Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords"

• Previous message: Miller, Joseph A: "RE: PT Activity duration/time"
• In reply to: Thor (Hammer of God): "Re: MSFT Bans insecure hashes - was"Passwords with Lan Manager (LM) under Windows""
• Next in thread: dave kleiman: "RE: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords""
• Reply: dave kleiman: "RE: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords""
• Maybe reply: Miguel Dilaj: "RE: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords""
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <pen-test@securityfocus.com>
Date: Mon, 26 Sep 2005 11:20:58 +0100

Hi all,

I've been following both threads with much more interest than time to
answer, so I'll spare a few minutes to produce a "digest" answer. Hope the
moderators allow it ;-)

Regarding "Whitespace in passwords", and as some people already mentioned,
modern password cracking software (both commercial and free) can find
non-printable chars, so space or ALT-whatever are going to be found anyway.
Rainbow tables now tend to include space, but I still haven't heard of
anyone producing a table for 0x00-0xff (0x0000-0xffff if you use extended
unicode chars ;-)
Applications CAN be broken by using strange characters, so YMMV.

In not totally accurate chronological order:

Craig Wright wrote on 19/09/05:
> The success rate is 80.19% for "alpha numeric symbol 32 space" - this is
EVERYthing in NTLM - not just space or extended - the table is 53% derived-
but if you read further - this
> equates to an 80.19% crack rate.

That's not correct. That includes ONLY the charset A-Z{32 symbols}{space}.
It has a few limitations that are not obvious for people unaware of how NTLM
works:

A) it is limited to 7 characters, when NTLM is up to 14 in older Windows,
and (I think) up to 128 on newer ones.
If you don't believe me, see the parameters they pass to rtgen:
        ntlm alpha-numeric-symbol32-space 1 7 0 9000 40000000 #15
Correlate with the syntax:
        algorithm charset minlength maxlength index chainlength chaincount
comment
Use a password of length 8, and you screwed them.

B) it can't handle different case in the password.
Their "alpha-whatever" tables cover A-Z{whatever}.
Their "loweralpha-whatever" tables cover a-z{whatever}.
The password "Admin" won't be cracked.
You need to have "mixAlPhA{whatever}", covering A-Za-z{whatever} to crack
such passwords.

Using alpha tables only is fine for old LM, because the password is always
translated to uppercase, but it won't work for all the case-sensitive
algorithms.

Craig Wright wrote on 20/09/05:
> There is NTLM and not just lanman - even on the areas not completely
cracked - expect this to be a matter of weeks or months to complete and even
with an incomplete table there is even
> with "alpha numeric symbol 14" sets a 80+% crack rate.
>
> Further "alpha numeric symbol 5" does not mean the length is 5 chars - it
is still 14 chars in length. It refers to the symbol set not the length just
as "alpha numeric symbol 14" again
> refers to the symbol set used. (PS the complete lanman "alpha numeric
symbol 14" is available for purchase from the researcher on a set of DVD's
now and 100% complete - just wait for the
> post). Crack one table and get 1 weeks access (or there about)
>
> {snip}
>
> The Rainbow crack default tables are up to 14 chars. Any password of up to
14 chars (with the correct tables)

No, RTFM of rtgen and check the syntax they use.

< personal comment>
I don't like the 1 week access/table they offer. I generated a couple
tables, but the clock start ticking right after they submit the tables, and
it can happen that your week expires before you need it. I would have prefer
"n" usages with no time limitation, however, their tables have the flaws
mentioned above.
I also offered them big computing power in exchange for their LM set (no
need to reinvent the wheel, isn't?), but they never answered my email, so
I'm producing my own customized set of LM, and also some other customized
(and case sensitive!) sets.
</personal comment>

Craig Wright wrote on 20/09/05:
> The "14 character all lowercase passphrase with numbers" set is only 3gb
and it took me a week to generate - without dedicating the hosts - see lm
configuration #5
> at http://www.antsight.com/zsl/rainbowcrack/

Yeah... Check the link "table generation commands" and check the syntax.
Those are up to 7, and you profit from the fact that LM is 2x7. But don't
try to translate that into other algorithms.

Tim wrote on 20/09/05:
> A-z, 0-9 and all special characters is about 44GB and those go only to 7
characters for LanMan (why bother doing more the 7 characters on LanMan?).

Define "all special characters".
If you consider that probably 150 characters (normal, symbols and extended)
can be used for LM, your tables up to length 7 with 99.0% success
probability will be 13.113 GB (feel free to convert to TB), with the
following generation syntax:
        lm test150space 1 7 0 9000 40000000 foobar
If "all special characters" for you means 14 common symbols and space, yes,
they will be 26.8 GB with 99.0% success probability.

Craig Wright wrote on 21/09/05:
> John was a tool which was good a decade ago

And is still the fastest bruteforcer. The "mangling" of dictionary words is
also much better than other tools.

Cedric Baechler asked on 20/09/05:
> Does anyone know which 142-character set is used ? (for LM)

Cedric: I did a quick investigation on that some time ago, without too much
success... I found an interesting reference (I think it was in an article in
SecurityFocus, but I'm not sure) about the fact that some extended
characters can be use in the command line, but not in the GUI (and probably
the opposite as well).
Sorry for not being of help, but that was my $0.01 contribution.

Craig Wright wrote on 23/09/05:
> I still say that Kerberos or IPsec based auth is the best policy in
windows. LanMan, NTLMv1 or V2 are vulnerable.

