This page has moved to a new address.

NTLM Passwords: Can’t Crack it? Just Pass it!

body { background:#aba; margin:0; padding:20px 10px; text-align:center; font:x-small/1.5em "Trebuchet MS",Verdana,Arial,Sans-serif; color:#333; font-size/* */:/**/small; font-size: /**/small; } /* Page Structure ----------------------------------------------- */ /* The images which help create rounded corners depend on the following widths and measurements. If you want to change these measurements, the images will also need to change. */ @media all { #content { width:740px; margin:0 auto; text-align:left; } #main { width:485px; float:left; background:#fff url("") no-repeat left bottom; margin:15px 0 0; padding:0 0 10px; color:#000; font-size:97%; line-height:1.5em; } #main2 { float:left; width:100%; background:url("") no-repeat left top; padding:10px 0 0; } #main3 { background:url("") repeat-y; padding:0; } #sidebar { width:240px; float:right; margin:15px 0 0; font-size:97%; line-height:1.5em; } } @media handheld { #content { width:90%; } #main { width:100%; float:none; background:#fff; } #main2 { float:none; background:none; } #main3 { background:none; padding:0; } #sidebar { width:100%; float:none; } } /* Links ----------------------------------------------- */ a:link { color:#258; } a:visited { color:#666; } a:hover { color:#c63; } a img { border-width:0; } /* Blog Header ----------------------------------------------- */ @media all { #header { background:#456 url("") no-repeat left top; margin:0 0 0; padding:8px 0 0; color:#fff; } #header div { background:url("") no-repeat left bottom; padding:0 15px 8px; } } @media handheld { #header { background:#456; } #header div { background:none; } } #blog-title { margin:0; padding:10px 30px 5px; font-size:200%; line-height:1.2em; } #blog-title a { text-decoration:none; color:#fff; } #description { margin:0; padding:5px 30px 10px; font-size:94%; line-height:1.5em; } /* Posts ----------------------------------------------- */ .date-header { margin:0 28px 0 43px; font-size:85%; line-height:2em; text-transform:uppercase; letter-spacing:.2em; color:#357; } .post { margin:.3em 0 25px; padding:0 13px; border:1px dotted #bbb; border-width:1px 0; } .post-title { margin:0; font-size:135%; line-height:1.5em; background:url("") no-repeat 10px .5em; display:block; border:1px dotted #bbb; border-width:0 1px 1px; padding:2px 14px 2px 29px; color:#333; } a.title-link, .post-title strong { text-decoration:none; display:block; } a.title-link:hover { background-color:#ded; color:#000; } .post-body { border:1px dotted #bbb; border-width:0 1px 1px; border-bottom-color:#fff; padding:10px 14px 1px 29px; } html>body .post-body { border-bottom-width:0; } .post p { margin:0 0 .75em; } { background:#ded; margin:0; padding:2px 14px 2px 29px; border:1px dotted #bbb; border-width:1px; border-bottom:1px solid #eee; font-size:100%; line-height:1.5em; color:#666; text-align:right; } html>body { border-bottom-color:transparent; } em { display:block; float:left; text-align:left; font-style:normal; } a.comment-link { /* IE5.0/Win doesn't apply padding to inline elements, so we hide these two declarations from it */ background/* */:/**/url("") no-repeat 0 45%; padding-left:14px; } html>body a.comment-link { /* Respecified, for IE5/Mac's benefit */ background:url("") no-repeat 0 45%; padding-left:14px; } .post img { margin:0 0 5px 0; padding:4px; border:1px solid #ccc; } blockquote { margin:.75em 0; border:1px dotted #ccc; border-width:1px 0; padding:5px 15px; color:#666; } .post blockquote p { margin:.5em 0; } /* Comments ----------------------------------------------- */ #comments { margin:-25px 13px 0; border:1px dotted #ccc; border-width:0 1px 1px; padding:20px 0 15px 0; } #comments h4 { margin:0 0 10px; padding:0 14px 2px 29px; border-bottom:1px dotted #ccc; font-size:120%; line-height:1.4em; color:#333; } #comments-block { margin:0 15px 0 9px; } .comment-data { background:url("") no-repeat 2px .3em; margin:.5em 0; padding:0 0 0 20px; color:#666; } .comment-poster { font-weight:bold; } .comment-body { margin:0 0 1.25em; padding:0 0 0 20px; } .comment-body p { margin:0 0 .5em; } .comment-timestamp { margin:0 0 .5em; padding:0 0 .75em 20px; color:#666; } .comment-timestamp a:link { color:#666; } .deleted-comment { font-style:italic; color:gray; } .paging-control-container { float: right; margin: 0px 6px 0px 0px; font-size: 80%; } .unneeded-paging-control { visibility: hidden; } /* Profile ----------------------------------------------- */ @media all { #profile-container { background:#cdc url("") no-repeat left bottom; margin:0 0 15px; padding:0 0 10px; color:#345; } #profile-container h2 { background:url("") no-repeat left top; padding:10px 15px .2em; margin:0; border-width:0; font-size:115%; line-height:1.5em; color:#234; } } @media handheld { #profile-container { background:#cdc; } #profile-container h2 { background:none; } } .profile-datablock { margin:0 15px .5em; border-top:1px dotted #aba; padding-top:8px; } .profile-img {display:inline;} .profile-img img { float:left; margin:0 10px 5px 0; border:4px solid #fff; } .profile-data strong { display:block; } #profile-container p { margin:0 15px .5em; } #profile-container .profile-textblock { clear:left; } #profile-container a { color:#258; } .profile-link a { background:url("") no-repeat 0 .1em; padding-left:15px; font-weight:bold; } ul.profile-datablock { list-style-type:none; } /* Sidebar Boxes ----------------------------------------------- */ @media all { .box { background:#fff url("") no-repeat left top; margin:0 0 15px; padding:10px 0 0; color:#666; } .box2 { background:url("") no-repeat left bottom; padding:0 13px 8px; } } @media handheld { .box { background:#fff; } .box2 { background:none; } } .sidebar-title { margin:0; padding:0 0 .2em; border-bottom:1px dotted #9b9; font-size:115%; line-height:1.5em; color:#333; } .box ul { margin:.5em 0 1.25em; padding:0 0px; list-style:none; } .box ul li { background:url("") no-repeat 2px .25em; margin:0; padding:0 0 3px 16px; margin-bottom:3px; border-bottom:1px dotted #eee; line-height:1.4em; } .box p { margin:0 0 .6em; } /* Footer ----------------------------------------------- */ #footer { clear:both; margin:0; padding:15px 0 0; } @media all { #footer div { background:#456 url("") no-repeat left top; padding:8px 0 0; color:#fff; } #footer div div { background:url("") no-repeat left bottom; padding:0 15px 8px; } } @media handheld { #footer div { background:#456; } #footer div div { background:none; } } #footer hr {display:none;} #footer p {margin:0;} #footer a {color:#fff;} /* Feeds ----------------------------------------------- */ #blogfeeds { } #postfeeds { padding:0 15px 0; }

