RE: ADS Password Storage Protection

In Windows it is LM or NT (sometimes called NTLM) hashes.

NTLMv2 refers to the authenication protocol that exchanges the hash
between the client and server authentication database. Windows has four
choices: Kerberos, NTLMv2, NTLM, and LM. The last two are week, the
first two are strong. You can sniff password hashes (i.e. LM or NT) out
of the authentication streams...but rainbow tables only store password
hashes.

-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm@xxxxxxxx]
Sent: Tuesday, July 18, 2006 12:50 PM
To: Eoin Miller; eric.baechle@xxxxxxx
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: ADS Password Storage Protection

I may be wrong, but I thought rainbow tables only worked with NTLM
passwords. If you force the passwords to be NTLMv2, rainbow tables are
not useful in cracking the passwords.

Dennis

-----Original Message-----
From: Eoin Miller [mailto:eoin.miller@xxxxxxxxxxxxxxxxxxxx]
Sent: Monday, July 17, 2006 6:20 PM
To: eric.baechle@xxxxxxx
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: ADS Password Storage Protection

eric.baechle@xxxxxxx wrote:
Winshel;

Actually, a passphrase is not as secure as a random password. As you
probably have heard, "Don't use dictionary words" over and over again.
Even compound dictionary words are bad, ie: "firedogdalmation".
Compounding dictionary words with spaces, punctuation, and even
gramatically correct modifiers in between is really no different than
without. It's a very simple substitution to try; "firedogdalmation" and
then try "fire dog dalmation", "Fire Dog Dalmation", "Dalmation the Fire
Dog", etc.

Using compound dictionary words could come back to bite you very
quickly, even when used in long phrases.

Sincerely,

Eric Baechle, CISSP/ISSEP, etc.
Senior INFOSEC/OPSEC Engineer
Department of Homeland Security


Password length is still extremely important. A completely randomized 8
character length password is still no match for an attacker with the
rainbow tables at their disposal. Complexity requirements should still
be employed, but having a length requirement of less than 12 characters
is not adaquate. I believe the idea expressed by Winshel of length being
more important than randomness is a result of these types of precomputed
hash attacks.

--Eoin

------------------------------------------------------------------------
---
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice
to master. We can't teach you to hack. But we can teach you what we've
learned so far. Our courses are honest, real, technical and practical.
SensePost willl be at Black Hat Vegas in July. To see what we're about,
visit us at:

http://www.sensepost.com/training.html
------------------------------------------------------------------------
---


------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Relevant Pages

  • Re: NTLM queries
    ... If there is a fallback it will be to ntlmv2, ntlm, or lm. ... ntlm [send ntlmv2 response only, ... "Windows 2000 lan manager authentication level" or download the free Windows ...
    (comp.os.ms-windows.nt.admin.security)
  • Re: NTLM queries
    ... If there is a fallback it will be to ntlmv2, ntlm, or lm. ... ntlm [send ntlmv2 response only, ... "Windows 2000 lan manager authentication level" or download the free Windows ...
    (microsoft.public.win2000.security)
  • RE: Kerberos & NTLM Auth in IIS6
    ... what Authentication Providers do you have set? ... NTLM and Kerberos? ... though currently we are not using NTLMv2 authentication for RPC ... Edit the registry and set the appropriate keys. ...
    (Focus-Microsoft)
  • Re: Potential vulnerabilities of the Microsoft RVP-based Instant Messaging
    ... BK> authentication, the session key is passed from the authority to the ... NTLMv2 can only be used inside domain tree. ... NTLM authentication should never be used to access servers outside ...
    (NT-Bugtraq)
  • Re: Password hashes
    ... NTLM uses the NT hashes of the users password ... > and there is no dedicated NTLM hash for stored passwords. ... > storage of LM hashes of user passwords used my LM authentication. ...
    (microsoft.public.windowsxp.security_admin)