Ntlm Unsafe

G
Guang Ying YuanAdvisory IT specialist at IBM
NTLM Authentication 
     Unsafe

        Originally presented at
Symposium on Security for Asia Network
           SyScAN '04
  December 17th, 2004 – some updates for March 2005




           Information Security Partners, LLC
                   iSECPartners.com
https://www.isecpartners.com




What you get for attending – An Outline

• Demo of an easy‐to‐execute attack on NTLM
   – Works on majority of corporate networks.
• How to harden against attack.
• Enumeration of NTLM’s risks, so that you can justify the 
  deployment of potentially inconvenient settings and have a 
  clear understanding of the risks you must accept.
• I will talk about other weaknesses of NTLM, including 
  password authenticators being password equivalents, what 
  that means, and demonstrate an iSEC tool for taking 
  advantage of it.
• I will discuss authentication alternatives including SRP (a 
  zero‐knowledge proof of knowledge protocol)
https://www.isecpartners.com




Agenda

• Background on NTLM
   – What is NTLM
   – A little crypto 
   – Some observations
• Password equivalence issues
• Pre‐computed dictionary attacks
   – NTLMv2 as a solution
• Middle person attack
• Hardening against these issues
• Questions
https://www.isecpartners.com




What is NTLM?

• An authentication protocol that supports Single Sign‐On primarily 
  used on Windows networks
• Challenge ‐ Response based
• Replaced a weaker protocol called “LAN Manager”
• NTLM is “NT Lan Manager”
• NTLM is NTLM version 1 or NTLMv1
• Still “on” by default in popular operating systems
• Ubiquitous – Windows, Mac and Linux networks all commonly 
  deploy NTLM
    –   Windows XP / Server 2003 / 2000 / NT 
    –   Internet Explorer
    –   Firefox
    –   Samba
    –   jCIFS
    –   Mac OS X
    –   WinCE 
    –   Storage devices
https://www.isecpartners.com




What is NTLM?

• Used to authenticate
   –   Web site users – share point, IIS, servlets with jCIFS
   –   File share access – including default shares like c$ and admin$
   –   Printer access
   –   DCE RPC calls
   –   DCOM
• Usually can be replaced with stronger Kerberos authentication
   – But active attackers can downgrade to NTLM
   – Users without  tickets, or with intermittent connectivity avoid Kerberos
• Dictionary attacks have been demonstrated against NTLM
   – Cain and Abel, l0pht crack et al. perform password search against sniffed 
     NTLM authentications
   – These are not pre‐computed attacks – so they require very weak passwords
https://www.isecpartners.com




NTLM Basics

1. Take a password
2. Calculate the MD4 of it ‐> 128 random bits or 16 bytes
3. Store this value – the “NTLM Hash” (aka the Authenticator) –
   this is different than the “LAN Man Hash”

During Authentication
1. Get an 8 byte challenge
2. Divide the NTLM Hash (MD4 of password) into three pieces
   • 2 seven byte and one 2 byte (7 + 7 + 2 = 16 bytes)
3. DES encrypt the challenge with the three MD4 chunks
4. Concatenate the three cipher texts to make the “NTLM 
   response”
5. Send the “NTLM response” to the server
https://www.isecpartners.com




NTLM Basics

How an NTLM Hash & Challenge            NTLMv1 Response

MD4 of password = 0x0123456789ABCDEFFEDCBA9876543210
  Broken into three “Key Chunks”
     Key 1: 0123456789ABCD
     Key 2: EFFEDCBA987654
     Key 3: 32100000000000


NTLM Response is the concatenation of the encryption 
  of the challenge with three separate keys = 

DES(Challenge, Key1) + DES(Challenge, Key2) + DES(Challenge, Key 3)
https://www.isecpartners.com




NTLM Basics

• Response generation requires only the “NTLM Hash” (which 
  is the password authenticator). The server must store the 
  password authenticator to be able to authenticate users.
• Unix password authenticators typically are non‐password‐
  equivalent salted hashes so that exposure isn’t catastrophic.
• Effort to try all DES keys: 2 x 2^56 + 2^16 ≅ 2^57 for all three 
  portions of the response
• 10 character alphabetic mixed case password has about 2^57 
  possibilities
https://www.isecpartners.com




NTLM Observations – What’s nice

• NTLM provides a different response for every challenge, so 
  an attacker can’t pre‐compute a dictionary attack as the 
  challenge space is huge (2^128 is bigger than my golf score)
• Doesn’t require a centralized server available at logon
• Can “pass through” authorization to a domain controller or 
  other server
• Passive attackers don’t see passwords
• No replay attacks as the server is unlikely to ever reuse a 
  challenge (about 2^64 observations required for a collision)
• MD4 of the password whitens it 
https://www.isecpartners.com




NTLM Observations – What’s weak

•   The password authenticator is itself password equivalent
•   The authenticator is protected with the weak DES cipher
•   Machines can break DES – cost and speed are not public
•   DES cipher has an attack complexity of 2^56, which means for 
    [a‐z][A‐Z] passwords of length 10 or more it is fewer 
    operations to break DES then to brute force the password.
•   Passive adversaries get an offline dictionary attack on the 
    password which could compromise weak passwords (Cain 
    and Abel)
•   The protocol doesn’t protect against middle person attacks
•   Active attackers can provide known challenges and launch 
    pre‐computed dictionary attacks
•   Most of these would be fine if the communication was over a 
    secure SSL or TLS tunnel
    – The password equivalency of the authenticator would not
https://www.isecpartners.com




