cycles are work around exploits
No.
Yes it is more bloated now than the initial release and slower as a result, not helped by all the stuff installed on it now which uses more CPU than an equivalent program would have used 15 years ago, plus your AV program probably is checking every file/web access (but not Windows itself). But...
It isn't consuming most of its time actively running additional code to prevent exploits. Almost every exploit is corrected by correcting the original code to fix the bug that allows a buffer/integer overflow etc. Not by keeping the original code and installing extra code to filter the inputs to it.
Trying to "hide this" Jeremiah Cornelius? LMAO -> http://slashdot.org/comments.pl?sid=3368135&cid=42529887 via downmods?
Yes - that's YOUR STYLE, bullshit artist troll that you are. YOU CAN'T EVEN SPELL WHAT IT IS YOU CLAIM TO DO RIGHT, lol, for Pete's sake!
Jeremiah Cornelius = 'evangelist/consultant' (bullshitters), & yes, troll too (by his OWN admission quoted in the link above). CISSP? Bah - CHUMP work (you merely use tools guys like MYSELF, actual coders, produce for you to USE, user!).
* YOU have been trolled - you like?
(You, your pals webmistressrachel, countertrolling, gmhowell, & the LONG NOW GONE Barbara, not Barbie alias tomhudson MULTIPLE ACCOUNT USING TROLL I busted & ran off sure like to dish it out, but you can't TAKE IT in return...)
APK
P.S.=> No, like I said, for all of you trolling me for years here? I am going to do it back to YOU, so you & yours learn a lesson!
(I already took care of webmistressrachel, & tomhudson/Barbara, not Barbie (showing them BOTH terribly technically weak in computing MANY times) - & I told you YOU were next - just to teach YOU & YOURS ala trolltalk.com a lesson... here 'tis, & it's JUST THE START! Payback is a BITCH, troll!)
... apk
you may have worked in corporate IT but you have no clue. What is your source for wild ass claims like "9 out of 10 CPU cycles are work around exploits"? Oh, right, you pulled that out of your ass -- an invented statistic to try and make XP look bad. The problem with that claim is that it is patently false as is obvious not only to anyone with a clue about CPUs, application execution, or anything related -- but even to anyone who gives it a passing thought (for one, your assertion implies 1/10 the performance of an unpatched XP box). Someone who runs XP and installs Vista, Win7 or Win8 is (very likely*) going to experience a slow down, not a speed up. In general, people are aware that XP is "faster" than its successors and when you use lies to bolster your case you actually weaken it.
The claim that "security in XP is from the last century where all you needed is a good password" also shows your utter and complete ignorance of XP and security architectures. Of course, you don't offer a single item to backup your claim. It would be hard to, unless you made it up on the spot like your statistic from above, as it simply isn't true.
That isn't to say that people shouldn't be moving off of XP. But they should do it for real reasons, not some made up crap, and posting obvious lies only weakens that case.
It's amazing that such a stupid post got modded insightful. Then again, this *is* Slashdot...
* except for blind fans of Microsoft, it is apparent that the successors of XP require more resources. This really shouldn't come as a surprise to anyone, but one consequence is that a system spec'd for XP is going to be under spec for Vista/Win7/Win8 and run slower. Potentially a lot slower (particularly dependent on how much RAM they have). Of course, MS has managed to shave a little off of boot time and there are other minor improvements such as the infinitesimal gain from disabling recording of access times (on a local file system of decent design -- which NTFS has -- there is no perceptible improvement).
Anyone have a Gibberish-English dictionary?
Gamingmuseum.com: Give your 3D accelerator a rest.
See https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#NTLMAUTH
If you set ntlm auth = no, then Samba will reject plain NTLM and require either NTLMv2 (the normal case) or LANMAN (if you have bizarrely backdated your XP box). There is a risk that some software will fail, so it's probably best if you create a pair of virtual servers, and set one up to use NTLMv2. As you find out what fails, you can move the unbroken services to the v2 server.
--dave
davecb@spamcop.net
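An added configuration-audit example, not code from the thread, Microsoft or Samba, that serves both the Group Policy "LAN Manager Authentication Level" steps earlier in the thread and davecb's Samba ntlm auth advice: it evaluates a Windows LmCompatibilityLevel value (the registry form of that policy, 0-5, meanings as Microsoft documents them) and an smb.conf fragment, reporting whether LM or NTLMv1 responses are still sent or accepted. The smb.conf samples are constructed; the handling of the newer Samba enum values for ntlm auth goes beyond what the thread covers.

```python
# Meanings of LmCompatibilityLevel 0-5 as documented by Microsoft.
LM_COMPAT_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}


def audit_lm_compatibility(level):
    """Describe what a host at this level sends as a client and accepts as a server."""
    if level not in LM_COMPAT_LEVELS:
        raise ValueError("LmCompatibilityLevel must be 0-5, got %r" % (level,))
    return {
        "level": level,
        "meaning": LM_COMPAT_LEVELS[level],
        "client_sends_lm": level <= 1,        # LM response is sent at levels 0-1
        "client_sends_ntlmv1": level <= 2,    # NTLMv1 response is sent at levels 0-2
        "server_accepts_lm": level < 4,       # LM is refused only from level 4
        "server_accepts_ntlmv1": level < 5,   # NTLMv1 is refused only at level 5
        "client_hardened": level >= 3,        # the "level 3 or higher" rule from the thread
        "server_hardened": level == 5,        # only level 5 refuses both LM and NTLMv1
    }


_BOOL = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # whole-line comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_samba(conf_text):
    """Report whether a Samba server with this config accepts LM or NTLMv1."""
    g = parse_smb_conf(conf_text).get("global", {})
    ntlm = g.get("ntlm auth", "yes").lower()     # Samba 3 default: yes (plain NTLM allowed)
    lanman = g.get("lanman auth", "no").lower()  # assumed default: no
    # Samba 4.5+ turned "ntlm auth" into an enum; "ntlmv1-permitted" is the only
    # value besides yes that still allows plain NTLM (extension beyond the thread).
    ntlmv1 = _BOOL.get(ntlm, ntlm == "ntlmv1-permitted")
    lm = _BOOL.get(lanman, False)
    return {
        "ntlm auth": ntlm,
        "accepts_ntlmv1": ntlmv1,
        "accepts_lm": lm,
        "hardened": not ntlmv1 and not lm,
    }


# Constructed sample configs: one left at defaults, one following davecb's advice.
SMB_CONF_WEAK = "[global]\n    workgroup = EXAMPLE\n    ; ntlm auth left at its default\n"
SMB_CONF_HARDENED = "[global]\n    workgroup = EXAMPLE\n    ntlm auth = no\n    lanman auth = no\n"

if __name__ == "__main__":
    for lvl in (0, 3, 5):
        print(audit_lm_compatibility(lvl))
    print(audit_samba(SMB_CONF_WEAK))
    print(audit_samba(SMB_CONF_HARDENED))
```

Level 3 is the usual minimum for clients, but note that a domain controller at level 3 still accepts NTLMv1 from others; only level 5 refuses it.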
"The claim that "security in XP is from the last century where all you needed is a good password" also shows your utter and complete ignorance of XP and security architectures"
Right, you mean how in XP there is an IMPERSONATION SERVICE where a user mode program can run with kernel mode privileges and impersonate a critical service?!
No ASLR, limited DEP, no privilege separation in the code. Yeah, XP is last century security wise, which is fine as other operating systems from the 20th century lacked those as well.
"you may have worked in corporate IT but you have no clue. What is your source for wild ass claims like "9 out of 10 CPU cycles are work around exploits"? Oh, right, you pulled that out of your ass -- an invented statistic to try and make XP look bad"
Yeah, I am making it look bad because in 2013 it is bad. You are telling me after 1,000+ exploits there is no performance penalty or advanced filtering for every input and I/O after 12 years? The fact of the matter is XP ran well on 128 megs of RAM on a Pentium II 300 MHz in 2001. Why can't I run it like this? The answer is because of 700+ patches.
I look at XP like a boat with holes all over encased with 3 feet of bandaids. I have not looked at the source code and neither have you. I do not have to rely on fake statistics. Look at the evidence of it today? I can not see how it is possible to fix all the exploits without breaking apps.
My only explanation is double the code size and filtering out every I/O and input due to the architecture not being able to withstand the malware we have today. NTLM is yet another example, while IE 6 - 8, while still being patched, is not being hacked as I type this because it can not run in protected mode in XP.
http://saveie6.com/
You worked in corp IT and you think it is as easy as flipping a switch to make the change? Unlike the home enthusiast who doesn't mind learning the in/outs of a new OS many corporate users are task focused. The computer is a tool the same as a phone. For better/worse those users have no more interest in how the computer works than I have in the innards of my car's manual transmission. As long as it works I'm happy. If it doesn't I see an expert. You may consider the change from Win XP to Win 7 to be minor but for millions of corporate users any change can be huge and require training which is a double whammie of cost and lost productivity time. From a TCO perspective it is much cheaper to patch and manage than upgrade. The benefits of Win 7 are intangible to the end corporate users.
13 years is not the same timeframe as flipping a switch. From a TCO being hacked is very high as well as all sorts of security issues and not being able to log onto vendor/client portals, not being able to read Photoshop, autocad, and office 2013 files from users and other vendors, suppliers, and customers. XP already is getting more expensive to maintain than to keep current and it will get worse and worse.
As an IT professional it is your responsibility to keep your infrastructure secure and up to date. If shit happens from this exploit (one out of other examples) whose head will be on the chopping block? YOU!
Therefore, it is your job to go over the risks, and do not tell me users do not know how to use Windows 7. It is similar to XP, and users have been using it at home now, and its Vista cousin, for years as well. Do your job!
http://saveie6.com/
You would have to be on the network to capture the packets in the first place. Security starts with the door.
He's from San Francisco! Men there know anal penetration, hahaha.
ROTFLMAO. Not exactly on his resume but makes sense. He's a San Fran man.
XP never once ran well on 128 MB of RAM. Windows 98 maybe, but not 2000 or XP. 512 MB minimum for solid performance.
No ASLR, limited DEP, no privilege separation in the code. Yeah, XP is last century security wise, which is fine as other operating systems from the 20th century lacked those as well.
ASLR was first implemented in July 2001, as part of the PaX patch for Linux... So it's about as old as XP.
The idea of DEP was partially implemented much earlier, SunOS 4.x and Digital Unix 3.x had non executable stack areas, Linux had a patch to implement such too, it wasn't until much later that AMD implemented direct hardware support for non executable pages on x86, but it was effectively emulated in software long before that.
The idea of layers of filtering slowing down XP is ridiculous; that would be such a ridiculous kludge that I don't believe even Microsoft would implement things that way...
On the other hand, if they intentionally slow down XP with updates, then it makes subsequent versions more attractive. Users have long criticised MS for new versions being significantly slower and more bloated than old ones, so I wouldn't be surprised to see them using underhanded tactics to distort this perception.
So GP's post was badly spelled, poorly worded -- and also factually wrong. When you read his paragraphs you can almost feel him think how hard it is to keep a coherent thought in his head for long enough to type it out. You can see him failing at that. Yet, somehow, he got 5, insightful. It's time for some reflection, Slashdot.