NT Password Security TSM 352 System Security
Where are Passwords Stored in NT/2K?
• The 'SAM' (Security Account Manager)
• Windows-directory\system32\config\SAM
• Permissions are 'world-readable'
• Not normally accessible while the system is running, since it is locked by the system kernel
How to access the SAM file
• Cannot be accessed once NT/2K is up and running
• Sometimes it has been backed up
• A copy is also put on the 'Emergency Repair Disk'
• Boot the system from a floppy into DOS or Linux and access the file
• Use a utility running on the NT system, such as L0phtcrack or pwdump
How does NT Encrypt Passwords?
• Uses two hash algorithms
• One for the regular NT hash:
  • Converts the password to Unicode
  • Then runs it through the MD4 algorithm to obtain a 16-byte value
• One for the LANMAN hash:
  • Pads the password with 0's until it has a length of 14 characters
  • Then converts it to uppercase and splits it into two 7-character pieces
  • An 8-byte odd-parity DES key is calculated from each half; each key is used to DES-encrypt a fixed constant, and the two 8-byte results are combined into a 16-byte, one-way hash
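The LM pre-processing steps listed above, as an added example that is not part of the slides: NUL-pad to 14 bytes, uppercase, split into two 7-byte halves and expand each half into an 8-byte odd-parity DES key. The DES encryption of the fixed constant that follows needs a DES implementation the Python standard library does not ship, so the example stops at key derivation; the function and constant names are this example's own.

```python
# Added example: LM hash pre-processing (pad, uppercase, split, DES key expansion).

def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Uppercase, NUL-pad (or truncate) to 14 bytes and split into two 7-byte halves."""
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]

def lm_des_key(half: bytes) -> bytes:
    """Spread 7 bytes (56 bits) over 8 bytes of 7 bits each, odd parity in the low bit."""
    assert len(half) == 7
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F   # i-th 7-bit group, most significant first
        b = seven << 1                           # parity bit goes in the least significant bit
        if bin(b).count("1") % 2 == 0:           # make the total number of 1 bits odd
            b |= 1
        key.append(b)
    return bytes(key)

# Key derived from an all-NUL half. Every password of 7 or fewer characters
# produces this key for its second half, so the second 8 bytes of its LM hash are
# a fixed constant (the well-known aad3b435b51404ee). A defender auditing a hash
# dump can use that to spot short passwords without cracking anything.
NULL_HALF_KEY = lm_des_key(b"\x00" * 7)

def lm_keys(password: str) -> tuple[bytes, bytes]:
    """The two DES keys that LM would use to encrypt its constant."""
    first, second = lm_halves(password)
    return lm_des_key(first), lm_des_key(second)

def second_half_is_empty(password: str) -> bool:
    """True when the password is short enough that its LM second half is the constant."""
    return lm_keys(password)[1] == NULL_HALF_KEY

if __name__ == "__main__":
    for pw in ("secret", "Passw0rd!", "ThisIsLongerThan14"):
        k1, k2 = lm_keys(pw)
        status = "short (fixed second half)" if second_half_is_empty(pw) else "uses both halves"
        print(f"{pw!r}: {k1.hex()} {k2.hex()} {status}")
```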
LAN Manager Hashes (LM)
• LAN Manager was the predecessor to NT; it appeared in the late 80's.
• Machines then were slow.
• Still needed, since NT is designed to be backward compatible with earlier versions of Windows.
• Dividing into two 7-byte chunks makes NT passwords easier to crack:
  • A 14-byte password takes incomparably longer to crack than two 7-byte passwords.
  • The two separate halves can be cracked in parallel.
  • It is not case-sensitive, which considerably reduces the guessing 'set'.
  • Since numbers usually appear at the end of a password, crackers are likely to crack the first half quicker if they start with letters only.
  • Once one half is known, the other half is often easier to guess.
• No salt is used: the same clear-text password always hashes the same way.
  • With no salt, an attacker can calculate a hash once and compare it to the entire list. So what might have taken 5 days for a single user is now 5 days for an entire list of users.
What is the math?
• keyspace = (number of possible characters) raised to the power (number of character positions)
• Compare two 7-character pieces with one 14-character password
• Assume 40 possible characters
  • 2 × 40^7 ≈ 3.2 × 10^11
  • 1 × 40^14 ≈ 2.7 × 10^22
• At 1 million tries/second, two 7-character pieces will take about 53 minutes (doing them both separately)
• At 1 million tries/second, a 14-character password will take about 860 million years
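Added example, not from the slides: recomputing the keyspace figures from the slide's own assumptions (40 possible characters, 14 positions, 1 million tries per second). The point it makes explicit is that splitting a password into independently attacked halves turns a product of keyspaces into a sum; the function names are this example's own.

```python
# Added example: keyspace and worst-case brute-force time, split vs. whole password.

SECONDS_PER_YEAR = 365 * 24 * 3600

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate strings: (possible characters) ^ (positions)."""
    return charset_size ** length

def worst_case_seconds(charset_size: int, length: int, rate: float, chunks: int = 1) -> float:
    """Seconds to exhaust the keyspace at `rate` tries per second.

    With chunks > 1 the password is split into equal pieces that are attacked
    independently (the LM case), so the cost is the SUM of the pieces' keyspaces,
    not their product.
    """
    piece = length // chunks
    return chunks * keyspace(charset_size, piece) / rate

def human(seconds: float) -> str:
    """Rounded duration for a report."""
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 30 * 24 * 3600:
        return f"{seconds / 3600:.0f} hours"
    return f"{seconds / SECONDS_PER_YEAR:.2e} years"

def compare(charset_size: int = 40, length: int = 14, rate: float = 1e6) -> dict:
    """(keyspace, worst-case seconds) for the LM split and for the whole password."""
    return {
        "lm_two_halves": (2 * keyspace(charset_size, length // 2),
                          worst_case_seconds(charset_size, length, rate, chunks=2)),
        "one_full_password": (keyspace(charset_size, length),
                              worst_case_seconds(charset_size, length, rate)),
    }

if __name__ == "__main__":
    for name, (space, secs) in compare().items():
        print(f"{name}: {space:.1e} candidates, {human(secs)} at 1M tries/s")
```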
L0phtcrack
• "Password Auditing Tool"
• 15-day demo free for download, but must pay for the 'brute force' capability ($100)
• Has a number of additional capabilities:
  • Password cracking
  • Extracting hashes from the password registry (admin privileges required)
  • Loading the passwords from a file
  • Sniffing passwords off the network
  • Choice of brute force, dictionary, hybrid, or any combination
  • Custom character set for foreign languages
• Cole's experience with L0phtcrack:
  • Cracks 90% of a corporation's passwords in under 5 hours
  • 18% in under 5 minutes
  • Most domain admin accounts cracked
  • Most companies have an 8-character minimum policy, but no other restrictions
NTSweep
• Another password cracker that uses a different approach
• Based on the DC function which allows any user to change a password if the original password is known.
• NTSweep takes a guessed password and tries it on all of the accounts on the domain. It then 'changes' the password to the same value; the only result is that it finds a user account that goes with the password.
• If this 'change' works, then the password has been discovered.
• Interesting method, since it does not require access to 'administratively-controlled' files, such as the registry or the SAM. The operation it is trying is absolutely 'legal'.
• Some issues:
  • It uses a broadcast to discover the domain users, so obviously it cannot be a remote attack.
  • It is very slow.
  • The operation is logged, including all the failed attempts.
  • User accounts might be set up so that they cannot change their passwords.
Protection against Password Crackers
• There is no way to completely prevent password cracking.
• The goal is to make it much harder.
• Disable LAN Manager (LM) authentication
• Enforce strong passwords, with a policy
• Implement SYSKEY
• Use one-time passwords
• Use biometric authentication where feasible
• Audit access to key files
• Scan for cracking tools
• Keep an inventory of active accounts
• Limit who has domain admin access
Disable LM Authentication
• Have to account for older clients that may use LM.
• If you have at least Windows 98 and NT you are OK, since there is a patch that updates them to use NTLM.
• If you do not upgrade, then your password security has not improved.
Enforcing Strong Passwords
• NT and 2K have some mechanisms to help.
• The most important mechanism is account policies, under User Manager.
• NT SP2 introduced a password filter called passfilt.dll, which enforces the following:
  • Minimum 6 characters
  • Must contain 3 of the following 4 categories: uppercase, lowercase, numbers, and special characters
  • Password cannot contain the user id
• Another way to enforce strong passwords is to use 'passprop', which comes with the Resource Kit.
  • Enforces the same rules as passfilt, but is easier to set up.
Strong Password Policy
• Minimum of 8 characters; 10 is better
• Change every 45 days
• Lockout after 3 failed tries in 5 hours, and lock out for 3 hours
• At least one alpha, one number, and one special character
• Cannot reuse the previous 5 passwords
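Added example, serving both the passfilt slide and the policy slide above; it is neither Microsoft's passfilt.dll nor code from the course. It implements the rules the slides list (3 of 4 character categories, no user id in the password, minimum of 8 characters, at least one letter, one number and one special character, no reuse of the previous 5 passwords). Keeping the history as salted PBKDF2 hashes rather than clear text is an assumption of this example, as are the function names.

```python
import hashlib
import os
import string

SPECIALS = set(string.punctuation)

def categories(password: str) -> set:
    """Which of the four passfilt categories the password uses."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("digit")
        elif ch in SPECIALS:
            found.add("special")
    return found

def hash_for_history(password: str, salt: bytes) -> bytes:
    # Assumption of this example: old passwords are kept only as salted PBKDF2 hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def violations(password: str, username: str, history: list, min_length: int = 8) -> list:
    """Rules the proposed password breaks (empty list = acceptable).
    `history` holds (salt, hash) pairs for previous passwords, newest last."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    cats = categories(password)
    if len(cats) < 3:
        problems.append("uses fewer than 3 of: upper, lower, digit, special")
    if not (cats & {"upper", "lower"}):
        problems.append("no letter")
    if "digit" not in cats:
        problems.append("no number")
    if "special" not in cats:
        problems.append("no special character")
    if username and username.lower() in password.lower():
        problems.append("contains the user id")
    if any(hash_for_history(password, salt) == h for salt, h in history[-5:]):
        problems.append("reuses one of the previous 5 passwords")
    return problems

def remember(password: str, history: list) -> list:
    """Record an accepted password, keeping only the 5 most recent entries."""
    salt = os.urandom(16)
    return (history + [(salt, hash_for_history(password, salt))])[-5:]
```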
Implement Syskey
• Available with SP3 for NT; automatic with 2K.
• Allows 128-bit encryption of the SAM.
• Prevents L0phtcrack from extracting hashes.
• Implemented by running syskey.exe; be careful, it cannot be reversed.
• Beware of 3rd-party authentication systems that are not compatible with syskey.
Use One-time Passwords
• The password changes each time the user logs on.
• There are no passwords to guess.
• Downside: cost, complexity.
• The most common form is 'smart cards'.
  • The device is time-triggered, so the password changes every minute.
  • When the user wants to log on, they read the display of the smart card.
• This system can be used in conjunction with standard passwords; maybe only used on the 'road'.
Some Additional Tips
• Audit access to key files
  • Watch out for access to the SAM database
  • Use programs such as Tripwire to watch over your files
• Scan for cracking tools
  • Watch out for programs on your systems
  • Again, Tripwire can be useful to monitor directory contents
• Keep an inventory of active accounts
  • Watch for past employees' accounts
  • Remove accounts that should no longer be active
  • Monitor accounts, looking for new ones or accounts whose privileges have changed
• Still not enough?
  • Use biometrics