SlideShare ist ein Scribd-Unternehmen logo

Ntlm Unsafe

G
Guang Ying Yuan
Technologie
1 von 28
Downloaden Sie, um offline zu lesen
NTLM Authentication  Unsafe Originally presented at Symposium on Security for Asia Network SyScAN '04 December 17th, 2004 – some updates for March 2005 Information Security Partners, LLC iSECPartners.com
https://www.isecpartners.com What you get for attending – An Outline • Demo of an easy‐to‐execute attack on NTLM – Works on majority of corporate networks. • How to harden against attack. • Enumeration of NTLM’s risks, so that you can justify the  deployment of potentially inconvenient settings and have a  clear understanding of the risks you must accept. • I will talk about other weaknesses of NTLM, including  password authenticators being password equivalents, what  that means, and demonstrate an iSEC tool for taking  advantage of it. • I will discuss authentication alternatives including SRP (a  zero‐knowledge proof of knowledge protocol)
https://www.isecpartners.com Agenda • Background on NTLM – What is NTLM – A little crypto  – Some observations • Password equivalence issues • Pre‐computed dictionary attacks – NTLMv2 as a solution • Middle person attack • Hardening against these issues • Questions
https://www.isecpartners.com What is NTLM? • An authentication protocol that supports Single Sign‐On primarily  used on Windows networks • Challenge ‐ Response based • Replaced a weaker protocol called “LAN Manager” • NTLM is “NT Lan Manager” • NTLM is NTLM version 1 or NTLMv1 • Still “on” by default in popular operating systems • Ubiquitous – Windows, Mac and Linux networks all commonly  deploy NTLM – Windows XP / Server 2003 / 2000 / NT  – Internet Explorer – Firefox – Samba – jCIFS – Mac OS X – WinCE  – Storage devices
https://www.isecpartners.com What is NTLM? • Used to authenticate – Web site users – share point, IIS, servlets with jCIFS – File share access – including default shares like c$ and admin$ – Printer access – DCE RPC calls – DCOM • Usually can be replaced with stronger Kerberos authentication – But active attackers can downgrade to NTLM – Users without  tickets, or with intermittent connectivity avoid Kerberos • Dictionary attacks have been demonstrated against NTLM – Cain and Abel, l0pht crack et al. perform password search against sniffed  NTLM authentications – These are not pre‐computed attacks – so they require very weak passwords
https://www.isecpartners.com NTLM Basics 1. Take a password 2. Calculate the MD4 of it ‐> 128 random bits or 16 bytes 3. Store this value – the “NTLM Hash” (aka the Authenticator) – this is different than the “LAN Man Hash” During Authentication 1. Get an 8 byte challenge 2. Divide the NTLM Hash (MD4 of password) into three pieces • 2 seven byte and one 2 byte (7 + 7 + 2 = 16 bytes) 3. DES encrypt the challenge with the three MD4 chunks 4. Concatenate the three cipher texts to make the “NTLM  response” 5. Send the “NTLM response” to the server
https://www.isecpartners.com NTLM Basics How an NTLM Hash & Challenge  NTLMv1 Response MD4 of password = 0x0123456789ABCDEFFEDCBA9876543210 Broken into three “Key Chunks” Key 1: 0123456789ABCD Key 2: EFFEDCBA987654 Key 3: 32100000000000 NTLM Response is the concatenation of the encryption  of the challenge with three separate keys =  DES(Challenge, Key1) + DES(Challenge, Key2) + DES(Challenge, Key 3)
https://www.isecpartners.com NTLM Basics • Response generation requires only the “NTLM Hash” (which  is the password authenticator). The server must store the  password authenticator to be able to authenticate users. • Unix password authenticators typically are non‐password‐ equivalent salted hashes so that exposure isn’t catastrophic. • Effort to try all DES keys: 2 x 2^56 + 2^16 ≅ 2^57 for all three  portions of the response • 10 character alphabetic mixed case password has about 2^57  possibilities
https://www.isecpartners.com NTLM Observations – What’s nice • NTLM provides a different response for every challenge, so  an attacker can’t pre‐compute a dictionary attack as the  challenge space is huge (2^128 is bigger than my golf score) • Doesn’t require a centralized server available at logon • Can “pass through” authorization to a domain controller or  other server • Passive attackers don’t see passwords • No replay attacks as the server is unlikely to ever reuse a  challenge (about 2^64 observations required for a collision) • MD4 of the password whitens it 
https://www.isecpartners.com NTLM Observations – What’s weak • The password authenticator is itself password equivalent • The authenticator is protected with the weak DES cipher • Machines can break DES – cost and speed are not public • DES cipher has an attack complexity of 2^56, which means for  [a‐z][A‐Z] passwords of length 10 or more it is fewer  operations to break DES then to brute force the password. • Passive adversaries get an offline dictionary attack on the  password which could compromise weak passwords (Cain  and Abel) • The protocol doesn’t protect against middle person attacks • Active attackers can provide known challenges and launch  pre‐computed dictionary attacks • Most of these would be fine if the communication was over a  secure SSL or TLS tunnel – The password equivalency of the authenticator would not