Tuesday, November 2, 2010

NTLM Passwords: Can’t Crack it? Just Pass it!

In my prior article, “Cracking 14 Character Complex Passwords in 5 Seconds” we looked at how safe Windows LM based passwords were. But what about NTLM based Passwords?

Windows systems usually store the NTLM hash right along with LM hash, the NT hash being more secure. What many readers wanted to know is how much longer would it take to access the user account, if only the NTLM hash was available?

This is a great question, and the answer is, if certain circumstances are met and a certain technique is used, it could take the same amount of time. Even more shocking is the fact that it may actually be quicker.

Let me explain, if you can retrieve the LM or NT hashes from a computer, you do not need to crack them. There is really no need.

Sometimes you can simply take the hash as-is and use it as a token to access the system. This technique is called “Pass the Hash”.

Several programs exist that perform “Pass the Hash” type attacks. In this example I used the “Pass the Hash” capability of Backtrack 4.

What is nice about this is that once you retrieve the hash, you can copy the hash and place it right into Backtrack 4’s “Pass the Hash” routine.

I will not show the step by step process, but will show you the passwords used and the outcome. The password hashes are taken from an updated Windows XP SP3 system and a Windows 7 system.

Without further ado, let’s see this in action.

First we will try feeding the XP hash for the 17 character password %P”m<[87cR?^)+=Tu into the “Pass the Hash” program, and see if we can log in with it.

But before we do, let’s make sure the Objectif’s Online XP Scanner can’t crack it:

Hash: aad3b435b51404eeaad3b435b51404ee:473f053cd2e842a2faacff9d4888f051
Password:  LM hash empty, NT Hash cannot be cracked by this table.”


OK, so we know that we only have an NT hash. Let’s see if we can get into the system by just passing the hash.

Placing the hash into the program, a few seconds later we get this:


Process 3540 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.


An open session with the PC and a remote shell. Looks like it worked…

Now let’s try the same 17 character complex password on the Windows 7 PC.

Placing the Windows 7 hash into the program, we get this:


Process 3392 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright © 2009 Microsoft Corporation. All Rights reserved.


A Windows 7 remote shell. Wow, that worked too.

Let’s try one last one:

Long pass phrases with multiple words are more secure right?

Password:  TheQuickBrownFoxJumpsOverTheLazyD0g!

And the results? A Windows 7 command prompt.

Does the password length make any difference at all? Using this technique the answer is no. The password length or complexity made no discernable difference at all, because we are just passing the hash as-is and not cracking it.

What can be done to prevent this type of attack? Using the built in Windows firewall with the Windows 7 machine was a hindrance.  

I also found that this attack would not work at all on Windows 7 if the User Account Control (UAC) setting  was turned on to any level except “Do Not Notify Me”.

The utility that many complained about in Windows Vista (and turned off!) actually does improve the security of your system.

Additionally, turning off LM and NTLM altogether and enabling NTLMv2 thwarted this attack.

This was accomplished by setting the authentication level to “Send NTLMv2 response only\refuse LM & NTLM” in the security policy.

Next, one would wonder about just using Kerberos authentication. From what I saw, there seems to be no sure fire way to force Kerberos across the board.

Also, Infoworld released an interesting article in April called “Don’t count on Kerberos to thwart pass-the-hash attacks”.

Kind of makes multiple authentication methods look pretty enticing doesn’t it?

Cross-posted from Cyber Arms

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Labels: , ,


Post a Comment

Feel Free to Leave Your Comments/Thoughts Below

Links to this post:

Create a Link

<< Home