03/03/2012

Windows Password?

Windows password world 

Long time ago I was doing a penetration test and I started wondering what is the windows password format and how is it stored? And after some research I came up with the proper information I was so viciously looking for....

Windows Lan Manager (LM) and NT LAN Manager (NTLM) Passwords 

The LM hash is the old style hash used in Microsoft OS before NT 3.1 ; NT 3.1 to XP SP2 supports LM hashes for backward compatibility and is enabled by default. Vista and Seven support LM hash but is disabled by default. NTLM was introduced in NT 3.1, and supports password lengths greater than 14.

If LM hashes are enabled on your system (Win XP and lower), a hash dump will look like:

Administrator:500:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537:::
If LM hashes are disabled on your system (Win Vista, 7+), a hash dump will look like:

Administrator:500:NO PASSWORD***********:0CB6948805F797BF2A82807973B89537:::

The first field is the username. The second field is the unique Security IDentifier for that username. The third field is the LM hash and the forth is the NTLM hash.  

How LM hash is computed

   1. The user’s ASCII password is converted to uppercase.

   2. This password is null-padded to 14 bytes.

   3. The “fixed-length” password is split into two seven-byte halves.

   4. These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream, and inserting a null bit after every seven bits (so 1010100 becomes 01010100). This generates the 64 bits needed for a DES key. (A DES key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. The null bits added in this step are later discarded.)

   5. Each of the two keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values. The DES CipherMode should be set to ECB, and PaddingMode should be set to NONE.

   6. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.

XP Cached Credentials

The username is appended to the NTLM hash of the password and then that value is hashed using 

MD4 : MD4(username + MD4(password).

Note: Notice that no salt is used for the cached xp passwords, which means that same user-name password pairs have the same password cache dump!!

Vista/Seven Cached Credentials

Uses same process to create the cached credential that XP uses, except it applies PBKDF2 as well. PBKDF2 takes the SHA1 cryptographic hash function and applies it to the XP cached credential salting it with the lower case username, repeating this for the specified number of iterations (1024).

PBKDF2 (Password-Based Key Derivation Function) is a key derivation function that is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically PKCS #5 v2.0, also published as Internet Engineering Task Force's RFC 2898. It replaces an earlier standard, PBKDF1, which could only produce derived keys up to 160 bits long.

PBKDF2 applies a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching. When the standard was written in 2000, the recommended minimum number of iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase. Having a salt added to the password reduces the ability to use a precomputed dictionary to attack a password (such as rainbow tables) and means that multiple passwords have to be tested individually, not all at once. The standard recommends a salt length of at least 64 bits.

About NTLM 

NTLM is widely deployed, but it remains vulnerable to a credentials forwarding attack, which is a variant on the reflection attack which was addressed by Microsoft security update MS08-068. Both attacks were discovered by Dominique Brezinski in 1997. For example, Metasploit can be used in many cases to obtain credentials from one machine which can be used to gain control of another machine. The Squirtle toolkit can be used to leverage web site cross-site scripting attacks into attacks on nearby assets via NTLM.

In February 2010, Amplia Security discovered several flaws in the Windows implementation of the NTLM authentication mechanism which completely broke the security of the protocol allowing attackers to gain read/write access to files and remote code execution. One of the attacks presented included the ability to predict pseudo-random numbers/challenges/nonces generated by the protocol. These flaws had been present in all versions of Windows for 17 years. The security advisory explaining the issues found included different fully working proof-of-concept exploits. All flaws were fixed by MS10-012.

References:

http://www.onlinehashcrack.com/how_to_crack_lsa_cached_credentials.php
http://www.onlinehashcrack.com/how_to_crack_lsa_cached_credentials.php
http://en.wikipedia.org/wiki/PBKDF2
http://en.wikipedia.org/wiki/NTLM
http://en.wikipedia.org/wiki/LM_hash