https://www.isecpartners.com Password Equivalence of Authenticator • To demonstrate the password equivalence of the NTLM Hash  (MD4(password)) I modified the jCIFS “SmbShell” example  so that it would authenticate using username and NTLM Hash  instead of password. • This only works because of the “password equivalence” of the  NTLM Hash which is used as the “password authenticator”. • Attacker doesn’t have to use rainbow tables or brute force • Extracting hashes does require administrator access! • Often one time brief physical access can result in password  hash extraction
https://www.isecpartners.com Password Equivalence of Authenticator • Syskey helps protect windows machines that store these  authenticators (i.e. machines with passwords) • Local accounts are stored on workstations like this laptop • Local administrator accounts often have synchronized  passwords in corporate environments – while convenient for  administration, the password equivalence of these  authenticators represent an enormous risk!
https://www.isecpartners.com Password Equivalence of Authenticator • This equivalence is commonly misunderstood. • Many people assume the password hashes stored by Windows  are similar to the password hashes found in BSD or Linux  shadow files. However shadow hashes are generally not  password equivalents. • The equivalence is mentioned in the excellent book “Network  Security ‐ Private Communication in a public world” Second  Edition, Radia Perlman, Charlie Kaufman, Mike Speciner “the fact that the server stores a hash of the user’s password rather than the  actual password does not theoretically make the scheme more secure. A  modified version of the client software could impersonate the user if it  directly used the hash of the password rather than hashing the string the  user types.” – Page 622, 24.7.1 Lan Manager and NTLM • The modified client I present demonstrates the practical truth  of the above theoretical statement.
https://www.isecpartners.com NTLM Hash Authentication Shell Demonstration • java ‐jar SmbShell.jar • This shell is similar to the example in jCIFS except that it has  been modified to: – Login without passwords – Support deletion of files – Support uploading of files (put) – Support downloading of files (get) DEMO
https://www.isecpartners.com Protecting against authenticator password equivalence • Use Syskey with a password to keep workstations safer from  attackers who get them alone with a floppy or USB disk – Laptops or at‐risk workstations are particularly good candidates • Never synchronize local passwords between machines!  – Especially not local administrator passwords (where synchronization is common) • Use Secure Remote Password protocol (SRP http://srp.stanford.edu/)  for incompatible applications or systems that need to authenticate  users by password • Acknowledge and accept the risk Open Questions • Do you think NTLMv2 or SMB Signing resolve this?  – I don’t believe so. Although I am not demonstrating equivalence with NTLMv2 or  SMB Signing required. • Does Kerberos help? – I am not yet convinced, but at least it helps against these tools.
https://www.isecpartners.com Dictionary attacks Dictionary attacks come in three flavors • Online – almost useless against any but the weakest passwords – Hard to prevent, account lockout periods are commonly used to mitigate this minor  risk – Works well on passwords like “password”, “Jesse”, and “test” • Offline – useful against weak passwords – Real problem for obsolete “LAN Manager” protocol, not common against NTLM – Cain and Abel supports this kind of dictionary attack through monitoring of NTLM  Challenge‐Response pairs – Works well on passwords like “p0tat0”, “Cat2”, and “giantrobot” – Possible with a DES cracking oracle (targets recovery of the NTLM Hash) • Pre‐computed offline – Very effective against whole key spaces with  Time‐Space trade‐offs as seen in Rainbow Crack – Possible with an active attack on NTLM – Works well on passwords like “ydDKaEza”, “a39dAJ1z”, and “b@d00D!”
https://www.isecpartners.com Pre‐computed dictionary attacks on NTLM • By deciding on a standard “challenge” and computing the  dictionary, key space, or crack table based on that challenge  an attacker prepares to break a password • The attacker then impersonates a server – This can be very easy – IE will magically authenticate against a site with a Netbios name if directed  there with an iframe, link, or 302. – Firefox supports transparent authentication after the initial auth – initial  authentication prompts the user. • The attacker’s server uses the standard challenge that was  used to generate the dictionary, key space or crack table.
