NTLM Passwords: Can’t Crack it? Just Pass it!

In my prior article, “Cracking 14 Character Complex Passwords in 5 Seconds” we looked at how safe Windows LM based passwords were. But what about NTLM based Passwords?

Windows systems usually store the NT (NTLM) hash right alongside the LM hash. The NT hash is the stronger of the two: it is an MD4 digest of the UTF-16LE password, with none of the LM weaknesses (splitting into two 7-character halves, uppercasing) that made LM crackable in seconds.

What many readers wanted to know is how much longer would it take to access the user account, if only the NTLM hash was available?

This is a great question, and the answer is that if certain circumstances are met and a certain technique is used, it can take the same amount of time. Even more shocking, it may actually be quicker.

Let me explain. If you can retrieve the LM or NT hashes from a computer, you do not need to crack them. There is really no need. NTLM authentication never sends the password over the wire; the challenge-response is keyed with the hash itself, so whoever holds the hash can answer the challenge exactly as the real user's machine would. You can simply take the hash as-is and use it in place of the password to authenticate to the system. This technique is called “Pass the Hash”.

Several programs exist that perform “Pass the Hash” attacks. In this example I used the “Pass the Hash” capability of BackTrack 4. What is nice about this is that once you retrieve the hash, you can copy it and place it right into BackTrack 4’s “Pass the Hash” routine.

I will not show the step by step process, but will show you the passwords used and the outcome. The password hashes are taken from an updated Windows XP SP3 system and a Windows 7 system. Without further ado, let’s see this in action.

First we will try feeding the XP hash for the 17 character password %P"m<[87cR?^)+=Tu into the “Pass the Hash” program, and see if we can log in with it.

But before we do, let’s make sure the Objectif’s Online XP Scanner can’t crack it:

Hash: aad3b435b51404eeaad3b435b51404ee:473f053cd2e842a2faacff9d4888f051
Password: LM hash empty, NT hash cannot be cracked by this table.

OK, so we know that we only have an NT hash. (The LM value aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password: Windows cannot compute an LM hash for a password longer than 14 characters, so for this 17 character password it stores the empty-password marker instead, which is also what you see on systems where LM hash storage is disabled.) Let’s see if we can get into the system by just passing the hash.

Placing the hash into the program, a few seconds later we get this:

Process 3540 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

An open session with the PC and a remote shell. Looks like it worked…

Now let’s try the same 17 character complex password on the Windows 7 PC.

Placing the Windows 7 hash into the program, we get this:

Process 3392 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>

A Windows 7 remote shell. Wow, that worked too.

Let’s try one last one:

Long pass phrases with multiple words are more secure, right?

Password:  TheQuickBrownFoxJumpsOverTheLazyD0g!

And the results? A Windows 7 remote command prompt.

Does the password length make any difference at all? Using this technique, the answer is no. Password length and complexity made no discernible difference, because we are passing the hash as-is rather than cracking it; the NT hash is the same fixed 16 bytes whether the password is 8 characters or 36, and those 16 bytes are all the authentication exchange ever uses.

What can be done to prevent this type of attack? Using the built-in Windows firewall on the Windows 7 machine was a hindrance. The remote shell depends on reaching the target’s SMB service (TCP 445), and the firewall blocks that inbound traffic unless file and printer sharing has been allowed for the active network profile.

I also found that this attack would not work at all on Windows 7 if the User Account Control (UAC) setting was turned on to any level except the lowest one (“Never notify”). The mechanism behind this is UAC’s remote restrictions: when a local account authenticates over the network, Windows hands it a filtered, non-administrative token, so the admin shares and remote service creation the shell relies on are refused. Setting UAC to “Never notify” turns UAC off entirely, and the token filtering with it. Two caveats a defender should know: the built-in Administrator account (RID 500) and domain accounts are not filtered, so passing their hashes still works, and setting the registry value LocalAccountTokenFilterPolicy to 1 (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) removes the protection for every local account. The utility that many complained about in Windows Vista (and turned off!) actually does improve the security of your system.

Additionally, turning off LM and NTLM altogether and requiring NTLMv2 thwarted this attack in my test. This was accomplished by setting the authentication level to “Send NTLMv2 response only\refuse LM & NTLM” in the security policy (LmCompatibilityLevel = 5 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). One caveat: this defeats tools that only speak LM/NTLMv1, not pass-the-hash itself. The NTLMv2 response is an HMAC-MD5 keyed with the NT hash, so a client that implements NTLMv2 can still authenticate with nothing but the hash. The setting is still worth having, because it kills the LM and NTLMv1 challenge-response (both crackable from a captured exchange), but it is not a cure for pass-the-hash.

Next, one would wonder about just using Kerberos authentication. From what I saw, there seems to be no surefire way to force Kerberos across the board; Windows still falls back to NTLM in many situations. Also, Infoworld released an interesting article in April called “Don’t count on Kerberos to thwart pass-the-hash attacks”.