Password Equivalence of Authenticator

• To demonstrate the password equivalence of the NTLM Hash 
  (MD4(password)) I modified the jCIFS “SmbShell” example 
  so that it would authenticate using username and NTLM Hash 
  instead of password.
• This only works because of the “password equivalence” of the 
  NTLM Hash which is used as the “password authenticator”.
• Attacker doesn’t have to use rainbow tables or brute force
• Extracting hashes does require administrator access!
• Often one time brief physical access can result in password 
  hash extraction
https://www.isecpartners.com




Password Equivalence of Authenticator

• Syskey helps protect windows machines that store these 
  authenticators (i.e. machines with passwords)
• Local accounts are stored on workstations like this laptop
• Local administrator accounts often have synchronized 
  passwords in corporate environments – while convenient for 
  administration, the password equivalence of these 
  authenticators represent an enormous risk!
https://www.isecpartners.com




Password Equivalence of Authenticator

• This equivalence is commonly misunderstood.
• Many people assume the password hashes stored by Windows 
  are similar to the password hashes found in BSD or Linux 
  shadow files. However shadow hashes are generally not 
  password equivalents.
• The equivalence is mentioned in the excellent book “Network 
  Security ‐ Private Communication in a public world” Second 
  Edition, Radia Perlman, Charlie Kaufman, Mike Speciner
   “the fact that the server stores a hash of the user’s password rather than the 
      actual password does not theoretically make the scheme more secure. A 
      modified version of the client software could impersonate the user if it 
      directly used the hash of the password rather than hashing the string the 
      user types.” – Page 622, 24.7.1 Lan Manager and NTLM
• The modified client I present demonstrates the practical truth 
  of the above theoretical statement.
https://www.isecpartners.com




NTLM Hash Authentication Shell Demonstration

• java ‐jar SmbShell.jar
• This shell is similar to the example in jCIFS except that it has 
  been modified to:
    –   Login without passwords
    –   Support deletion of files
    –   Support uploading of files (put)
    –   Support downloading of files (get)



    DEMO
https://www.isecpartners.com




Protecting against authenticator password equivalence

• Use Syskey with a password to keep workstations safer from 
  attackers who get them alone with a floppy or USB disk
    –   Laptops or at‐risk workstations are particularly good candidates
• Never synchronize local passwords between machines! 
    –   Especially not local administrator passwords (where synchronization is common)
• Use Secure Remote Password protocol (SRP http://srp.stanford.edu/) 
  for incompatible applications or systems that need to authenticate 
  users by password
• Acknowledge and accept the risk

Open Questions
• Do you think NTLMv2 or SMB Signing resolve this? 
    –   I don’t believe so. Although I am not demonstrating equivalence with NTLMv2 or 
        SMB Signing required.
• Does Kerberos help?
    –   I am not yet convinced, but at least it helps against these tools.
https://www.isecpartners.com




Dictionary attacks

Dictionary attacks come in three flavors
• Online – almost useless against any but the weakest passwords
    –   Hard to prevent, account lockout periods are commonly used to mitigate this minor 
        risk
    –   Works well on passwords like “password”, “Jesse”, and “test”
• Offline – useful against weak passwords
    –   Real problem for obsolete “LAN Manager” protocol, not common against NTLM
    –   Cain and Abel supports this kind of dictionary attack through monitoring of NTLM 
        Challenge‐Response pairs
    –   Works well on passwords like “p0tat0”, “Cat2”, and “giantrobot”
    –   Possible with a DES cracking oracle (targets recovery of the NTLM Hash)
• Pre‐computed offline – Very effective against whole key spaces with 
  Time‐Space trade‐offs as seen in Rainbow Crack
    –   Possible with an active attack on NTLM
    –   Works well on passwords like “ydDKaEza”, “a39dAJ1z”, and “b@d00D!”
https://www.isecpartners.com




Pre‐computed dictionary attacks on NTLM

• By deciding on a standard “challenge” and computing the 
  dictionary, key space, or crack table based on that challenge 
  an attacker prepares to break a password
• The attacker then impersonates a server
    – This can be very easy
    – IE will magically authenticate against a site with a Netbios name if directed 
      there with an iframe, link, or 302.
    – Firefox supports transparent authentication after the initial auth – initial 
      authentication prompts the user.
• The attacker’s server uses the standard challenge that was 
  used to generate the dictionary, key space or crack table.
https://www.isecpartners.com




Pre‐computed dictionary attacks on NTLM

• NTLMv2 is specifically designed to eliminate the possibility 
  of pre‐computed dictionary attacks
   – Uses client nonce in addition to server nonce / challenge in calculation of 
     response 
   – An additional fix in NTLMv2 reduces the risk of middle person attacks
   – Additional nonce changes the size of the response breaking many 
     implementations
• NTLMv2 is probably an acknowledgement of the pre‐
  computed dictionary weakness in NTLM
• It has been mentioned before online – as a letter in 
  Christopher R. Hertel’s online book “Implementing CIFS –
  The Common Internet File System” reads:
      “you talk about the quot;client challengequot; a bit, but miss the point of it: the client
      nonce (as it should really more correctly be called) is there to prevent
      precomputed dictionary attacks by the server ” ‐ Ronald Tschalär to Chris
      Hertel, in Implementing CIFS http://ubiqx.org/cifs/SMB.html#SMB.8
https://www.isecpartners.com




