
NT Password Security


Presentation Transcript


  1. NT Password Security (TSM 352 System Security)

  2. Where are Passwords Stored in NT/2k?
  • The ‘SAM’ (Security Account Manager)
  • Windows-directory\system32\config\SAM
  • Permissions are ‘world-readable’
  • Not normally accessible while the system is running since it is locked by the system kernel

  3. How to access the SAM file
  • Cannot be accessed once NT/2K is up and running
  • Sometimes it has been backed up
  • A copy is also put on the ‘Emergency Repair Disk’
  • Boot the system with a floppy into DOS or Linux and access the file
  • Use a utility running on the NT system, such as L0phtcrack or pwdump

  4. How does NT Encrypt Passwords?
  • Uses two hash algorithms
    • One for the regular NT hash:
      • Converts the password to Unicode
      • Then runs it through the MD4 algorithm to obtain a 16-byte value
    • One for the LANMAN hash:
      • Pads the password with 0’s until it has a length of 14 characters
      • Then converts it to uppercase and splits it into two 7-character pieces
      • An 8-byte odd-parity DES key is calculated from each half; the two DES results are combined to get a 16-byte, one-way hash
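As an added example, not part of the slides, here is the LM preprocessing just described written out in Python: uppercase, pad to 14 bytes, split into two 7-byte halves, and expand each half into an 8-byte odd-parity DES key. The final DES step (each key encrypts a fixed constant, and the two ciphertexts are concatenated) is omitted because the standard library has no DES; the function names and the Latin-1 encoding are assumptions made for the example.

```python
# Added example (not from the slides): LM hash preprocessing, up to the DES keys.
# Everything here is deterministic and shows where the slides' weaknesses come from:
# case is lost, characters past 14 are ignored, and the two halves are independent.

def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Uppercase, truncate to 14 bytes, pad with NULs, split into two 7-byte halves.
    Real LM uses the system OEM code page; Latin-1 is assumed here for simplicity."""
    raw = password.upper().encode("latin-1", errors="replace")[:14]
    padded = raw.ljust(14, b"\x00")
    return padded[:7], padded[7:]

def des_key_with_parity(seven: bytes) -> bytes:
    """Expand 7 bytes (56 key bits) into the 8-byte form DES expects:
    7 key bits per byte, plus an odd-parity bit in the low position."""
    assert len(seven) == 7
    bits = int.from_bytes(seven, "big")
    out = bytearray()
    for i in range(8):
        chunk = (bits >> (49 - 7 * i)) & 0x7F   # next 7 key bits, MSB first
        byte = chunk << 1
        if bin(chunk).count("1") % 2 == 0:      # make the total bit count odd
            byte |= 1
        out.append(byte)
    return bytes(out)

def lm_des_keys(password: str) -> tuple[bytes, bytes]:
    """The two DES keys LM derives; each would encrypt the same fixed constant."""
    a, b = lm_halves(password)
    return des_key_with_parity(a), des_key_with_parity(b)

def lm_weaknesses(password: str) -> dict:
    """Report which structural LM weaknesses apply to a given password."""
    _, second = lm_halves(password)
    return {
        # LM never sees the original case, so 'Secret' and 'SECRET' hash identically
        "case_folded": password.upper() != password,
        # 7 or fewer characters: the second half is all NULs, so its DES key is
        # the constant 01 01 01 01 01 01 01 01 and its hash is a known value
        "second_half_empty": second == b"\x00" * 7,
        # anything beyond 14 characters adds no strength at all
        "truncated": len(password) > 14,
    }
```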

  5. LAN Manager Hashes (LM)
  • LAN Manager was the predecessor to NT; it appeared in the late 80’s
    • Machines then were slow
  • Still needed, since NT is designed to be backward compatible with earlier versions of Windows
  • Dividing into two 7-byte chunks makes NT passwords easier to crack
    • A 14-byte password takes incredibly longer to crack than two 7-byte passwords
    • Two separated halves can be cracked in parallel
  • It is not case-sensitive, which considerably reduces the guessing ‘set’
  • Since numbers usually appear at the end of a password, crackers are more likely to crack the first half quicker if they start with letters only
    • Once one half is known, the other half is often easier to guess
  • No salts used: the same clear-text password encrypts the same way
    • With no salt being used, an attacker can calculate a hash and compare it to the entire list. So, what might have taken 5 days for a single user is now 5 days for an entire list of users

  6. What is the math?
  • <number of possible characters> raised to the power <number of character positions>
  • Compare two 7-character passwords with one 14-character password
  • Assume 40 possible characters
    • 2 × 40^7 ≈ 3.2 × 10^11
    • 1 × 40^14 ≈ 2.7 × 10^22
  • At 1 million tries/second, two 7-character halves will take about 53 minutes (doing them both separately)
  • At 1 million tries/second, a 14-character password will take about 860 million years

  7. L0phtcrack
  • “Password Auditing Tool”
  • 15-day demo free for download, but must pay for the ‘brute force’ capability ($100)
  • Has a number of additional capabilities:
    • Password cracking
    • Extracting hashes from the password registry (admin privileges required)
    • Loading the passwords from a file
    • Sniffing passwords off the network
    • Choice of brute force, dictionary, hybrid, or any combination
    • Custom character set for foreign languages
  • Cole’s experience with L0phtcrack:
    • Cracks 90% of a corporation’s passwords in under 5 hours
    • 18% in under 5 minutes
    • Most domain admin accounts cracked
    • Most companies have an 8-character minimum policy, but no other restrictions

  8. NTSweep
  • Another password cracker that uses a different approach
  • Based on the DC function which allows any user to change a password if the original password is known
  • NTSweep takes a guessed password and tries it on all of the accounts on the domain. It then changes the password to the same value, so the only result is that it finds a user account that goes with the password
  • If this ‘change’ works, then the password has been discovered
  • Interesting method, since it does not require access to ‘administratively-controlled’ files, such as the registry or the SAM. The operation it is trying is absolutely ‘legal’
  • Some issues:
    • It uses a broadcast to discover the domain users, so obviously it cannot be a remote attack
    • It is very slow
    • The operation is logged, including all the failed attempts
    • User accounts might be set up so that they cannot change their passwords

  9. Protection against Password Crackers
  • No way to completely prevent password cracking
  • The goal is to make it much harder
  • Disable LAN Manager (LM) authentication
  • Enforce strong passwords, with a policy
  • Implement SYSKEY
  • Use one-time passwords
  • Use biometric authentication where feasible
  • Audit access to key files
  • Scan for cracking tools
  • Keep an inventory of active accounts
  • Limit who has domain admin access

  10. Disable LM Authentication
  • Have to account for older clients that may use LM
  • If you have at least Win98 and NT you are OK, since there is a patch that updates them to use NTLM
  • If you do not upgrade, then your password security has not improved

  11. Enforcing Strong Passwords
  • NT and 2k have some mechanisms to help
  • The most important mechanism is account policies, under User Manager
  • NT SP 2 introduced a password filter called passfilt.dll, which enforces the following:
    • Minimum 6 characters
    • Must contain 3 of the following categories: uppercase, lowercase, numbers, and special characters
    • Password cannot contain the user id
  • Another way to enforce strong passwords is to use ‘passprop’, which comes with the Resource Kit
    • Enforces the same as passfilt, but is easier to set up

  12. Strong Password Policy
  • Minimum of 8 characters; 10 is better
  • Change every 45 days
  • Lockout at 3 tries in 5 hours, and lockout for 3 hours
  • At least one alpha, one number, and one special character
  • Cannot reuse previous 5 passwords

  13. Implement Syskey
  • Available with SP3 for NT, automatic with 2K
  • Allows 128-bit encryption of the SAM
  • Prevents L0phtcrack from extracting hashes
  • Implemented by running syskey.exe; be careful, it cannot be reversed
  • Beware of 3rd-party authentication systems that are not compatible with syskey

  14. Use One-time Passwords
  • Password changes each time the user logs on
  • There are no passwords to guess
  • Downside: cost, complexity
  • The most common form is ‘smart cards’
    • The device is time-triggered so the password changes every minute
    • When the user wants to log on, they read the display of the smart card
  • This system can be used in conjunction with standard passwords, maybe only used on the ‘road’

  15. Some Additional Tips
  • Audit access to key files
    • Watch out for access to the SAM database
    • Use programs such as Tripwire to watch over your files
  • Scan for cracking tools
    • Watch out for programs on your systems
    • Again, Tripwire can be useful to monitor directory contents
  • Keep an inventory of active accounts
    • Watch for past employees’ accounts
    • Remove accounts that should no longer be active
    • Monitor accounts, looking for new ones, or accounts whose privileges have changed
  • Still not enough?
    • Use biometrics
