Windows Passwords: Everything You Need To Know

Jesper M. Johansson
Enterprise Security Architect
Security Business and Technology Unit
Microsoft Corporation
[email protected]

Overview
- How passwords are stored
- How passwords are used
- How passwords are attacked
- Password best practices

How Windows Stores Passwords

In the beginning…

Password Representations
- LM "hashes"
  - Old technology used on LAN Manager
- NT hashes
  - A.k.a. Unicode password or MD4 hash
  - Used for authentication on more recent Windows systems
- Cached credentials
  - Derivation of NT hash
- Stored User Names and Passwords
  - Calling application decides on representation

LM "Hash" Generation
- Padded with NULL to 14 characters
- Converted to upper case
- Separated into two 7-character strings

  Seattle1 = SEATTLE + 1******

  SEATTLE -> Key -> DES(Constant) \
                                   Concatenate -> LM Hash
  1****** -> Key -> DES(Constant) /

LM "Hash" Considerations
- It's not a hash
- Limited character set
  - Common alphanumeric set only
  - Case insensitive
  - 142 symbols
- Padded to exactly 14 characters
  - Actually two seven-character passwords
- Maximum number of passwords ≈ 6.8*10^12
- Unsalted…

Salting
- Prevents deriving passwords from password file
- Stored representation differs
- Side effect: defeats pre-computed hash attacks

  Alice:root:b4ef21:3ba4303ce24a83fe0317608de02bf38d  \
  Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac     } Same password
  Cecil:root:209be1:a483b303c23af34761de02be038fde08  /

NT Hash Generation
- Hash the password
- Store it
  Seattle1 (Pwd) -> Unicode -> MD4 -> NT Hash

NT Hash Considerations
- Case preserving
- 65,535 symbols
- Maximum length = 127 characters
- Number of ≤14-character passwords, same char set as LM hash ≈ 4.6*10^25
- Number of ≤14-character passwords (full char set) ≈ 2.7*10^67
- Number of 127-character passwords ≈ 4.9*10^611
- Unsalted

Cached Credentials Generation
- Stored at logon
- Managed by LSA
- Hash of a hash

  Unicode Pwd -> MD4 -> NT Hash \
                                 Concatenate -> MD4 -> Cached Creds.
  Username                      /

Stored User Names And Passwords
- Credential Manager
- Stores specific password-based credentials locally
- Applications can leverage for password storage
- Uses DPAPI for storage

How Passwords Are Used

Authentication (authn)
- Winlogon passes the authn information to LSASS
- LSASS determines the authn package
  - Local or remote login?
  - If remote:
    - Kerberos
    - MSV1_0: NTLMv2, NTLM, LM
- The chosen package generates authn data

NTLM And LM Authentication On The Wire
  Client                                                Server
    | ---- Authn_Request ------------------------------> |
    | <--- Server_Challenge (nonce) -------------------- |
    | ---- LM Response = DES(LM Hash, nonce) ----------> |
    | ---- NTLM Response = DES(Unicode pwd, nonce) ----> |
    | <--- Authn_Result -------------------------------- |

NTLMv2 Authentication On The Wire
  Client                                                        Server
    | ---- Authn_Request --------------------------------------> |
    | <--- Server_Challenge (nonce_s) -------------------------- |
    | ---- LM Response = DUMMY --------------------------------> |
    | ---- NTLMv2 Response = ƒ(Unicode pwd, nonce_s, nonce_c) -> |
    | <--- Authn_Result ---------------------------------------- |

LMCompatibilityLevel
Client-side impact

  Level | Sends                      | Accepts          | Prohibits sending
  ------+----------------------------+------------------+--------------------------
  0*    | LM, NTLM                   | LM, NTLM, NTLMv2 | NTLMv2, session security
  1     | LM, NTLM, session security | LM, NTLM, NTLMv2 | NTLMv2
  2*    | NTLM, session security     | LM, NTLM, NTLMv2 | LM and NTLMv2
  3     | NTLMv2, session security   | LM, NTLM, NTLMv2 | LM and NTLM

