NTLM 100% Broken Using Hashes Derived From Captures
New submitter uCallHimDrJ0NES writes "Security researcher Mark Gamache has used Moxie Marlinspike's Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It's been going on for a long time, probably, but this is the first time a 'white hat' has researched and exposed the how-to details for us all to enjoy. 'You might think that with all the papers and presentations, no one would be using NTLM...or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!' Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!"
NTLM stands for Windows NT LAN Manager. It was used in earlier Windows from NT 3.1 (yes THAT old) up until Win 2K3 IIRC.
Users would authenticate their login credentials to the system. NTLM is the sub-system that does that authentication.
For more details see wikipedia: http://en.wikipedia.org/wiki/NTLM
NTLM, you COULD go to Wikipedia - failing all else.
This is the name for Microsoft's 2nd generation authentication protocol - for issuing challenges and responses related to encrypted passwords as a shared secret. The passwords are hashed with a salt, and the value compared with the known password, by the authentication service. This is a variant introduced by Windows NT on the LAN Manager scheme - cooked up in the remote past by MS and IBM, based on Ungermann-Bass software.
This is important, because LM and NTLM are trivial to either crack or spoof. Backwards compatibility was the bugbear for NTLM. v2 addresses many of the issues - but is relatively recent. Every XP / Server 2003 era machine sends the old-style hashes, as a part of Auth handshake sequences.
It's now been demonstrated that this is not a trivial matter - that the hash may be derived simply by performing computation on the artifacts for challenge and response. Then a legitimate hash can be injected by an attacker, in standard "pass-the-hash" fashion.
"Flyin' in just a sweet place,
Never been known to fail..."
This is one of the worst summaries I have ever read here. I can easily imagine the joy in the submitter as they are dancing to their own over the top writing style. NTLM is 100% broken. Oh no! Microsoft stopped recommending it and switched to Kerberos starting with Windows 2000. Who the hell cares that someone broke a protocol from 10+ years ago? If anything, it makes NTLM look really good. What sensationalist trash this is.
I distinctly remember using NTLMv2 in both NT 4.0 and Win2K, for a product I was developing for those platforms. NTLMv2 was an option. You could also choose whether the negotiation could downgrade to NTLM if the other side didn't support NTLMv2, or if the negotiation would insist on NTLMv2. But NTLMv2 didn't become the default until Vista -- the first version of Windows that strongly emphasized security.
We still have quite a number of XP machines in our front office.
How to harden those XP machines and make them use NTLM2 instead?
Thanks !!
Muchas Gracias, Señor Edward Snowden !
http://technet.microsoft.com/en-us/library/cc738867(v=ws.10).aspx
The crucial detail is whether the physical layer of the network can be trusted. If the physical layer is trusted, then NTLM works fine. Historically, lots of corporate networks controlled every computer on the office network, and air-gapped the internet.
Many modern networks, including wireless networks, have a non-trustworthy physical layer. In this case, only end-to-end encryption protects the network. Yes, the newer versions of NTLM protect against the most obvious password scanning attacks. However, with a non-trustworthy physical layer, it is possible to simply scan all the network traffic and get the file contents from the network directly. Also, some (almost all?) ODBC and database servers send passwords in the clear. This makes it straightforward to do simple network traffic analysis attacks, and directly gather valuable information from the company network.
The bottom line is that only protocols like SSH work against a non-trustworthy physical layer.
In fact, I think he may have been penetrated via a back-door.
Tubal-Cain smokes the white owl.
>14 chars disables LM, but not NTLM.
>14 character passwords also disables some users.
Somebody needs to get with the last decade since MSFT made Kerberos the preferred authentication method waaaaay back in Win2K, so if you are still using NTLM for authentication after it has been deprecated for 13 years? I'd say you have bigger problems than NTLM being hacked.
ACs don't waste your time replying, your posts are never seen by me.
I'd say this affects Linux too - a bunch of machines with Samba are quite possibly vulnerable, and need a different settings change than what Windows does.
At a minimum, the following in the smb.conf
[global]
client ntlmv2 auth = yes
lanman auth = no
ntlm auth = no
For winbindd, a recompile might be required.
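Added example, not part of the post above and not Samba project code: a small audit of the three smb.conf parameters the post lists. It parses the [global] section the way Samba reads it (parameter names are case- and whitespace-insensitive, yes/true/1 and no/false/0 are interchangeable) and reports each parameter as ok, weak or unset. Both configs are constructed for the example; the weak one accepts LM and NTLMv1 responses and still lets the client send NTLMv1, the hardened one is the post's setting. An unset parameter is reported as such rather than judged, because the compiled-in default differs between Samba versions. The enumerated values for "ntlm auth" (ntlmv1-permitted, ntlmv2-only, mschapv2-and-ntlmv2-only, disabled) are the ones newer Samba accepts alongside yes/no.

```python
# Constructed sample configs (not taken from any real system).
WEAK_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    log file = /var/log/samba/%m.log
    ; accepts LM and NTLMv1 responses; client still offers NTLMv1
    lanman auth = yes
    ntlm auth = yes
    client ntlmv2 auth = no
"""

HARDENED_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    log file = /var/log/samba/%m.log
    lanman auth = no
    ntlm auth = no
    client ntlmv2 auth = yes
"""

# Values that leave only NTLMv2 (or nothing) on the wire, per parameter.
ACCEPTABLE = {
    "lanmanauth": {"no"},
    "ntlmauth": {"no", "ntlmv2-only", "mschapv2-and-ntlmv2-only", "disabled"},
    "clientntlmv2auth": {"yes"},
}
DISPLAY = {
    "lanmanauth": "lanman auth",
    "ntlmauth": "ntlm auth",
    "clientntlmv2auth": "client ntlmv2 auth",
}
BOOL_ALIASES = {"true": "yes", "1": "yes", "false": "no", "0": "no"}


def _normalise_key(key):
    # Samba ignores case and whitespace in parameter names: "NTLM Auth" == "ntlmauth".
    return "".join(key.split()).lower()


def parse_global(conf_text):
    """Return the [global] section as {normalised key: lower-cased value}."""
    section, params = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[_normalise_key(key)] = value.strip().lower()
    return params


def audit_ntlm(conf_text):
    """Map 'lanman auth', 'ntlm auth' and 'client ntlmv2 auth' to ok/weak/unset."""
    params = parse_global(conf_text)
    result = {}
    for key, good in ACCEPTABLE.items():
        name = DISPLAY[key]
        if key not in params:
            # Not set: the build's default applies, which varies by Samba version.
            result[name] = "unset"
            continue
        value = BOOL_ALIASES.get(params[key], params[key])
        result[name] = "ok" if value in good else "weak"
    return result


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_ntlm(conf))
```

Run it against /etc/samba/smb.conf before and after the change; anything reported "weak" on the server side means a captured handshake from that share is an NTLMv1 or LM artifact of exactly the kind the article is about.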
XP and 2000 can be made to use NTLMv2 but you have to either use Group Policy or set it in Local Security Policy. I don't know /why/ Microsoft didn't make it default to at least use v2 if both ends agreed, but they wouldn't have forced it on because of back compatibility with NT4 domains.
Hail Eris, full of mischief...
E pluribus sanguinem
It is time to get with the times.
Yes, I worked in corporate I.T. before and know all the tired arguments. The OS will turn 13 years old later this year. 13 years?!
Not to mention XP SP 3 after 800 or so updates is slower and not the speed demon it once was, as 9 out of 10 CPU cycles are workarounds for exploits. Stop defining yourselves and your ego on an OS made by the same people who wrote IE 6?
The idea for security in XP is from the last century where all you needed is a good password. It lacks things a modern internet enabled OS has today. It is not a treadmill at this point nor is MS being evil to the mean old beancounters who refuse to see hidden costs and just licensing on a spreadsheet in Excel. This story, the one on IE 6-8 being vulnerable last week on Slashdot, and many others state XP is so primitive because it doesn't have protected mode, ASLR, and DEP fully (only a few things have that on XP).
If you ask this because your IT department has no plans to upgrade then find another job that treats your profession and seriousness with respect. They are incompetent and when shit hits the fan and social security numbers are stolen you will get the blame as the cost center and be let go anyway.
It is obvious with the latest security issues in IE6, IE 7-8 (in non protected mode), XP, and now this that it is time to let it go instead of working around it. Investing time and money into it is like investing cash into a car with 200,000 miles.
These costs are real and so are the liabilities. Grow a pair and sell yourself to the cheap asshats at your company? You are not saving anything by keeping an outdated insecure infrastructure and it is not unreasonable to upgrade to a 3 year old OS.
http://saveie6.com/
I already replied to someone saying the best way to harden XP is called Windows 7.
I do not understand the strange obsession of keeping XP. Does it save money? No.
Geeks with Asperger's lack the social skills to grow a pair and tell the cost accountants they are morons, as if these companies who handle customer social security numbers, credit numbers, and other things with their billing department are ripe pickings with XP.
XP has been proven time and time again to be old, insecure, and has security features from a different era. It comes with IE 6. I mean did MS really make it that secure? Oh it is password protected. That is good enough ... check.
IE 6 - 8 are being exploited right now under XP because it lacks protected mode and even the Mr. Fixit from that exploit has already been circumvented. But those on XP claim they are saving money and how great and secure their OS is and won't listen. Just because it runs on machines with 256 megs of RAM doesn't mean it is superiorly coded and of high quality. The misinformation of many supposed IT professionals is astounding.
I should start bookmarking these so when someone mods me down and says how great XP is and why change to an inferior bloated OS like win 7 I can cite this and the IE 6 -8 hole links?
http://saveie6.com/
I have a friend who is a retired newspaper journalist. I wonder if I could interest him in devising some guidelines for Slashdot postings that even amateurs could apply with some improvement to the quality of their posts. Anyone enthusiastic about this?
This will remain irrelevant until the editors do some editing rather than accepting article submissions that are no more than the output of a script that scrapes an RSS feed.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
So why do home users use Windows?
Because they don't want to deal with stuff like this just to get sound working.
https://wiki.archlinux.org/index.php/Advanced_Linux_Sound_Architecture
Win is great for business, just turn off every bells and whistle and you will have an XP like experience.
OpenSUSE is better IMHO, but win7 should not be overlooked.
Recently did some work on a pristine Win8. It works just like Unity..
Defining Statistics and Social Research
Pah. You should have left it at 4 points.
Do paragraphing not often, but only as often as makes sense. One-sentence paragraphs are for those with grade 2 reading and writing level.
See Anna Merkin.
See Anna Merkin paragraph.
Paragraph, Anna Merkin, paragraph.
And commit Strunk and White to the *bin*, not to memory. See the many comments by Pullum on Language Log and elsewhere, for example, for reasons why. Pay special attention to the fact that White apparently doesn't even know what the passive voice is before deciding you should follow anything he recommends.
Also FatPhil on SoylentNews, id 863
I found the following on the MS site:
Export restrictions screw you again!
Great minds think alike; fools seldom differ.
I wonder if I could interest him in devising some guidelines for Slashdot postings that even amateurs could apply with some improvement to the quality of their posts. Anyone enthusiastic about this?
Not in the slightest. I am, in fact, enthusiastically unenthusiastic about bringing the assumption that your reader needs all the 'the five Ws' answered or technical background spoon-fed to him onto the web.
Newspaper style guides were written for a time when a person who didn't understand the technical background had to pedal down to the library and find a book on the subject, read it, and come back to finish the story days or weeks later. It was better to give them a layman's understanding of the science than hope he would come back. Those assumptions don't hold when we have tabbed browsers and wikipedia.
0 1 - just my two bits
See https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#NTLMAUTH
If you set ntlm auth = no, then Samba will reject plain NTLM and require either NTLM v2 (the normal case) or LANMAN (if you have bizarrely backdated your XP box). There is a risk that some software will fail, so it's probably best if you create a pair of virtual servers, and set one up to use NTLMv2. As you find out what fails, you can move the unbroken services to the v2 server.
--dave
davecb@spamcop.net