Security Basics mailing list archives

RE: RE: ADS Password Storage Protection


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Sat, 22 Jul 2006 08:42:17 -0400

There are several tools that will sniff Kerberos authentication traffic and extract the hashes, including Cain 
(www.oxid.it) and Kerbsniff/Kerbcrack. The hash is the NT hash, which is a tough nut to crack.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************

 

-----Original Message-----
From: Christian.Assfalg () bc boehringer-ingelheim com [mailto:Christian.Assfalg () bc boehringer-ingelheim com] 
Sent: Friday, July 21, 2006 11:52 AM
To: eric.baechle () dhs gov; security-basics () securityfocus com
Subject: AW: RE: ADS Password Storage Protection

Credential-passing algorithms such as Kerberos should use strong pre-shared or one-time keys for transmitting the 
passwords so they can't be sniffed.

I've been wondering about this... Is it really possible to sniff the password hash, or whatever is needed to 
authenticate with a modified SMB client, from the Kerberos authentication traffic?

What about SSH?

Regards,
Christian Assfalg


-----Original Message-----
From: eric.baechle () dhs gov [mailto:eric.baechle () dhs gov]
Sent: Wednesday, 19 July 2006 19:15
To: security-basics () securityfocus com
Subject: Re: RE: ADS Password Storage Protection


With all due respect to all;

We've wandered way off the topic.  The discussion was on "Active Directory Services (ADS) Storage Protection" 
methodologies.  Mathematics proves which password types are entropically stronger, and proactive password auditing 
proves which passwords are practically stronger.  The debate here is not length vs. complexity in passwords but the 
susceptibility of password storage systems to attack.



Password length and complexity remain a very valid discussion.  Password recovery plays an especially important part 
in obtaining access to systems not connected to the originally compromised system.  For example, if I use the same 
password for my banking as I use for my computer at home, someone who cracked my home computer password now has 
credentials for my bank web account.



The important fact here is that regardless of my attempts to strengthen my password, someone that has the ability to 
crack my password on my home computer has the ability to "recover" my password no matter how strong it is through means 
other than cracking.  Access to my system to recover the password hashes means that an intruder has the same level of 
access required to install root kits and key-loggers.



In keeping with the discussion topic, if I obtained the password hashes using PWDUMP or another extraction tool, I have 
all I need to authenticate as any user, including Administrator, using one of the modified open-source SMB 
clients.  Upon accessing the system as Administrator (SID 500, to prevent trolls from starting arguments about 
renaming accounts), I obtain access to all connected ADS systems (including the workstations).  From this launchpad I 
can install root-kits and key loggers on distributed client systems using ADS group policy and pushing MSI packages.  
And finally, I just wait for you to type your 200+ character pass-phrases.



Upon looking at the anatomy of an attack, the threat comes not from the ability to crack a "strong password" (however 
you define strong: long, etc.).  Instead, the origin of the attack is obtaining access to the password hash 
database.



What I propose is that discussions on password length vs. strength are purely academic rather than practical to system 
security.  Creating super-long passwords (more than 8 characters or so) provides a theoretical increase in 
protection to systems but not a practical one.  Credential-passing algorithms such as Kerberos should use strong 
pre-shared or one-time keys for transmitting the passwords so they can't be sniffed.



So my question to you is, do you REALLY think your passwords are secure?



Sincerely,

Eric Baechle, CISSP/ISSEP, etc.
Senior INFOSEC/OPSEC Engineer
Department of Homeland Security

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