Server-side impact

  Level | Sends                      | Accepts          | Prohibits accepting
  ------+----------------------------+------------------+--------------------------
  4     | NTLMv2, session security   | NTLM, NTLMv2     | LM
  5     | NTLMv2, session security   | NTLMv2           | LM and NTLM

  * Default on some OS

Kerberos Authentication
- Authenticates access to domain resources by domain members
- Uses different operations than NTLM
- Sensitive data is better protected from eavesdropping
- RFC compliant (yes, it is!)
- Uses NT hash
- Well documented

How Passwords Are Attacked

Key Point
Bad passwords get broken, even when using good storage and authentication methods!

Solutions
1. Use better passwords
2. Don't let bad guys get the hashes

Four Types of Attack
- Passive online
- Active online
- Offline attacks
- Non-electronic attacks

Passive Online Attacks: Wire Sniffing
- Access and record raw network traffic
- Wait until authn sequence
- Brute force credentials
- Considerations
  - Relatively hard to perpetrate
  - Usually extremely computationally complex
  - Tools widely available

Passive Online Attacks: Man-in-the-Middle and Replay Attacks
- Somehow get access to communications channel
- Wait until authn sequence
- Proxy authn traffic
- No need to brute-force
- Considerations
  - Relatively hard to perpetrate
  - Must be trusted by one or both sides
  - Some tools widely available
  - Can sometimes be broken by invalidating traffic

SMB Reflection Attack
1. Hey, I want to connect
2. What a coincidence, so do I.
3. OK, here is a challenge
4. Thanks! Here's your challenge, right back at you
5. All right, here's my response to your (my) challenge.
6. That's so nice, here's your response back to you

Cracking v. Guessing
- Guessing from the logon prompt
  - Very slow
  - Easy to detect
  - Core problem: bad passwords
- Cracking presumes attacker has hashes
  - Hashes may be world readable
  - If not, system has already been hacked
  - Very fast
  - Core problem: bad guys with access to hashes

Active Online Attacks: Password Guessing
- Try different passwords until one works
- Succeeds with…
  - Bad passwords
  - Open authentication points
- Considerations
  - Should take a long time
  - Requires huge amounts of network bandwidth
  - Easily detected
  - Core problem: Bad passwords

Offline Attacks
- Attacker has password database
  - How? Hard on Windows, easier on Unix
- Can attack at leisure
- Password representations must be cryptographically secure
- Considerations
  - Moore's law
  - Attacks against cached credentials about 3x slower

Offline Attacks: Dictionary Attack
- Try different passwords from a list
- Succeeds only with poor passwords
- Considerations
  - Very fast
  - Core problem: Bad passwords

Offline Attacks: Hybrid Attack
- Start with dictionary
- Insert entropy
  - Append a symbol
  - Append a number
  - …
- Considerations
  - Relatively fast
  - Succeeds when entropy is poorly used

Offline Attacks: Brute-force Attack
- Try all possible passwords
  - More commonly, a subset thereof
- Usually implemented with progressive complexity
- Typically, LM "hash" is attacked first
- Considerations
  - Very slow
  - All passwords will eventually be found
  - Attack against NT hash is MUCH harder than LM hash

Offline Attacks: Pre-computed Hashes
- Generate all possible hashes a priori
- Compare to database values
- Storing hashes requires huge storage
  - LM "Hashes": 310 Terabytes
  - NT Hashes < 15 chars: 5,652,897,009 exabytes
  - Solution: Use a time-space tradeoff
- Succeeds due to lack of salt

Offline Attacks: Pre-computed Hashes – Considerations
- Takes significant effort up front
- LM hashes much more vulnerable due to smaller key space and shorter length
- Web services available
- SETI-style efforts to generate tables
- Do not work against cached credentials
- Mitigations
  - Use good passwords
  - Remove LM hashes