Pre‐computed dictionary attacks on NTLM

• This servlet negotiates NTLM authentication against browsers
• Always serves the challenge:

byte[] ISEC_CHALL = { (byte) 'i', (byte) 'S',
  (byte) 'E', (byte) 'C', 0, 0x15, (byte) 0xEC, 0
  };

• In hex: 695345430015EC00

• Under NTLM each password maps to one NTLM response
• Under NTLMv2 each password maps to many NTLMv2 
  responses

DEMO
https://www.isecpartners.com




Protecting against pre‐computed dictionary attacks

• Require only NTLMv2 or LMv2 on all servers and 
  workstations
• Negotiating NTLMv2 does nothing to protect you, the active 
  attack requires an active adversary and active adversaries can 
  easily downgrade.
• Change the settings from default – this ships vulnerable
https://www.isecpartners.com




Middle person attacks on NTLM

• NTLM doesn’t protect against Middle Person attacks
• The most common tool for demonstrating middle person 
  attacks on NTLM is SMBRelay
• SMBRelay is complicated, and works when people connect to 
  shares
• I decided to exploit the willingness of browsers to 
  transparently authenticate with local machines to connect 
  back over SMB.
• Browser’s are used very frequently, not a lot of waiting for 
  share connecting
https://www.isecpartners.com




Middle person attacks on NTLM

• This means I am using NTLM over HTTP authentication to 
  access an NTLM protected SMB resource (a share)
• People use web browsers as administrator frequently, and it’s 
  easy to tell when they are doing it – for example going to 
  windows update is a give away.
• My code speaks HTTP and SMB – thanks to jCIFS!
https://www.isecpartners.com




NTLM middle person attack explained

• Attacker may do DNS or Netbios response forging to acquire victims
• Victim connects to a local “attack web server” over HTTP
• Victim sees attack server as in the “Local Intranet Zone”
    –   Allows automatic NTLM authentication
• Attack server connects to victim or target resource over SMB
    –   Victim must have file sharing accessible, be logged in as an account with access, 
        support NTLM and not require SMB signing
• Attack server gets a challenge from the victim
• Attack server demands NTLM authentication and reflects the 
  challenge to the victim
• Victim responds correctly to the challenge 
• Attack server provides the victim’s response and authenticates
• Attack server copies the backup SAM or does whatever else it likes
• Attack server serves a page to the victim or redirects them
https://www.isecpartners.com




NTLM middle person attack explained

I have two versions
• One grabs the backup SAM from admin$/repair/sam
   – It often contains the NTLM Hash for the administrator 
   – It is often useable on other machines on the network
   – It can be used directly to authenticate with the tool I demoed earlier
• The other connects and launches my “modified SmbShell”

The second version is more fun to watch, and is more flexible in
  terms of exploit potential

DEMO
https://www.isecpartners.com




Protecting against NTLM middle person attacks

• Use NTLM authentication on web servers only with SSL
• Disable automatic NTLM authentication in browsers
• Setting must be to “always” use SMB Signing. Negotiating 
  signing does nothing to protect you. Exploiting this 
  vulnerability requires an active attacker, and active attackers 
  will just downgrade if they have the option. Change the 
  settings from default – this ships vulnerable
https://www.isecpartners.com




Take away’s

I hope you agree that
• NTLM is too dangerous to use on your network
    –   Use NTLMv2 or Kerberos, and set them to “always”, otherwise attackers just 
        downgrade
    –   Use SMB Signing to prevent middle person attacks
    –   Only use NTLM or NTLMv2 auth on websites when using HTTPS
• IE should be set not to automatically NTLM authenticate
• Never use identical administrator passwords across machines as they 
  are stored in password equivalent form
• Samba shares are no less vulnerable than Windows
• Sorry, but I don’t have a solution for Mac OS X ‐ ADmitMac
  (http://www.thursby.com/) has one I haven’t tried
• Future authentication protocols should use Zero‐Knowledge Proof of 
  Knowledge techniques like SRP does.
• iSEC Partners has cool, unique tools to clearly demonstrate the 
  practical importance of common risks.
https://www.isecpartners.com




Questions?
https://www.isecpartners.com




         Shameless plug
Information Security Partners can help your 
organization understand and mitigate its 
application or network security risks. We
perform protocol, application, and network
penetration testing, training and complimentary
security services. 
See iSEC Partners online at 
  https://www.isecpartners.com
Or talk to the author: Jesse Burns, Principal Partner
Email: Jesse at iSECPartners dot com
1 of 28

Recommended

NSC #2 - D2 02 - Benjamin Delpy - Mimikatz by
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
1.3K views57 slides
Kerberos, NTLM and LM-Hash by
Kerberos, NTLM and LM-HashKerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashAnkit Mehta
6.3K views25 slides
Abusing Microsoft Kerberos - Sorry you guys don't get it by
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
43.1K views53 slides
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di... by
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
18.6K views90 slides
CEHv9 : module 03 - scanning networks by
CEHv9 : module 03 - scanning networksCEHv9 : module 03 - scanning networks
CEHv9 : module 03 - scanning networksteknetir
1.5K views82 slides
Up is Down, Black is White: Using SCCM for Wrong and Right by
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Rightenigma0x3
6.5K views52 slides