https://www.isecpartners.com Pre‐computed dictionary attacks on NTLM • NTLMv2 is specifically designed to eliminate the possibility  of pre‐computed dictionary attacks – Uses client nonce in addition to server nonce / challenge in calculation of  response  – An additional fix in NTLMv2 reduces the risk of middle person attacks – Additional nonce changes the size of the response breaking many  implementations • NTLMv2 is probably an acknowledgement of the pre‐ computed dictionary weakness in NTLM • It has been mentioned before online – as a letter in  Christopher R. Hertel’s online book “Implementing CIFS – The Common Internet File System” reads: “you talk about the quot;client challengequot; a bit, but miss the point of it: the client nonce (as it should really more correctly be called) is there to prevent precomputed dictionary attacks by the server ” ‐ Ronald Tschalär to Chris Hertel, in Implementing CIFS http://ubiqx.org/cifs/SMB.html#SMB.8
https://www.isecpartners.com Pre‐computed dictionary attacks on NTLM • This servlet negotiates NTLM authentication against browsers • Always serves the challenge: byte[] ISEC_CHALL = { (byte) 'i', (byte) 'S', (byte) 'E', (byte) 'C', 0, 0x15, (byte) 0xEC, 0 }; • In hex: 695345430015EC00 • Under NTLM each password maps to one NTLM response • Under NTLMv2 each password maps to many NTLMv2  responses DEMO
https://www.isecpartners.com Protecting against pre‐computed dictionary attacks • Require only NTLMv2 or LMv2 on all servers and  workstations • Negotiating NTLMv2 does nothing to protect you, the active  attack requires an active adversary and active adversaries can  easily downgrade. • Change the settings from default – this ships vulnerable
https://www.isecpartners.com Middle person attacks on NTLM • NTLM doesn’t protect against Middle Person attacks • The most common tool for demonstrating middle person  attacks on NTLM is SMBRelay • SMBRelay is complicated, and works when people connect to  shares • I decided to exploit the willingness of browsers to  transparently authenticate with local machines to connect  back over SMB. • Browser’s are used very frequently, not a lot of waiting for  share connecting
https://www.isecpartners.com Middle person attacks on NTLM • This means I am using NTLM over HTTP authentication to  access an NTLM protected SMB resource (a share) • People use web browsers as administrator frequently, and it’s  easy to tell when they are doing it – for example going to  windows update is a give away. • My code speaks HTTP and SMB – thanks to jCIFS!
https://www.isecpartners.com NTLM middle person attack explained • Attacker may do DNS or Netbios response forging to acquire victims • Victim connects to a local “attack web server” over HTTP • Victim sees attack server as in the “Local Intranet Zone” – Allows automatic NTLM authentication • Attack server connects to victim or target resource over SMB – Victim must have file sharing accessible, be logged in as an account with access,  support NTLM and not require SMB signing • Attack server gets a challenge from the victim • Attack server demands NTLM authentication and reflects the  challenge to the victim • Victim responds correctly to the challenge  • Attack server provides the victim’s response and authenticates • Attack server copies the backup SAM or does whatever else it likes • Attack server serves a page to the victim or redirects them
https://www.isecpartners.com NTLM middle person attack explained I have two versions • One grabs the backup SAM from admin$/repair/sam – It often contains the NTLM Hash for the administrator  – It is often useable on other machines on the network – It can be used directly to authenticate with the tool I demoed earlier • The other connects and launches my “modified SmbShell” The second version is more fun to watch, and is more flexible in terms of exploit potential DEMO
https://www.isecpartners.com Protecting against NTLM middle person attacks • Use NTLM authentication on web servers only with SSL • Disable automatic NTLM authentication in browsers • Setting must be to “always” use SMB Signing. Negotiating  signing does nothing to protect you. Exploiting this  vulnerability requires an active attacker, and active attackers  will just downgrade if they have the option. Change the  settings from default – this ships vulnerable
https://www.isecpartners.com Take away’s I hope you agree that • NTLM is too dangerous to use on your network – Use NTLMv2 or Kerberos, and set them to “always”, otherwise attackers just  downgrade – Use SMB Signing to prevent middle person attacks – Only use NTLM or NTLMv2 auth on websites when using HTTPS • IE should be set not to automatically NTLM authenticate • Never use identical administrator passwords across machines as they  are stored in password equivalent form • Samba shares are no less vulnerable than Windows • Sorry, but I don’t have a solution for Mac OS X ‐ ADmitMac (http://www.thursby.com/) has one I haven’t tried • Future authentication protocols should use Zero‐Knowledge Proof of  Knowledge techniques like SRP does. • iSEC Partners has cool, unique tools to clearly demonstrate the  practical importance of common risks.
https://www.isecpartners.com Questions?
https://www.isecpartners.com Shameless plug Information Security Partners can help your  organization understand and mitigate its  application or network security risks. We perform protocol, application, and network penetration testing, training and complimentary security services.  See iSEC Partners online at  https://www.isecpartners.com Or talk to the author: Jesse Burns, Principal Partner Email: Jesse at iSECPartners dot com

