
Windows Password Handling and Security Faults

Nate Prosser, Lenny Calabrese, Travis Stitt


Presentation Transcript


  1. Windows Password Handling and Security Faults
     Nate Prosser, Lenny Calabrese, Travis Stitt

  2. Windows Password Algorithms
     • LAN Manager (LM) “Hashes”
     • NT Hashes
     • Cached Credentials

  3. LAN Manager Hash
     • Password must be less than or equal to 14 characters in length
     • If less, it is NULL padded to 14 characters long
     • Uses only the ASCII character set: 142 unique characters
     This scheme allows for 6.8x10^12 unique passwords

  4. LM Hash (continued)
     • The 14-character string is broken into two 7-character strings
     • Each separate string is encoded with DES
     • Final output: 128 bits – looks like 16 “random” characters

  5. NT Hash
     • Password must be less than or equal to 127 characters in length
     • Uses full Unicode character set: 65,535 unique characters
     14 characters used: allows for 2.7x10^67 unique passwords
     127 characters used: allows for 4.9x10^611 unique passwords

  6. NT Hash (continued)
     • Entire password encrypted with MD4
     • Stored as Unicode
     [Diagram: Password -> MD4 -> Long Unicode Hash]

  7. Which versions use which algorithms?
     • LM Hashes:
       - Authentication to LM servers
       - Locally on Windows 9x and ME with share-level access
       - Authentication from any Windows 3.x or CE
     • NT Hashes:
       - Locally on Windows NT, 2000, and XP
       - Authentication from Windows 9x and ME with user-level access

  8. Where are they stored?
     • NT Hashes (locally)
       C:\WINDOWS\system32\config\SAM
       C:\WINDOWS\system32\config\SECURITY
       C:\WINDOWS\system32\config\SYSTEM
     • LM Hashes
       “.pwl” (password list) files
       - Username -> usern001.pwl

  9. Cached Credentials
     • Enhanced security for network authentication
     • Combination of several pieces of data used for the final hash
     • Encrypted with MD5
     [Diagram labels: NT Password Hash, Domain, Username -> concatenate -> MD5 -> Cached Credentials]

  10. Authentication
     • WINLOGON is accessed by using the CTRL+ALT+DELETE combination (secure attention sequence)
     • User inputs username and account
     • Information is passed to the Local Security Authority Subsystem (LSASS)
     • Local or remote access is determined

  11. Access Location
     • Local:
       - Username and password are compared to local values
     • Network:
       - Uses a network authentication protocol to establish a secure connection and log in
       - LM/NTLM/v2
       - Kerberos

  12. LM/NTLM/v2
     • New Technology/LAN Manager
     • Used for LAN Server Authentication
     • Windows 3.x/CE/9x
     • Used LM and NT hashes
     • Now called Integrated Windows Authentication
     • Used with web services

  13. Kerberos
     • Developed at MIT
     • Provides mutual authentication
     • Prevents eavesdropping and replay attacks
     • Maintains data integrity
     • Default for Windows 2000, XP, and Server 2003

  14. Policy Solutions
     • Nothing easy to guess
     • Minimum character requirement
     • Use of pass phrases
     • Password expiration
     • No password reuse

  15. Technology Solutions
     • Disable LM hashes
     • Password filter
     • Account lockout
     • Use of anti-virus and spyware detection software
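One way to check the "Disable LM hashes" control, as an added example that is not part of the original presentation: because the two 7-character halves are hashed independently (slide 4), each 8-byte half of a stored LM hash can be inspected on its own. The `user:rid:lm:nt:::` line layout, the finding labels and the function names are assumptions of this example, and the sample hash values are constructed.

```python
EMPTY_LM_HALF = "aad3b435b51404ee"   # LM output for a 7-character half of all NULLs
HEX = set("0123456789abcdef")

# Constructed sample export lines (the hash values are not real credentials).
SAMPLE = [
    "admin:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::",
    "jdoe:1001:1122334455667788aad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::",
    "asmith:1002:11223344556677889900aabbccddeeff:ffeeddccbbaa99887766554433221100:::",
]

def classify_lm(lm_field: str) -> str:
    """Return a finding for one LM field (32 hex digits = two 8-byte halves)."""
    lm = lm_field.strip().lower()
    if len(lm) != 32 or not set(lm) <= HEX:
        return "no-lm"            # field does not hold an LM hash at all
    first, second = lm[:16], lm[16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        return "no-lm"            # empty LM hash: no usable LM value stored
    if second == EMPTY_LM_HALF:
        return "lm-short"         # LM stored, password is 7 characters or fewer
    return "lm-present"           # LM stored, password is 8 to 14 characters

def audit(lines):
    """Map user -> finding for every well-formed line."""
    report = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) >= 4:      # skip blank or malformed lines
            report[fields[0]] = classify_lm(fields[2])
    return report

def shared_halves(lines):
    """Group accounts whose LM halves match. LM upper-cases the password, so a
    shared half means the same 7 characters regardless of case."""
    owners = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 4 or classify_lm(fields[2]) == "no-lm":
            continue
        lm = fields[2].lower()
        for half in (lm[:16], lm[16:]):
            if half != EMPTY_LM_HALF:
                owners.setdefault(half, set()).add(fields[0])
    return {h: sorted(u) for h, u in owners.items() if len(u) > 1}

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(shared_halves(SAMPLE))
```

Any account reported as `lm-short` or `lm-present` still has an LM hash on disk and should have its password changed after LM storage is disabled.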

  16. What are Rainbow Tables?
     • Passwords stored in computers are changed from their plain text form to an encrypted value.
     • These values are called hashes, and there is a unique plain text value for every hash.
     • An example of different hashes can be seen below:

  17. What Are Rainbow Tables?
     • A Rainbow Table is a table of all of the possible hashes from a certain cipher.
     • Brute Force attacks are time and resource consuming. In many cases, the dictionary cracking method requires an enormous list(s) to be effective. One gigabyte of dictionary passwords might be able to yield a 40 to 50 percent compromise of a set of hashes.
     • The same set of hashes with a complete set of Rainbow Tables properly implemented and utilized could effectively compromise 90 to 95 percent of the hashes in less than 25% of the time.

  18. Generating Rainbow Tables
     • There are several programs that generate Rainbow Tables on your home computer, along with companies that, for a small fee, allow you to use their pre-generated Rainbow Tables.
     • Rainbow Table generation is time and resource consuming.
     • It takes 13.2 hours on a 666 MHz CPU to produce the 610 MB complete alphabetical character set LM hash table. Keep in mind that the LM hash is the simplest and least complex one-way hash.
     • Once the table is sorted, a non-salted LM hash value can be cracked in a matter of seconds (avg. 3.7841 sec) with a success rate of 99.9%

  19. Generating Rainbow Tables
     • Most hashes, though, contain more than just an alphabetical character set. They are constructed of a character set with letters, numbers, and symbols.
     • To construct an alpha-numeric symbolic character set LM hash table, it takes 119 GB of disk space and 2354 days on a 666 MHz CPU. On faster machines it takes about 261 days to construct.
     • However, a table of this size is rarely ever used, because most software does not support the characters which can be used in a password of this size.
     • However, it was discovered that some of the best hackers have constructed the complete Rainbow Tables of the most popular one-way hashes and had them running and stored on several different computers in their houses upon government raids.

  20. Beating Rainbow Tables
     • There are several easy ways to beat Rainbow Tables and make their usage impossible
       - Salting
       - Force the amount of time to create the table or run cryptanalysis to be so long that hackers won’t attempt to crack the hash
     • Salting is taking random bits and inserting them in certain spots of the plaintext. This way, when the hash is performed, the hashes will not match the Rainbow Tables
     • Ways of increasing the table production time and cryptanalysis time are to:
       - Force password changes every 30 days
       - Make all passwords at least 15 characters long
       - Use pass phrases
       - Make all network control device passwords at least 25 characters long
       - Force password complexity to require the use of at least the following: upper case alpha, lower case alpha, a number, and at least one symbol.
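The effect of salting on a precomputed table, as an added example that is not part of the original presentation. It goes slightly beyond the slide by using the common construction in which a random per-account salt is stored beside the hash and fed into a slow key-derivation function (PBKDF2) rather than spliced into the plaintext; unsalted SHA-256 stands in for an unsalted scheme, and the account names, candidate list and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for the contents of a precomputed table.
CANDIDATES = ["password", "letmein", "qwerty123", "Summer2024"]

def unsalted(password: str) -> str:
    """Stand-in for an unsalted scheme: same password, same hash, everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_table(candidates):
    """Precompute hash -> password once; reusable against every unsalted store."""
    return {unsalted(p): p for p in candidates}

def table_hits(table, stored):
    """Return {user: recovered password} for stored hashes found in the table."""
    return {user: table[h] for user, h in stored.items() if h in table}

def enroll(password: str, iterations: int = 100_000) -> dict:
    """Create a salted record: random 16-byte salt plus the PBKDF2 output."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    # Two constructed accounts that chose the same weak password.
    plain_store = {"alice": unsalted("letmein"), "bob": unsalted("letmein")}
    print("unsalted hits:", table_hits(table, plain_store))
    salted = {user: enroll("letmein") for user in ("alice", "bob")}
    salted_store = {user: rec["hash"].hex() for user, rec in salted.items()}
    print("salted hits:  ", table_hits(table, salted_store))
    print("same hash for same password:",
          salted["alice"]["hash"] == salted["bob"]["hash"])
```

The salt does not make a weak password strong; it forces the work to be repeated per account, and the iteration count makes each guess slower.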

  21. Demo
     • Congratulations, you have been hired by the Dúmbáss Corporation and you are required to create a new password for your user account.
     • Since the company does not hire RIT-trained network administrators, they require that your password be 10 characters or less and use only letters and numbers.
     • Please change the password on the laptop in front of you and write it down on a piece of paper (never do this in reality; it is just for this demonstration in case something goes wrong).
     • Watch as the password is destroyed.