More Related Content

What's hot

DerbyCon 2019 - Kerberoasting Revisited by
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
10.3K views27 slides
Secure Shell(ssh) by
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)Pina Parmar
3.5K views35 slides
SSH - Secure Shell by
SSH - Secure ShellSSH - Secure Shell
SSH - Secure ShellPeter R. Egli
8.1K views20 slides
Active directory domain and trust by
Active directory domain and trustActive directory domain and trust
Active directory domain and trustChinmoy Jena
1.7K views8 slides
Hacking the future with USB HID by
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HIDNikhil Mittal
4.2K views34 slides
Ace Up the Sleeve by
Ace Up the SleeveAce Up the Sleeve
Ace Up the SleeveWill Schroeder
23.7K views60 slides

What's hot(20)

DerbyCon 2019 - Kerberoasting Revisited by Will Schroeder
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder10.3K views
Secure Shell(ssh) by Pina Parmar
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)
Pina Parmar3.5K views
Active directory domain and trust by Chinmoy Jena
Active directory domain and trustActive directory domain and trust
Active directory domain and trust
Chinmoy Jena1.7K views
Hacking the future with USB HID by Nikhil Mittal
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
Nikhil Mittal4.2K views
Red Team Methodology - A Naked Look by Jason Lang
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang14.7K views
Troopers 19 - I am AD FS and So Can You by Douglas Bienstock
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
Douglas Bienstock8.2K views
DNS High-Availability Tools - Open-Source Load Balancing Solutions by Men and Mice
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
Men and Mice4.7K views
CEHv9 : module 05 - system hacking by teknetir
CEHv9 : module 05 - system hackingCEHv9 : module 05 - system hacking
CEHv9 : module 05 - system hacking
teknetir873 views
Red Hat Certified Engineer (RHCE) EX294 Exam Questions by Study Material
Red Hat Certified Engineer (RHCE) EX294 Exam QuestionsRed Hat Certified Engineer (RHCE) EX294 Exam Questions
Red Hat Certified Engineer (RHCE) EX294 Exam Questions
Study Material747 views
Kerberos for Distributed System Security - Omal Perera by Omal Perera
Kerberos for Distributed System Security - Omal PereraKerberos for Distributed System Security - Omal Perera
Kerberos for Distributed System Security - Omal Perera
Omal Perera478 views
Here Be Dragons: The Unexplored Land of Active Directory ACLs by Andy Robbins
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins6.2K views
Ibm spectrum scale fundamentals workshop for americas part 4 spectrum scale_r... by xKinAnx
Ibm spectrum scale fundamentals workshop for americas part 4 spectrum scale_r...Ibm spectrum scale fundamentals workshop for americas part 4 spectrum scale_r...
Ibm spectrum scale fundamentals workshop for americas part 4 spectrum scale_r...
xKinAnx1.6K views
Google Cloud Platform monitoring with Zabbix by Max Kuzkin
Google Cloud Platform monitoring with ZabbixGoogle Cloud Platform monitoring with Zabbix
Google Cloud Platform monitoring with Zabbix
Max Kuzkin11.1K views
The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter by Kohei Tokunaga
The overview of lazypull with containerd Remote Snapshotter & Stargz SnapshotterThe overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
Kohei Tokunaga721 views
Introduction to Homomorphic Encryption by Christoph Matthies
Introduction to Homomorphic EncryptionIntroduction to Homomorphic Encryption
Introduction to Homomorphic Encryption
Christoph Matthies13.5K views

Similar to Ntlm Unsafe

FreeBSD and Hardening Web Server by
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerMuhammad Moinur Rahman
259 views54 slides
Information Security Engineering by
Information Security EngineeringInformation Security Engineering
Information Security EngineeringMd. Hasan Basri (Angel)
209 views50 slides
Online Authentication by
Online AuthenticationOnline Authentication
Online AuthenticationMarc-Andre Heroux
1.1K views10 slides
Attacking XML Security by
Attacking XML SecurityAttacking XML Security
Attacking XML SecurityYusuf Motiwala
3.7K views182 slides
New Security Issues related to Embedded Web Servers by
New Security Issues related to Embedded Web ServersNew Security Issues related to Embedded Web Servers
New Security Issues related to Embedded Web ServersEric Vétillard
632 views46 slides
Insecurity-In-Security version.1 (2010) by
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Abhishek Kumar
769 views26 slides

Similar to Ntlm Unsafe(20)