Empfohlen

NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Kerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashKerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashAnkit Mehta
 
Block ciphers & public key cryptography
Block ciphers & public key cryptographyBlock ciphers & public key cryptography
Block ciphers & public key cryptographyRAMPRAKASHT1
 
TLS v1.3
TLS v1.3TLS v1.3
TLS v1.3Siddhartha Rao
 
Transposition Cipher
Transposition CipherTransposition Cipher
Transposition Cipherdaniyalqureshi712
 
Network security chapter 1
Network security chapter 1Network security chapter 1
Network security chapter 1osama elfar
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 

Empfohlen

NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Kerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashKerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashAnkit Mehta
 
Block ciphers & public key cryptography
Block ciphers & public key cryptographyBlock ciphers & public key cryptography
Block ciphers & public key cryptographyRAMPRAKASHT1
 
TLS v1.3
TLS v1.3TLS v1.3
TLS v1.3Siddhartha Rao
 
Transposition Cipher
Transposition CipherTransposition Cipher
Transposition Cipherdaniyalqureshi712
 
Network security chapter 1
Network security chapter 1Network security chapter 1
Network security chapter 1osama elfar
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using sshmorisson
 
Cryptography
CryptographyCryptography
CryptographyKalyani Government Engineering College
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA AlgorithmJoon Young Park
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPSSantosh Khadsare
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & DefenseBlueinfy Solutions
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsSam Bowne
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets LayerNascenia IT
 
SCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim SchulzSCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim SchulzJorge Orchilles
 
Cryptography Intro
Cryptography IntroCryptography Intro
Cryptography IntroChristopher Martin
 
Diffie Hellman.pptx
Diffie Hellman.pptxDiffie Hellman.pptx
Diffie Hellman.pptxsamimaqbol
 
2.3 criptografia
2.3 criptografia2.3 criptografia
2.3 criptografiajorgecan91
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing3S Labs
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Encryption and Key Distribution Methods
Encryption and Key Distribution MethodsEncryption and Key Distribution Methods
Encryption and Key Distribution MethodsGulcin Yildirim Jelinek
 
Cryptography
CryptographyCryptography
CryptographyDarshini Parikh
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationSatria Ady Pradana
 
Diffie Hellman.pptx
Diffie Hellman.pptxDiffie Hellman.pptx
Diffie Hellman.pptxSou Jana
 
Acl avancée
Acl avancéeAcl avancée
Acl avancéeKawtar Zerhouni
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS Ghanshyam Patel
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerMuhammad Moinur Rahman
 
Information Security Engineering
Information Security EngineeringInformation Security Engineering
Information Security EngineeringMd. Hasan Basri (Angel)
 

Weitere ähnliche Inhalte

Was ist angesagt?

(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using sshmorisson
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsSam Bowne
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets LayerNascenia IT
 
SCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim SchulzSCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim SchulzJorge Orchilles
 
Diffie Hellman.pptx
Diffie Hellman.pptxDiffie Hellman.pptx
Diffie Hellman.pptxsamimaqbol
 
2.3 criptografia
2.3 criptografia2.3 criptografia
2.3 criptografiajorgecan91
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing3S Labs
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationSatria Ady Pradana
 
Diffie Hellman.pptx
Diffie Hellman.pptxDiffie Hellman.pptx
Diffie Hellman.pptxSou Jana
 

Was ist angesagt? (20)

(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh
 
Cryptography
CryptographyCryptography
Cryptography
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets Layer
 
SCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim SchulzSCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim Schulz
 
Cryptography Intro
Cryptography IntroCryptography Intro
Cryptography Intro
 
Diffie Hellman.pptx
Diffie Hellman.pptxDiffie Hellman.pptx
Diffie Hellman.pptx
 
2.3 criptografia
2.3 criptografia2.3 criptografia
2.3 criptografia
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Encryption and Key Distribution Methods
Encryption and Key Distribution MethodsEncryption and Key Distribution Methods
Encryption and Key Distribution Methods
 
Cryptography
CryptographyCryptography
Cryptography
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming Operation
 
Diffie Hellman.pptx
Diffie Hellman.pptxDiffie Hellman.pptx
Diffie Hellman.pptx
 
Acl avancée
Acl avancéeAcl avancée
Acl avancée
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
 

Ähnlich wie Ntlm Unsafe

Attacking XML Security
Attacking XML SecurityAttacking XML Security
Attacking XML SecurityYusuf Motiwala
 
New Security Issues related to Embedded Web Servers
New Security Issues related to Embedded Web ServersNew Security Issues related to Embedded Web Servers
New Security Issues related to Embedded Web ServersEric Vétillard
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Abhishek Kumar
 
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception saconPriyanka Aash
 
Tsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityTsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityMikal Villa
 
rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczPaula Januszkiewicz
 
Aws training in bangalore
Aws training in bangalore Aws training in bangalore
Aws training in bangalore apponix123
 
LF_APIStrat17_Don't Build a Death Star
LF_APIStrat17_Don't Build a Death StarLF_APIStrat17_Don't Build a Death Star
LF_APIStrat17_Don't Build a Death StarLF_APIStrat
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
Hardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiaHardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiazznate
 
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).DataStax Academy
 
Certificates and Web of Trust
Certificates and Web of TrustCertificates and Web of Trust
Certificates and Web of TrustYousof Alsatom
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expertRoyce Davis
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityPratap Dangeti
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016zznate
 
Securing Cassandra for Compliance
Securing Cassandra for ComplianceSecuring Cassandra for Compliance
Securing Cassandra for ComplianceDataStax
 

Ähnlich wie Ntlm Unsafe (20)

FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
Information Security Engineering
Information Security EngineeringInformation Security Engineering
Information Security Engineering
 
