WINMX Assorted Textfiles / Ebooks.tar / Text - Tech - OS - NT - security guide 03.txt
Text File | 2003-09-27 | 10KB | 168 lines
NT security guide - Section 03
Passwords
03-1. How do I access the password file in NT?
03-2. How do I crack NT passwords?
03-3. What is a "brute force" password cracker?
03-4. What is a "dictionary" password cracker?
03-5. Which method is best for cracking?
03-6. How does a Sys Admin enforce better passwords?
03-7. Can a Sys Admin prevent/stop SAM extraction?
03-8. How is password changing related to "last login time"?
03-1. How do I access the password file in NT?
The file you need is \\WINNT\SYSTEM32\CONFIG\SAM, which is the security
database. It is usually world readable by default, but locked since it is in
use by system components. It is possible that there are SAM.SAV files which
could be readable. If so, these could be obtained for the purpose of getting
password info.
During the installation of NT a copy of the password database is put in
\\WINNT\REPAIR. Since it was just installed, only the Administrator and Guest
accounts will be there, but maybe Administrator is enough -- especially if the
Administrator password is not changed after installation.
If the Sys Admin updates their repair disks, or you get hold of a copy of the
repair disks, you can get the password database. The file is SAM._ in the ERD
directory.
If you are insane, you can go poking around in the SAM secret keys. First, set
the Schedule service to log on as LocalSystem and allow it to interact with the
desktop, and then schedule an interactive regedt32 session. The regedt32 session
will be running as LocalSystem and you can play around in the secret keys.
However, if you change some stuff this might be very bad. You have to be
Administrator to do this, though, so for the hacker you need to walk up to the
machine while the Administrator is logged in and distract them by telling them
they're giving away Microsoft t-shirts in the lobby (this doesn't always work
;-).
03-2. How do I crack NT passwords?
First off, it should be explained that the passwords are technically not located
on the server, or in the password database. What IS located there is a one-way
hash of the password. Let me explain...
Two one-way hashes are stored on the server -- a Lan Manager password, and a
Windows NT password. Lan Manager uses a 14 byte password. If the password is
less than 14 bytes, it is padded with 0's. It is converted to upper case,
and split into 7 byte halves. An 8 byte odd parity DES key is constructed from
each 7 byte half. Each 8 byte DES key is encrypted with a "magic number"
(0x4B47532140232425 encrypted with a key of all 1's). The results of the magic
number encryption are concatenated into a 16 byte one-way hash value. This
value is the Lan Manager "password".
A regular Windows NT password is derived by converting the user's password to
Unicode, and using MD4 to get a 16 byte value. This hash value is the NT
"password".
So to crack NT passwords, the username and the corresponding one-way hashes (Lan
Man and NT) need to be extracted from the password database. Instead of going
out and writing some code to do this, simply get a copy of Jeremy Allison's
PWDUMP, which goes through SAM and gets the information for you. PWDUMP does
require that you be an Administrator to get stuff out of the registry, but if
you can get hold of copies of the security database from another location (see
Section 03-1) you can use those.
Obviously from this point you can use one of several cracking utilities to
perform either a brute force or dictionary attack on either the Lan Man or NT
password. Several freeware products are available on the Internet. They include:
Cracker           Author(s)              Compiles on...            Notes
----------------  ---------------------  ------------------------  ------------------------------
c50a-nt-0.20.tgz  Bob Tinsley            Unix                      Dictionary cracker, a port of
                                                                   Alec Muffett's Crack 5.0 for
                                                                   Unix.
lc15exe.zip       Mudge and Weld Pond    Unix, includes GUI NT     Best of the bunch, can do brute
                  from the L0pht         version and DOS version   force very quickly, also can use
                                                                   a dictionary.
NTCrack.tar.gz    Jonathan Wilkins       Unix, includes NT         Dictionary cracker, on its
                                         version                   second revision.
03-3. What is a "brute force" password cracker?
A brute force cracker simply tries all possible passwords from legal characters
until it gets the password. From a cracker perspective, this is usually very
time consuming. L0phtcrack 1.5, a brute force cracker, makes certain assumptions
and reduces this time down considerably.
As pointed out in section 03-2, the Lan Manager password is padded to 14
bytes, and split in half. The halves can be worked on individually. If the
password was originally only 7 characters or less, that second half is always
0xAAD3B435B51404EE. To further ease brute force cracking, since a substantial
reduction in bits occurs during the deriving of the 8 byte DES key from the 7
byte key, fewer keys have to be tried. Also since the password is converted to
upper case before one-way encrypting it, Lan Manager password cracking does not
have to take into consideration the possibility of lower case letters.
L0phtcrack incorporates techniques to exploit all of these possibilities.
By cracking the Lan Manager password first, the NT password can be brute forced
to determine the proper case of each alpha character.
Initial tests of L0phtcrack show its brute force capability to be quite
admirable. A brute force of Administrator on the NMRC dedicated cracking machine
took 7 days (some Unix passwords have been worked on for 3 weeks before being
cracked). The NMRC dedicated cracking machine is running Slackware on a 486
DX50, so this is quite fast by NMRC standards.
The latest version, L0phtCrack 1.5, is even faster.
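To make the weaknesses in sections 03-2 and 03-3 concrete, here is an added Go program (written for this edit, not code from the FAQ or from any of the crackers it lists) that computes the Lan Manager hash with Go's standard crypto/des package. In the code the DES key derived from each 7 byte half encrypts the fixed constant "KGS!@#$%" (the page's 0x4B47532140232425 written as ASCII). Running it shows the three properties the section relies on: case is thrown away, the two halves hash independently, and a password of 7 characters or fewer leaves the second half equal to AAD3B435B51404EE, which a sys admin can use to audit a PWDUMP listing for short passwords. The NT (MD4) hash is left out because Go's standard library has no MD4.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed 8 byte plaintext "KGS!@#$%" (0x4B47532140232425).
// Each half of the password becomes a DES key that encrypts this
// constant; the two ciphertexts concatenated are the 16 byte LM hash.
var lmMagic = []byte("KGS!@#$%")

// emptyHalf is the ciphertext produced by a 7 byte half that is all
// zero bytes, i.e. a password of 7 characters or fewer (the
// 0xAAD3B435B51404EE mentioned in section 03-3).
const emptyHalf = "aad3b435b51404ee"

// lmDesKey spreads the 56 bits of a 7 byte half over 8 bytes, leaving
// the low bit of each byte as the DES parity bit. DES ignores those 8
// parity bits, so only 2^56 keys exist per half, not 2^64: this is the
// "reduction in bits" the page says makes brute forcing cheaper.
func lmDesKey(half []byte) []byte {
	k := []byte{
		half[0] >> 1,
		(half[0]&0x01)<<6 | half[1]>>2,
		(half[1]&0x03)<<5 | half[2]>>3,
		(half[2]&0x07)<<4 | half[3]>>4,
		(half[3]&0x0F)<<3 | half[4]>>5,
		(half[4]&0x1F)<<2 | half[5]>>6,
		(half[5]&0x3F)<<1 | half[6]>>7,
		half[6] & 0x7F,
	}
	for i := range k {
		k[i] <<= 1 // move the 7 data bits up; the parity bit stays 0
	}
	return k
}

// LMHash computes the Lan Manager hash as the page describes it:
// upper case, pad (or truncate) to 14 bytes, split into two 7 byte
// halves, DES-encrypt the constant under each half independently.
// The result is returned as 32 lower case hex characters.
func LMHash(password string) (string, error) {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password)) // copy truncates at 14 bytes
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, err := des.NewCipher(lmDesKey(buf[i*7 : i*7+7]))
		if err != nil {
			return "", err
		}
		block.Encrypt(out[i*8:i*8+8], lmMagic)
	}
	return hex.EncodeToString(out), nil
}

// ShortPassword reports whether an LM hash (hex) belongs to a password of
// at most 7 characters: its second half is then the empty-half constant.
func ShortPassword(lmHex string) bool {
	return len(lmHex) == 32 && strings.ToLower(lmHex[16:]) == emptyHalf
}

func main() {
	// Constructed sample passwords; "password" and "PaSsWoRd" hash the same.
	for _, pw := range []string{"", "password", "PaSsWoRd", "Secret1"} {
		h, err := LMHash(pw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10q %s short=%v\n", pw, h, ShortPassword(h))
	}
}
```

The empty password hashes to AAD3B435B51404EEAAD3B435B51404EE, so any listing where the second 8 bytes of the LM column equal AAD3B435B51404EE identifies accounts whose password fits in one half; those are the first candidates for a forced change.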
03-4. What is a "dictionary" password cracker?
All three of the password crackers listed in section 03-2 can do dictionary
attacks. A dictionary attack simply takes a list of dictionary words, and one
at a time encrypts them using the same encryption algorithm NT uses to check and
see if they encrypt to the same one-way hash. If the hashes are equal, the
password is considered cracked. The best of these dictionary crackers is the
Crack 5.0 NT port, mainly because of the strength of the mutation filters. These
filters allow you to change "idiot" to "1d10t" and other advanced variations to
get the most from a word list.
Although L0phtcrack doesn't do the permutations like Crack, there are several
ways you can "pre-treat" a word list, in particular you can use the DOS-based
TPU. This utility does a number of filter operations, so with the right amount
of creativity you can create a pretty substantial list.
03-5. Which method is best for cracking?
Actually it depends on your resources and your needs. If you simply need to
crack a password and there is no real time limit (just raw CPU to waste) then
brute force is the way to go. If you need a password quickly, using a wordlist
might shorten your time. In general, a swipe with a couple of decent word lists
will get some, permutations can get a few more, and the rest can be simply brute
forced. Watch what the cracked passwords are. If you can spot a pattern, such as
all lower case with 2 numbers at least six characters long, this may give you
some clues for what to feed your brute forcer.
03-6. How does a Sys Admin enforce better passwords?
There are several freeware utilities that allow for password changing with rules
enforced. These range from the simple passwd utility by Alex Frink to
Microsoft's own utilities. The NT Server 4.0 Resource Kit has a utility called
Passprop that enforces random passwords. Also on Service Pack 2 is a DLL called
PASSFILT that does basically the same thing.
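Sections 03-4 and 03-6 describe the same problem from the two sides: the cracker mutates dictionary words, and the sys admin's filter should refuse anything that mutation would reach. The following Go program is an added example, not PASSFILT.DLL, Passprop or any utility named on the page. It models PASSFILT-style rules (a minimum length, three of the four character classes, no user name in the password) and additionally rejects a password that turns back into a dictionary word once the "idiot" to "1d10t" style substitutions and a trailing digit or punctuation suffix are undone. The word list, the substitution table and the 8 character minimum are this example's own choices.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Rejection reasons returned by CheckPassword; "" means accepted.
const (
	RejectTooShort   = "shorter than 8 characters"
	RejectFewClasses = "fewer than three character classes"
	RejectUserName   = "contains the user name"
	RejectDictionary = "based on a dictionary word"
)

// dictionary is a constructed sample; a real filter would load the same
// word lists the crackers in section 03-4 are fed.
var dictionary = map[string]bool{
	"password": true, "idiot": true, "secret": true, "welcome": true, "letmein": true,
}

// leet undoes the substitutions a Crack-style mutation filter applies,
// so the check sees the word a cracker would try, not the typed string.
var leet = map[rune]rune{
	'0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's',
}

func deleet(s string) string {
	var b strings.Builder
	for _, r := range s {
		if m, ok := leet[r]; ok {
			r = m
		}
		b.WriteRune(r)
	}
	return b.String()
}

// stripSuffix drops trailing digits and punctuation ("secret99!" -> "secret").
func stripSuffix(s string) string {
	return strings.TrimRightFunc(s, func(r rune) bool { return !unicode.IsLetter(r) })
}

// wordForms lists the variants of p compared against the dictionary.
func wordForms(p string) []string {
	lower := strings.ToLower(p)
	return []string{lower, stripSuffix(lower), deleet(lower), stripSuffix(deleet(lower))}
}

// CheckPassword applies the filter rules in order and returns the first
// reason for rejection, or "" if the password is acceptable.
func CheckPassword(password, username string) string {
	if utf8.RuneCountInString(password) < 8 {
		return RejectTooShort
	}
	var upper, lower, digit, other bool
	for _, r := range password {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	classes := 0
	for _, present := range []bool{upper, lower, digit, other} {
		if present {
			classes++
		}
	}
	if classes < 3 {
		return RejectFewClasses
	}
	if username != "" && strings.Contains(strings.ToLower(password), strings.ToLower(username)) {
		return RejectUserName
	}
	for _, form := range wordForms(password) {
		if dictionary[form] {
			return RejectDictionary
		}
	}
	return ""
}

func main() {
	// Constructed sample candidates for user "bob".
	for _, pw := range []string{"Idiot123", "1d10t!!!", "Bobby2024!", "Tr0ub4dor&3"} {
		if reason := CheckPassword(pw, "bob"); reason != "" {
			fmt.Printf("%-13q rejected: %s\n", pw, reason)
		} else {
			fmt.Printf("%-13q accepted\n", pw)
		}
	}
}
```

"1d10t!!!" passes the length and character-class rules that PASSFILT alone checks, and is still rejected because de-leeting and stripping the suffix gives "idiot"; that is exactly the candidate a TPU-pretreated word list or Crack's mutation filters would produce.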
03-7. Can a Sys Admin prevent/stop SAM extraction?
As long as you can get in as Administrator, you are basically vulnerable.
Microsoft has gradually increased its security for the SAM files and the hashes,
but as things like L0phtCrack are quickly improved and Microsoft insists on
backward compatibility with LAN Manager-style logins, things will be vulnerable.
In fact, the latest L0phtCrack can take input from stored sniffer traces to use
as the source for its password cracking. So for you sys admins out there, keep
absolutely current on Service Packs and Hot Fixes. For you hackers out there,
well, it's a big bright world ;-)
03-8. How is password changing related to "last login time"?
Let's say an admin is checking the last time certain users have logged in by
doing a NET USER /DOMAIN. Is the info accurate? Most of the time it will NOT be.
Most users do not login directly to the Primary Domain Controller (PDC), they
login to a Backup Domain Controller (BDC). BDCs do NOT contain readonly versions
of SAM, they contain read-write versions. To keep the already ungodly amount of
network traffic down, BDCs do not tell the PDC that they have an update of the
last login time until a password change has been done. And the NET USER /DOMAIN
command checks the PDC, so last login time returned from this command could be
wildly off (it could even show NEVER).
As a hacker, if you happen to know that password aging is not enforced, then you
can bet that last login times will probably not be very accurate.