Slashdot Mirror
NTLM 100% Broken Using Hashes Derived From Captures
New submitter uCallHimDrJ0NES writes "Security researcher Mark Gamache has used Moxie Marlinspike's Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It's been going on for a long time, probably, but this is the first time a 'white hat' has researched and exposed the how-to details for us all to enjoy. 'You might think that with all the papers and presentations, no one would be using NTLM...or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!' Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!"
OK, I did the unthinkable and skimmed the actual article, but I still have no idea what NTLM does, why it was chosen for whatever task it does, or what the potential repercussions are now that it's broken. Even the "Reminder About the Downside of Doing Nothing" section, which I hoped would explain exactly what an attacker could do, was light on details. Something about sending passwords to a remote machine?
Can anyone shine some light on this?
This is one of the worst summaries I have ever read here. I can easily imagine the joy in the submitter as they are dancing to their own over the top writing style. NTLM is 100% broken. Oh no! Microsoft stopped recommending it and switched to Kerberos starting with Windows 2000. Who the hell cares that someone broke a protocol from 10+ years ago? If anything, it makes NTLM look really good. What sensationalist trash this is.
I'm been a victim of pass the hash attack... they can fuck you up pretty up pretty good.
Smoking hashes is bad for your windows?
KERNEL PANIC -SIGFAULT AT ADDRESS #51A54D07
We still have quite a number of XP machines in our front office.
How to harden those XP machines and make them use NTLM2 instead?
Thanks !!
Muchas Gracias, Señor Edward Snowden !
http://technet.microsoft.com/en-us/library/cc738867(v=ws.10).aspx
The crucial detail is whether the physical layer of the network can be trusted. If the physical layer is trusted, then NTLM works fine. Historically, lots of corporate networks controlled every computer on the office network, and air-gapped the internet.
Many modern networks, including wireless networks, have a non-trust worthy physical layer. In this case, only end-to-end encryption protects the network. Yes, the newer versions NTLM protect against the most obvious password scanning attacks. However, with a non-trust worthy physical layer, it is possible to simply scan all the network traffic and get the file contents from the network directly. Also, some (almost all?) ODBC and database servers send passwords in the clear. This makes it straightforward to do simple network traffic analysis attacks, and directly gather valuable information from the company network.
The bottom line is that only protocols like SSH work against a non-trustworthy physical layer.
>14 chars disables LM, but not NTLM.
>14 character passwords also disables some users.
Somebody needs to get with the last decade since MSFT made Kerberos the preferred authentication method waaaaay back in Win2K, so if you are still using NTLM for authentication after it has been depreciated for 13 years? I'd say you have bigger problems than NTLM being hacked.
ACs don't waste your time replying, your posts are never seen by me.
I'd say this affects Linux too - a bunch of machines with Samba are quite possibly vulnerable, and need a different settings change than what Windows does.
At a minimum, the following in the smb.conf
[global]
client ntlmv2 auth = yes
lanman auth = no
ntlm auth = no
For winbindd, a recompile might be required.
It is time to get with the times.
Yes, I worked in corporate I.T. before and know all the tired arguments. The OS will turn 13 years old later this year. 13 years?!
Not to mention XP SP 3 after 800 or so updates is slower and not the speed daemon it once was as 9 out of 10 CPU cycles are work around exploits. Stop defining yourselves and your ego on an OS made by the same people who wrote IE 6?
The idea for security in XP is from the last century where all you needed is a good password. It lacks things a modern internet enabled OS have today. It is not a trendmill at this point nor is MS being evil to the mean old beancounters who refuse to see hidden costs and just licensing on a spreadsheet in excel. This story, the one on IE 6-8 being vulnerably last week on slashdot, and many others stating XP is so primptive because it doesn't have protected mode, ASLR, are DEP fully (only a few things have that on XP).
If you ask this because your IT department has no plans to upgrade then another job who treat your profession and seriousness with respect.. They are incompetent and when shit hits the fan and social security numbers are stolen you will get the blame as the cost center and be let go anyway.
It is obvious with the latest security issues in IE6, IE 7-8 (in non protected mode), XP, and now this that it is time to let it go instead of workaround it. Investing time and money into it is like investing cash into a car with 200,000 miles.
These costs are real and so are the liabilities. Grow a pair and sell yourself the cheap asshats at your company? You are not saving anything by keeping an outdated insecure infrastructure and it is not unreasonable to upgrade to a 3 year old OS.
http://saveie6.com/
I already replied to someone saying the best way to harden XP is called Windows 7.
