How I Cracked your Windows Password
Posted 16 September 2010 - 10:24 PM
Passwords tend to be our main and sometimes only line of defense against intruders. Even if attackers do not have physical access to a machine they can often access a server through the remote desktop protocol or authenticate to a service via an outward facing web application.
The purpose of this article is to educate you on how Windows creates and stores password hashes, and how those hashes are cracked. After demonstrating how to crack Windows passwords I will provide some tips for ensuring you are not vulnerable to these types of attacks.
How Windows Stores Passwords
Windows-based computers utilize two methods for the hashing of user passwords, both having drastically different security implications. These are LAN Manager (LM) and NT LAN Manager version 2 (NTLMv2). A hash is the result of a cryptographic function that takes an arbitrarily sized string of data, performs a mathematical encryption function on it, and returns a fixed-size string.
LM Password Hashes
The LAN Manager hash was one of the first password hashing algorithms to be used by Windows operating systems, and the only version to be supported up until the advent of NTLMv2 used in Windows 2000, XP, Vista, and 7. These newer operating systems still support the use of LM hashes for backwards compatibility purposes. However, it is disabled by default for Windows Vista and Windows 7.
The LM hash of a password is computed using a six step process:
1.The user’s password is converted into all uppercase letters
2.The password has null characters added to it until it equals 14 characters
3.The new password is split into two 7 character halves
4.These values are used to create two DES encryption keys, one from each half with a parity bit added to each to create 64 bit keys.
5.Each DES key is used to encrypt a preset ASCII string (KGS!@#$%), resulting in two 8-byte ciphertext values
6.The two 8-byte ciphertext values are combined to form a 16-byte value, which is the completed LM hash
In practice, the password “PassWord123” would be converted as follows:
3.PASSWOR and D123000
4.PASSWOR1 and D1230001
5.E52CAC67419A9A22 and 664345140A852F61
Figure 1: A password transformed into an LM hash
LM stored passwords have a few distinct disadvantages. The first of these is that the encryption is based on the Data Encyrption Standard (DES). DES originated from a 1970s IBM project that was eventually modified by NIST, sponsored by the NSA, and released as an ANSI standard in 1981. DES was considered secure for many years but came under scrutiny in the nineties due to its small key size of only 56-bits. This came to a head in 1998 when the Electronic Frontier Foundation was able to crack DES in about 23 hours. Since this, DES has been considered insecure and has since been replaced with Triple-DES and AES. In short, it’s another encryption standard that has fallen victim to modern computing power and can be cracked in no time at all.
Perhaps the biggest weakness in the LM hash is in the creation of the DES keys. In this process, a user supplied password is automatically converted to all uppercase, padded to fourteen characters (this is the max length for an LM hashed password), and split into two seven character halves. Consider that there are 95 to the power of 14different possible passwords made up of 14 printable ASCII characters, this decreases to 95 to the power of 7possible passwords when split into a 7 character half, and then decreases to 69 to the power of 7 possible passwords when you are only allowed uppercase ASCII characters. Essentially, this makes the use of varying character cases and increased password length nearly useless when the password is stored as an LM hash, which makes LM passwords incredibly vulnerable to brute force cracking attempts.
NTLMv2 Password Hashes
NT LAN Manager (NTLM) is the Microsoft authentication protocol that was created to be the successor of LM. Eventually enhanced, NTLMv2 was accepted as the new authentication method of choice and implemented with Windows NT 4.
The creation of an NTLMv2 hash (henceforth referred to as the NT hash) is actually a much simpler process in terms of what the operating system actually does, and relies on the MD4 hashing algorithm to create the hash based upon a series of mathematical calculations. The MD4 algorithm is used three times in order to produce the NT hash. In practice, the password “PassWord123” would be represented as an MD4 hash with “94354877D5B87105D7FEC0F3BF500B33”.
Figure 2: A password being transformed into an NTLMv2 hash
MD4 is considered to be significantly stronger than DES as it allows for longer password lengths, it allows for distinction between uppercase and lowercase letters and it does not split the password into smaller, easier to crack chunks.
Perhaps the biggest complaint with NTLMv2 created hashes is that Windows does not utilize a technique called salting. Salting is a technique in which a random number is generated in order to compute the hash for the password. This means that the same password could have two completely different hash values, which would be ideal.
With this being the case, it is possible for a user to generate what are called rainbow tables. Rainbow tables are not just coffee tables painted with bright colors; they are actually tables containing every single hash value for every possible password possibility up to a certain number of characters. Using a rainbow table, you can simply take the hash value you have extracted from the target computer and search for it. Once it is found in the table, you will have the password. As you can imagine, a rainbow table for even a small number of characters can grow to be very large, meaning that their generation, storage, and indexing can be quite a task.
I know you are here to kill me. Shoot, coward, you are only going to kill a man.
Thanked by 1 Member:
Posted 16 September 2010 - 10:34 PM
In the first part of this series we examined password hashes and the mechanisms Windows utilizes to create and store those values. We also touched upon the weaknesses of each method and possible avenues that can be used to crack those passwords. In the second and final article in this series I will actually walk you through the process of cracking passwords with different free tools and provide some tips for defending against having your password cracked.
