Kerberos, NTLM and LM-Hash

KERBEROS, NTLM
AND LM-HASH
By: Ankit Mehta

CONTENTS
 Kerberos
 Working of Kerberos
 KerberosVersion 5
 LM-Hash
 LM-Hash Mechanism
 LM-HashWeaknesses
 NTLM
 NTLM Situations
 NTLMAuthentication Messages
 NTLMAuthentication Steps
 NTLMVulnerabilities

KERBEROS
 Kerberos is the name of “TheThree Headed Dog” guarding the gates of Hades
according to the Greek Mythology.
 Developed at MIT to protect network services provided by Project Athena.
 Uses Symmetric Key Cryptography algorithm.
 Needs a trusted third party.
 Steve Miller and Clifford Neuman were the designers of KerberosVersion 4.
 Current version of Kerberos isVersion 5.

WORKING OF KERBEROS
 There are four parties involved:
 The client (say A)
 Authentication Server (sayAS)
 Ticket Granting Server (sayTGS)
 The server (say B)

STEP 1: LOGIN
Output
ASA
A
Session
Key (KS)
Encrypt
Session
Key (KS)
TGT
KS +TGT
Encrypt
Output
Symmetric Key derived from A’s
password (KA)
Symmetric Key shared with theTicket
Granting Server (TGS)

STEP 2: OBTAINING A SERVICE GRANTING
TICKET (SGT)
Request for SGT
TGSA
Encrypt Session Key (KS)
Encrypted
Timestamp
(ET)
Output (Request for SGT)
TGT B
KAB
Timestamp

STEP 2: OBTAINING A SERVICE GRANTING
TICKET (SGT)
Output
TGSA
A KAB
Encrypt
B KAB
Encrypt
Output
Session Key (KS)
B’s Secret Key

STEP 3: USER CONTACTS ‘B’ FOR
ACCESSINGTHE SERVER
Output
A B
Encrypt
Secret Key to be shared by ‘A’ and ‘B’
(KAB)
Encrypted
Timestamp
(ET)
Output
(‘A’ + KAB) encrypted with ‘B’s secret key
Timestamp
‘A’ received this
combination from
the previous step

STEP 3: USER CONTACTS ‘B’ FOR
ACCESSINGTHE SERVER
Acknowledgement
A B
Encrypt Secret Key to be shared by ‘A’ and ‘B’ (KAB)
Encrypted
Timestamp
(ET)
Timestamp sent initially by Alice + 1
Encrypted Timestamp (ET)

KERBEROSVERSION 5
 There are 3 new ticket types in Kerberos version 5 which were not there in version
4.They are as follows:
1. Forwardable
2. Renewable
3. Postdatable

LM-HASH
 LAN Manager hash is a compromised password hashing function that was the
primary hash that Microsoft LAN Manager and Microsoft Windows versions prior
toWindows NT used to store user passwords.
 Support for the legacy LAN Manager protocol continued in later versions of
Windows for backward compatibility.
 Since WindowsVista, the protocol is disabled by default.

LM-HASH MECHANISM
 The user's password is restricted to a maximum of fourteen characters.
 The user’s password is converted to uppercase.
 The user's password is encoded in the System OEM Code page
 This password is null-padded to 14 bytes.
 The “fixed-length” password is split into two seven-byte halves.
 These values are used to create two DES keys, one from each 7-byte half, by
converting the seven bytes into a bit stream with the most significant bit first, and
inserting a null bit after every seven bits (so 1010100 becomes 10101000).
 This generates the 64 bits needed for a DES key.

LM-HASH MECHANISM
 Each of the two keys is used to DES-encrypt the constant ASCII string
“KGS!@#$%”,resulting in two 8-byte cipher text values.
 These two cipher text values are concatenated to form a 16-byte value, which is
the LM hash.

