Re: NTLM v2 implementation

From: Thor@HammerofGod.com
Date: 12/21/01


From: Thor@HammerofGod.com
To: s.leyers@subdimension.com, focus-ms@securityfocus.com
Date: Fri, 21 Dec 2001 07:46:41 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 01:49 AM 12/21/2001, S.Leyers wrote:
>Sounds that implementing NTLM v2 is pretty useless for the workstations and
>their local admin account.
>Well it even seems strange to me that whatever i do (implement NTLM v2,
>implement password policy to force users to have 7+ characters passwords) my
>efforts to secure that part of my network would be rendered useless by the
>presence of the SAM (or ntds.dit) and the LM Hash in it.
>
>Beside the considerations over NTLM v2, what I would like to have is useful
>long passwords. So far I can put a 15 characters password on my admin account;
>I can find it back through pwdump/L0phtcrack in a matter of hours thanks (?)
>to LM Hash ... so far it is pretty scary.

Well, to use pwdump3, you have to be an administrator on the box anyway...
So while the admins of the workstations could indeed dump all the users you
had on that local box and crack the pwd, they could also do anything they
wanted in regard to keystroke loggers, etc. I would think that you would
have your workstations all members of your domain though, so that they
would not have the users stored in the local SAM anyway. If you have an
administrator on a DC that you don't trust with your usernames and
passwords, then you've got Bigger Problems(tm).

The real value of NTLMv2 is its strong encryption of the credentials as
they travel over the wire, where people would be able to sniff the pwd and
crack it. That being said, Urity has a session at the upcoming Blackhat in
New Orleans where he will be speaking on "Cracking NTLMv2
Authentication." I have not seen the materials for the session, so I have
no idea how this may affect the value of NTLMv2 encryption.

Insofar as removing the LM hash from AD/SAM, that is now a supported
function for Win2k (SP2) via a registry hack. See article
Q299656 for more information on how to do this. I think you are well on
your way, though... Enforcing NTLMv2 and removing the LM Hash from AD/SAM
is a powerful way to protect your credentials when NTLM is being used.

AD
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPCNZYYhsmyD15h5gEQLmUgCeJbF7TSaVXegvgrxGuau5VjJ9YtQAnA6D
IcAqBUgzRnWuQO1de7r8txCU
=af6Z
-----END PGP SIGNATURE-----
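The two hardening steps the reply recommends (enforcing NTLMv2 and stopping LM hash storage) both live under the LSA key in the registry. The following PowerShell script is an added example, not part of the original thread, that audits the current state of a host and optionally applies the settings. It assumes a Windows version on which both settings are DWORD values under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (on the Win2K SP2 builds that Q299656 covers, the NoLMHash setting was created as a subkey rather than a value, so check that article for that platform). The function and parameter names are my own.

```powershell
# Added example (not from the original post): audit and harden the two LSA
# settings discussed in the thread. Run from an elevated PowerShell prompt.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# LmCompatibilityLevel values (documented by Microsoft):
#   0 = send LM & NTLM         3 = send NTLMv2 only
#   1 = NTLMv2 session if negotiated   4 = send NTLMv2, DC refuses LM
#   2 = send NTLM only         5 = send NTLMv2, DC refuses LM and NTLM
$LevelDescriptions = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM and NTLM'
}

function Get-NtlmHardeningState {
    # Report the current values; a missing value means the OS default applies,
    # which on older systems is the weakest setting (LM hashes stored, LM sent).
    $props = Get-ItemProperty -Path $LsaPath
    $level = $props.LmCompatibilityLevel
    $noLm  = $props.NoLMHash
    [pscustomobject]@{
        LmCompatibilityLevel = if ($null -ne $level) { $level } else { '(not set)' }
        LevelMeaning         = if ($null -ne $level) { $LevelDescriptions[[int]$level] } else { 'OS default' }
        NoLMHash             = if ($null -ne $noLm) { $noLm } else { '(not set)' }
        LmHashStorageOff     = ($noLm -eq 1)
        NtlmV2Enforced       = ($null -ne $level -and [int]$level -ge 3)
    }
}

function Set-NtlmHardening {
    param(
        # 3 is safe for a client that only talks to NTLMv2-capable servers;
        # 5 is the strictest and also makes a DC refuse LM/NTLM from clients.
        [ValidateRange(3, 5)] [int] $Level = 3,
        [switch] $Apply   # without -Apply the function only reports what it would change
    )
    $before = Get-NtlmHardeningState
    Write-Host "Current state:" ; $before | Format-List | Out-String | Write-Host

    if (-not $Apply) {
        Write-Host "Dry run: would set LmCompatibilityLevel=$Level and NoLMHash=1 under $LsaPath"
        return $before
    }

    Set-ItemProperty -Path $LsaPath -Name 'LmCompatibilityLevel' -Value $Level -Type DWord
    Set-ItemProperty -Path $LsaPath -Name 'NoLMHash' -Value 1 -Type DWord

    # NoLMHash only stops *new* LM hashes from being written: any account whose
    # password was set before this change keeps its LM hash until the password
    # is changed again, so a forced password change is part of the rollout.
    Write-Host "Applied. Existing accounts keep their LM hash until their password is changed."
    return Get-NtlmHardeningState
}

# Usage:
#   Get-NtlmHardeningState              # audit only
#   Set-NtlmHardening -Level 5          # dry run, shows intended change
#   Set-NtlmHardening -Level 5 -Apply   # write the settings (elevated prompt)
Get-NtlmHardeningState
```

In a domain these two settings are normally pushed by Group Policy rather than edited by hand (the policies appear under Security Options as "Network security: LAN Manager authentication level" and "Network security: Do not store LAN Manager hash value on next password change"); the script is useful for verifying that the policy actually landed on a given host, and its `NtlmV2Enforced` and `LmHashStorageOff` fields are the two facts worth collecting fleet-wide.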