It is always crucial to note that the techniques shown here are strictly for educational purposes and should not be used against systems for which you do not have authorization for.
Obtaining Password Hashes
In order to crack passwords you must first obtain the hashes stored within the operating system. These hashes are stored in the Windows SAM file. This file is located on your system at C:\Windows\System32\config but is not accessible while the operating system is booted up. These values are also stored in the registry at HKEY_LOCAL_MACHINE\SAM, but again this area of the registry is also not accessible while the operating system is booted.
There are a few different options here depending on the level of access you have to the machine you are auditing.
If you have physical access, one of the most effective methods is to boot the computer into a different operating system. If you are comfortable using Linux then this means you can simply boot to a Linux live CD that is capable of reading NTFS drives, mount the Windows partition, and copy the SAM file to external media.
If you are not quite comfortable doing this, you can use P. Nordahl’s famed Offline NT Password Editor, available here. This is a bootable Linux distribution designed to aid system users who have forgotten their passwords by allowing them to reset them. The software takes the users input, creates a valid hash, and replaces the old hash in the SAM file with the new one. This is useful to us because we can also use the distribution to simply read the SAM file and get the hash data.
In order to do this, boot from the CD image and select your system partition, the location of the SAM file and registry hives, choose the password reset option , launch the built in registry editor , browse to SAM\Domain\Account\Users, browse to the directory of the user you wish to access, and use the cat command to view the hash contained in the files. The output will be in hex format, but it works with a simple conversion.
Figure 1: Hex output of the SAM hash
Before using the Offline NT Password Editor to actually reset a password, be sure that you are not using Encrypted File System (EFS) on anything released after Windows XP/2003. If you do this, it will cause the operating system to lose its EFS keys, resulting in more problems than just a forgotten password.
If you are performing password auditing activities without physical access to the device in question, but you still have console access through remote desktop or VNC, then you can obtain password hashes through the use Fizzgig’s fgdump utility, obtainable here.
Once you have downloaded fgdump to host you can simply run it with no options to create a dump of the local machine SAM file.
Figure 2: Confirmation the Fgdump Utility Ran Correctly
Once this is completed, a file will be generated in the same directory the utility was launched from that contains a list of all user accounts, their LM hashes, and their NTLMv2 hashes.
Figure 3: Password Hashes Output by Fgdump
Finally, if you do not have any interactive access to the machine that has the hashes you want, your best bet is to attempt to sniff the hashes as they travel across the network during the authentication process. Of course, this will only work if the client is authenticating to a domain controller or accessing resources on another client, otherwise, you are more out of luck than a one armed man in a paper hanging contest.
If you are on the same network segment as the target client you can use the Cain and Abel program to intercept the password hashes as they are transmitted between devices. Cain and Abel is a free utility downloadable from here.
http://www.oxid.it/cain.htmlUsing Cain and Abel you can initiate a process called ARP cache poisoning, which is a man in the middle attack that takes advantage of the ARP protocol to route the traffic between two hosts through your computer. While ARP cache poisoning is active you can use Cain and Abel’s built in network sniffer, making it possible for you to intercept NTLM password hashes that are being communicated between the poisoned hosts. The theory behind ARP cache poisoning and how to do it are another lesson in itself and a bit beyond the scope of this article, but if you wish to learn more about ARP cache poisoning you can do so here.
Cracking Passwords Using Cain and Abel
Now that we actually have password hashes we can try to crack them. If you have already downloaded and installed Cain & Abel then you are already a step ahead because we will be using it to crack our sample LM passwords.
If you have not yet installed Cain and Abel you can download it from here.
http://www.oxid.it/cain.htmlThe installation is just a matter of hitting next a few times. If you do not already have it installed, you will also be prompted to install the WinPCap packet capture driver used for Cain and Abel’s sniffing features. Once installed you can launch the program and click on the Cracker tab near the top of the screen. After doing this, click on the LM & NTLM Hashes header in the pane on the left, right click in the blank area in the center of the screen, and select Add to List.
Cain will not accept a simple copy and paste of the password hash, so you will have to place the hash in a text file formatted a special way. If you extracted your hashes using fgdump then you should already have the text file you need, which contains hashes on a line by line format.
Figure 4: Accepted Formatting of Passwords Hashes
If you extracted your password hashes manually you will need to create a file with a line entry for every user account. Each line should contain the username, the relative identifier (RID) portion of the users SID, and the hashes. The format of these elements should be:
Browse to this file, select it, and click next to import the hashes into Cain and Abel. Once this is done, you can right click the account whose password you want to crack, select the Brute Force Attack option, and choose LM hashes. The brute force attack method attempts every possible password combination against the hash value until it finds a match. On the screen that follows you can select the characters you want to use for the brute force attack and the minimum and maximum password lengths. Notice that the character set is automatically configured to use only uppercase characters and number with a maximum length of 7, due to the characteristics of LM hashes.
In our example scenario where we have a password of PassWord123 we will see immediate partial results as the program returns that “Plaintext of 664345140A852F61 is D123”. We have already cracked the second half of the password hash. On a modern computer, going through every single possible password combination should take no longer than 2 ½ to 3 hours, guaranteeing an eventual success.