I do not understand the strange obsession of keeping XP. Does it save money. No.
Geeks with aspergers lack the social skills to grow a pair and tell the cost accountants they are morons as if these companies who handle customer social security numbers, credit numbers, and other things with their billing department are ripe pickings with XP.
XP has been proven time and time again to be old, insecure, and has security features from a different era. It comes with IE 6. I mean did MS really make it that secure? Oh it is password protected. THat is good enough ... check.
IE 6 - 8 are being exploited right now under XP because it lacks protected mode and even the Mr. Fixit from that exploit has already been circumvented. But those on XP claim they are saving money and how great and secure their OS is that wont listen. Just because it runs on machines with 256 megs of ram doesn't mean it is supperiorly coded and of high quality. THe misinformation many supposedly IT professionals are astounding.
I should start bookmarking these so when someone mods me down and says how great XP is and why change to an inferior bloated OS like win 7 I can cite this and the IE 6 -8 hole links?
http://saveie6.com/
lol. Yeah, wikipedia said it, it has to be true. Oh, wait... you didn't even read the complete subsection of the wikipedia article. Your position in IT management awaits.
Although GP is flamebait at best.. Because when LM and original NTLM were created it was an issue, and in 2003 compatibility was an issue, is why it is still around.
That said, I will say that for most people's needs there are plenty of adequate solutions. I find that LibreOffice(and OOo) do a decent job. PostgreSQL in many ways exceeds what MS-SQL does, and there are some decent integrated mail/calendar servers... I do think that Exchange is to this day best in it's class, and there are some features of MS Office that will lock some in. However, the fact is, most people don't need any MS software.
NOTE: I make my living doing software dev in an MS centered environment.
Michael J. Ryan - tracker1.info
Just because it runs on machines with 256 megs of ram doesn't mean it is supperiorly coded and of high quality.
XP SP3 doesn't even cut that anymore. A bare installation hovers around 384 megs already.
So why do home users use Windows?
Because they don't want to deal with stuff like this just to get sound working.
https://wiki.archlinux.org/index.php/Advanced_Linux_Sound_Architecture
Holy SHIT!
I have been noticing this a lot lately but I decided to offer this friendly little help to you:
depreciated is not the word you are wanting to use. The word that you actually want is deprecated.
http://en.wikipedia.org/wiki/Depreciation
http://en.wikipedia.org/wiki/Deprecation
Cheers :)
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
Win is great for business, just turn off every bells and whistle and you will have an XP like experience.
OpenSUSE is better IMHO, but win7 should not be overlooked.
Recently did some work on a pristine Win8. It works just like Unity..
Defining Statistics and Social Research
Who would've thought a day would come when W3-schools is used as a reference in a non-humorous way?
I remember trying most of the relevant stuff on that page on archlinux and still not getting the sound to work properly.
9 out of 10 CPU cycles are work around exploits
No.
Yes it is more bloated now than the initial release and slower as a result, not helped by all the stuff installed on it now which uses more CPU than an equivalent program would have used 15 years ago, plus your AV program probably is checking every file/web access (but not Windows itself). But...
It isn't consuming most of its time actively running additional code to prevent exploits. Almost every exploit is corrected by correcting the original code to fix the bug that allows a buffer/integer overflow etc. Not by keeping the original code and installing extra code to filter the inputs to it.
you may have worked in corporate IT but you have no clue. What is your source for wild ass claims like "9 out of 10 CPU cycles are work around exploits"? Oh, right, you pulled that out of your ass -- an invented statistic to try and make XP look bad. The problem with that claim is that it is patently false as is obvious not only to anyone with a clue about CPUs, application execution, or anything related -- but even to anyone who gives it a passing thought (for one, your assertion implies 1/10 the performance of an unpatched XP box). Someone who runs XP and installs Vista, Win7 or Win8 is (very likely*) going to experience a slow down, not a speed up. In general, people are aware that XP is "faster" than its successors and when you use lies to bolster your case you actually weaken it.
The claim that "security in XP is from the last century where all you needed is a good password" also shows your utter and complete ignorance of XP and security architectures. Of course, you don't offer a single item to backup your claim. It would be hard to, unless you made it up on the spot like your statistic from above, as it simply isn't true.
That isn't to say that people shouldn't be moving off of XP. But they should do it for real reasons, not some made up crap, and posting obvious lies only weakens that case.
Its amazing that such a stupid post got modded insightful. Then again, this *is* slashdot...
