Penetration Testing mailing list archives
RE: Sniffing a windows domain authentication
From: "Navroz Shariff" <nshariff () americanbible org>
Date: Fri, 17 Mar 2006 11:01:05 -0500
Carlos,

Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or change the password for a user account, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory. The LM hash is relatively weak compared to the NT hash, and it is therefore prone to fast brute force attack.

The NTLM authentication package in Windows 2000 supports three methods of challenge/response authentication:

* LAN Manager (LM). This is the least secure form of challenge/response authentication. It is available so that computers running Windows 2000 Professional can connect in share level security mode to file shares on computers running Microsoft® Windows® for Workgroups, Windows 95, or Windows 98.
* NTLM version 1. This is more secure than LM challenge/response authentication. It is available so that clients running Windows 2000 Professional can connect to servers in a Windows NT domain that has at least one domain controller that is running Windows NT 4.0 Service Pack 3 or earlier.
* NTLM version 2. This is the most secure form of challenge/response authentication. It is used when clients running Windows 2000 Professional connect to servers in a Windows NT domain where all domain controllers have been upgraded to Windows NT 4.0 Service Pack 4 or later. It is also used when clients running Windows 2000 connect to servers running Windows NT in a Windows 2000 domain.

By default, all three challenge/response mechanisms are enabled. You can disable authentication using weaker variants by setting the LAN Manager authentication level security option in local security policy for the computer. Since the days of Windows NT, Microsoft has upgraded its default authentication protocol to Kerberos, a considerably more secure option than NTLM.
Every Windows 2000, Windows XP and Windows Server 2003 OS platform includes a client Kerberos authentication provider. Kerberos is considered a strong authentication protocol -- considerably stronger than NTLM and it was designed to thwart many known attacks on authentication systems. Windows 2000-based servers and Windows Server 2003-based servers can authenticate users who connect from computers that are running all earlier versions of Windows. However, versions of Windows earlier than Windows 2000 do not use Kerberos for authentication. For backward compatibility, Windows 2000 and Windows Server 2003 support LAN Manager (LM) authentication, Windows NT (NTLM) authentication, and NTLM version 2 (NTLMv2) authentication. NTLM, NTLMv2, and Kerberos all use the NT hash, also known as the Unicode hash. The LM authentication protocol uses the LM hash.

Authentication in Windows 2000

Windows 2000 supports several protocols for verifying the identities of users who claim to have accounts on the system, including protocols for authenticating dial-up connections and protocols for authenticating external users who access the network over the Internet. But there are only two choices for network authentication within Windows 2000 domains:

* Kerberos Version 5. The Kerberos version 5 authentication protocol is the default for network authentication on computers with Windows 2000.
* Windows NT LAN Manager (NTLM). The NTLM protocol was the default for network authentication in the Windows NT® 4.0 operating system. It is retained in Windows 2000 for compatibility with downlevel clients and servers. NTLM is also used to authenticate logons to standalone computers with Windows 2000.

If you're going to try and crack the NTLM password hash, I suggest you research and utilize Rainbow Tables. In the limited amount of time that I had, it is all I came up with and I hope it is of some use to you.
-Nav

-----Original Message-----
From: l00t3r [mailto:l00t3r () gmail com]
Sent: Thursday, March 16, 2006 6:43 PM
To: spambox () barrossecurity com
Cc: pen-test () securityfocus com
Subject: Re: Sniffing a windows domain authentication

LC5 might do what you're looking for. I know they have an option to import network sniffer files but not sure if it will actually crack what you're looking to do. Might be worth looking into.

Ryan

On 16 Mar 2006 16:32:32 -0000, spambox () barrossecurity com <spambox () barrossecurity com> wrote:
Hello list!

Some time ago I was wondering if it is possible to capture the authentication packets sent from a Windows Workstation to the PDC and then crack the password. I've set up this scenario in the lab environment and sniffed these packets, but didn't find any reference about cracking the password. Anyone know how the authentication works, and if it can be broken?
best regards
Carlos Barros
http://www.barrossecurity.com/

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm).

Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/forms/ec.php?pubid=10025

And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com
------------------------------------------------------------------------------
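The thread above states that NTLM, NTLMv2 and Kerberos key off the NT hash (MD4 of the UTF-16LE password) while LM uses the weaker LM hash, and Carlos asks how the challenge/response actually works. The following is an added example, not code from anyone in this thread: a small Python model of those pieces. It carries its own MD4 (RFC 1320) because hashlib's MD4 is frequently unavailable on current OpenSSL builds, derives the NT hash, shows the LM key-material preprocessing (case folding and 7-byte split; the DES step is left out), and walks one NTLMv2 exchange per MS-NLMP 3.3.2 with both the client computation and the server-side verification. The user name, domain, password, challenges and timestamp are constructed values; the blob layout follows MS-NLMP, but this is not a wire-format NTLM message builder.

```python
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF

# MD4 round table (RFC 1320): mix function, message-word order, shift per
# step within each group of four, additive constant.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z),
     list(range(16)), (3, 7, 11, 19), 0x00000000),
    (lambda x, y, z: (x & y) | (x & z) | (y & z),
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
     (3, 5, 9, 13), 0x5A827999),
    (lambda x, y, z: x ^ y ^ z,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
     (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often absent on OpenSSL 3."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, const in _ROUNDS:
            for i in range(16):
                t = (a + fn(b, c, d) + x[order[i]] + const) & _MASK
                s = shifts[i % 4]
                # rotate register roles so the next step works on d, then c, then b
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & _MASK, b, c
        a, b, c, d = ((a + aa) & _MASK, (b + bb) & _MASK,
                      (c + cc) & _MASK, (d + dd) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash ("Unicode hash"): unsalted MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def lm_halves(password: str):
    """Key material the LM hash is built from: uppercase, cut or zero-pad to
    14 bytes, split into two independent 7-byte DES keys.  The case folding
    and the split are why LM is cheap to brute-force; the DES step itself
    (encrypting the constant "KGS!@#$%" under each half) is omitted here."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    UPPER(user) || domain, so one NT hash yields per-identity response keys."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt, user, domain, server_challenge, client_challenge,
                    timestamp, target_info=b""):
    """Client side: NTProofStr || blob.  The blob ("temp" in MS-NLMP) carries a
    version marker, a FILETIME timestamp, the client nonce and the target info."""
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob,
                     hashlib.md5).digest()
    return proof + blob


def verify_ntlmv2(stored_nt, user, domain, server_challenge, response) -> bool:
    """Server side: recompute NTProofStr from the stored NT hash; the plaintext
    password is never needed, which is what makes the hash password-equivalent."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + blob,
                        hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo():
    """One exchange with constructed values (user, domain, password, nonces and
    timestamp are all made up for this example)."""
    user, domain, password = "carlos", "LAB", "Password1"
    server_challenge = bytes.fromhex("0123456789abcdef")   # constructed nonce
    client_challenge = bytes.fromhex("fedcba9876543210")   # constructed nonce
    timestamp = 0x01C6491B00000000                          # constructed FILETIME
    resp = ntlmv2_response(nt_hash(password), user, domain,
                           server_challenge, client_challenge, timestamp)
    accepted = verify_ntlmv2(nt_hash(password), user, domain, server_challenge, resp)
    # The same response does not verify for another account name, because
    # NTOWFv2 binds the response key to user and domain.
    other_user = verify_ntlmv2(nt_hash(password), "someone", domain,
                               server_challenge, resp)
    return accepted, other_user


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("LM halves of 'Secret':", lm_halves("Secret"))
    print("NTLMv2 accepted / wrong user:", demo())
```

Two things the code makes concrete that the prose only states: `verify_ntlmv2` needs nothing but the stored NT hash, so whoever can read the SAM or AD copy of that hash can answer challenges without ever learning the password, which is why protecting those stores matters as much as password strength; and `lm_halves` shows the same value for `password` and `PASSWORD` and an all-zero second half for anything up to seven characters, which is the structural reason the message above calls LM "prone to fast brute force attack" and recommends raising the LAN Manager authentication level.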
Current thread:
- Sniffing a windows domain authentication spambox (Mar 16)
- Re: Sniffing a windows domain authentication l00t3r (Mar 16)
- RE: Sniffing a windows domain authentication Andy Meyers (Mar 18)
- Re: Sniffing a windows domain authentication Facekhan (Mar 18)
- <Possible follow-ups>
- RE: Sniffing a windows domain authentication Navroz Shariff (Mar 18)
- RE: Sniffing a windows domain authentication Strand, John (Mission Systems) (Mar 18)
- Re: Re: Sniffing a windows domain authentication spambox (Mar 18)
- Re: Sniffing a windows domain authentication Miguel Dilaj (Mar 19)
- RE: Re: Sniffing a windows domain authentication jeremiah (Mar 19)
- Re: RE: Sniffing a windows domain authentication spambox (Mar 20)
- Re: Sniffing a windows domain authentication l00t3r (Mar 16)