Online Authentication
Online AuthenticationOnline Authentication
Online Authentication
 
Attacking XML Security
Attacking XML SecurityAttacking XML Security
Attacking XML Security
 
New Security Issues related to Embedded Web Servers
New Security Issues related to Embedded Web ServersNew Security Issues related to Embedded Web Servers
New Security Issues related to Embedded Web Servers
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
 
Breaking ssl
Breaking sslBreaking ssl
Breaking ssl
 
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
 
Tsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityTsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header Security
 
rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewicz
 
Aws training in bangalore
Aws training in bangalore Aws training in bangalore
Aws training in bangalore
 
LF_APIStrat17_Don't Build a Death Star
LF_APIStrat17_Don't Build a Death StarLF_APIStrat17_Don't Build a Death Star
LF_APIStrat17_Don't Build a Death Star
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
 
Hardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiaHardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoia
 
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
 
Certificates and Web of Trust
Certificates and Web of TrustCertificates and Web of Trust
Certificates and Web of Trust
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expert
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in Cybersecurity
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016
 
Securing Cassandra for Compliance
Securing Cassandra for ComplianceSecuring Cassandra for Compliance
Securing Cassandra for Compliance
 

Mehr von Guang Ying Yuan

【职场女性领导力】《向前一步》
【职场女性领导力】《向前一步》【职场女性领导力】《向前一步》
【职场女性领导力】《向前一步》Guang Ying Yuan
 
Android vs i os features
Android vs i os featuresAndroid vs i os features
Android vs i os featuresGuang Ying Yuan
 
Designing and implementing high performance rule based applications
Designing and implementing high performance rule based applicationsDesigning and implementing high performance rule based applications
Designing and implementing high performance rule based applicationsGuang Ying Yuan
 
螃蟹、猫头鹰和蝙蝠
螃蟹、猫头鹰和蝙蝠 螃蟹、猫头鹰和蝙蝠
螃蟹、猫头鹰和蝙蝠 Guang Ying Yuan
 
2010 06 28_2357_savor_the_blue_volume_ii_my
2010 06 28_2357_savor_the_blue_volume_ii_my2010 06 28_2357_savor_the_blue_volume_ii_my
2010 06 28_2357_savor_the_blue_volume_ii_myGuang Ying Yuan
 
Agile Software Development Overview 1231560734008086 2
Agile Software Development Overview 1231560734008086 2Agile Software Development Overview 1231560734008086 2
Agile Software Development Overview 1231560734008086 2Guang Ying Yuan
 
Java面试题解惑系列
Java面试题解惑系列Java面试题解惑系列
Java面试题解惑系列Guang Ying Yuan
 
Smart+Shanghai+2008 09 05
Smart+Shanghai+2008 09 05Smart+Shanghai+2008 09 05
Smart+Shanghai+2008 09 05Guang Ying Yuan
 
Day1 Sap Basis Overview V1 1
Day1 Sap Basis Overview V1 1Day1 Sap Basis Overview V1 1
Day1 Sap Basis Overview V1 1Guang Ying Yuan
 

Mehr von Guang Ying Yuan (20)

【职场女性领导力】《向前一步》
【职场女性领导力】《向前一步》【职场女性领导力】《向前一步》
【职场女性领导力】《向前一步》
 
Pulic Speaking
Pulic SpeakingPulic Speaking
Pulic Speaking
 
Jmeter
Jmeter Jmeter
Jmeter
 
Android vs i os features
Android vs i os featuresAndroid vs i os features
Android vs i os features
 
Designing and implementing high performance rule based applications
Designing and implementing high performance rule based applicationsDesigning and implementing high performance rule based applications
Designing and implementing high performance rule based applications
 
螃蟹、猫头鹰和蝙蝠
螃蟹、猫头鹰和蝙蝠 螃蟹、猫头鹰和蝙蝠
螃蟹、猫头鹰和蝙蝠
 
girl
girlgirl
girl
 
Lombardi intro full
Lombardi intro full Lombardi intro full
Lombardi intro full
 
2010 06 28_2357_savor_the_blue_volume_ii_my
2010 06 28_2357_savor_the_blue_volume_ii_my2010 06 28_2357_savor_the_blue_volume_ii_my
2010 06 28_2357_savor_the_blue_volume_ii_my
 
德勤工作手册
德勤工作手册德勤工作手册
德勤工作手册
 
IBM certification
IBM certificationIBM certification
IBM certification
 
Agile Software Development Overview 1231560734008086 2
Agile Software Development Overview 1231560734008086 2Agile Software Development Overview 1231560734008086 2
Agile Software Development Overview 1231560734008086 2
 
Java面试题解惑系列
Java面试题解惑系列Java面试题解惑系列
Java面试题解惑系列
 
Abap codebook
Abap codebookAbap codebook
Abap codebook
 
64 Interview Questions
64 Interview Questions64 Interview Questions
64 Interview Questions
 
Filenet API PDF
Filenet API PDFFilenet API PDF
Filenet API PDF
 
Smart+Shanghai+2008 09 05
Smart+Shanghai+2008 09 05Smart+Shanghai+2008 09 05
Smart+Shanghai+2008 09 05
 