* except for blind fans of Microsoft, it is apparent that the successors of XP require more resources. This really shouldn't come as a surprise to anyone, but one consequence is that a system spec'd for XP is going to be under spec for Vista/Win7/Win8 and run slower. Potentially a lot slower (particularly dependent on how much RAM they have). Of course, MS has managed to shave a little off of boot time and there are other minor improvements such as the infinitesimal gain from disabling recording of access times (on a local file system of decent design -- which NTFS has -- there is no perceptible improvement).
of course, anyone taking your advice has their head screwed on wrong. Maybe your going about your advice wrong. First, try to learn something about the topic on which you want to give advice. Second, don't insult the people you are talking to at every turn. You really like the phrase "grow a pair", for example. Grow up.
Of course, the same criticism could be leveled at this post. Except I'm not trying to give you advice, just pointing out why your "sage advice" is falling on deaf ears.
Anyone have a Gibberish-English dictionary?
Gamingmuseum.com: Give your 3D accelerator a rest.
See https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#NTLMAUTH
If you set ntlm auth = no, then Samba will reject plain NTLM and require either NTLM v2 (the normal case) or LANMAN (if you have bizzarely backdated your XP box). There is a risk that some software w2ill fail, so it's probably best if you create a pair of virtual servers, and set one up to use NTLMv2. As you find out what fails, you can move the unbroken services to the v2 server.
--dave
davecb@spamcop.net
"The claim that "security in XP is from the last century where all you needed is a good password" also shows your utter and complete ignorance of XP and security architectures"
Right, you mean how in XP there is an IMPERSONATION SERVICE where a user mode program can run with kernel mode priveldges and impersonate a critical service?!
No ASLR, limited DEP, no priveldge seperation in the code. Yeah, XP is last century security wise which is fine as other operating systems from the 20th century lacked those as well.
"you may have worked in corporate IT but you have no clue. What is your source for wild ass claims like "9 out of 10 CPU cycles are work around exploits"? Oh, right, you pulled that out of your ass -- an invented statistic to try and make XP look bad"
Yeah, I am making it look bad because in 2013 it is bad. You are telling me after 1,000+ exploits there is no performance penalty or advanced filtering for every input and i/o after 12 years? THe fact of the matter is XP ran good on 128 megs of ram on a Pentium II 300 mhz in 2001. Why can't I run it like this. The answer is because of +700 patches.
I look at XP like a boat with holes all over encased with 3 feet of bandaids. I have not looked at hte source code and neither have you. I do not have to rely on fake statistics. Look at the evidence of it today? I can not see how it is possible to fix all the exploits without breaking apps.
My only explanaition is double the code size and filtering out every i/o and input due to the architecture not being able to withstand the malware we have today. NTLM is yet another example, while IE 6 - 8 while still being patched is not being hacked as I typed this because it can not run in protected mode in XP.
http://saveie6.com/
You worked in corp IT and you think it is as easy as flipping a switch to make the change? Unlike the home enthusiast who doesn't mind learning the in/outs of a new OS many corporate users are task focused. The computer is a tool the same as a phone. For better/worse those users have no more interest in how the computer works than I have in the innards of my car's manual transmission. As long as it works I'm happy. If it doesn't I see an expert. You may consider the change from Win XP to Win 7 to be minor but for millions of corporate users any change can be huge and require training which is a double whammie of cost and lost productivity time. From a TCO perspective it is much cheaper to patch and manage than upgrade. The benefits of Win 7 are intangible to the end corporate users.
13 years is not the same timeframe as flipping a switch. From a TCO being hacked is very high as well as all sorts of security issues and not being able to log onto vendor/client portals, not being able to read Photoshop, autocad, and office 2013 files from users and other vendors, suppliers, and customers. XP already is getting more expensive to maintain than to keep current and it will get worse and worse.
As an IT professional it is your responsibility to keep your infrastructure secure and up to date. If shit happens from this exploit (one out of other examples) whose head will be on the chopping block? YOU!
THerefore, it is your job to go over the risks and do not tell me users do not know how to use Windows 7? It is similiar to XP, and users have been using it at home now and its Vista cousin for years as well. Do your job!
http://saveie6.com/
Another thing about XP - any computer purchased in the past ~3 years is going to come with Windows 7. You can get Core i5 Lenovo laptops with 8gb ram for ~$600-$700. Yes, it costs money, but if your org is running computers from 2005, it's probably worth upgrading anyway, unless you have a valid reason for sticking with XP (e.g. your users run software that requires XP and won't run on Win7).
