Windows Passwords: Everything You Need To Know
Jesper M. Johansson, Enterprise Security Architect, Security Business and Technology Unit, Microsoft Corporation

Overview
- How passwords are stored
- How passwords are used
- How passwords are attacked
- Password best practices

How Windows Stores Passwords
In the beginning…

Password Representations
- LM "hashes": old technology used on LAN Manager
- NT hashes: a.k.a. Unicode password or MD4 hash; used for authentication on more recent Windows systems
- Cached credentials: derivation of NT hash
- Stored User Names and Passwords
- Calling application decides on representation

LM "Hash" Generation
- Padded with NULL to 14 characters
- Converted to upper case
- Separated into two 7-character strings
- Seattle1 = SEATTLE + 1******
- Each 7-character half is used as a DES key to encrypt a constant; the two DES outputs are concatenated to form the LM hash

LM "Hash" Considerations
- It's not a hash
- Limited character set: common alphanumeric set only, case insensitive, 142 symbols
- Padded to exactly 14 characters
- Actually two seven-character passwords
- Maximum number of passwords ≈ 6.8*10^12
- Unsalted…

Salting
- Prevents deriving passwords from password file
- Stored representation differs
- Side effect: defeats pre-computed hash attacks
- Example of three salted entries for the same password (user:realm:salt:hash):
  Alice:root:b4ef21:3ba4303ce24a83fe0317608de02bf38d
  Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac
  Cecil:root:209be1:a483b303c23af34761de02be038fde08

NT Hash Generation
- Hash the password
- Store it
- Seattle1 → Unicode → MD4 → Pwd (NT hash)

NT Hash Considerations
- Case preserving
- 65,535 symbols
- Maximum length = 127 characters
- Number of ≤14-character passwords, same char set as LM hash ≈ 4.6*10^25
- Number of ≤14-character passwords (full char set) ≈ 2.7*10^67
- Number of 127-character passwords ≈ 4.9*10^611
- Unsalted

Cached Credentials Generation
- Stored at logon
- Managed by LSA
- Hash of a hash: Unicode pwd → MD4 → concatenate with username → MD4 → cached creds

Stored User Names And Passwords
- Credential Manager
- Stores specific password-based credentials locally
- Applications can leverage for password storage
- Uses DPAPI for storage

How Passwords Are Used

Authentication (authn)
- Winlogon passes the authn information to LSASS
- LSASS determines the authn package
  - Local or remote login?
  - If remote: Kerberos, or MSV1_0 (NTLMv2, NTLM, LM)
- The chosen package generates authn data

NTLM And LM Authentication On The Wire
- Client → Server: Authn_Request
- Server → Client: Server_Challenge (nonce)
- Client → Server: LM Response = DES(LM Hash, nonce); NTLM Response = DES(Unicode pwd, nonce)
- Server → Client: Authn_Result

NTLMv2 Authentication On The Wire
- Client → Server: Authn_Request
- Server → Client: Server_Challenge (nonce_s)
- Client → Server: LM Response = DUMMY; NTLMv2 Response = ƒ(Unicode pwd, nonce_s, nonce_c)
- Server → Client: Authn_Result

LMCompatibilityLevel

Client-side impact
| Level | Sends                    | Accepts           | Prohibits Sending        |
| 0*    | LM, NTLM                 | LM, NTLM, NTLMv2  | NTLMv2, Session security |
| 1     | LM, NTLM, Session security | LM, NTLM, NTLMv2 | NTLMv2                 |
| 2*    | NTLM, Session security   | LM, NTLM, NTLMv2  | LM and NTLMv2            |
| 3     | NTLMv2, Session security | LM, NTLM, NTLMv2  | LM and NTLM              |

Server-side impact
| Level | Sends                    | Accepts           | Prohibits Accepting      |
| 4     | NTLMv2, Session security | NTLM, NTLMv2      | LM                       |
| 5     | NTLMv2, Session security | NTLMv2            | LM and NTLM              |

* Default on some OS

Kerberos Authentication
- Authenticates access to domain resources by domain members
- Uses different operations than NTLM
- Sensitive data is better protected from eavesdropping
- RFC compliant (yes, it is!)
- Uses NT hash
- Well documented

How Passwords Are Attacked

Key Point
- Bad passwords get broken, even when using good storage and authentication methods!
- Solutions:
  1. Use better passwords
  2. Don't let bad guys get the hashes

Four Types of Attack
- Passive online
- Active online
- Offline attacks
- Non-electronic attacks

Passive Online Attacks: Wire Sniffing
- Access and record raw network traffic
- Wait until authn sequence
- Brute force credentials
- Considerations:
  - Relatively hard to perpetrate
  - Usually extremely computationally complex
  - Tools widely available

Passive Online Attacks: Man-in-the-Middle and Replay Attacks
- Somehow get access to communications channel
- Wait until authn sequence
- Proxy authn traffic
- No need to brute-force
- Considerations:
  - Relatively hard to perpetrate
  - Must be trusted by one or both sides
  - Some tools widely available
  - Can sometimes be broken by invalidating traffic

SMB Reflection Attack
1. Hey, I want to connect
2. What a coincidence, so do I.
3. OK, here is a challenge
4. Thanks! Here's your challenge, right back at you
5. All right, here's my response to your (my) challenge.
6. That's so nice, here's your response back to you

Cracking v. Guessing
- Guessing
  - Guessing from the logon prompt
  - Very slow
  - Easy to detect
  - Core problem: bad passwords
- Cracking
  - Cracking presumes attacker has hashes
  - Hashes may be world readable; if not, system has already been hacked
  - Very fast
  - Core problem: bad guys with access to hashes

Active Online Attacks: Password Guessing
- Try different passwords until one works
- Succeeds with… bad passwords, open authentication points
- Considerations:
  - Should take a long time
  - Requires huge amounts of network bandwidth
  - Easily detected
  - Core problem: bad passwords

Offline Attacks
- Attacker has password database. How?
- Hard on Windows, easier on Unix
- Can attack at leisure
- Password representations must be cryptographically secure
- Considerations:
  - Moore's law
  - Attacks against cached credentials about 3x slower

Offline Attacks: Dictionary Attack
- Try different passwords from a list
- Succeeds only with poor passwords
- Considerations:
  - Very fast
  - Core problem: bad passwords

Offline Attacks: Hybrid Attack
- Start with dictionary
- Insert entropy: append a symbol, append a number, …
- Considerations:
  - Relatively fast
  - Succeeds when entropy is poorly used

Offline Attacks: Brute-force Attack
- Try all possible passwords; more commonly, a subset thereof
- Usually implemented with progressive complexity
- Typically, LM "hash" is attacked first
- Considerations:
  - Very slow
  - All passwords will eventually be found
  - Attack against NT hash is MUCH harder than LM hash

Offline Attacks: Pre-computed Hashes
- Generate all possible hashes a priori
- Compare to database values
- Storing hashes requires huge storage
  - LM "hashes": 310 Terabytes
  - NT hashes
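The NT hash and cached-credential derivations described in the "NT Hash Generation" and "Cached Credentials Generation" slides, and the unsalted-hash consequence behind the pre-computed hash slide, as an added example that is not part of the deck. It carries its own MD4 (RFC 1320) because hashlib's "md4" is often unavailable under OpenSSL 3; the cached-credential formula follows the slide's MD4(NT hash || Unicode username), and lowercasing the username before concatenation is an assumption the slide does not spell out. The three accounts and the password "Seattle1" are constructed sample data.

```python
import struct

# Pure-Python MD4 (RFC 1320): hashlib's "md4" is often disabled under OpenSSL 3.
def _f(x, y, z): return (x & y) | (~x & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z
def _rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

_ROUNDS = (  # (mixing function, additive constant, shift amounts, message-word order)
    (_f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
    (_g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (_h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)

def md4(data: bytes) -> bytes:
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Pad to 56 bytes mod 64, then append the bit length as a little-endian 64-bit word.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = list(h)
        for fn, const, shifts, order in _ROUNDS:
            for i, k in enumerate(order):
                j = -i % 4  # register updated in this step cycles a, d, c, b, ...
                t = r[j] + fn(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4]) + x[k] + const
                r[j] = _rotl(t & 0xFFFFFFFF, shifts[i % 4])
        h = [(u + v) & 0xFFFFFFFF for u, v in zip(h, r)]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    # NT hash = MD4 of the UTF-16LE ("Unicode") password: case preserving, unsalted.
    return md4(password.encode("utf-16-le"))

def cached_credential(username: str, password: str) -> bytes:
    # "Hash of a hash": MD4(NT hash || UTF-16LE username). Lowercasing the
    # username is an assumption; the slide shows only the concatenation.
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))

def demo() -> bool:
    # Constructed sample: three accounts that share one password.
    users = ["Alice", "Bob", "Cecil"]
    nt = {u: nt_hash("Seattle1").hex() for u in users}
    cc = {u: cached_credential(u, "Seattle1").hex() for u in users}
    # Unsalted NT hashes collide across users, so one pre-computed table serves
    # every account; the username inside the cached credential acts as a salt.
    return len(set(nt.values())) == 1 and len(set(cc.values())) == len(users)

if __name__ == "__main__":
    print(nt_hash("password").hex(), demo())  # 8846f7eaee8fb117ad06bdd830b7586c True
```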