Pass-The-Hash Attacks
  LM Response = DES(LM Hash, nonce)
  NTLM Response = DES(Unicode pwd, nonce)

- Tool computes response from nonce based on arbitrary hash
- Tools are rare but are available
- Instant attack
- Does not work with cached credentials

Offline Dictionary And Brute Force Attack

Non-Technical Attacks
- Shoulder surfing
  - Watching someone type their password
  - Common and successful
  - Mouthing password while typing
- Keyboard sniffing
  - Hardware is cheap and hard to detect
  - Software is cheap and hard to detect
  - Both can be controlled remotely
- Social engineering…

Password Cracking at Layer 8
- http://zdnet.com.com/2100-1105_2-5195282.html
- http://story.news.yahoo.com/news?tmpl=story&cid=528&e=1&u=/ap/20050317/ap_on_go_ca_st_pe/irs_computer_security

Great Password, Weak Implementation

Password Best Practices

Pass Phrases v. Passwords

Longer Is Better!

Technology-Based Mitigation
- Disable LM hash storage
  - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
  - Passwords > 14 characters
  - Certain Unicode characters
  - Clustering, Windows CE, RTC, ??? broken
- Set NtlmMinClientSec & 0x80010
- Deploy password policy
  - Minimum length
  - Complexity
  - Expiration
  - Reuse
- Password Filter

    // Password filter: the slide's fragment made compilable. Declarations added, the
    // stray parenthesis and missing semicolons fixed, and the dictionary check made to
    // short-circuit (the original set bComplex = FALSE and then fell through to the
    // length/complexity test, which could set it back to TRUE).
    // Assumed: wType[] holds the CT_CTYPE1 flags that GetStringTypeW returns for szPwd
    // (the C1_* flags are character-class bits, not bits of the character itself);
    // strInList() and isUnicode() are the slide's own helper names.
    BOOL  bComplex = FALSE;
    DWORD dwNum = 0, dwUpper = 0, dwLower = 0, dwSym = 0, dwUnicode = 0;
    DWORD i;

    if (strInList(szPwd, aBadWords)) {
        bComplex = FALSE;                 // dictionary words are rejected outright
    } else if (cchPassword > 9) {
        for (i = 0; i < cchPassword; i++) {
            if (wType[i] & C1_DIGIT)  { dwNum = 1;     continue; }
            if (wType[i] & C1_UPPER)  { dwUpper = 1;   continue; }
            if (wType[i] & C1_LOWER)  { dwLower = 1;   continue; }
            if (wType[i] & C1_SYMBOL) { dwSym = 1;     continue; }
            if (isUnicode(szPwd[i]))  { dwUnicode = 1; continue; }
        }
        if (bUserIsAdmin) {
            // Admins need better passwords than users
            if ((dwNum + dwUpper + dwLower + dwSym + dwUnicode == 5) && cchPassword > 14)
                bComplex = TRUE;
        } else {
            // User is not an admin, use lower requirements
            if ((dwNum + dwUpper + dwLower + dwSym + dwUnicode) >= 4)
                bComplex = TRUE;
        }
    }

Technology-Based Mitigation: Multi-factor Authentication
- Why use passwords at all?
- Smart cards
  - Two-factor authentication
  - Very difficult to thwart
  - High cost of initial deployment
- Biometric
  - Two- or three-factor authentication
  - Usually defeated with non-technical attacks
  - Very expensive
  - Failure-prone

Fun With Biometrics

Detecting Attacks - Account Lockout

Summary
- How passwords are stored
- How passwords are used
- How passwords are attacked
- Password best practices

Passwords Article Series
http://www.microsoft.com/technet/security/secnews/newsletter.htm

For more information
Jesper and Steve finally wrote a book!
Order online: http://www.awprofessional.com/title/0321336437
Use promo code JJSR6437
Jesper M. Johansson
[email protected]

© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.