Re: NTLM v2 implementation

From: S.Leyers (s.leyers@subdimension.com)
Date: 12/21/01


From: "S.Leyers" <s.leyers@subdimension.com>
To: <Thor@HammerofGod.com>, <focus-ms@securityfocus.com>
Date: Fri, 21 Dec 2001 18:03:18 +0100


> Well, to use pwdump3, you have to be an administrator on the box anyway...
> So while the admins of the workstations could indeed dump all the users you
> had on that local box and crack the pwd, they could also do anything they
> wanted in regard to keystroke loggers, etc. I would think that you would
> have your workstations all members of your domain though, so that they
> would not have the users stored in the local SAM anyway. If you have an
> administrator on a DC that you don't trust with your usernames and
> passwords, then you've got Bigger Problems(tm).
>
> The real value of NTLMv2 is its strong encryption of the credentials as
> they travel over the wire, where people would be able to sniff the pwd and
> crack it. That being said, Urity has a session at the upcoming Blackhat in
> New Orleans where he will be speaking on "Cracking NTLMv2
> Authentication." I have not seen the materials for the session, so I have
> no idea how this may affect the value of NTLMv2 encryption.
>
> Insofar as removing the LM hash from AD/SAM, that is now a supported
> function for Win2k (SP2) via a registry hack. See article
> Q299656 for more information on how to do this. I think you are well on
> your way, though... Enforcing NTLMv2 and removing the LM Hash from AD/SAM
> is a powerful way to protect your credentials when NTLM is being used.

Q299656 is one of the answers I was looking for.... Many thanks!!!
While it is "only" for W2k SP2 servers/workstations, it is already a good
beginning.

Now regarding pwdump, I know the user needs admin rights (local or domain).
Users are indeed part of my domain, can't boot from floppy/CD-ROM (password
on BIOS), can't read the %systemroot%/repair dir (in case I've set an admin
password during installation), accounts are locked out after 10 retries (some
people already find it too much), ... but I really didn't feel like writing
all the installation and security procedures we use in my post.

The purpose of my mail was that after 'playing' with pwdump/L0pht, I've been
surprised by the effect of the LM hash.
And now that I know that it is a weak point in terms of security, I would like
to correct the problem if possible.

I saw people suggesting in the thread "question regarding SAM file /
l0phtcrack / pwdump2" setting strong passwords that take more time to crack
than the time before you renew the password. I liked the idea, but as far as I've
seen you should renew it every 2 days as long as you have the LM hash in use.

So I tried (unsuccessfully) to remove it, making an intruder's work harder in
case he gets access to a SAM.

So far I've learned that "The real value of NTLMv2 is its strong encryption
of the credentials as they travel over the wire"
and that W2k SP2 supports the removal of the LM hash thanks to the Q299656
article you mentioned. The combination of the two begins to satisfy my
point of view on that matter.... unless Urity's session sheds new light
on it.

Now my last open point on that matter is "what about NT 4 ?" as my servers
are still NT4 sp6a.

Thanks again for all the information you gave me so far!
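As an added example (not part of this thread, and not code from pwdump, L0phtCrack or Microsoft), the following Python audits a pwdump-format dump for accounts that still carry an LM hash, which is the check an administrator would want after applying the Q299656 change: it answers "did the LM hash actually go away?" without cracking anything. The sample dump lines are constructed. The half `AAD3B435B51404EE` is the well-known value the LM algorithm produces for an empty 7-byte password segment, so a dump showing it in both halves means no LM hash is stored, while showing it only in the second half means an LM hash is stored and the password is at most 7 characters.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# LM hashes DES-encrypt a fixed string under each 7-byte half of the
# uppercased password. An empty half yields this well-known constant.
EMPTY_LM_HALF = "AAD3B435B51404EE"
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed sample in pwdump2/pwdump3 format: user:RID:LM hash:NT hash:::
# Hash values are made up; only the LM-half constant is meaningful.
SAMPLE_DUMP = """\
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
alice:1001:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
bob:1002:0123456789ABCDEF0123456789ABCDEF:00112233445566778899AABBCCDDEEFF:::
svc_backup:1003:NO PASSWORD*********************:00112233445566778899AABBCCDDEEFF:::
"""


@dataclass
class Finding:
    user: str
    rid: int
    status: str  # "no_lm", "lm_short" or "lm_present"
    detail: str


def classify_lm(lm_field: str) -> Tuple[str, str]:
    """Classify the LM-hash column of one dump line.

    Some dump tools print a textual marker instead of hex when no LM hash is
    stored (assumption: any non-hex 32-char field is treated that way).
    """
    lm = lm_field.strip().upper()
    if not HEX32.match(lm):
        return "no_lm", "no LM hash stored (non-hex marker in dump)"
    first, second = lm[:16], lm[16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        return "no_lm", "no LM hash stored (both halves are the empty-segment constant)"
    if second == EMPTY_LM_HALF:
        return "lm_short", "LM hash stored; second half empty, so the password is at most 7 characters"
    return "lm_present", "LM hash stored for a password of 8 to 14 characters"


def parse_dump(text: str) -> List[Finding]:
    """Parse user:RID:LM:NT::: lines and classify each account's LM hash."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected user:RID:LM:NT:::, got {raw!r}")
        user, rid, lm_field = parts[0], int(parts[1]), parts[2]
        status, detail = classify_lm(lm_field)
        findings.append(Finding(user, rid, status, detail))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count accounts per status; a non-zero lm_* count means LM removal is incomplete."""
    counts = {"no_lm": 0, "lm_short": 0, "lm_present": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    results = parse_dump(SAMPLE_DUMP)
    for f in results:
        print(f"{f.user:<14} rid={f.rid:<5} {f.status:<11} {f.detail}")
    print(summarize(results))
```

Run against a real dump, any account reported as `lm_short` or `lm_present` still has a crackable LM hash; on Win2k the hash is only dropped the next time that user changes their password, so a non-zero count right after the registry change is expected until passwords have rolled over.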
