Bugtraq mailing list archives

Re: BoS: NT Password Cracker


From: k-hamer () ntx1 cso uiuc edu (Kenneth L. Hamer)
Date: Sat, 16 Nov 1996 13:08:19 -0600


Yes, and no.  The following is my understanding of how NT passwords are
stored - this information was imparted to me verbally by a friend who
has contact with Microsoft's programmers ("I know this guy...") so you
are welcome to treat it as highly suspect if you like.

From what I understand, the actual NT passwords (and I use that term
advisedly, since the published specs (KB Article Q102716) show that the
passwords themselves are _not_ stored, rather hashes are) are stored on
disk in a file which is hidden by the NT operating system.  This file
(or set of files) cannot be seen by any program which uses NT's API,
although the system itself can obviously access the file. You can of
course use NT's API to test passwords against the data contained in this
file, but cannot read the file itself.

The keys in the security registry point the system to specific entries
in this file, but do not themselves contain the "passwords".  Thus, you
can't get at them with the registry editor.

If the hard drive is examined from outside of Windows NT, you can
presumably find this data.  An obvious method would be to use NT to get a
complete listing of all files on the system, and then compare that with
a listing generated with a non-NT custom NTFS reader.  It might also be
possible to get NTFS to spit up the raw data by installing custom
filesystem drivers.

Once you have the raw hash data used to authenticate users, cracking a
password becomes a simple matter of a dictionary attack.  By avoiding
NT's authentication subsystem entirely and using custom code you can
probably speed up the process.  Having 4 P6-200s chewing on _one_
account, the administrator account, should not take that long.

Also, you can perform a dictionary attack against the administrator
account using NT's own APIs, since the administrator account cannot be
configured with a multiple-failure lockout.  This is a choice made by
Microsoft - the ability to make the administrator password lock out
after N failures would make it vulnerable to a denial-of-service attack.
A dictionary attack is often fruitful, since people insist on using
crappy passwords.  *Any* reusable password system will be vulnerable to
a dictionary attack.

This does not mean that NT's password system is weaker than that found
in UNIX.  DES encryption rounds are quite inexpensive these days, and
that is the basis for the UNIX encryption scheme.  The process Microsoft
describes in the aforementioned KB document is certainly more expensive,
and thus more difficult to attack.  Add in the fact that the actual
authentication data used by NT is much harder to obtain than that used
in UNIX, and it seems reasonable to say that NT is a harder nut to
crack.

I regularly crack passwords on my UNIX systems (as a preventative
measure).  A typical round takes about four hours, to investigate 400
passwords (and picks up bad ones often).  With the NT attack you are
only investigating one - the Administrator password.

- Ken

----------
From:  Bernd Lehle [SMTP:Bernd.Lehle () RUS Uni-Stuttgart DE]
Sent:  Thursday, November 14, 1996 7:50 AM
To:    Multiple recipients of list BUGTRAQ
Subject:  BoS: NT Password Cracker

Hi there,

http://www.omna.com/Yes/MWC/PRS-index.htm MWC offers a commercial
service to "recover" a lost Windows NT (all Versions) administrator
password at "Any level of the Password Complexity".

The whole thing takes four hours on four Pentium-200s and costs about
$US 4,500.

Comparing this against my experiences with Crack and crypt on UNIX
platforms, I have to conclude that NT password encryption must be
ridiculous if this offer is true.

Does anybody have details?
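Ken's point that the Administrator account cannot be locked out after N failures means the only compensating control is to notice the guessing while it happens. The following is an added example, not code from either poster: a sliding-window detector that flags accounts with repeated failed logons inside a short interval, and marks a burst that is immediately followed by a successful logon (the case a defender most wants to see). The log line format and the sample lines are constructed for this example; they are not the NT event log format, and the account and workstation names are hypothetical.

```python
"""Detect bursts of failed logons per account from constructed log lines.

Added example, not part of the original Bugtraq thread.  The log format
below ("<ISO timestamp> <account> <FAIL|SUCCESS> <source>") is constructed
for this example and does not mirror NT's own event log layout.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six rapid failures against Administrator followed by a
# success, one ordinary typo by jdoe, and slow scattered failures on guest.
SAMPLE_LOG = """\
1996-11-16T13:00:00 Administrator FAIL ws12
1996-11-16T13:00:02 Administrator FAIL ws12
1996-11-16T13:00:03 Administrator FAIL ws12
1996-11-16T13:00:05 Administrator FAIL ws12
1996-11-16T13:00:06 Administrator FAIL ws12
1996-11-16T13:00:08 Administrator FAIL ws12
1996-11-16T13:00:09 Administrator SUCCESS ws12
1996-11-16T13:05:00 jdoe FAIL ws07
1996-11-16T13:05:04 jdoe SUCCESS ws07
1996-11-16T13:10:00 guest FAIL ws03
1996-11-16T14:10:00 guest FAIL ws03
1996-11-16T15:10:00 guest FAIL ws03
1996-11-16T16:10:00 guest FAIL ws03
1996-11-16T17:10:00 guest FAIL ws03
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, account, result, source)."""
    ts, account, result, source = line.split()
    # Account names are case-insensitive on NT, so normalise before counting.
    return datetime.fromisoformat(ts), account.lower(), result, source


def failed_logon_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return burst records for accounts with >= threshold failures in `window`.

    Each record is a dict with account, source, start, end, count and
    followed_by_success.  A burst stays open while failures keep arriving
    within `window` of its last failure; a SUCCESS inside that interval sets
    followed_by_success, which is the signal that a guess probably landed.
    """
    recent = defaultdict(deque)   # account -> timestamps of failures in window
    open_burst = {}               # account -> burst record still being extended
    bursts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, result, source = parse_line(line)

        if result == "SUCCESS":
            burst = open_burst.get(account)
            if burst is not None and ts - burst["end"] <= window:
                burst["followed_by_success"] = True
            continue

        # Sliding window: drop failures older than `window` relative to now.
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()

        if len(q) < threshold:
            continue

        burst = open_burst.get(account)
        if burst is not None and ts - burst["end"] <= window:
            burst["count"] += 1       # burst continues
            burst["end"] = ts
        else:
            burst = {
                "account": account, "source": source,
                "start": q[0], "end": ts, "count": len(q),
                "followed_by_success": False,
            }
            open_burst[account] = burst
            bursts.append(burst)
    return bursts


if __name__ == "__main__":
    for b in failed_logon_bursts(SAMPLE_LOG):
        flag = " (then SUCCESS)" if b["followed_by_success"] else ""
        print(f"{b['account']}: {b['count']} failures {b['start']}..{b['end']}"
              f" from {b['source']}{flag}")
```

With the defaults (five failures within sixty seconds) only the Administrator burst is reported; the five failures on guest spread over four hours stay below the threshold because the window slides, so widening the window is what turns slow guessing into an alert. Tune the threshold against real help-desk typo rates rather than picking a number blind, and treat a burst followed by a success as a higher-severity event than a burst alone.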


