Slashdot Mirror


NTLM 100% Broken Using Hashes Derived From Captures

New submitter uCallHimDrJ0NES writes "Security researcher Mark Gamache has used Moxie Marlinspike's Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It's been going on for a long time, probably, but this is the first time a 'white hat' has researched and exposed the how-to details for us all to enjoy. 'You might think that with all the papers and presentations, no one would be using NTLM...or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!' Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!"

14 of 155 comments

  1. Re:And this is important because? by UnknownSoldier · · Score: 5, Informative

    NTLM stands for Windows NT Lan Manager. It was used in earlier Windows from NT 3.1 (yes THAT old) up until Win 2K3 IIRC.

    Users would authenticate their login credentials to the system. NTLM is the sub-system that does that authentication.

    For more details see wikipedia: http://en.wikipedia.org/wiki/NTLM

  2. Re:And this is important because? by Curate · · Score: 3, Informative

    I distinctly remember using NTLMv2 in both NT 4.0 and Win2K, for a product I was developing for those platforms. NTLMv2 was an option. You could also choose whether the negotiation could downgrade to NTLM if the other side didn't support NTLMv2, or if the negotiation would insist on NTLMv2. But NTLMv2 didn't become the default until Vista -- the first version of Windows that strongly emphasized security.

  3. Secure Networks vs. Insecure Networks by Cassini2 · · Score: 4, Insightful

    The crucial detail is whether the physical layer of the network can be trusted. If the physical layer is trusted, then NTLM works fine. Historically, lots of corporate networks controlled every computer on the office network, and air-gapped the internet.

    Many modern networks, including wireless networks, have a non-trustworthy physical layer. In this case, only end-to-end encryption protects the network. Yes, the newer versions of NTLM protect against the most obvious password scanning attacks. However, with a non-trustworthy physical layer, it is possible to simply scan all the network traffic and get the file contents from the network directly. Also, some (almost all?) ODBC and database servers send passwords in the clear. This makes it straightforward to do simple network traffic analysis attacks, and directly gather valuable information from the company network.

    The bottom line is that only protocols like SSH work against a non-trustworthy physical layer.

    1. Re:Secure Networks vs. Insecure Networks by greg1104 · · Score: 3, Informative

      Also, some (almost all?) ODBC and database servers send passwords in the clear.

      Many database servers allow encrypted passwords, but there are surely a lot of database installations that don't take advantage of it. In PostgreSQL you can use SSL for the client network connection, which ODBC passes through. Set up SSL as the only way to connect, and encryption has to happen before it hits the wire. MySQL has a similar trick. Both are just using the OpenSSL library under the hood to encrypt the network traffic.

      On the commercial side, Oracle does the same thing with ORA_ENCRYPT_LOGIN. SQL Server has client and server settings that enforce encryption. Basically, if your database traffic isn't encrypted, it's more likely because someone didn't think that was important than because it was impossible. It's a simple checkbox to add to database selection requirements, and it's not hard to find a DBMS that has the capability.

      I find people who just stuff user passwords into the database (which can be the same passwords as other services) rather than putting password encryption into their application can also leak data. In PostgreSQL using the built-in pgcrypto makes that easy. You also have to be careful to use the same network encryption approach for any replication client, or it's possible to just sniff that instead to get the data. In Postgres those connect with the same encryption options as any other client. Most of the tutorials on setting up replication don't cover this though.

  4. Re:How to harden an XP machine ? by Dr.Who · · Score: 5, Informative
  5. Re:How to harden an XP machine ? by yuhong · · Score: 5, Informative
  6. Re:How to harden an XP machine ? by Anonymous Coward · · Score: 5, Funny

    How to harden those XP machines and make them use NTLM2 instead?

    My blanket recommendation for hardening XP machines is to encase them in concrete.

  7. Re:How to harden an XP machine ? by rb12345 · · Score: 3, Informative

    By default, XP allows inbound NTLMv2 authentication from remote clients but does not use it outbound to authenticate to remote servers. The same setting that makes XP refuse LM/NTLM also enables outbound NTLMv2.

  8. Re:A very real attack by Aardpig · · Score: 4, Funny

    In fact, I think he may have been penetrated via a back-door.

    --
    Tubal-Cain smokes the white owl.
  9. Re:Thanks alot.... by hairyfeet · · Score: 3, Insightful

    Somebody needs to get with the last decade since MSFT made Kerberos the preferred authentication method waaaaay back in Win2K, so if you are still using NTLM for authentication after it has been deprecated for 13 years? I'd say you have bigger problems than NTLM being hacked.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  10. Re:Here's why by arth1 · · Score: 5, Informative

    I'd say this affects Linux too - a bunch of machines with Samba are quite possibly vulnerable, and need a different settings change than what Windows does.
    At a minimum, the following in the smb.conf:

    [global]
        client ntlmv2 auth = yes
        lanman auth = no
        ntlm auth = no

    For winbindd, a recompile might be required.
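    A small audit script for the smb.conf change above (an added example, not the commenter's or the Samba project's code): it parses a config, looks at the [global] section and reports whether each of the three parameters is hardened, weak, or not set. The sample configs are constructed; the "ntlm auth" value aliases (ntlmv1-permitted for yes, ntlmv2-only for no) follow the current smb.conf manual page.

```python
import re

# Recommended settings from the comment above. A missing parameter is reported
# as "unset" rather than guessed, because Samba's built-in defaults differ
# between releases. Value aliases follow the current smb.conf man page.
WEAK_VALUES = {
    "lanman auth": {"yes", "true", "1", "on"},
    "ntlm auth": {"yes", "true", "1", "on", "ntlmv1-permitted"},
    "client ntlmv2 auth": {"no", "false", "0", "off"},
}

def _norm(name):
    # Samba matches parameter names ignoring case and whitespace.
    return "".join(name.split()).lower()

def parse_smb_conf(text):
    """Return {section: {normalised parameter: lower-cased value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.match(r"^\[(.+)\]$", line)        # [section] header
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:   # stray line, ignore
            continue
        key, _, value = line.partition("=")
        sections[current][_norm(key)] = value.strip().lower()
    return sections

def audit_ntlm(text):
    """Map each NTLM parameter to 'ok', 'weak' or 'unset' for [global]."""
    glob = parse_smb_conf(text).get("global", {})
    report = {}
    for param, weak in WEAK_VALUES.items():
        value = glob.get(_norm(param))
        report[param] = "unset" if value is None else ("weak" if value in weak else "ok")
    return report

# Constructed sample configs: one still permitting LM/NTLMv1, one hardened.
WEAK_CONF = "[global]\n  workgroup = EXAMPLE\n  lanman auth = yes\n  ntlm auth = yes\n[homes]\n  browseable = no\n"
HARDENED_CONF = "[global]\n  client ntlmv2 auth = yes\n  lanman auth = no\n  ntlm auth = no\n"

if __name__ == "__main__":
    print("weak:", audit_ntlm(WEAK_CONF))
    print("hardened:", audit_ntlm(HARDENED_CONF))
```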

  11. Re:It is called Windows 7 by Billly Gates · · Score: 5, Insightful

    It is time to get with the times.

    Yes, I worked in corporate I.T. before and know all the tired arguments. The OS will turn 13 years old later this year. 13 years?!

    Not to mention XP SP 3 after 800 or so updates is slower and not the speed demon it once was, as 9 out of 10 CPU cycles are workarounds for exploits. Stop defining yourselves and your ego on an OS made by the same people who wrote IE 6?

    The idea for security in XP is from the last century where all you needed is a good password. It lacks things a modern internet enabled OS has today. It is not a treadmill at this point nor is MS being evil to the mean old beancounters who refuse to see hidden costs and just licensing on a spreadsheet in Excel. This story, the one on IE 6-8 being vulnerable last week on slashdot, and many others stating XP is so primitive because it doesn't have protected mode, ASLR, or DEP fully (only a few things have that on XP).

    If you ask this because your IT department has no plans to upgrade then another job who treat your profession and seriousness with respect. They are incompetent and when shit hits the fan and social security numbers are stolen you will get the blame as the cost center and be let go anyway.

    It is obvious with the latest security issues in IE6, IE 7-8 (in non protected mode), XP, and now this that it is time to let it go instead of workaround it. Investing time and money into it is like investing cash into a car with 200,000 miles.

    These costs are real and so are the liabilities. Grow a pair and sell yourself the cheap asshats at your company? You are not saving anything by keeping an outdated insecure infrastructure and it is not unreasonable to upgrade to a 3 year old OS.

  12. Re:Thanks alot.... by Billly Gates · · Score: 4, Insightful

    I already replied to someone saying the best way to harden XP is called Windows 7.

    I do not understand the strange obsession of keeping XP. Does it save money. No.

    Geeks with Asperger's lack the social skills to grow a pair and tell the cost accountants they are morons, as if these companies who handle customer social security numbers, credit numbers, and other things with their billing department are ripe pickings with XP.

    XP has been proven time and time again to be old, insecure, and has security features from a different era. It comes with IE 6. I mean did MS really make it that secure? Oh it is password protected. That is good enough ... check.

    IE 6 - 8 are being exploited right now under XP because it lacks protected mode and even the Mr. Fixit from that exploit has already been circumvented. But those on XP claim they are saving money and how great and secure their OS is and won't listen. Just because it runs on machines with 256 megs of RAM doesn't mean it is superiorly coded and of high quality. The misinformation from many supposed IT professionals is astounding.

    I should start bookmarking these so when someone mods me down and says how great XP is and why change to an inferior bloated OS like win 7 I can cite this and the IE 6 -8 hole links?

  13. Re:And the big question is ... by BradleyUffner · · Score: 3, Insightful

    So why do home users use Windows?

    Because they don't want to deal with stuff like this just to get sound working.
    https://wiki.archlinux.org/index.php/Advanced_Linux_Sound_Architecture