Penetration Testing mailing list archives
Password "security" - was "Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords"
From: "Miguel Dilaj" <mdilaj () nccglobal com>
Date: Mon, 26 Sep 2005 11:20:58 +0100
Hi all,

I've been following both threads with much more interest than time to answer, so I'll spare a few minutes to produce a "digest" answer. Hope the moderators allow it ;-)

Regarding "Whitespace in passwords", and as some people already mentioned, modern password cracking software (both commercial and free) can find non-printable chars, so space or ALT-whatever are going to be found anyway. Rainbow tables now tend to include space, but I still haven't heard of anyone producing a table for 0x00-0xff (0x0000-0xffff if you use extended unicode chars ;-)

Applications CAN be broken by using strange characters, so YMMV.

In not totally accurate chronological order:

Craig Wright wrote on 19/09/05:
> The success rate is 80.19% for "alpha numeric symbol 32 space" - this is
> EVERYthing in NTLM - not just space or extended - the table is 53% derived - but if you read further - this
> equates to an 80.19% crack rate.

That's not correct. That includes ONLY the charset A-Z{32 symbols}{space}. It has a few limitations that are not obvious for people unaware of how NTLM works:

A) it is limited to 7 characters, when NTLM is up to 14 in older Windows, and (I think) up to 128 on newer ones. If you don't believe me, see the parameters they pass to rtgen:

    ntlm alpha-numeric-symbol32-space 1 7 0 9000 40000000 #15

Correlate with the syntax:

    algorithm charset minlength maxlength index chainlength chaincount comment

Use a password of length 8, and you screwed them.

B) it can't handle different case in the password. Their "alpha-whatever" tables cover A-Z{whatever}. Their "loweralpha-whatever" tables cover a-z{whatever}. The password "Admin" won't be cracked. You need to have "mixAlPhA{whatever}", covering A-Za-z{whatever} to crack such passwords. Using alpha tables only is fine for old LM, because the password is always translated to uppercase, but it won't work for all the case-sensitive algorithms.

Craig Wright wrote on 20/09/05:
> There is NTLM and not just lanman - even on the areas not completely
> cracked - expect this to be a matter of weeks or months to complete and even with an incomplete table there is even
> with "alpha numeric symbol 14" sets a 80+% crack rate. Further "alpha numeric symbol 5" does not mean the length is 5 chars - it
> is still 14 chars in length. It refers to the symbol set not the length just as "alpha numeric symbol 14" again
> refers to the symbol set used. (PS the complete lanman "alpha numeric
> symbol 14" is available for purchase from the researcher on a set of DVD's now and 100% complete - just wait for the
> post). Crack one table and get 1 weeks access (or there about)

{snip}

> The Rainbow crack default tables are up to 14 chars. Any password of up to
> 14 chars (with the correct tables)

No, RTFM of rtgen and check the syntax they use.

<personal comment>
I don't like the 1 week access/table they offer. I generated a couple tables, but the clock starts ticking right after they submit the tables, and it can happen that your week expires before you need it. I would have preferred "n" usages with no time limitation, however, their tables have the flaws mentioned above. I also offered them big computing power in exchange for their LM set (no need to reinvent the wheel, isn't it?), but they never answered my email, so I'm producing my own customized set of LM, and also some other customized (and case sensitive!) sets.
</personal comment>

Craig Wright wrote on 20/09/05:
> The "14 character all lowercase passphrase with numbers" set is only 3gb
> and it took me a week to generate - without dedicating the hosts - see lm configuration #5
> at http://www.antsight.com/zsl/rainbowcrack/

Yeah... Check the link "table generation commands" and check the syntax. Those are up to 7, and you profit from the fact that LM is 2x7. But don't try to translate that into other algorithms.

Tim wrote on 20/09/05:
> A-z, 0-9 and all special characters is about 44GB and those go only to 7
> characters for LanMan (why bother doing more than 7 characters on LanMan?).

Define "all special characters". If you consider that probably 150 characters (normal, symbols and extended) can be used for LM, your tables up to length 7 with 99.0% success probability will be 13.113 GB (feel free to convert to TB), with the following generation syntax:

    lm test150space 1 7 0 9000 40000000 foobar

If "all special characters" for you means 14 common symbols and space, yes, they will be 26.8 GB with 99.0% success probability.

Craig Wright wrote on 21/09/05:
> John was a tool which was good a decade ago

And is still the fastest bruteforcer. The "mangling" of dictionary words is also much better than other tools.

Cedric Baechler asked on 20/09/05:
> Does anyone know which 142-character set is used ? (for LM)

Cedric: I did a quick investigation on that some time ago, without too much success... I found an interesting reference (I think it was in an article in SecurityFocus, but I'm not sure) about the fact that some extended characters can be used in the command line, but not in the GUI (and probably the opposite as well). Sorry for not being of help, but that was my $0.01 contribution.

Craig Wright wrote on 23/09/05:
> I still say that Kerberos or IPsec based auth is the best policy in
> windows. LanMan, NTLMv1 or V2 are vulnerable.

Kerberos can be attacked as well, thanks to Microsoft who flawed the Kerberos implementation in Windows.

Thor (Hammer of God) wrote on 25/09/05:
> {one of the best answers in the thread, omitted for brevity}

MY answer to that: clap, clap, clap, clap!

Craig Wright wrote on 23/09/05:
> "Microsoft is banning certain cryptographic functions from new computer
> code, citing increasingly sophisticated attacks that make them less secure, according to a company executive. The
> Redmond, Wash., software company instituted a new policy for all
> developers that bans functions using the DES, MD4, MD5 and, in some cases, the SHA1 encryption algorithm, which is
> becoming "creaky at the edges," said Michael Howard, senior security
> program manager at the company, Howard said."
> "All three algorithms show signs of 'extreme weakness' and have been
> banned, Howard said. Microsoft is recommending using the Secure Hash Algorithm (SHA)256 encryption algorithm and AES
> (Advanced Encryption Standard) cipher instead, he said.
Well... I hope my rant below is not taking anyone at Microsoft or here by surprise.

ANY function like:

    h = f(P)

in which the universe of h is of limited size and the universe of P is infinite (that includes ALL hashing functions, a lot of encryption functions, etc) will have infinite collisions.

Take for example any 16-byte hash, like MD2, MD4, MD5, NTLM, etc. You've 0xffffffffffffffffffffffffffffffff (+1, to include the all-zeroes hash) different hashes, BUT YOU HAVE INFINITE POSSIBLE PLAINTEXTS (P in the equation above). That means that you don't only have collisions. You don't only have a big number of collisions. YOU HAVE AN INFINITE NUMBER OF COLLISIONS.

Take whatever hashing algorithm you want, for example SHA-2 (512), you'll have 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff (+1 ;-) hashes, but still infinite P. Paraphrasing the late Dr. Carl Sagan in his book "Cosmos": that big number is not even close to the idea of infinite. It is EXACTLY at the same distance from infinite as the number zero.

Being a humble pentester, I'll leave the honour of discovery to the mathematicians out there ;-) Any hashed static password can be attacked after someone finds colliding vectors.

Regarding the article referenced by Mr. Wright: http://www.codeproject.com/useritems/HackingMd5.asp

The article is very interesting, it shows two vectors that produce the same MD5 hash, and gives the explanation on how to expand the vectors adding the same payload to both of them to keep having the same MD5 hash. Full stop. The overall idea discussed in the paper is flawed because an attacker still needs to replace the installer.exe

It will be MUCH BETTER (er... For attackers!) if two vectors starting like an .exe, with a jump instruction past the length of the vector are found. Then the vector can be padded with zeroes up to the destination of the jump instruction, and a payload added that contains:

1) the check of the flag byte to execute evil or good code
2) evil code
3) good code

THEN, we'll be in serious problems... And that hashing will have to be dropped instantly ;-)

Final rant, other attacks on passwords... Let's suppose that you use a devilish complex password.

1) An attacker with remote administrative access can install a kernel-level keylogger in your machine.
2) An attacker with remote non-administrative access can modify VeoVeo and install it on your machine to use the keylogging functionality only, and not showing the icon in the tray bar (http://usuarios.lycos.es/n3kr0m4nc3r/tools/ for a hasty English translation, Spanish original in www.hackindex.org).
3) An attacker with physical access can plug one of those (or similar) between your keyboard and your desktop machine: http://www.keyghost.com/products.htm There's even a version of a hardware keylogger that's a chip that sits INSIDE your keyboard ;-)

Enter PKI authentication... You need your certificate and the password of your private key. The certificate will typically reside on a private network drive, to be covered by backup, but even if it's in your local disk, someone with "password power" level of access (see 3 points above if cracking fails) can obtain it. Most users will have the same password for Windows logon and their private key. If not, use the keylogging stuff mentioned in the 3 points above ;-)

Last rant: Are you sure you like your XYZ application using Single Sign On relying on Windows passwords? (I've seen examples...)

Someone mentioned One Time Passwords, and I tend to agree. Using OTPs has some practical disadvantages (applications not supporting them, etc.), but is much more secure than static passwords. Probably smart cards will do the trick.

Well... I think that this email is long enough for people to avoid reading it, so I'll put just an additional tiny bit of info ;-) In a forthcoming FIST Conference (hopefully in Manchester, UK, provided I can get a venue for it) I'll discuss the technology we are using to generate 200+ tables in under 3 weeks (and counting!). I'll announce it in due time on www.oissg.org, and probably here as well.

Gosh... I've to WORK!

Cheers,
Miguel
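
The coverage argument made in the message above (the rtgen field order, the 1-7 length limit, upper-case-only charsets, and LM's 2x7 split), worked through as an added example that is not part of the original post. The charset contents (A-Z, 0-9, the 32 ASCII punctuation characters and space) are an assumption, and the `lm` parameter line is constructed for illustration.

```python
import string
from dataclasses import dataclass

# Assumption: charset contents (A-Z, 0-9, 32 ASCII symbols, space); not listed on the page.
CHARSETS = {
    "alpha-numeric-symbol32-space":
        string.ascii_uppercase + string.digits + string.punctuation + " ",
}

NTLM_LINE = "ntlm alpha-numeric-symbol32-space 1 7 0 9000 40000000 #15"  # quoted in the email
LM_LINE = "lm alpha-numeric-symbol32-space 1 7 0 9000 40000000 demo"     # constructed sample

@dataclass
class TableSpec:
    algorithm: str
    charset: str
    min_len: int
    max_len: int
    index: int
    chain_len: int
    chain_count: int
    comment: str

def parse_rtgen(line: str) -> TableSpec:
    """Parse: algorithm charset minlength maxlength index chainlength chaincount comment"""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}")
    return TableSpec(fields[0], fields[1], *(int(x) for x in fields[2:7]), fields[7])

def keyspace(spec: TableSpec) -> int:
    """Number of candidate plaintexts the table parameters span."""
    n = len(CHARSETS[spec.charset])
    return sum(n ** k for k in range(spec.min_len, spec.max_len + 1))

def covered(spec: TableSpec, password: str) -> bool:
    """True if every string that actually gets hashed lies inside the table's keyspace."""
    allowed = set(CHARSETS[spec.charset])
    if spec.algorithm == "lm":
        if len(password) > 14:
            return False              # no usable LM hash beyond 14 characters
        upper = password.upper()      # LM upper-cases, then hashes two 7-char halves
        parts = [h for h in (upper[:7], upper[7:]) if h]
    else:
        parts = [password]            # case-sensitive, hashed as a whole
    return all(spec.min_len <= len(p) <= spec.max_len and set(p) <= allowed
               for p in parts)

if __name__ == "__main__":
    for line in (NTLM_LINE, LM_LINE):
        spec = parse_rtgen(line)
        print(spec.algorithm, keyspace(spec),
              {pw: covered(spec, pw) for pw in ("ADMIN", "Admin", "Passw0rd!2005")})
```

For a password policy review, the useful output is the `covered` result per algorithm: the same password can sit inside the LM table's keyspace while falling outside the NTLM one purely because of case or length.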