
Windows Passwords

How Passwords Are Attacked

Indira Gandhi Delhi Technical University for Women, New Delhi


Key Point

Bad passwords get broken, even when using good storage and authentication methods!

Solutions
1. Use better passwords
2. Don't let bad guys get the hashes

Four Types of Attack

Passive online
Active online
Offline Attacks
Non-electronic attacks

Passive Online Attacks
Man-in-the-Middle and Replay Attacks

Somehow get access to the communications channel
Wait until the authn sequence
Proxy the authn traffic
No need to brute-force

Considerations
Relatively hard to perpetrate
Must be trusted by one or both sides
Some tools widely available
Can sometimes be broken by invalidating traffic
Server Message Block (SMB) Reflection Attack

1. Hey, I want to connect.
2. What a coincidence, so do I.
3. OK, here is a challenge.
4. Thanks! Here's your challenge, right back at you.
5. All right, here's my response to your (my) challenge.
6. That's so nice, here's your response back to you.
Active Online Attacks
Password guessing

Try different passwords until one works

Succeeds with
Bad passwords
Open authentication points

Considerations
Should take a long time
Requires huge amounts of network bandwidth
Easily detected
Core problem: Bad passwords
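The slide says active online guessing is "easily detected". The PowerShell below is an added example, not part of the original slides, showing what that detection looks like in practice: it groups failed-logon records (Windows Security event ID 4625) by source address and raises an alert when one source produces a burst of failures inside a short window. The sample records are constructed inline; the threshold, the window length and the function name are assumptions to be tuned for your environment.

```powershell
# Added example (not from the original slides): flag password-guessing bursts
# in failed-logon (event ID 4625) records. Threshold and window are assumptions.

function Find-LogonGuessing {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, IpAddress, TargetUserName
        [int] $Threshold = 5,                        # failures from one source before alerting
        [int] $WindowMinutes = 5
    )
    $alerts = @()
    foreach ($group in ($Events | Group-Object -Property IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        # Sliding window: starting at each failure, count the failures that
        # follow it within WindowMinutes.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start    = $sorted[$i].TimeCreated
            $end      = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            if ($inWindow.Count -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    SourceIp   = $group.Name
                    Failures   = $inWindow.Count
                    Accounts   = ($inWindow.TargetUserName | Sort-Object -Unique) -join ','
                    WindowFrom = $start
                }
                break   # one alert per source is enough
            }
        }
    }
    return $alerts
}

# Constructed sample: one source walking through many accounts in under a
# minute (guessing), and one user who mistyped their password twice (benign).
$base   = Get-Date '2024-01-15T09:00:00'
$sample = @(
    0, 1, 2, 3, 4, 5 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $base.AddSeconds($_ * 10); IpAddress = '203.0.113.7'; TargetUserName = "user$_" }
    }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(1); IpAddress = '192.0.2.25'; TargetUserName = 'alice' }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(2); IpAddress = '192.0.2.25'; TargetUserName = 'alice' }
)

# Expected: one alert for 203.0.113.7 (6 failures, user0..user5); nothing for 192.0.2.25.
Find-LogonGuessing -Events $sample | Format-Table -AutoSize

# On a real host, build the same objects from the Security log instead of the sample:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ForEach-Object {
#     $x = [xml]$_.ToXml()
#     [pscustomobject]@{
#         TimeCreated    = $_.TimeCreated
#         IpAddress      = ($x.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
#         TargetUserName = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
#     }
# }
```

Grouping by source rather than by account is deliberate: a guessing run that spreads one or two attempts over many accounts (password spraying) stays under any per-account lockout threshold but still shows up as one address producing many 4625 events.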
Offline Attacks

Attacker has the password database
How? Hard on Windows, easier on Unix
Can attack at leisure
Password representations must be cryptographically secure

Considerations
Moore's law
Attacks against cached credentials about 3x slower
Offline Attacks
Dictionary Attack

Try different passwords from a list
Succeeds only with poor passwords

Considerations
Very fast
Core problem: Bad passwords
Offline Attacks
Hybrid Attack

Start with a dictionary
Insert entropy
Append a symbol
Append a number

Considerations
Relatively fast
Succeeds when entropy is poorly used
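The dictionary and hybrid slides above describe the passwords an offline attack finds first: a list word, or a list word with a symbol or number tacked on. The PowerShell below is an added example, not part of the original slides, of the defender's counterpart: a check run before a password is accepted that strips exactly that cheap decoration and compares what is left against a banned-word list. The word list, the minimum length and the function name are constructed assumptions; in practice the list would be a real banned-password file.

```powershell
# Added example (not from the original slides): reject passwords that a
# dictionary or hybrid attack would recover first. Word list and limits are
# constructed assumptions.

$BannedWords = @('password', 'welcome', 'summer', 'winter', 'company', 'letmein')

function Test-PasswordCandidate {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string[]] $WordList = $BannedWords
    )
    $reject = { param($why) [pscustomobject]@{ Password = $Password; Accepted = $false; Reason = $why } }

    if ($Password.Length -lt 12) { return (& $reject 'too short (< 12)') }

    # Undo the "entropy" a hybrid attack enumerates: case, digits/symbols
    # prepended or appended to a base word, and common leet substitutions.
    $core = $Password.ToLowerInvariant()
    $core = $core -replace '^[^a-z]+', '' -replace '[^a-z]+$', ''
    $core = $core -replace '0', 'o' -replace '1', 'i' -replace '3', 'e' -replace '4', 'a' -replace '5', 's' -replace '@', 'a' -replace '\$', 's'

    # A long password made only of digits/symbols around a tiny core is still weak.
    if ($core.Length -lt 8) { return (& $reject 'too little letter content once decoration is stripped') }

    foreach ($word in $WordList) {
        if ($core -eq $word) { return (& $reject "banned word '$word' plus decoration") }
    }
    return [pscustomobject]@{ Password = $Password; Accepted = $true; Reason = 'ok' }
}

# Constructed candidates: only the last one should be accepted.
'Password2024!', 'W3lcome2024!', 'Summer2023!!', '1234567890!!', 'correct-horse-staple-owl' |
    ForEach-Object { Test-PasswordCandidate -Password $_ } |
    Format-Table -AutoSize
```

The comparison is deliberately an exact match against the stripped core rather than a substring search; that keeps false rejections of long passphrases low while still catching the decorated single word that the hybrid slide describes as succeeding "when entropy is poorly used".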
Pass-The-Hash Attacks
LM Response = DES(LM Hash, nonce)
NTLM Response = DES(Unicode pwd, nonce)

Tool computes the response from the nonce based on an arbitrary hash
Tools are rare but are available
Instant attack
Does not work with cached credentials
Non-Technical Attacks
Shoulder surfing
Watching someone type their password
Common and successful
Mouthing password while typing
Keyboard sniffing
Hardware is cheap and hard to detect
Software is cheap and hard to detect
Both can be controlled remotely
Social engineering
Windows Authentication

Why Windows Authentication?
Most forms of user authentication rely on user supplied
passwords.
Properly authenticated access is often not logged.
A compromised password offers the attacker an
opportunity to access a system from inside virtually
undetected.
Accounts with bad or empty passwords are extremely
common.

The most common password vulnerabilities:

User accounts with weak or nonexistent passwords
Failure to protect passwords
Administrative accounts with weak or nonexistent passwords
Password hashing algorithms are known

Three Windows Authentication Algorithms:

1. LM (least secure, most compatible)
2. NTLM
3. NTLMv2 (most secure, least compatible)

How to Protect Weaknesses of Windows Authentication

Assure that passwords are consistently strong
Protect strong passwords
Tightly control accounts
Maintain a strong password policy for the enterprise.
Disable LM authentication across the network.
Prevent the LM hash from being stored.
Prevent password hashes and the SAM database from being copied.

How Passwords Are Used
Authentication

Preliminary
Winlogon:
In computing, Winlogon is the component of Microsoft
Windows operating systems that is responsible for handling
the secure attention sequence, loading the user profile on
logon, and optionally locking the computer when
a screensaver is running.
Winlogon has the following responsibilities:
1. Window station and desktop protection
2. Standard SAS recognition
3. SAS routine dispatching
4. User profile loading
5. Assignment of security to user shell
6. Screen saver control
7. Multiple network provider support
Preliminary
LSASS:
Local Security Authority Subsystem Service (LSASS), is
a process in Microsoft Windows operating systems that is
responsible for enforcing the security policy on the system.
It verifies users logging on to a Windows computer or server,
handles password changes, and creates access tokens. It also
writes to the Windows Security Log.
"lsass.exe" is the Local Security Authentication Server.
lsass verifies the validity of user logons to your PC or server.
It generates the process responsible for authenticating users
for the Winlogon service. This is performed by using
authentication packages such as the default, Msgina.dll. If
authentication is successful, Lsass generates the user's access
token, which is used to launch the initial shell. Other
processes that the user initiates then inherit this token.
Authentication (authn)
Winlogon passes the authn information to LSASS
LSASS determines the authn package
Local or remote login? If remote
Kerberos
NTLMv2, NTLM, LM
The chosen package generates authn data

NTLM And LM Authentication On The Wire

Client -> Server: Authn_Request
Server -> Client: Server_Challenge (nonce)
Client -> Server: LM Response = DES(LM Hash, nonce)
                  NTLM Response = DES(Unicode pwd, nonce)
Server -> Client: Authn_Result
NTLMv2 Authentication On The Wire

Client -> Server: Authn_Request
Server -> Client: Server_Challenge (nonce_s)
Client -> Server: LM Response = DUMMY
                  NTLMv2 Response (Unicode pwd, nonce_s, nonce_c)
Server -> Client: Authn_Result
Disabling LM & NTLM
authentication and LM Hashes

Lock down systems
Requiring your users to use complex passwords and
enforcing that policy is useless if you authenticate and
locally store easily cracked password files.
By default, Windows NT, 2000, and XP locally store
legacy LAN Manager (LM) password hashes
(LANMAN hashes). LM uses a weak encryption
scheme to store passwords, and hackers can usually
crack it in a very short period of time.

Windows stores LM hashes in the Security Account
Manager (SAM) database. By default, clients have
LAN Manager authentication enabled, and servers
accept this authentication.
This allows workstations to send weak LM hashes
across the network, making Windows authentication
vulnerable to packet sniffing and reducing the amount
of effort an attacker must expend to crack user
passwords.

Disabling LM and NTLM
authentication

To disable this ability and better secure your workstations, follow these steps:

1. Go to Control Panel. Select System and Security and then Administrative Tools.
2. Select Local Security Policy.
3. In the left pane, expand Local Policies, and select Security Options.
4. Then, scroll down to Network Security: LAN Manager Authentication Level.

LMCompatibilityLevel's default is 0.
Your options include:
Level 0: Send LM response and NTLM response; never
use NTLMv2 session security.
Level 1: Use NTLMv2 session security if negotiated.
Level 2: Send NTLM authentication only.
Level 3: Send NTLMv2 authentication only.
Level 4: Refuse LM authentication.
Level 5: Refuse LM and NTLM authentication; accept
only NTLMv2.

Configure the system to use only NTLMv2, Level 3.
This forces the clients to send NTLMv2 authentication
only.
Set your servers to Level 5, and your client-server
communication is now secure.

Disabling LM Hashes

Implement NoLMHash Policy
After you make this change, you'll still need to force the
systems to remove the LM hash from their SAM database.

To disable the storage of LM hashes of a user's passwords
using Active Directory and Group Policy, follow these steps:
1. Type gpedit.msc in the Run dialog or the Start menu search bar.
2. In Group Policy, expand Computer Configuration, expand
Windows Settings, expand Security Settings, and expand Local
Policies.
3. Select Security Options.
4. Double-click Network Security: Do Not Store LAN Manager
Hash Value On Next Password Change.
5. Select Enabled, and click OK.
To disable the storage of LM hashes of a user's passwords in the
local computer's SAM database by using Local Group Policy
(Windows XP, Windows 2000 or Windows 7), make the
following change locally. Follow these steps:
1. Go to Start | Control Panel.
2. Double-click Administrative Tools.
3. Double-click Local Security Policy.
4. In the left pane, expand Local Policies, and select Security
Options.
5. Double-click Network Security: Do Not Store LAN Manager
Hash Value On Next Password Change.
6. Select Enabled, and click OK.
These changes won't take effect until the user changes his or her
password and Windows creates a new hash. This is a good time
to force a domain-wide password change, specifically for all
users with elevated privileges.
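The two Local Security Policy items walked through above (LAN Manager Authentication Level, and Do Not Store LAN Manager Hash Value On Next Password Change) are backed by two DWORD values under the Lsa registry key, LmCompatibilityLevel and NoLMHash. The PowerShell below is an added example, not part of the original slides, that audits both values on the local machine and, with -Apply from an elevated prompt, sets them to the levels the slides recommend (clients Level 3, servers Level 5, NoLMHash enabled). The function names and the client/server role switch are assumptions; the desired values are taken from the text.

```powershell
# Added example (not from the original slides): audit and optionally enforce the
# registry values behind the LM/NTLM policy items. Role -> target level mapping
# follows the slides (Client = 3, Server = 5); function names are assumptions.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmAuthSettings {
    $props = Get-ItemProperty -Path $LsaKey
    [pscustomobject]@{
        # A missing value means the OS default applies; the slides give 0 for LMCompatibilityLevel.
        LmCompatibilityLevel = if ($null -ne $props.LmCompatibilityLevel) { [int]$props.LmCompatibilityLevel } else { 0 }
        NoLMHash             = if ($null -ne $props.NoLMHash) { [int]$props.NoLMHash } else { 0 }
    }
}

function Set-LmAuthHardening {
    param(
        [ValidateSet('Client', 'Server')] [string] $Role = 'Client',
        [switch] $Apply    # without -Apply the function only reports findings
    )
    $wantLevel = if ($Role -eq 'Server') { 5 } else { 3 }
    $current   = Get-LmAuthSettings
    $findings  = @()

    if ($current.LmCompatibilityLevel -lt $wantLevel) {
        $findings += "LmCompatibilityLevel is $($current.LmCompatibilityLevel); want $wantLevel for a $Role"
        if ($Apply) { Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $wantLevel -Type DWord }
    }
    if ($current.NoLMHash -ne 1) {
        $findings += "NoLMHash is $($current.NoLMHash); want 1 (LM hash still written at next password change)"
        if ($Apply) { Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord }
    }

    if ($findings.Count -eq 0) {
        Write-Output "$Role settings already hardened"
    } else {
        $prefix = if ($Apply) { 'FIXED: ' } else { 'FINDING: ' }
        $findings | ForEach-Object { Write-Output ($prefix + $_) }
    }
}

# Audit only (reads the registry, changes nothing):
Set-LmAuthHardening -Role Server

# To enforce, from an elevated shell:
# Set-LmAuthHardening -Role Server -Apply
```

As the slide notes, enabling NoLMHash stops new LM hashes from being written but does not remove the ones already in the SAM; the audit line for NoLMHash is therefore a prompt to follow up with the forced password change described above, not a sign that existing hashes are already gone.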

Thank You!