LM-HASH MECHANISM
Key
Constant
Seattle1 SEATTLE 1******= +
LM Hash
Key
Constant
Concatenate
DES DES

LM-HASH WEAKNESSES
 Passwords are limited to a maximum of only 14 characters, giving a theoretical
maximum keyspace of 9514 (approx) 292 with the 95ASCII printable characters.
 Passwords longer than 7 characters are divided into two pieces and each piece is
hashed separately.
 By mounting a brute force attack on each half separately, modern desktop
machines can crack alphanumeric LM hashes in a few hours.
 All lower case letters in the password are changed to upper case before the
password is hashed, which further reduces the key space for each half to:
 697 (approx) 243.

LM-HASH WEAKNESSES
 Any password that is shorter than 8 characters will result in the hashing of 7 null
bytes, yielding the constant value of 0xAAD3B435B51404EE, hence making it easy
to identify short passwords on sight.
 Many cracking tools, e.g. RainbowCrack, L0phtCrack and Cain, now incorporate
similar attacks and make cracking of LM hashes fast and trivial.
 LM-Hash values only change when a user changes his password.

NTLM
 NTLM is a suite of authentication and session security protocols used in various
Microsoft network protocol implementations and supported by the NTLM
Security Support Provider.
 NTLM is also used throughout Microsoft's systems as an integrated single sign-on
mechanism.
 It is recognized as part of the "IntegratedWindows Authentication" stack for
HTTP authentication.
 It is also used in Microsoft implementations of SMTP, POP3, IMAP (all part of
Exchange), CIFS/SMB,Telnet, SIP, and possibly others.

NTLM
 The NTLM Security Support Provider provides authentication, integrity, and
confidentiality services within the Window Security Support Provider Interface
(SSPI) framework.
 The SSPI specifies, and the NTLMSSP implements, the following core operations:
 Authentication -- NTLM provides a challenge-response authentication mechanism
 Signing --The NTLMSSP provides a means of applying a digital "signature" to a
message.
 Sealing --The NTLMSSP implements a symmetric-key encryption mechanism, which
provides message confidentiality.

NTLM SITUATIONS
 The client is authenticating to a server using an IP address
 The client is authenticating to a server that belongs to a different Active Directory
forest that has a legacy NTLM trust instead of a transitive inter-forest trust
 The client is authenticating to a server that doesn't belong to a domain
 No Active Directory domain exists (commonly referred to as "workgroup" or
"peer-to-peer")
 Where a firewall would otherwise restrict the ports required by Kerberos (typically
TCP 88)

NTLM AUTHENTICATION MESSAGES
 NTLM authentication is a challenge-response scheme, consisting of three
messages:
1.Type 1 (negotiation)
2.Type 2 (challenge)
3.Type 3 (authentication)

NTML AUTHENTICATION STEPS
1. The first step provides the user's NTLM credentials and occurs only as part of the
authentication (logon) process.
2. A user accesses a client computer and provides a domain name, user name, and
password.The client computes a cryptographic hash of the password and discards the
actual password.
3. The client sends the user name to the server (in plaintext).
4. The server generates a 16-byte random number, called a challenge or nonce, and sends
it to the client.
5. The client encrypts this challenge with the hash of the user's password and returns the
result to the server.This is called the response.
6. The server sends the following three items to the domain controller:
 User name
 Challenge sent to the client
 Response received from the client

NTML AUTHENTICATION STEPS
7.The domain controller uses the user name to retrieve the hash of the user's
password from the Security Account Manager database. It uses this password hash
to encrypt the challenge.
8.The domain controller compares the encrypted challenge it computed (in step 6)
to the response computed by the client (in step 4). If they are identical,
authentication is successful.

NTLMVULNERABILITIES
 But it remains vulnerable to the “pass the hash” attack, which is a variant on the
“reflection attack”.
 “Metasploit” can be used in many cases to obtain credentials from one machine
which can be used to gain control of another machine.
 The “Squirtle toolkit” can be used to leverage web site “cross-site scripting”
attacks into attacks on nearby assets via NTLM.
 One of the attacks is the ability to predict pseudo-random numberss and
challenges/responsess generated by the protocol.

Kerberos, NTLM and LM-Hash

More Related Content

What's hot

Viewers also liked

Similar to Kerberos, NTLM and LM-Hash

Recently uploaded

Kerberos, NTLM and LM-Hash