Kerberos can be attacked as well, thanks to Microsoft who flawed the
Kerberos implementation in Windows.

Thor (Hammer of God) wrote on 25/09/05:
> {one of the best answers in the thread, omitted for brevity}

MY answer to that: clap, clap, clap, clap!

Craig Wright wrote on 23/09/05:
> "Microsoft is banning certain cryptographic functions from new computer
code, citing increasingly sophisticated attacks that make them less secure,
according to a company executive. The
> Redmond, Wash., software company instituted a new policy for all
developers that bans functions using the DES, MD4, MD5 and, in some cases,
the SHA1 encryption algorithm, which is
> becoming "creaky at the edges," said Michael Howard, senior security
program manager at the company, Howard said."
>
> "All three algorithms show signs of 'extreme weakness' and have been
banned, Howard said. Microsoft is recommending using the Secure Hash
Algorithm (SHA)256 encryption algorithm and AES
> (Advanced Encryption Standard) cipher instead, he said.

Well... I hope my rant below is not taking anyone at Microsoft or here by
surprise.

ANY function like:
        h = f(P)

In which the universe of h is of limited size and the universe of P is
infinite (that includes ALL hashing functions, a lot of encryption
functions, etc) will have infinite collisions.
Take for example any 16-byte hash, like MD2, MD4, MD5, NTLM, etc.
You've 0xffffffffffffffffffffffffffffffff (+1, to include the all-zeroes
hash) different hashes,
BUT YOU HAVE INFINITE POSSIBLE PLAINTEXTS (P in the equation above).
That means that you don't only have collisions. You don't only have a big
number of collisions. YOU HAVE AN INFINITE NUMBER OF COLLISIONS.

Take whatever hashing algorithm you want, for example SHA-2 (512), you'll
have
0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffff (+1 ;-) hashes, but
still infinite P.
Paraphrasing late Dr. Carl Sagan in his book "Cosmos": that big number is
not even close to the idea of infinite. It is EXACTLY at the same distance
of infinite than number zero.

Being a humble pentester, I'll leave the honour of discovery to the
mathematicians out there ;-)

Any hashed static password can be attacked after someone finds colliding
vectors.

Regarding article referenced by Mr. Wright:
http://www.codeproject.com/useritems/HackingMd5.asp
The article is very interesting, it shows two vectors that produce the same
MD5 hash, and gives the explanation on how to expand the vectors adding the
same payload to both of them to keep having the same MD5 hash.
Full stop.
The overall idea discussed in the paper is flawed because an attacker still
needs to replace the installer.exe
It will be MUCH BETTER (er... For attackers!) if two vectors starting like
an .exe, with a jump instruction past the length of the vector are found.
Then the vector can be padded with zeroes up to the destination of the jump
instruction, and a payload added that contains:
1) the check of the flag byte to execute evil or good code
2) evil code
3) good code

THEN, we'll be in serious problems... And that hashing will have to be
dropped instantly ;-)

Final rant, other attacks on passwords...
Let's suppose that you use a devilish complex password.
1) An attacker with remote administrative access can install a kernel-level
keylogger in your machine.
2) An attacker with remote non-administrative access can modify VeoVeo can
install it on your machine to use the keylogging functionality only, and not
showing the icon in the tray bar
(http://usuarios.lycos.es/n3kr0m4nc3r/tools/ for a hasty English
translation, Spanish original in www.hackindex.org).
3) An attacker with physical access can plug one of those (or similar)
between your keyboard and your desktop machine:
http://www.keyghost.com/products.htm
There's even a version of a hardware keylogger that's a chip that sits
INSIDE your keyboard ;-)

Enter PKI authentication... You need your certificate and the password of
your private key.
The certificate will typically reside on a private network drive, to be
covered by backup, but even if it's in your local disk, someone with
"password power" level of access (see 3 points above if cracking fails) can
obtain it.
Most users will have the same password for Windows logon and their private
key.
If not, use the keylogging stuff mentioned in the 3 points above ;-)

Last rant: Are you sure you like your XYZ application using Single Sign On
relying on Windows passwords? (I've seen examples...)

Someone mentioned One Time Passwords, and I tend to agree. Using OTPs have
some practical disadvantages (applications not supporting them, etc.), but
is much more secure than static passwords. Probably smart cards will do the
trick.

Well... I think that this email is long enough for people avoid reading it,
so I'll put just an additional tiny bit of info ;-)

In a forthcoming FIST Conference (hopefully in Manchester, UK, provided I
can get a venue for it) I'll discuss the technology we are using to generate
200+ tables in under 3 weeks (and counting!). I'll announce it in due time
on www.oissg.org, and probably here as well.

Gosh... I've to WORK!
Cheers,

Miguel

***********************************************************************************************************
DISCLAIMER:
This e-mail contains proprietary information, some or all of which may be legally privileged.
It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail,
please notify the author by replying to this e-mail. If you are not the intended recipient you may not use,
disclose, distribute, copy, print or rely on this e-mail.
***********************************************************************************************************

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Previous message: Miller, Joseph A: "RE: PT Activity duration/time"
• In reply to: Thor (Hammer of God): "Re: MSFT Bans insecure hashes - was"Passwords with Lan Manager (LM) under Windows""
• Next in thread: dave kleiman: "RE: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords""
• Reply: dave kleiman: "RE: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords""
• Maybe reply: Miguel Dilaj: "RE: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords""
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]