Day5 R3 Basis Security
Day5 R3 Basis SecurityDay5 R3 Basis Security
Day5 R3 Basis Security
 
Day1 Sap Basis Overview V1 1
Day1 Sap Basis Overview V1 1Day1 Sap Basis Overview V1 1
Day1 Sap Basis Overview V1 1
 
Nw2004s What Is New
Nw2004s What Is NewNw2004s What Is New
Nw2004s What Is New
 

Kürzlich hochgeladen

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Kürzlich hochgeladen (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Ntlm Unsafe

  • 1. NTLM Authentication  Unsafe Originally presented at Symposium on Security for Asia Network SyScAN '04 December 17th, 2004 – some updates for March 2005 Information Security Partners, LLC iSECPartners.com
  • 2. https://www.isecpartners.com What you get for attending – An Outline • Demo of an easy‐to‐execute attack on NTLM – Works on majority of corporate networks. • How to harden against attack. • Enumeration of NTLM’s risks, so that you can justify the  deployment of potentially inconvenient settings and have a  clear understanding of the risks you must accept. • I will talk about other weaknesses of NTLM, including  password authenticators being password equivalents, what  that means, and demonstrate an iSEC tool for taking  advantage of it. • I will discuss authentication alternatives including SRP (a  zero‐knowledge proof of knowledge protocol)
  • 3. https://www.isecpartners.com Agenda • Background on NTLM – What is NTLM – A little crypto  – Some observations • Password equivalence issues • Pre‐computed dictionary attacks – NTLMv2 as a solution • Middle person attack • Hardening against these issues • Questions
  • 4. https://www.isecpartners.com What is NTLM? • An authentication protocol that supports Single Sign‐On primarily  used on Windows networks • Challenge ‐ Response based • Replaced a weaker protocol called “LAN Manager” • NTLM is “NT Lan Manager” • NTLM is NTLM version 1 or NTLMv1 • Still “on” by default in popular operating systems • Ubiquitous – Windows, Mac and Linux networks all commonly  deploy NTLM – Windows XP / Server 2003 / 2000 / NT  – Internet Explorer – Firefox – Samba – jCIFS – Mac OS X – WinCE  – Storage devices
  • 5. https://www.isecpartners.com What is NTLM? • Used to authenticate – Web site users – share point, IIS, servlets with jCIFS – File share access – including default shares like c$ and admin$ – Printer access – DCE RPC calls – DCOM • Usually can be replaced with stronger Kerberos authentication – But active attackers can downgrade to NTLM – Users without  tickets, or with intermittent connectivity avoid Kerberos • Dictionary attacks have been demonstrated against NTLM – Cain and Abel, l0pht crack et al. perform password search against sniffed  NTLM authentications – These are not pre‐computed attacks – so they require very weak passwords
  • 6. https://www.isecpartners.com NTLM Basics 1. Take a password 2. Calculate the MD4 of it ‐> 128 random bits or 16 bytes 3. Store this value – the “NTLM Hash” (aka the Authenticator) – this is different than the “LAN Man Hash” During Authentication 1. Get an 8 byte challenge 2. Divide the NTLM Hash (MD4 of password) into three pieces • 2 seven byte and one 2 byte (7 + 7 + 2 = 16 bytes) 3. DES encrypt the challenge with the three MD4 chunks 4. Concatenate the three cipher texts to make the “NTLM  response” 5. Send the “NTLM response” to the server
  • 7. https://www.isecpartners.com NTLM Basics How an NTLM Hash & Challenge  NTLMv1 Response MD4 of password = 0x0123456789ABCDEFFEDCBA9876543210 Broken into three “Key Chunks” Key 1: 0123456789ABCD Key 2: EFFEDCBA987654 Key 3: 32100000000000 NTLM Response is the concatenation of the encryption  of the challenge with three separate keys =  DES(Challenge, Key1) + DES(Challenge, Key2) + DES(Challenge, Key 3)
  • 8. https://www.isecpartners.com NTLM Basics • Response generation requires only the “NTLM Hash” (which  is the password authenticator). The server must store the  password authenticator to be able to authenticate users. • Unix password authenticators typically are non‐password‐ equivalent salted hashes so that exposure isn’t catastrophic. • Effort to try all DES keys: 2 x 2^56 + 2^16 ≅ 2^57 for all three  portions of the response • 10 character alphabetic mixed case password has about 2^57  possibilities
  • 9. https://www.isecpartners.com NTLM Observations – What’s nice • NTLM provides a different response for every challenge, so  an attacker can’t pre‐compute a dictionary attack as the  challenge space is huge (2^128 is bigger than my golf score) • Doesn’t require a centralized server available at logon • Can “pass through” authorization to a domain controller or  other server • Passive attackers don’t see passwords • No replay attacks as the server is unlikely to ever reuse a  challenge (about 2^64 observations required for a collision) • MD4 of the password whitens it 
  • 10. https://www.isecpartners.com NTLM Observations – What’s weak • The password authenticator is itself password equivalent • The authenticator is protected with the weak DES cipher • Machines can break DES – cost and speed are not public • DES cipher has an attack complexity of 2^56, which means for  [a‐z][A‐Z] passwords of length 10 or more it is fewer  operations to break DES then to brute force the password. • Passive adversaries get an offline dictionary attack on the  password which could compromise weak passwords (Cain  and Abel) • The protocol doesn’t protect against middle person attacks • Active attackers can provide known challenges and launch  pre‐computed dictionary attacks • Most of these would be fine if the communication was over a  secure SSL or TLS tunnel – The password equivalency of the authenticator would not
