RE: Passwords with Lan Manager (LM) under Windows

From: Craig Wright (cwright_at_bdosyd.com.au)
Date: 09/22/05

  • Next message: Roberto De Fazio: "RE: Certification OPST" 
    Date: Thu, 22 Sep 2005 16:51:16 +1000
To: "Thor (Hammer of God)" <thor@hammerofgod.com>, <pand0ra.usa@gmail.com>, <pen-test@securityfocus.com>

    PPS to last post

    IPsec does (or at least can and I am not going into a page of detail to
    describe this now) authenticate the client system BEFORE the Kerberos
    exchange starts

    There are 2 parts -
    1 authenticating the client system
    2 authenticating the user

    IPsec "includes" an authentication protocol. Further - (and should we
    change this section to a separate topic?) 802.1x with certs is also
    supported to add a further layer.

    I also understand that all traffic from any IP port 88 is assumed by MS
    systems to be Kerberos traffic and thus exempt from all IPsec filters
    allowing scanning etc etc. This would be a separate issue and discussion
    if you wish to take that up.

    Craig

    -----Original Message-----
    From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
    Sent: 22 September 2005 3:46
    To: Craig Wright; pand0ra.usa@gmail.com; pen-test@securityfocus.com
    Subject: Re: Passwords with Lan Manager (LM) under Windows

    Well, that's an issue with the client, not NTLMv2. NTLMv2 is tight. LM
    sucks- that's obvious (and it was IBM, not MS that gave us that one.)
    And yes, you can use precomputed tables against NTLM hashes, but not
    against NTLMv2... The NTLM hash is keyed off of the password, but NTLMv2
    hashes up the password with the user's domain/user data when generating
    the key...
    You can't precompile that data into a rainbow, you know?

    Regarding the "IPsec based auth" reference (here I go again), I'd have
    to say that there is no such thing... IPSec negotiation in Windows can
    be based on one of three mechanisms: A pre-shared key, Kerberos, or a
    cert-- it is not an authentication protocol in itself... (the cert being
    the strongest IMO).

    t

    ----- Original Message -----
    From: "Craig Wright" <cwright@bdosyd.com.au>
    To: "Thor (Hammer of God)" <thor@hammerofgod.com>;
    <pand0ra.usa@gmail.com>; <pen-test@securityfocus.com>
    Sent: Wednesday, September 21, 2005 10:05 PM
    Subject: RE: Passwords with Lan Manager (LM) under Windows

    Further to the last post
    There are a number of issues with NTLMv2 and legacy applications such as
    Windows RAS that cause lower levels of authentication

    I still say that Kerberos or IPsec based auth is the best policy in
    windows. LanMan, NTLMv1 or V2 are vulnerable.

    Precomputed tables may have been uncommon 12 months ago - but that was
    then and this is now.

    Cain & Abel will use sorted Rainbow Tables for Cryptanalysis attacks

    Craig

    -----Original Message-----
    From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
    Sent: 22 September 2005 12:00
    To: Craig Wright; pand0ra.usa@gmail.com; pen-test@securityfocus.com
    Subject: Re: Passwords with Lan Manager (LM) under Windows

    ----- Original Message -----
    From: "Craig Wright" <cwright@bdosyd.com.au>
    To: <pand0ra.usa@gmail.com>; <pen-test@securityfocus.com>
    Sent: Wednesday, September 21, 2005 12:32 PM
    Subject: RE: Passwords with Lan Manager (LM) under Windows

    > Even NTLMv2 will break the hashing into chunks which are able to be
    > individually broken down.

    I'm not sure what you mean... NTLMv2 uses a single 128bit key for the
    hash, challenge and response... Or are you referring to the NTLM2
    session response key (56+56+16)? If so, that is not the same thing as
    NTLMv2...
    Can
    you elaborate please ?

    t

    ------------------------------------------------------------------------------
    Audit your website security with Acunetix Web Vulnerability Scanner:

    Hackers are concentrating their efforts on attacking applications on your
    website. Up to 75% of cyber attacks are launched on shopping carts, forms,
    login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
    futile against web application hacking. Check your website for vulnerabilities
    to SQL injection, Cross site scripting and other web attacks before hackers do!
    Download Trial at:

    http://www.securityfocus.com/sponsor/pen-test_050831
    -------------------------------------------------------------------------------

  • Next message: Roberto De Fazio: "RE: Certification OPST"

    Relevant Pages

    • RE: Passwords with Lan Manager (LM) under Windows
      ... "Initial security proposals involve using IPsec-based authentication" ... Passwords with Lan Manager under Windows ... Regarding the "IPsec based auth" reference, ...
      (Pen-Test)
    • Re: Passwords with Lan Manager (LM) under Windows
      ... "advisable to make IPsec-based authentication a part of the authentication ... For authentication, IPSec allows you to use the Kerberos V5 protocol, ... Passwords with Lan Manager under Windows ...
      (Pen-Test)
    • using IPSec with Dial up networking
      ... But i want to use IPSec in ... What do i need to do on Windows 2000 to make ... give their usernames and passwords to others every time i ...
      (microsoft.public.win2000.security)
    • ADFS Development Issues
      ... I am looking for some advice on how to develop a certain type of ADFS ... We have a Web Server - Windows server 2003 R2 EE ... I also got a web service successfully authenticating using adfs as ... the sample claim app and published the web service files into the same ...
      (microsoft.public.windows.server.active_directory)
    • Re: can xp act as server for vpn connection
      ... IPSEC L2TP connections won't work behind a NAT firewall without ... included in Windows XP... ... >>you can set the security policy on the client connection. ...
      (microsoft.public.windowsxp.work_remotely)