Kind of makes multiple authentication methods look pretty enticing doesn’t it?

Persistent Cross-Site Scripting (XSS) Demo

If you ever wanted to know how cross-site scripting works, look no further. The video was created by Aleksander Gorkowienko, a database and application security expert with the company 7safe.

In “Cross-Site Scripting Explained”, Aleksander simulates an XSS attack against a fictitious online financial company. He demonstrates how a hacker could jump from one authenticated user (logged in with a password and a PIN) to another by stealing PHP session cookies.

In the attack, Aleksander uses the Browser Exploitation Framework (BeEF), JavaScript and the web application security testing platform Burp Suite. I haven’t played with BeEF in a while, so it was good to see it in action again.

This demonstrates why it is important to test web applications for vulnerabilities like XSS. It also shows why session cookies should carry the HttpOnly flag: script injected through XSS cannot read such a cookie via document.cookie, which blocks this particular hijack even though the XSS itself remains. The video is definitely a must see!

For more information, check out Aleksander’s website IT Security Lab.

F-117A Nighthawk in China?

I was checking out Sean Lawson, Ph.D.’s blog and found an interesting link to IMINT & Analysis – “Open source military analysis, strategic thinking, and Google Earth imagery interpretation.”

I really enjoy open source intelligence and all things military, so you know I just had to investigate. And here is what caught my eye immediately:

F-117A MOCKUP IN CHINA
The image above, captured in March of 2010, depicts an F-117A mockup. Normally, a mockup of the F-117A wouldn’t be a very big deal, but this one is in the middle of Luoyang, China. First spotted by the intrepid members of the China Defense Forum, the mockup appears to be partially completed, apparently missing the forward fuselage.

Now what would an F-117A Stealth Fighter be doing in China? According to the article, the F-117A mockup is sitting at the Electro-Optical Technology Development Center in Luoyang, China. Apparently the center does R&D for Chinese air-to-air missiles.

Check out the IMINT & Analysis site for more information.

The picture above is from Google Earth. You can still see the stealth fighter at coordinates 34.662363° N, 112.429356° E.

Cyber Arms Intelligence Report for October 26th, 2010

Stuxnet and Wikileaks were the top news last week. Questions still abound as to who created Stuxnet. Many believe that it was Israel, but now some are saying that it could be China.

And the intended target was not an Iranian power plant, but India’s space program.

The question remains, though: if Stuxnet attacks Windows-based vulnerabilities, how is Iran even using the software, if Microsoft can’t export to Iran?

But most experts agree that the sophistication of Stuxnet narrows down the likely country of origin. Security company ESET released an in-depth technical analysis (PDF format) of the cyber weapon called “Stuxnet Under the Microscope”.

Wikileaks does it again. But this time they released nearly 400,000 classified reports on the Iraq war. Wired.com had some great articles on the release. Superbombs and Secret Jails: What to Look for in WikiLeaks’ Iraq Docs talks about Iran’s involvement in the Iraq war. And thanks to Wikileaks, we now have proof that there were Weapons of Mass Destruction found in Iraq.

One would wonder how Wikileaks could get away with taunting the United States. In the past, Wikileaks used servers in a converted Swedish cold war nuclear bunker to host their data. But in a brazen move, they recently used mirrors not only in Ireland and France, but also at Amazon.com in the US. The document release was not without incident though. According to one report, Wikileaks was hacked by a very skilled hacker prior to the publication.

Lastly, should cyber-attacks against a NATO nation trigger a physical response? If they are included in Article 5 of the North Atlantic Treaty they could, according to a Miller-McCune article. NATO countries will discuss this next month at its annual conference. I just hope they take Russian Col. Anatoly Tsyganok’s comments to heart when they do: “These attacks have been quite successful, and today the alliance has nothing to oppose Russia’s virtual attacks.”

Other Top Stories from Around the Web:

Iranian Cyber Army providing botnet for rent
It appears the group of cyber attackers who recently went after Twitter and Baidu are running a for-rent botnet.

Google admits to accidentally collecting e-mails, URLs, passwords
According to Google, data was mistakenly collected in more than 30 countries, including the United States, Canada, Mexico, some of Europe, and parts of Asia.

Federal government grapples with cybersecurity staff shortage
The US federal government is facing a severe shortage of cybersecurity staff, according to a panel of cybersecurity experts.

Cyber Crime and Information Warfare: A 30-Year History
What follows are some highlights in the 30-year history of hacking and information warfare.

Firesheep addon allows the clueless to hack Facebook, Twitter over Wi-Fi
Now any person, or idiot, can use Firesheep to scan local Wi-Fi networks and find users who are logged into Facebook, Twitter, Amazon, Google, FourSquare, Dropbox, Hacker News, Windows Live, Cisco, Evernote, WordPress, Flickr, bit.ly and many other services.