  • 11. https://www.isecpartners.com Password Equivalence of Authenticator • To demonstrate the password equivalence of the NTLM Hash  (MD4(password)) I modified the jCIFS “SmbShell” example  so that it would authenticate using username and NTLM Hash  instead of password. • This only works because of the “password equivalence” of the  NTLM Hash which is used as the “password authenticator”. • Attacker doesn’t have to use rainbow tables or brute force • Extracting hashes does require administrator access! • Often one time brief physical access can result in password  hash extraction
  • 12. https://www.isecpartners.com Password Equivalence of Authenticator • Syskey helps protect windows machines that store these  authenticators (i.e. machines with passwords) • Local accounts are stored on workstations like this laptop • Local administrator accounts often have synchronized  passwords in corporate environments – while convenient for  administration, the password equivalence of these  authenticators represent an enormous risk!
  • 13. https://www.isecpartners.com Password Equivalence of Authenticator • This equivalence is commonly misunderstood. • Many people assume the password hashes stored by Windows  are similar to the password hashes found in BSD or Linux  shadow files. However shadow hashes are generally not  password equivalents. • The equivalence is mentioned in the excellent book “Network  Security ‐ Private Communication in a public world” Second  Edition, Radia Perlman, Charlie Kaufman, Mike Speciner “the fact that the server stores a hash of the user’s password rather than the  actual password does not theoretically make the scheme more secure. A  modified version of the client software could impersonate the user if it  directly used the hash of the password rather than hashing the string the  user types.” – Page 622, 24.7.1 Lan Manager and NTLM • The modified client I present demonstrates the practical truth  of the above theoretical statement.
  • 14. https://www.isecpartners.com NTLM Hash Authentication Shell Demonstration • java ‐jar SmbShell.jar • This shell is similar to the example in jCIFS except that it has  been modified to: – Login without passwords – Support deletion of files – Support uploading of files (put) – Support downloading of files (get) DEMO
  • 15. https://www.isecpartners.com Protecting against authenticator password equivalence • Use Syskey with a password to keep workstations safer from  attackers who get them alone with a floppy or USB disk – Laptops or at‐risk workstations are particularly good candidates • Never synchronize local passwords between machines!  – Especially not local administrator passwords (where synchronization is common) • Use Secure Remote Password protocol (SRP http://srp.stanford.edu/)  for incompatible applications or systems that need to authenticate  users by password • Acknowledge and accept the risk Open Questions • Do you think NTLMv2 or SMB Signing resolve this?  – I don’t believe so. Although I am not demonstrating equivalence with NTLMv2 or  SMB Signing required. • Does Kerberos help? – I am not yet convinced, but at least it helps against these tools.
  • 16. https://www.isecpartners.com Dictionary attacks Dictionary attacks come in three flavors • Online – almost useless against any but the weakest passwords – Hard to prevent, account lockout periods are commonly used to mitigate this minor  risk – Works well on passwords like “password”, “Jesse”, and “test” • Offline – useful against weak passwords – Real problem for obsolete “LAN Manager” protocol, not common against NTLM – Cain and Abel supports this kind of dictionary attack through monitoring of NTLM  Challenge‐Response pairs – Works well on passwords like “p0tat0”, “Cat2”, and “giantrobot” – Possible with a DES cracking oracle (targets recovery of the NTLM Hash) • Pre‐computed offline – Very effective against whole key spaces with  Time‐Space trade‐offs as seen in Rainbow Crack – Possible with an active attack on NTLM – Works well on passwords like “ydDKaEza”, “a39dAJ1z”, and “b@d00D!”
  • 17. https://www.isecpartners.com Pre‐computed dictionary attacks on NTLM • By deciding on a standard “challenge” and computing the  dictionary, key space, or crack table based on that challenge  an attacker prepares to break a password • The attacker then impersonates a server – This can be very easy – IE will magically authenticate against a site with a Netbios name if directed  there with an iframe, link, or 302. – Firefox supports transparent authentication after the initial auth – initial  authentication prompts the user. • The attacker’s server uses the standard challenge that was  used to generate the dictionary, key space or crack table.
