Re: cracking kerberos password

1. Yes, but if he truly got the hash, then you have other security issues to worry about. Windows never sends the hashes over the network--instead, they're used in the computation of challenge-response pairs. To get the hashes directly you break into the authentication server on the network--typically the domain controller.

2. Yes, it uses Kerberos. Remember, though, that Kerberos uses NT hashes. See #1 above.

3. Don't get your hashes stolen. Configure your systems not to generate LanMan (LM) challenge-response pairs. Abandon "complex" passwords in favor of long passphrases. See Jesper's article at http://blogs.technet.com/jesper_johansson/archive/2005/10/13/410470.aspx for more details, and his presentation at http://download.microsoft.com/download/f/4/a/f4a67fc8-c499-461d-a025-8155fb4f7a0f/Windows%20Passwords%20Master%201.5%20Handout%20-%20Jesper%20Johansson.ppt.

Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley

"guru2003" <guru2003@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:74A1278B-4682-45A0-9110-84D2B8B45681@xxxxxxxxxxxxxxxx
We have a Windows 2000 domain controller. Clients are Windows XP
Professional.

Our auditor used Cain and Abel and sniffed the login traffic. He said he got
the NTLM hash. Using some password cracker, since the password was simple, he
cracked it too.

I have a few questions

First, is this possible?

Second, when I log in from Windows XP Professional to the Windows 2000 DC, are
we not using Kerberos? Can Kerberos login traffic be sniffed and the
password hash extracted?

Third, apart from using long and complex passwords, is there any other mechanism to
safeguard against this?
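An added example, not part of this thread, showing how an administrator can check whether a Windows host still generates LM challenge-response pairs (point 3 of the reply) and still stores LM hashes. It assumes PowerShell on a domain member or DC and reads the real LSA registry values LmCompatibilityLevel and NoLMHash; the level descriptions and the threshold choices are this example's own.

```powershell
# Audit the LSA settings that control LM/NTLM challenge-response generation
# and LM hash storage. Registry path and value names are the real LSA
# settings; everything else here is assumption for illustration.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# What each LmCompatibilityLevel makes the client send (and, on a DC, accept).
$LevelMeaning = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only; DC refuses LM'
    5 = 'Send NTLMv2 only; DC refuses LM and NTLM'
}

function Get-LmPosture {
    $lsa = Get-ItemProperty -Path $LsaPath

    # An absent value means the OS default, which is 0 on Windows 2000/XP.
    $level = 0
    if ($null -ne $lsa.LmCompatibilityLevel) { $level = [int]$lsa.LmCompatibilityLevel }

    # NoLMHash=1 stops the LM hash from being stored at next password change.
    # (On Windows 2000 this was a subkey named NoLMHash rather than a DWORD;
    # this check only looks at the XP/2003-style DWORD value.)
    $noLmHash = 0
    if ($null -ne $lsa.NoLMHash) { $noLmHash = [int]$lsa.NoLMHash }

    $findings = @()
    if ($level -lt 2) {
        $findings += "LM challenge-response pairs are still generated (LmCompatibilityLevel=$level)"
    }
    if ($level -lt 3) {
        $findings += "NTLMv1 responses are still generated; set LmCompatibilityLevel to 3 or higher"
    }
    if ($noLmHash -ne 1) {
        $findings += "LM hashes are still stored for passwords shorter than 15 characters (NoLMHash=$noLmHash)"
    }

    [pscustomobject]@{
        LmCompatibilityLevel = $level
        Meaning              = $LevelMeaning[$level]
        NoLMHash             = $noLmHash
        Findings             = $findings
    }
}

Get-LmPosture | Format-List
```

Change the values through Group Policy (Security Options) rather than by editing the registry directly, so that every client and DC ends up consistent.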