New Security Issues related to Embedded Web Servers by Eric Vétillard
New Security Issues related to Embedded Web ServersNew Security Issues related to Embedded Web Servers
New Security Issues related to Embedded Web Servers
Eric Vétillard632 views
Insecurity-In-Security version.1 (2010) by Abhishek Kumar
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
Abhishek Kumar769 views
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon by Priyanka Aash
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
Priyanka Aash1.6K views
Tsc summit #2 - HTTP Header Security by Mikal Villa
Tsc summit #2  - HTTP Header SecurityTsc summit #2  - HTTP Header Security
Tsc summit #2 - HTTP Header Security
Mikal Villa938 views
Aws training in bangalore by apponix123
Aws training in bangalore Aws training in bangalore
Aws training in bangalore
apponix12353 views
LF_APIStrat17_Don't Build a Death Star by LF_APIStrat
LF_APIStrat17_Don't Build a Death StarLF_APIStrat17_Don't Build a Death Star
LF_APIStrat17_Don't Build a Death Star
LF_APIStrat109 views
[CB20] Operation I am Tom: How APT actors move laterally in corporate network... by CODE BLUE
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
CODE BLUE221 views
Hardening cassandra for compliance or paranoia by zznate
Hardening cassandra for compliance or paranoiaHardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoia
zznate5.8K views
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia). by DataStax Academy
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
DataStax Academy2K views
So you want to be a security expert by Royce Davis
So you want to be a security expertSo you want to be a security expert
So you want to be a security expert
Royce Davis1.9K views
Application of Machine Learning in Cybersecurity by Pratap Dangeti
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in Cybersecurity
Pratap Dangeti523 views
Hardening cassandra q2_2016 by zznate
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016
zznate871 views
Securing Cassandra for Compliance by DataStax
Securing Cassandra for ComplianceSecuring Cassandra for Compliance
Securing Cassandra for Compliance
DataStax14.3K views

More from Guang Ying Yuan

【职场女性领导力】《向前一步》 by
【职场女性领导力】《向前一步》【职场女性领导力】《向前一步》
【职场女性领导力】《向前一步》Guang Ying Yuan
1.5K views26 slides
Pulic Speaking by
Pulic SpeakingPulic Speaking
Pulic SpeakingGuang Ying Yuan
740 views42 slides
Jmeter by
Jmeter Jmeter
Jmeter Guang Ying Yuan
1.6K views24 slides
Android vs i os features by
Android vs i os featuresAndroid vs i os features
Android vs i os featuresGuang Ying Yuan
1.7K views10 slides
Designing and implementing high performance rule based applications by
Designing and implementing high performance rule based applicationsDesigning and implementing high performance rule based applications
Designing and implementing high performance rule based applicationsGuang Ying Yuan
1.8K views38 slides
螃蟹、猫头鹰和蝙蝠 by
螃蟹、猫头鹰和蝙蝠  螃蟹、猫头鹰和蝙蝠
螃蟹、猫头鹰和蝙蝠 Guang Ying Yuan
719 views11 slides

More from Guang Ying Yuan(20)

【职场女性领导力】《向前一步》 by Guang Ying Yuan
【职场女性领导力】《向前一步》【职场女性领导力】《向前一步》
【职场女性领导力】《向前一步》
Guang Ying Yuan1.5K views
Designing and implementing high performance rule based applications by Guang Ying Yuan
Designing and implementing high performance rule based applicationsDesigning and implementing high performance rule based applications
Designing and implementing high performance rule based applications
Guang Ying Yuan1.8K views
2010 06 28_2357_savor_the_blue_volume_ii_my by Guang Ying Yuan
2010 06 28_2357_savor_the_blue_volume_ii_my2010 06 28_2357_savor_the_blue_volume_ii_my
2010 06 28_2357_savor_the_blue_volume_ii_my
Guang Ying Yuan1.8K views
Agile Software Development Overview 1231560734008086 2 by Guang Ying Yuan
Agile Software Development Overview 1231560734008086 2Agile Software Development Overview 1231560734008086 2
Agile Software Development Overview 1231560734008086 2
Guang Ying Yuan929 views
Day1 Sap Basis Overview V1 1 by Guang Ying Yuan
Day1 Sap Basis Overview V1 1Day1 Sap Basis Overview V1 1
Day1 Sap Basis Overview V1 1
Guang Ying Yuan15.4K views

Recently uploaded

Combining Orchestration and Choreography for a Clean Architecture by
Combining Orchestration and Choreography for a Clean ArchitectureCombining Orchestration and Choreography for a Clean Architecture
Combining Orchestration and Choreography for a Clean ArchitectureThomasHeinrichs1
69 views24 slides
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum... by
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...NUS-ISS
34 views35 slides
handbook for web 3 adoption.pdf by
handbook for web 3 adoption.pdfhandbook for web 3 adoption.pdf
handbook for web 3 adoption.pdfLiveplex
19 views16 slides
20231123_Camunda Meetup Vienna.pdf by
20231123_Camunda Meetup Vienna.pdf20231123_Camunda Meetup Vienna.pdf
20231123_Camunda Meetup Vienna.pdfPhactum Softwareentwicklung GmbH
28 views73 slides
Future of Learning - Khoong Chan Meng by
Future of Learning - Khoong Chan MengFuture of Learning - Khoong Chan Meng
Future of Learning - Khoong Chan MengNUS-ISS
33 views7 slides

Recently uploaded(20)

