NTLM Passwords: Can’t Crack it? Just Pass it!

In my prior article, “Cracking 14 Character Complex Passwords in 5 Seconds”, we looked at how safe Windows LM-based passwords were. But what about NTLM-based passwords?

Windows systems usually store the NT hash (commonly called the NTLM hash) right alongside the LM hash. Of the two, the NT hash is the stronger: it is an MD4 digest of the full, case-sensitive Unicode password, whereas the LM hash is built from an upper-cased version of the password cut off at 14 characters.

What many readers wanted to know is how much longer it would take to access the user account if only the NT hash was available.

This is a great question, and the answer is that, if certain circumstances are met and a certain technique is used, it could take the same amount of time. Even more shocking is the fact that it may actually be quicker.

Let me explain: if you can retrieve the LM or NT hashes from a computer, you do not need to crack them. There is really no need. NTLM authentication uses the hash itself, not the password, as the key in its challenge-response exchange, so you can take the hash as-is and authenticate to the system with it. This technique is called “Pass the Hash”.
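To make concrete why the hash alone is enough, here is an added example (my own code, not part of the original article and not the Backtrack tool’s code). It computes the NT hash exactly as Windows stores it (unsalted MD4 over the UTF-16LE password) and then produces a valid NTLMv2 challenge-response using nothing but that hash. The user name, domain, both challenges, the timestamp and the target info are constructed stand-ins for what a real NEGOTIATE/CHALLENGE exchange carries. Because the client key (NTOWFv2) is derived from the NT hash rather than from the password, anyone holding the hash can answer the server’s challenge; that is the whole of pass-the-hash, and it holds for NTLMv2 just as for the older LM and NTLMv1 responses.

```python
import hmac
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Written out because OpenSSL 3 ships MD4 only
    as a 'legacy' algorithm, so hashlib.new('md4') fails on many systems."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    r2_order = [(i % 4) * 4 + i // 4 for i in range(16)]   # 0,4,8,12,1,5,9,13,...
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            t = (a + f(b, c, d) + x[i]) & MASK32
            a, b, c, d = d, _rotl(t, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            t = (a + g(b, c, d) + x[r2_order[i]] + 0x5A827999) & MASK32
            a, b, c, d = d, _rotl(t, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            t = (a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK32
            a, b, c, d = d, _rotl(t, (3, 9, 11, 15)[i % 4]), b, c
        a, b = (a + aa) & MASK32, (b + bb) & MASK32
        c, d = (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash as stored in the SAM: unsalted MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    UPPER(user) || domain in UTF-16LE. The password itself never appears."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_blob(timestamp: bytes, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure of MS-NLMP 3.3.2: 0x01 0x01, six zero bytes, FILETIME,
    8-byte client nonce, four zero bytes, the server's AV_PAIR list, four zero bytes."""
    return (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nthash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: NTLMv2_RESPONSE = NTProofStr || blob, where
    NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob). Only the hash is needed."""
    proof = hmac.new(ntowf_v2(nthash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_ntlmv2(stored_nthash: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute NTProofStr from the stored NT hash and the blob the
    client echoed back, then compare in constant time."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nthash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def pass_the_hash_demo() -> bool:
    """The attacker holds only the dumped NT hash of the 36-character passphrase
    from the article, never the passphrase, and still gets the server to accept."""
    user, domain = "alice", "WORKGROUP"                                # constructed identifiers
    stored_hash = nt_hash("TheQuickBrownFoxJumpsOverTheLazyD0g!")     # what the target keeps in its SAM
    dumped_hash = stored_hash                                          # what a hash dump hands the attacker
    # Constructed protocol values; a real exchange carries them in the CHALLENGE message
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_challenge = bytes.fromhex("ffeeddccbbaa9988")
    timestamp = struct.pack("<Q", 132000000000000000)                  # constructed FILETIME
    nb_domain = "WORKGROUP".encode("utf-16-le")
    target_info = struct.pack("<HH", 2, len(nb_domain)) + nb_domain + b"\x00" * 4  # MsvAvNbDomainName, MsvAvEOL
    blob = ntlmv2_blob(timestamp, client_challenge, target_info)
    response = ntlmv2_response(dumped_hash, user, domain, server_challenge, blob)  # no password involved
    return verify_ntlmv2(stored_hash, user, domain, server_challenge, response)


if __name__ == "__main__":
    print("NT hash of empty password:", nt_hash("").hex())      # 31d6cfe0d16ae931b73c59d7e0c089c0
    print("pass-the-hash accepted by server:", pass_the_hash_demo())
```

Run it and the empty-password NT hash printed is the Administrator hash that appears in the second article below; nothing in `pass_the_hash_demo` after the dump references the passphrase, which is the point.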

Several programs exist that perform “Pass the Hash” attacks. In this example I used the “Pass the Hash” capability of Backtrack 4. What is nice about this is that once you retrieve the hash, you can copy it and place it right into Backtrack 4’s “Pass the Hash” routine.

I will not show the step-by-step process, but I will show you the passwords used and the outcome. The password hashes are taken from a fully updated Windows XP SP3 system and a Windows 7 system. Without further ado, let’s see this in action.

First we will try feeding the XP hash for the 17-character password %P”m<[87cR?^)+=Tu into the “Pass the Hash” program and see if we can log in with it.

But before we do, let’s make sure Objectif’s online XP hash cracker can’t crack it:

Hash: aad3b435b51404eeaad3b435b51404ee:473f053cd2e842a2faacff9d4888f051
Password: LM hash empty, NT hash cannot be cracked by this table.

OK, so we know that we only have an NT hash: the first half, aad3b435b51404eeaad3b435b51404ee, is the LM hash of an empty password, which is what Windows stores when the password is longer than 14 characters or LM hash storage is disabled. Let’s see if we can get into the system by just passing the hash.

Placing the hash into the program, a few seconds later we get this:

Process 3540 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

An open session with the PC and a remote shell. Looks like it worked…

Now let’s try the same 17-character complex password on the Windows 7 PC.

Placing the Windows 7 hash into the program, we get this:

Process 3392 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>

A Windows 7 remote shell. Wow, that worked too.

Let’s try one last one:

Long passphrases with multiple words are more secure, right?

Password:  TheQuickBrownFoxJumpsOverTheLazyD0g!

And the results? A Windows 7 remote command prompt.

Does the password length make any difference at all? Using this technique, the answer is no. Length and complexity made no discernible difference, because we are passing the hash as-is and never cracking it: the 36-character passphrase and the 17-character random string both reduce to a 16-byte NT hash, and the hash is all the authentication needs.

What can be done to prevent this type of attack? Using the built-in Windows Firewall on the Windows 7 machine was a hindrance, since the attack works over SMB and needs an inbound connection to the target to authenticate and set up the shell.

I also found that this attack would not work at all on Windows 7 if the User Account Control (UAC) setting was turned on to any level except “Do Not Notify Me”. The utility that many complained about in Windows Vista (and turned off!) actually does improve the security of your system: with UAC enabled, a local administrator account other than the built-in Administrator receives a filtered, non-elevated token when it logs on over the network (the “remote UAC” restriction), so the passed hash authenticates but cannot reach the administrative shares the remote shell needs.

Additionally, turning off LM and NTLM altogether and enabling NTLMv2 thwarted this attack. This was accomplished by setting the authentication level to “Send NTLMv2 response only\refuse LM & NTLM” in the security policy (Network security: LAN Manager authentication level, LmCompatibilityLevel 5). One caveat: this stops tools that only speak LM or NTLMv1. The NTLMv2 response is still computed from the NT hash, so a tool that implements NTLMv2 can pass the same hash; the setting raises the bar rather than removing the weakness.
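The policy setting above lives in the registry as LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and “Send NTLMv2 response only\refuse LM & NTLM” is level 5. The added example below (my own script, not from the article) audits a security template exported with `secedit /export /cfg <file>` for that value and for the other settings this section touches: NoLMHash (stop storing LM hashes), EnableLUA (UAC on) and LocalAccountTokenFilterPolicy (a value of 1 disables UAC’s remote token filtering for local accounts, if a template carries it). Both INF samples are constructed, and the `MACHINE\<path>=4,<value>` line format (4 = REG_DWORD) is assumed to match what secedit writes.

```python
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
UAC = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"

LM_LEVELS = {  # Network security: LAN Manager authentication level
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only. Refuse LM",
    5: "Send NTLMv2 response only. Refuse LM & NTLM",
}


def parse_registry_values(inf_text: str) -> dict:
    """Map registry path -> (type, raw value) from the [Registry Values] section
    of a secedit export (assumed line format: MACHINE\\<path>=<type>,<value>)."""
    values, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        if in_section and "=" in line:
            path, rhs = line.split("=", 1)
            rtype, _, value = rhs.partition(",")
            values[path.strip()] = (int(rtype), value.strip())
    return values


def audit_pass_the_hash_settings(inf_text: str) -> list:
    """Return findings (strings) for settings that leave the machine open to the
    attack shown above. An empty list means every checked setting is hardened."""
    values = parse_registry_values(inf_text)

    def dword(path):
        entry = values.get(path)
        return int(entry[1]) if entry and entry[0] == 4 else None

    findings = []
    level = dword(LSA + r"\LmCompatibilityLevel")
    if level is None:
        findings.append("LmCompatibilityLevel not configured; the OS default applies and LM/NTLMv1 are still accepted")
    elif level < 5:
        findings.append(f"LmCompatibilityLevel={level} ({LM_LEVELS[level]}); set 5 to refuse LM & NTLM")
    if dword(LSA + r"\NoLMHash") != 1:
        findings.append("NoLMHash != 1: LM hashes are still stored for passwords of 14 characters or fewer")
    if dword(UAC + r"\EnableLUA") != 1:
        findings.append("EnableLUA != 1: UAC is off, so network logons by local administrators get a full token")
    if dword(UAC + r"\LocalAccountTokenFilterPolicy") == 1:
        findings.append("LocalAccountTokenFilterPolicy=1: UAC remote token filtering disabled for local accounts")
    return findings


# Constructed samples in secedit export format (not taken from a real system).
WEAK_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

HARDENED_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for name, inf in (("weak", WEAK_INF), ("hardened", HARDENED_INF)):
        print(name, audit_pass_the_hash_settings(inf) or ["OK"])
```

The weak template reports all four problems; the hardened one reports none. Even a clean result only means LM and NTLMv1 are refused and UAC filtering is in place, not that the NT hash has stopped being password-equivalent.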

Next, one would wonder about just using Kerberos authentication. From what I saw, there seems to be no surefire way to force Kerberos across the board. Also, Infoworld released an interesting article in April called “Don’t count on Kerberos to thwart pass-the-hash attacks”.

Kind of makes multiple authentication methods look pretty enticing, doesn’t it?

Cracking 14 Character Complex Passwords in 5 Seconds

There has been a lot of talk recently in the security community about high speed GPU (video card) processors being able to crack passwords very quickly.

But there is a technology that can crack them even faster. A Swiss security company called Objectif Sécurité has created a cracking technology that uses rainbow tables stored on SSDs.

Apparently it is the disk access time, not the processor speed, that limits rainbow-table lookups, so storing the tables on SSDs makes cracking faster. But just how fast?

One article in March of this year stated that the SSD-based technique could test passwords at a rate of 300 billion per second and decode a complex password in under 5.3 seconds. So, how long would a long, complex password hold up to SSD-based cracking?

Sounds like we need to put this to the test. Most attackers crack passwords from the hash dumps taken off a compromised computer. So, I pulled several 14-character complex password hashes from a compromised Windows XP SP3 test machine to see how they would stand up to Objectif’s free online XP hash cracker. The results were stunning.

Let’s start out with an easy one. Here is the Administrator password hash from the machine:

aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

And putting this into Objectif’s tool we get this response:

Password: Empty password…
Time: 2 seconds

Administrator didn’t set a password, that’s not good…

Okay, that wasn’t 14 characters; let’s try a hard one.

How about this one:

Hash: 17817c9fbf9d272af44dfa1cb95cae33:6bcec2ba2597f089189735afeaa300d4

And the response:

Password: 72@Fee4S@mura!
Time: 5 Seconds

Wow! That took only 5 seconds, and that is a decent password.

Let’s try a few more:

Hash: ac93c8016d14e75a2e9b76bb9e8c2bb6:8516cd0838d1a4dfd1ac3e8eb9811350
Password: (689!!!<>”QTHp
Time: 8 Seconds

Hash: d4b3b6605abec1a16a794128df6bc4da:14981697efb5db5267236c5fdbd74af6
Password: *mZ?9%^jS743:!
Time: 5 Seconds (Try typing that in every day!)

And Finally:

Hash: 747747dc6e245f78d18aebeb7cabe1d6:43c6cc2170b7a4ef851a622ff15c6055
Password: T&p/E$v-O6,1@}
Time: Okay, this one really pushed it to the limits; it took a whole 11 seconds to crack!
(* Ran it through a second time later on and it got it in 3 seconds!)

Very impressive: it took only five to eleven seconds in this test to crack 14-character complex passwords. I was able to create a password that Objectif’s site couldn’t decode; it used characters from the extended ASCII set. But, unfortunately, I could not log into the XP system using it either. 🙂

Want to see how a password would do without having to exploit a system and dump the password hashes? Objectif’s site lets you enter a password and computes the hash for you. Then you can place the hash into the cracker and see how it does.

Granted, these are Windows LM hashes, which Windows 7 and Server 2008 no longer store by default, and not the stronger NT (NTLM) hashes. But I believe that with cracking speeds increasing, relying on passwords alone may no longer be a good security measure. Many companies and government facilities are moving away from using just passwords to two-factor authentication. Biometrics and smartcards are really becoming popular in secure facilities.
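As an added example tying the two articles together (my own code, not from the article and not Objectif’s tool): the first function shows what actually gets hashed for an LM hash, and the second triages a pwdump-style dump using the two hash values that appear on this page. LM upper-cases the password in the OEM code page (cp437 assumed here), pads or truncates it to 14 bytes, splits it into two 7-byte halves and DES-encrypts the constant “KGS!@#$%” with each half as the key. A password longer than 14 characters gets no LM hash at all, which is why the 17-character password in the first article shows the empty value aad3b435b51404eeaad3b435b51404ee, and a password of seven characters or fewer leaves the second half as the empty-half constant aad3b435b51404ee. Each half is therefore an independent, case-insensitive 7-character problem, which is what lets rainbow tables finish in seconds. The DES step itself is omitted (no DES in the standard library); the dump lines, user names and the Guest hashes are constructed.

```python
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty or absent password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password (the Administrator hash above)
EMPTY_LM_HALF = EMPTY_LM[:16]                  # DES_K("KGS!@#$%") with K = seven zero bytes


def lm_des_inputs(password: str):
    """Return the two 7-byte DES keys that LM derives from a password, or None
    when Windows would store EMPTY_LM instead (password longer than 14 bytes).
    OEM code page assumed to be cp437; the DES encryption is not performed here."""
    oem = password.upper().encode("cp437", errors="replace")
    if len(oem) > 14:
        return None
    padded = oem.ljust(14, b"\x00")
    return padded[:7], padded[7:]


def triage_pwdump(dump: str) -> list:
    """Classify pwdump-format lines (user:rid:LM:NT:::) by how they fare against
    the two attacks on this page: LM rainbow tables and pass-the-hash."""
    report = []
    for line in dump.strip().splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        user, lm, nt = fields[0], fields[2].lower(), fields[3].lower()
        if nt == EMPTY_NT:
            status = "EMPTY PASSWORD"
        elif lm == EMPTY_LM:
            status = "NT hash only: immune to LM tables, still usable for pass-the-hash"
        elif lm[16:] == EMPTY_LM_HALF:
            status = "LM stored, password <= 7 chars: a single 7-char half to crack"
        else:
            status = "LM stored, 8-14 chars: two independent 7-char halves, seconds with tables"
        report.append((user, status))
    return report


# Constructed dump. Administrator, Dan and Sam carry the hashes quoted in the articles
# (the user names are made up); both of Guest's hashes are made-up values whose LM
# second half is the empty-half constant.
SAMPLE_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Dan:1003:17817c9fbf9d272af44dfa1cb95cae33:6bcec2ba2597f089189735afeaa300d4:::
Sam:1004:aad3b435b51404eeaad3b435b51404ee:473f053cd2e842a2faacff9d4888f051:::
Guest:501:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

if __name__ == "__main__":
    print(lm_des_inputs("72@Fee4S@mura!"))   # the 14-char password cracked in 5 seconds above
    for user, status in triage_pwdump(SAMPLE_DUMP):
        print(f"{user:14} {status}")
```

The 14-character password that fell in 5 seconds becomes the two keys `72@FEE4` and `S@MURA!`, each attacked on its own; the triage marks the 17-character password’s account as NT-only, safe from the LM tables but exactly the case the first article passes straight through.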

And if the rumors are true, it looks like Microsoft may include facial recognition authentication in the next version of Windows. Time to dust off the old Web Cam…

* UPDATE:

Curious how long Windows 7 NTLM can hold up to password hash attacks? Check out “NTLM Passwords: Can’t Crack it? Just Pass it!”

Or prefer just pulling passwords in plain text instead of having to crack them? Check out Mimikatz.

GPU Crackers make Seven Character Passwords Inadequate

That’s the news from the Georgia Tech Research Institute. Using a graphics processing unit (GPU) to crack passwords is not new. But with the speeds GPUs are now reaching, they can easily brute-force any password of up to seven characters.

According to the GTRI case study, “We’ve been using a commonly available graphics processor to test the integrity of typical passwords of the kind in use here at Georgia Tech and many other places,” said Richard Boyd, a senior research scientist at the Georgia Tech Research Institute (GTRI).

“Right now we can confidently say that a seven-character password is hopelessly inadequate – and as GPU power continues to go up every year, the threat will increase.”

So, how fast have graphics processors become? Today’s graphics cards can run at speeds approaching 2 teraflops, where a teraflop is one trillion floating-point operations per second. To put that speed in perspective, the fastest supercomputer in the year 2000 ran at about 7 teraflops, and it was a $110 million monster of linked computers. Now imagine all of that speed turned to brute-forcing passwords. That is exactly what GPU-based password-cracking software does.

How long should passwords be? According to the case study, “any password shorter than 12 characters could be vulnerable – if not now, soon.”

So, what do we do? According to an article on GCN, the best defense against this is to use sentences for your passwords. I wholeheartedly agree and actually use this for my own personal passwords. Take something that means something to you and make a password out of it. Throw in a few special characters for added safety. For example:

MyV0lksw@genIsTheF@stestC@r!   (Don’t even try this on my systems, I am a MOPAR nut)

It is easy to remember because it means something to you. It is complex because it uses upper- and lower-case letters, symbols and a number, and it is very long.

GPUs will become faster as time goes on, so the time of using passwords alone to protect your systems may be at an end. The GCN article recommends using a two part system for authentication. “Agencies have gradually been moving toward two-factor authentication systems, which take some of the pressure off of passwords. As the processing units available to attackers become increasingly powerful, two-factor systems could become even more necessary.”

The upcoming Windows 8 is supposed to have facial recognition built in. According to Windows8News, the feature will be called “My PC Knows Me”. The feature will provide enhanced login security, including facial recognition augmented with password or fingerprint authentication. The PC will also be able to detect when the user walks away and automatically put itself to sleep.

Very amazing indeed, but I will not be impressed until the computer can detect your face, change your status to “busy”, pull up the latest news you like and automatically make your favorite cup of coffee. 🙂

Want to know more? Check out these newer articles:

Cracking 14 Character Complex Passwords in 5 Seconds
No need to crack complex 20 character passwords, Just pass them

Book Review: “OWNED: Why Hacking Continues to be a Problem” by Mister Reiner

Mister Reiner gave me a copy of this book quite a while ago. I have finally gotten around to reading it, and I was pleasantly surprised. With so many quality titles out there on computer security, honestly I was a bit skeptical, but this book brings a breath of fresh air.

I loved Mister Reiner’s introduction. I feel that his battle of convincing co-workers that their network has in fact been penetrated is echoed in many workplaces around the world. Sometimes the hardest people to convince that there has been a computer intrusion are those who are in charge of securing the network.

With the majority of my experience being in the small business field, I was very impressed with chapter 2, “The Standard Security Template”. This is probably one of the best step-by-step views of securing a new small network that I have yet seen in print. Most books focus on large corporate networks, but Mister Reiner has provided an excellent setup guide for securing a small network. Mister Reiner also covers the basic knowledge needed to secure a system and the importance of system documentation.

Next, Mister Reiner takes a look at hackers and their tactics. Chapter 5, “Hacking 201 – Getting more technical”, is one of my favorite chapters. In this chapter, Mister Reiner gives you a unique, over-the-shoulder view of a hack in progress. Even though it is not a technical, in-depth, step-by-step how-to, it still gives you an amazing view into what hackers target and how they would operate against an online database server.

Mister Reiner continues with a look at the different skill levels of hackers and how skill level determines their operational techniques. This includes recon, mapping of a network, and using e-mail to penetrate a system. Once in, Mister Reiner shows some of the techniques hackers use to consolidate their hold on the network using smart Trojans and sleepers.

Finally, Mister Reiner wraps up the book with a look at the monumental task of deciphering and catching malicious traffic through logs and intrusion detection systems. With the holes in operating systems and applications, the volumes of data to monitor and the ever-present human factor, I wholeheartedly agree with Mister Reiner’s summation, which is that to completely secure a system we need to “Throw out all the hardware, operating systems and applications we use now – and reengineer everything from scratch.”

“OWNED: Why Hacking Continues to be a Problem” gives a very good look at network security, the tactics of hackers and the struggles of securing systems against these threats. The book is not overly technical and is easy to read. If you are new to computer security and want to know more, I highly recommend this book.