Figure 5: Cain Successfully Cracks the LM Password Hash
Cracking Passwords Using John the Ripper
Cain and Abel does a good job of cracking LM passwords but it is a bit slow and its functionality for cracking NTLMv2 hashes is even slower. If you are comfortable using the command line for your password cracking activities, then John the Ripper is one of the fastest and most highly preferred cracking engines.
You can download John the Ripper from here.
http://www.openwall.com/john/Once you have extracted the contents of the file you will find the john-386.exe executable in the /run subdirectory. John has a few different modes it can be run in, but to run it in its default mode all you have to do is supply the file containing the password hash as an argument when you run the executable from a command prompt.
Figure 6: John the Ripper Attempting to Crack a Password
Once it has completed, John the Ripper displays the cracked passwords and stores the results in its john.pot file. In most situations the default cracking mode is fine, but John the Ripper also has these cracking modes available:
Single Crack Mode – Uses variations of the account name
Wordlist Mode – Relies on a dictionary for password guesses
Incremental Mode – Relies on a brute-force style attack
External Mode – Relies on another (user supplied) application for password guessing
John is very efficient in all of its cracking modes and is my typical program of choice for password cracking.
Cracking Passwords Using Rainbow Tables
When you suspect an NTLMv2 password of being highly complex and in turn being too time consuming to crack, the only logical resolution is the use of rainbow tables. A rainbow table is a lookup table consisting of password hashes for every possible password combination given the encryption algorithm used. As you can imagine, rainbows tables can take up quite a bit of storage space. In the past these tables were far too processor and storage space intensive to create and store, but with the advances of modern computing its becoming more and more common for both ethical penetration testers and malicious hackers to keep external hard drives containing sets of rainbow tables.
Finding a place to generate or download a set of rainbow tables is just a Google search away if you prefer to do that, but there are better methods for the “casual” password cracker. One such method is by using a web service containing its own set of rainbow tables. One such web service is this. This site maintains multiple sets of rainbow tables for which you can submit password hashes for cracking, along with a list of recently cracked passwords for efficiency.
In order to submit hashes to plain-text.info you can simply click the Add Hashes link to specify the hash and encryption mode. If this hash has already been cracked then you will be displayed results, and if not this will submit the hash into the queue. You can monitor the queue status by going to the Search link and searching for the hash, which will tell you its queue position. Complex passwords can often taken some time via this method, but it is typically quicker than allowing your own hardware to do the work.
Defending Against Password Cracking
People tend to think that the goal of encryption is to make encrypted text to where nobody can ever decipher it, but this is a bit of an ill conceived notion. That thought relies on the belief that computers are able to generate random numbers for the purposes of encryption, but in all honestly computers don’t do “random” so well, as “random” is completely reliant upon programmed logic. As a result of this, the real goal of encryption is to make the encrypted text so hard to crack that the amount of time it would take to crack outweighs the benefit of doing so.
With this in mind, there are a few things that can be done on a windows system to prevent your password from being cracked.
Use Complex and Changing Passwords
The most logical way to prevent people from cracking your password is to make it incredibly complex. If your password contains lowercase letters, uppercase letters, numbers, special symbols, and is fairly long, it won’t be able to be cracked in any reasonable amount of time. In order to given things an added degree of complexity, changing your password frequently means that when an attacker cracks your password it will have already been changed. There is no single greater defense than using a strong password that is changed frequently.
Disable LM Hashing
By now you should be thoroughly versed on the weaknesses of LM hashes. The good thing for us is that we do not have to use them anymore. Modern Windows operating systems can be configured to use NTLMv2 exclusively with a few registry modifications.
You can disable the storage of LM hashes by browsing to HKLM\System\CurrentControlSet\Control\LSA in the registry. Once there, create a DWORD key named NoLMHash, with a value of 1.
Another step is to disable LM authentication across the network. Once again, browse to HKLM\CurrentControlSet\Control\LSA. Once there, locate the key named LMCompatibiltyLevel. This can be set to 3 to send NTLMv2 authentication only which is a great setting for domain clients. The alternative is to set this value to 5 which configured the device to only accept NTLMv2 authentication requests, which is great for servers.
The only instance in which these settings might cause an issue are cases in which you have Windows NT 4 and older client on your network. However, in all honesty, if you still have those types of systems on your network then getting rid of them is the best security device I can give you.
SYSKEY is a Windows feature which can be implemented to add an extra 128 bits of encryption to the SAM file. SYSKEY works by the use of a user created key which is used to encrypt the SAM file. Once enabled, SYSKEY cannot be disabled.
It’s important to keep in mind that SYSKEY only protects the SAM file itself, securing it against being copied. SYSKEY does NOT protect against tools which extract hashes from running memory, such as Cain and fgdump.
You can read more about SYSKEY at:
I know you are here to kill me. Shoot, coward, you are only going to kill a man.
Thanked by 3 Members:
Posted 17 September 2010 - 06:40 AM
Cheers mate :-)
Thanked by 1 Member:
Thanked by 1 Member:
Thanked by 1 Member:
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users