Combining Orchestration and Choreography for a Clean Architecture by ThomasHeinrichs1
Combining Orchestration and Choreography for a Clean ArchitectureCombining Orchestration and Choreography for a Clean Architecture
Combining Orchestration and Choreography for a Clean Architecture
ThomasHeinrichs169 views
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum... by NUS-ISS
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...
NUS-ISS34 views
handbook for web 3 adoption.pdf by Liveplex
handbook for web 3 adoption.pdfhandbook for web 3 adoption.pdf
handbook for web 3 adoption.pdf
Liveplex19 views
Future of Learning - Khoong Chan Meng by NUS-ISS
Future of Learning - Khoong Chan MengFuture of Learning - Khoong Chan Meng
Future of Learning - Khoong Chan Meng
NUS-ISS33 views
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor... by Vadym Kazulkin
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
Vadym Kazulkin75 views
Data-centric AI and the convergence of data and model engineering: opportunit... by Paolo Missier
Data-centric AI and the convergence of data and model engineering:opportunit...Data-centric AI and the convergence of data and model engineering:opportunit...
Data-centric AI and the convergence of data and model engineering: opportunit...
Paolo Missier34 views
DALI Basics Course 2023 by Ivory Egg
DALI Basics Course  2023DALI Basics Course  2023
DALI Basics Course 2023
Ivory Egg14 views
STPI OctaNE CoE Brochure.pdf by madhurjyapb
STPI OctaNE CoE Brochure.pdfSTPI OctaNE CoE Brochure.pdf
STPI OctaNE CoE Brochure.pdf
madhurjyapb12 views
Future of Learning - Yap Aye Wee.pdf by NUS-ISS
Future of Learning - Yap Aye Wee.pdfFuture of Learning - Yap Aye Wee.pdf
Future of Learning - Yap Aye Wee.pdf
NUS-ISS41 views
Digital Product-Centric Enterprise and Enterprise Architecture - Tan Eng Tsze by NUS-ISS
Digital Product-Centric Enterprise and Enterprise Architecture - Tan Eng TszeDigital Product-Centric Enterprise and Enterprise Architecture - Tan Eng Tsze
Digital Product-Centric Enterprise and Enterprise Architecture - Tan Eng Tsze
NUS-ISS19 views
Spesifikasi Lengkap ASUS Vivobook Go 14 by Dot Semarang
Spesifikasi Lengkap ASUS Vivobook Go 14Spesifikasi Lengkap ASUS Vivobook Go 14
Spesifikasi Lengkap ASUS Vivobook Go 14
Dot Semarang35 views