  • 18. https://www.isecpartners.com Pre‐computed dictionary attacks on NTLM • NTLMv2 is specifically designed to eliminate the possibility  of pre‐computed dictionary attacks – Uses client nonce in addition to server nonce / challenge in calculation of  response  – An additional fix in NTLMv2 reduces the risk of middle person attacks – Additional nonce changes the size of the response breaking many  implementations • NTLMv2 is probably an acknowledgement of the pre‐ computed dictionary weakness in NTLM • It has been mentioned before online – as a letter in  Christopher R. Hertel’s online book “Implementing CIFS – The Common Internet File System” reads: “you talk about the quot;client challengequot; a bit, but miss the point of it: the client nonce (as it should really more correctly be called) is there to prevent precomputed dictionary attacks by the server ” ‐ Ronald Tschalär to Chris Hertel, in Implementing CIFS http://ubiqx.org/cifs/SMB.html#SMB.8
  • 19. https://www.isecpartners.com Pre‐computed dictionary attacks on NTLM • This servlet negotiates NTLM authentication against browsers • Always serves the challenge: byte[] ISEC_CHALL = { (byte) 'i', (byte) 'S', (byte) 'E', (byte) 'C', 0, 0x15, (byte) 0xEC, 0 }; • In hex: 695345430015EC00 • Under NTLM each password maps to one NTLM response • Under NTLMv2 each password maps to many NTLMv2  responses DEMO
  • 20. https://www.isecpartners.com Protecting against pre‐computed dictionary attacks • Require only NTLMv2 or LMv2 on all servers and  workstations • Negotiating NTLMv2 does nothing to protect you, the active  attack requires an active adversary and active adversaries can  easily downgrade. • Change the settings from default – this ships vulnerable
  • 21. https://www.isecpartners.com Middle person attacks on NTLM • NTLM doesn’t protect against Middle Person attacks • The most common tool for demonstrating middle person  attacks on NTLM is SMBRelay • SMBRelay is complicated, and works when people connect to  shares • I decided to exploit the willingness of browsers to  transparently authenticate with local machines to connect  back over SMB. • Browser’s are used very frequently, not a lot of waiting for  share connecting
  • 22. https://www.isecpartners.com Middle person attacks on NTLM • This means I am using NTLM over HTTP authentication to  access an NTLM protected SMB resource (a share) • People use web browsers as administrator frequently, and it’s  easy to tell when they are doing it – for example going to  windows update is a give away. • My code speaks HTTP and SMB – thanks to jCIFS!
  • 23. https://www.isecpartners.com NTLM middle person attack explained • Attacker may do DNS or Netbios response forging to acquire victims • Victim connects to a local “attack web server” over HTTP • Victim sees attack server as in the “Local Intranet Zone” – Allows automatic NTLM authentication • Attack server connects to victim or target resource over SMB – Victim must have file sharing accessible, be logged in as an account with access,  support NTLM and not require SMB signing • Attack server gets a challenge from the victim • Attack server demands NTLM authentication and reflects the  challenge to the victim • Victim responds correctly to the challenge  • Attack server provides the victim’s response and authenticates • Attack server copies the backup SAM or does whatever else it likes • Attack server serves a page to the victim or redirects them
  • 24. https://www.isecpartners.com NTLM middle person attack explained I have two versions • One grabs the backup SAM from admin$/repair/sam – It often contains the NTLM Hash for the administrator  – It is often useable on other machines on the network – It can be used directly to authenticate with the tool I demoed earlier • The other connects and launches my “modified SmbShell” The second version is more fun to watch, and is more flexible in terms of exploit potential DEMO
  • 25. https://www.isecpartners.com Protecting against NTLM middle person attacks • Use NTLM authentication on web servers only with SSL • Disable automatic NTLM authentication in browsers • Setting must be to “always” use SMB Signing. Negotiating  signing does nothing to protect you. Exploiting this  vulnerability requires an active attacker, and active attackers  will just downgrade if they have the option. Change the  settings from default – this ships vulnerable
  • 26. https://www.isecpartners.com Take away’s I hope you agree that • NTLM is too dangerous to use on your network – Use NTLMv2 or Kerberos, and set them to “always”, otherwise attackers just  downgrade – Use SMB Signing to prevent middle person attacks – Only use NTLM or NTLMv2 auth on websites when using HTTPS • IE should be set not to automatically NTLM authenticate • Never use identical administrator passwords across machines as they  are stored in password equivalent form • Samba shares are no less vulnerable than Windows • Sorry, but I don’t have a solution for Mac OS X ‐ ADmitMac (http://www.thursby.com/) has one I haven’t tried • Future authentication protocols should use Zero‐Knowledge Proof of  Knowledge techniques like SRP does. • iSEC Partners has cool, unique tools to clearly demonstrate the  practical importance of common risks.
  • 28. https://www.isecpartners.com Shameless plug Information Security Partners can help your  organization understand and mitigate its  application or network security risks. We perform protocol, application, and network penetration testing, training and complimentary security services.  See iSEC Partners online at  https://www.isecpartners.com Or talk to the author: Jesse Burns, Principal Partner Email: Jesse at iSECPartners dot com