At my last job, cost was one of the barriers to upgrading to Win7. But we pitched it as a hardware upgrade - moving from slow Core Duo 1.8 ghz desktops with 2 GB ram to the Lenovos I described above. It was a huge win for us all around - we migrated to Win7 and upgraded the hardware in one shot, while improving everyone's workflow by moving from desktops to laptops.
rooooar
"The claim that "security in XP is from the last century where all you needed is a good password" also shows your utter and complete ignorance of XP and security architectures"
Right, you mean how in XP there is an IMPERSONATION SERVICE where a user mode program can run with kernel mode priveldges and impersonate a critical service?!
No ASLR, limited DEP, no priveldge seperation in the code. Yeah, XP is last century security wise which is fine as other operating systems from the 20th century lacked those as well.
"you may have worked in corporate IT but you have no clue. What is your source for wild ass claims like "9 out of 10 CPU cycles are work around exploits"? Oh, right, you pulled that out of your ass -- an invented statistic to try and make XP look bad"
Yeah, I am making it look bad because in 2013 it is bad. You are telling me after 1,000+ exploits there is no performance penalty or advanced filtering for every input and i/o after 12 years? THe fact of the matter is XP ran good on 128 megs of ram on a Pentium II 300 mhz in 2001. Why can't I run it like this. The answer is because of +700 patches.
I look at XP like a boat with holes all over encased with 3 feet of bandaids. I have not looked at hte source code and neither have you. I do not have to rely on fake statistics. Look at the evidence of it today? I can not see how it is possible to fix all the exploits without breaking apps.
My only explanaition is double the code size and filtering out every i/o and input due to the architecture not being able to withstand the malware we have today. NTLM is yet another example, while IE 6 - 8 while still being patched is not being hacked as I typed this because it can not run in protected mode in XP.
XP never once ran good on 128mb's of ram. Window 98 maybe, but not 2000 or XP. 512MB minimum for solid performance.
Actually its worse than that Billy as XP still has the old WinNT 4 memory manager which frankly was designed in an era when memory was worth its weight in gold so it'll pimpslap the living hell out of swap LONG before you've even used half the RAM in the system. So in actuality you aren't saving any memory, you are just swapping more. Compare this to Win 7 where I have 500MB of my 8GB free right now, am I running something intensive? Nope its merely caching all my most used programs and Windows features so if I click on them its instant. if I do launch something intensive like my shooters Win 7 will just dump the cache and hand it over and when finished it refills the cache which is a MUCH smarter and saner design choice. Now anything I use day to day loads with ZERO disc access, just click and done.
So if you look at the internals of WinXP there really isn't much they can do to make it run any better or safer, like that 7 year old graphics card every drop of performance has done been squeezed out and you can't fix it, the lack of non admin users, the lack of low rights mode, the inability to protect the memory or keep it from using swap when you have memory free, these things are part of the core and just can't be fixed without dumping the whole, they just can't do it.
Win 7 is supported until 2020 at the very least (since it has become the new XP I have a feeling it'll get an extension or two) and HAS all the extra security and core OS features that make it capable of handling the multiple cores and multiGB of RAM we have today. When XP was released I can tell you the average system was a 300MHz PII with 64MB-128MB of RAM, hell those $50 cheap tablets have better specs than high end PCs ran under XP RTM. Its time to let the old thing go, like Win9X it served its purpose at the time but now it should just rest in peace and everyone move on. Even XP X64 (in reality 2K3 Workstation 64) had lousy memory management, it could take a lot of memory but it was up to the individual programs to use it wisely.
ACs don't waste your time replying, your posts are never seen by me.
Ah, you are right. That's why MySQL has a bigger marketshare than mssql, all serious mailservers use either sendmail, postfix or qmail, and LibreOffice is close to a 25% market share.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
I love how lately saying the truth is flamebaiting/trolling.
What issue was there back in 2003?
Microsoft tried to steer the market away from TCP/IP. It took them ages to get proper TCP/IP support, and when they did, they stole most of it from BSD (this was proven in the famous windows 2k code leak). They hate standards because it makes it harder to lock in their customers. NTLM is nothing but crapware designed to lock-in people. Really, explain WHAT exactly is it that NTLM solves/fixes, now or 10 years ago?
WTF am I doing replying to an AC at 5 A.M on a Friday night?
NTLM is a bit more than 10 years old... Hell v2 which addressed most of the OP issues is older than that. LM was created in the late 80s iirc. As for the BSD code in the NT network stack, that had been known for long before the code leak... It's been noted in license documents for over a decade. Why because BSD coffee is allowed in closed source programs. The post I referred to is flame bait because it is... Your post wasn't about truth, it's about hate. I don't love Microsoft, but I certainly don't hate them. Maybe you should double check what you think you know before spouting off.