Ntlm Unsafe

  • 1. NTLM Authentication  Unsafe Originally presented at Symposium on Security for Asia Network SyScAN '04 December 17th, 2004 – some updates for March 2005 Information Security Partners, LLC iSECPartners.com
  • 2. https://www.isecpartners.com What you get for attending – An Outline • Demo of an easy‐to‐execute attack on NTLM – Works on majority of corporate networks. • How to harden against attack. • Enumeration of NTLM’s risks, so that you can justify the  deployment of potentially inconvenient settings and have a  clear understanding of the risks you must accept. • I will talk about other weaknesses of NTLM, including  password authenticators being password equivalents, what  that means, and demonstrate an iSEC tool for taking  advantage of it. • I will discuss authentication alternatives including SRP (a  zero‐knowledge proof of knowledge protocol)
  • 3. https://www.isecpartners.com Agenda • Background on NTLM – What is NTLM – A little crypto  – Some observations • Password equivalence issues • Pre‐computed dictionary attacks – NTLMv2 as a solution • Middle person attack • Hardening against these issues • Questions
  • 4. https://www.isecpartners.com What is NTLM? • An authentication protocol that supports Single Sign‐On primarily  used on Windows networks • Challenge ‐ Response based • Replaced a weaker protocol called “LAN Manager” • NTLM is “NT Lan Manager” • NTLM is NTLM version 1 or NTLMv1 • Still “on” by default in popular operating systems • Ubiquitous – Windows, Mac and Linux networks all commonly  deploy NTLM – Windows XP / Server 2003 / 2000 / NT  – Internet Explorer – Firefox – Samba – jCIFS – Mac OS X – WinCE  – Storage devices
  • 5. https://www.isecpartners.com What is NTLM? • Used to authenticate – Web site users – share point, IIS, servlets with jCIFS – File share access – including default shares like c$ and admin$ – Printer access – DCE RPC calls – DCOM • Usually can be replaced with stronger Kerberos authentication – But active attackers can downgrade to NTLM – Users without  tickets, or with intermittent connectivity avoid Kerberos • Dictionary attacks have been demonstrated against NTLM – Cain and Abel, l0pht crack et al. perform password search against sniffed  NTLM authentications – These are not pre‐computed attacks – so they require very weak passwords
  • 6. https://www.isecpartners.com NTLM Basics 1. Take a password 2. Calculate the MD4 of it ‐> 128 random bits or 16 bytes 3. Store this value – the “NTLM Hash” (aka the Authenticator) – this is different than the “LAN Man Hash” During Authentication 1. Get an 8 byte challenge 2. Divide the NTLM Hash (MD4 of password) into three pieces • 2 seven byte and one 2 byte (7 + 7 + 2 = 16 bytes) 3. DES encrypt the challenge with the three MD4 chunks 4. Concatenate the three cipher texts to make the “NTLM  response” 5. Send the “NTLM response” to the server
  • 7. https://www.isecpartners.com NTLM Basics How an NTLM Hash & Challenge  NTLMv1 Response MD4 of password = 0x0123456789ABCDEFFEDCBA9876543210 Broken into three “Key Chunks” Key 1: 0123456789ABCD Key 2: EFFEDCBA987654 Key 3: 32100000000000 NTLM Response is the concatenation of the encryption  of the challenge with three separate keys =  DES(Challenge, Key1) + DES(Challenge, Key2) + DES(Challenge, Key 3)
  • 8. https://www.isecpartners.com NTLM Basics • Response generation requires only the “NTLM Hash” (which  is the password authenticator). The server must store the  password authenticator to be able to authenticate users. • Unix password authenticators typically are non‐password‐ equivalent salted hashes so that exposure isn’t catastrophic. • Effort to try all DES keys: 2 x 2^56 + 2^16 ≅ 2^57 for all three  portions of the response • 10 character alphabetic mixed case password has about 2^57  possibilities
  • 9. https://www.isecpartners.com NTLM Observations – What’s nice • NTLM provides a different response for every challenge, so  an attacker can’t pre‐compute a dictionary attack as the  challenge space is huge (2^128 is bigger than my golf score) • Doesn’t require a centralized server available at logon • Can “pass through” authorization to a domain controller or  other server • Passive attackers don’t see passwords • No replay attacks as the server is unlikely to ever reuse a  challenge (about 2^64 observations required for a collision) • MD4 of the password whitens it 
  • 10. https://www.isecpartners.com NTLM Observations – What’s weak • The password authenticator is itself password equivalent • The authenticator is protected with the weak DES cipher • Machines can break DES – cost and speed are not public • DES cipher has an attack complexity of 2^56, which means for  [a‐z][A‐Z] passwords of length 10 or more it is fewer  operations to break DES then to brute force the password. • Passive adversaries get an offline dictionary attack on the  password which could compromise weak passwords (Cain  and Abel) • The protocol doesn’t protect against middle person attacks • Active attackers can provide known challenges and launch  pre‐computed dictionary attacks • Most of these would be fine if the communication was over a  secure SSL or TLS tunnel – The password equivalency of the authenticator would not
  • 11. https://www.isecpartners.com Password Equivalence of Authenticator • To demonstrate the password equivalence of the NTLM Hash  (MD4(password)) I modified the jCIFS “SmbShell” example  so that it would authenticate using username and NTLM Hash  instead of password. • This only works because of the “password equivalence” of the  NTLM Hash which is used as the “password authenticator”. • Attacker doesn’t have to use rainbow tables or brute force • Extracting hashes does require administrator access! • Often one time brief physical access can result in password  hash extraction
  • 12. https://www.isecpartners.com Password Equivalence of Authenticator • Syskey helps protect windows machines that store these  authenticators (i.e. machines with passwords) • Local accounts are stored on workstations like this laptop • Local administrator accounts often have synchronized  passwords in corporate environments – while convenient for  administration, the password equivalence of these  authenticators represent an enormous risk!
  • 13. https://www.isecpartners.com Password Equivalence of Authenticator • This equivalence is commonly misunderstood. • Many people assume the password hashes stored by Windows  are similar to the password hashes found in BSD or Linux  shadow files. However shadow hashes are generally not  password equivalents. • The equivalence is mentioned in the excellent book “Network  Security ‐ Private Communication in a public world” Second  Edition, Radia Perlman, Charlie Kaufman, Mike Speciner “the fact that the server stores a hash of the user’s password rather than the  actual password does not theoretically make the scheme more secure. A  modified version of the client software could impersonate the user if it  directly used the hash of the password rather than hashing the string the  user types.” – Page 622, 24.7.1 Lan Manager and NTLM • The modified client I present demonstrates the practical truth  of the above theoretical statement.
  • 14. https://www.isecpartners.com NTLM Hash Authentication Shell Demonstration • java ‐jar SmbShell.jar • This shell is similar to the example in jCIFS except that it has  been modified to: – Login without passwords – Support deletion of files – Support uploading of files (put) – Support downloading of files (get) DEMO
  • 15. https://www.isecpartners.com Protecting against authenticator password equivalence • Use Syskey with a password to keep workstations safer from  attackers who get them alone with a floppy or USB disk – Laptops or at‐risk workstations are particularly good candidates • Never synchronize local passwords between machines!  – Especially not local administrator passwords (where synchronization is common) • Use Secure Remote Password protocol (SRP http://srp.stanford.edu/)  for incompatible applications or systems that need to authenticate  users by password • Acknowledge and accept the risk Open Questions • Do you think NTLMv2 or SMB Signing resolve this?  – I don’t believe so. Although I am not demonstrating equivalence with NTLMv2 or  SMB Signing required. • Does Kerberos help? – I am not yet convinced, but at least it helps against these tools.
  • 16. https://www.isecpartners.com Dictionary attacks Dictionary attacks come in three flavors • Online – almost useless against any but the weakest passwords – Hard to prevent, account lockout periods are commonly used to mitigate this minor  risk – Works well on passwords like “password”, “Jesse”, and “test” • Offline – useful against weak passwords – Real problem for obsolete “LAN Manager” protocol, not common against NTLM – Cain and Abel supports this kind of dictionary attack through monitoring of NTLM  Challenge‐Response pairs – Works well on passwords like “p0tat0”, “Cat2”, and “giantrobot” – Possible with a DES cracking oracle (targets recovery of the NTLM Hash) • Pre‐computed offline – Very effective against whole key spaces with  Time‐Space trade‐offs as seen in Rainbow Crack – Possible with an active attack on NTLM – Works well on passwords like “ydDKaEza”, “a39dAJ1z”, and “b@d00D!”
  • 17. https://www.isecpartners.com Pre‐computed dictionary attacks on NTLM • By deciding on a standard “challenge” and computing the  dictionary, key space, or crack table based on that challenge  an attacker prepares to break a password • The attacker then impersonates a server – This can be very easy – IE will magically authenticate against a site with a Netbios name if directed  there with an iframe, link, or 302. – Firefox supports transparent authentication after the initial auth – initial  authentication prompts the user. • The attacker’s server uses the standard challenge that was  used to generate the dictionary, key space or crack table.
  • 18. https://www.isecpartners.com Pre‐computed dictionary attacks on NTLM • NTLMv2 is specifically designed to eliminate the possibility  of pre‐computed dictionary attacks – Uses client nonce in addition to server nonce / challenge in calculation of  response  – An additional fix in NTLMv2 reduces the risk of middle person attacks – Additional nonce changes the size of the response breaking many  implementations • NTLMv2 is probably an acknowledgement of the pre‐ computed dictionary weakness in NTLM • It has been mentioned before online – as a letter in  Christopher R. Hertel’s online book “Implementing CIFS – The Common Internet File System” reads: “you talk about the quot;client challengequot; a bit, but miss the point of it: the client nonce (as it should really more correctly be called) is there to prevent precomputed dictionary attacks by the server ” ‐ Ronald Tschalär to Chris Hertel, in Implementing CIFS http://ubiqx.org/cifs/SMB.html#SMB.8
  • 19. https://www.isecpartners.com Pre‐computed dictionary attacks on NTLM • This servlet negotiates NTLM authentication against browsers • Always serves the challenge: byte[] ISEC_CHALL = { (byte) 'i', (byte) 'S', (byte) 'E', (byte) 'C', 0, 0x15, (byte) 0xEC, 0 }; • In hex: 695345430015EC00 • Under NTLM each password maps to one NTLM response • Under NTLMv2 each password maps to many NTLMv2  responses DEMO
  • 20. https://www.isecpartners.com Protecting against pre‐computed dictionary attacks • Require only NTLMv2 or LMv2 on all servers and  workstations • Negotiating NTLMv2 does nothing to protect you, the active  attack requires an active adversary and active adversaries can  easily downgrade. • Change the settings from default – this ships vulnerable
  • 21. https://www.isecpartners.com Middle person attacks on NTLM • NTLM doesn’t protect against Middle Person attacks • The most common tool for demonstrating middle person  attacks on NTLM is SMBRelay • SMBRelay is complicated, and works when people connect to  shares • I decided to exploit the willingness of browsers to  transparently authenticate with local machines to connect  back over SMB. • Browser’s are used very frequently, not a lot of waiting for  share connecting
  • 22. https://www.isecpartners.com Middle person attacks on NTLM • This means I am using NTLM over HTTP authentication to  access an NTLM protected SMB resource (a share) • People use web browsers as administrator frequently, and it’s  easy to tell when they are doing it – for example going to  windows update is a give away. • My code speaks HTTP and SMB – thanks to jCIFS!
  • 23. https://www.isecpartners.com NTLM middle person attack explained • Attacker may do DNS or Netbios response forging to acquire victims • Victim connects to a local “attack web server” over HTTP • Victim sees attack server as in the “Local Intranet Zone” – Allows automatic NTLM authentication • Attack server connects to victim or target resource over SMB – Victim must have file sharing accessible, be logged in as an account with access,  support NTLM and not require SMB signing • Attack server gets a challenge from the victim • Attack server demands NTLM authentication and reflects the  challenge to the victim • Victim responds correctly to the challenge  • Attack server provides the victim’s response and authenticates • Attack server copies the backup SAM or does whatever else it likes • Attack server serves a page to the victim or redirects them
  • 24. https://www.isecpartners.com NTLM middle person attack explained I have two versions • One grabs the backup SAM from admin$/repair/sam – It often contains the NTLM Hash for the administrator  – It is often useable on other machines on the network – It can be used directly to authenticate with the tool I demoed earlier • The other connects and launches my “modified SmbShell” The second version is more fun to watch, and is more flexible in terms of exploit potential DEMO
  • 25. https://www.isecpartners.com Protecting against NTLM middle person attacks • Use NTLM authentication on web servers only with SSL • Disable automatic NTLM authentication in browsers • Setting must be to “always” use SMB Signing. Negotiating  signing does nothing to protect you. Exploiting this  vulnerability requires an active attacker, and active attackers  will just downgrade if they have the option. Change the  settings from default – this ships vulnerable
  • 26. https://www.isecpartners.com Take away’s I hope you agree that • NTLM is too dangerous to use on your network – Use NTLMv2 or Kerberos, and set them to “always”, otherwise attackers just  downgrade – Use SMB Signing to prevent middle person attacks – Only use NTLM or NTLMv2 auth on websites when using HTTPS • IE should be set not to automatically NTLM authenticate • Never use identical administrator passwords across machines as they  are stored in password equivalent form • Samba shares are no less vulnerable than Windows • Sorry, but I don’t have a solution for Mac OS X ‐ ADmitMac (http://www.thursby.com/) has one I haven’t tried • Future authentication protocols should use Zero‐Knowledge Proof of  Knowledge techniques like SRP does. • iSEC Partners has cool, unique tools to clearly demonstrate the  practical importance of common risks.
  • 28. https://www.isecpartners.com Shameless plug Information Security Partners can help your  organization understand and mitigate its  application or network security risks. We perform protocol, application, and network penetration testing, training and complimentary security services.  See iSEC Partners online at  https://www.isecpartners.com Or talk to the author: Jesse Burns, Principal Partner Email: Jesse at iSECPartners dot com