Michael J. Ryan - tracker1.info
Looks like LM 1.0 was released in 1987, and NTLM in 1993...
Michael J. Ryan - tracker1.info
No ASLR, limited DEP, no priveldge seperation in the code. Yeah, XP is last century security wise which is fine as other operating systems from the 20th century lacked those as well.
ASLR was first implemented in July 2001, as part of the pax patch for linux... So it's about as old as XP.
The idea of DEP was partially implemented much earlier, SunOS 4.x and Digital Unix 3.x had non executable stack areas, Linux had a patch to implement such too, it wasn't until much later that AMD implemented direct hardware support for non executable pages on x86, but it was effectively emulated in software long before that.
The idea of layers of filtering slowing down XP is ridiculous, that would be such a ridiculous kludge that i don't believe even microsoft would implement things that way...
On the other hand if they intentionally slow down XP with updates, then it makes subsequent versions more attractive. Users have long criticised MS for new versions being significantly slower and more bloated than old ones, so i wouldn't be surprised to see them using underhanded tactics to distort this perception.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
This "Strange obsession" is called backwards compatibility...
Companies have lots and lots of very poorly written software which was designed to run on XP, and doesn't work (the same) on anything else. The reasons why it doesn't work are varied, some just refuses to run when it detects a version it doesn't recognise while others depend on the weaker security model of XP or other such things, while some software mostly works but some features are broken or behave differently.
The cost of testing all this software, and replacing what doesn't work is HUGE both in terms of money and man hours.
Some of the software may not be easily replaceable, i have encountered many companies locked in to closed source software where the original vendor has gone bankrupt, leaving them with an old version, no source code, no specifications on how the data is stored etc.
Besides, if you're going to make the huge investment of moving to a different system, it would make more sense to move to Linux... At least then you will significantly decrease your long term costs.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
The cost of testing all this software, and replacing what doesn't work is HUGE both in terms of money and man hours.
Eventually the cost of cleaning up the messes script kiddies make every time they pwn one of your XP machines (and lost business that comes with constantly sending out those "sorry, our security sucks, and now your name, password, credit card numbers, and social security number are on pastebin." messages to customers) will be HUGE-er.
0 1 - just my two bits
Riiight, Linux is gonna save you money long term....how exactly? Lets look at the OS breaking moves just in the past 5 years, ALSA for a broken Pulse, KDE 3 and Gnome 2 just getting really good and stable....only to get shitcanned for alpha quality replacements, oh and lets not forget all the kernel twiddling by Linus "I'm an arrogant ass" Torvalds and the entire WiFi subsystem getting a serious rewrite that broke as much as it fixed. Quick, what do BSD, OSX,iOS,Windows,Solaris and even OS/2 have in common that Linux DON'T? A stable driver ABI so when one subsystem gets futzed with the whole thing don't shit itself and die, that's what.
As for backwards compatibility...uhhh, hello? XP Mode? Comes with Win 7 Pro? Lets you make a nice little locked down XP install while still having all the security and benefits like a better memory subsystem that is Windows 7? I've set up several businesses on Win 7 with XP Mode and frankly it runs great, the employee just clicks the desktop link just like they would have in XP and the VM runs the program easy peasy. the ONLY thing its not good for I've found is graphics heavy stuff like gaming which lets face it most businesses aren't gonna be allowing you to run your old Win9X games anyway. ironically I've not had a bit of trouble running ALL my win9X games on win 7 X64...as long as I pirate them thanks to the old shitty 16 bit DRM they used to use. But the games themselves? Run fine.
But its really not hard for a business to set up a test bed with Win 7 and XP Mode to test their old software, hell you can get dual core machines now for less than $200 so there really is no excuse not to have a test bed and the things gained by switching, better security, faster workflow (jumplists and breadcrumbs...I still don't know how we lived without those) a MUCH better and actually sane memory subsystem that will have all the programs they use daily loaded into RAM and ready to go when they are, and finally the frankly insane amount of money you are pissing away by hanging onto those old P4s and CRT monitors, I've had business owners tell me that after I switched over their office their electric bill went down a good 35% just from not blowing all the juice on feeding and cooling those old power hogs. It just doesn't make any kind of sense, not from a security, economic, nor business sense, to keep old hardware.
ACs don't waste your time replying, your posts are never seen by me.
What the fuck are you talking about, you retard?
WTF am I doing replying to an AC at 5 A.M on a Friday night?