TRANSCRIPT
Windows Passwords: Everything You Need To Know
Jesper M. Johansson, Enterprise Security Architect, Security Business and Technology Unit, Microsoft Corporation
[email protected]

Overview
How passwords are stored
How passwords are used
How passwords are attacked
Password best practices

How Windows Stores Passwords
In the beginning…

Password Representations
LM "hashes": old technology used on LAN Manager
NT hashes: a.k.a. Unicode password or MD4 hash; used for authentication on more recent Windows systems
Cached credentials: derivation of the NT hash
Stored User Names and Passwords: the calling application decides on the representation

LM "Hash" Generation
Padded with NULL to 14 characters
Converted to upper case
Separated into two 7 character strings
Diagram: Seattle1 = SEATTLE + 1****** (each half is used as a DES key); DES(key = SEATTLE, constant) and DES(key = 1******, constant); concatenate the two outputs → LM Hash

LM "Hash" Considerations
It's not a hash
Limited character set: common alphanumeric set only; case insensitive; 142 symbols
Padded to exactly 14 characters
Actually two seven-character passwords
Maximum number of passwords ≈ 6.8*10^12
Unsalted…

Salting
Prevents deriving passwords from the password file
Stored representation differs
Side effect: defeats pre-computed hash attacks
Example from the slide (same password for all three users, different stored representation):
Alice:root:b4ef21:3ba4303ce24a83fe0317608de02bf38d
Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac
Cecil:root:209be1:a483b303c23af34761de02be038fde08

NT Hash Generation
Hash the password
Store it
Diagram: Seattle1 → MD4 → unicodePwd

NT Hash Considerations
Case preserving
65,535 symbols
Maximum length = 127 characters
Number of ≤14-character passwords, same char set as LM hash ≈ 4.6*10^25
Number of ≤14-character passwords (full char set) ≈ 2.7*10^67
Number of 127-character passwords ≈ 4.9*10^611
Unsalted

Cached Credentials Generation
Stored at logon
Managed by LSA
Hash of a hash
Diagram: Unicode Pwd → MD4 → concatenate with Username → hash again → Cached Creds.
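The NT hash and cached-credential constructions from the last two slides, worked through in code. This is an added example, not code from the presentation: a pure-Python MD4 (hashlib often lacks it), the NT hash as MD4 of the UTF-16LE password, and the cached credential as MD4 over the NT hash concatenated with the user name. The slide does not show the case handling of the user name; lower-casing it before hashing is assumed here from the classic cached-credential format. Running it shows the salting point: two users with the same password get identical (unsalted) NT hashes but different cached credentials.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(msg: bytes) -> bytes:
    """MD4 per RFC 1320: 48 steps per 64-byte block, little-endian words."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1: F, message words in order
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G, column-wise word order
                f, k, s, t = ((b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4,
                              (3, 5, 9, 13)[i % 4], 0x5A827999)
            else:         # round 3: H, bit-reversed word order
                f, k, s, t = b ^ c ^ d, r3_order[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + f + x[k] + t) & MASK32, s), b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the UTF-16LE ("Unicode") password. No salt, case preserved."""
    return md4(password.encode("utf-16-le"))


def cached_credential(password: str, username: str) -> bytes:
    """Cached credential ("hash of a hash"): MD4 over NT hash || user name.
    Assumption (not on the slide): the user name is lower-cased first."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))


if __name__ == "__main__":
    # Constructed sample: two accounts that share the slide's example password.
    for user in ("Alice", "Bob"):
        print(user, nt_hash("Seattle1").hex(), cached_credential("Seattle1", user).hex())
    # Same NT hash for both (unsalted); different cached credentials, because the
    # user name acts as a salt. That is why pre-computed tables do not apply to them.
```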

Stored User Names And Passwords
Credential Manager
Stores specific password-based credentials locally
Applications can leverage it for password storage
Uses DPAPI for storage

How Passwords Are Used: Authentication
Authentication (authn)
Winlogon passes the authn information to LSASS
LSASS determines the authn package
Local or remote login? If remote:
Kerberos
MSV1_0: NTLMv2, NTLM, LM
The chosen package generates authn data

NTLM And LM Authentication On The Wire
Client → Server: Authn_Request
Server → Client: Server_Challenge – nonce
Client → Server: LM Response – DES(LM Hash, nonce); NTLM Response – DES(Unicode pwd, nonce)
Server → Client: Authn_Result

NTLMv2 Authentication On The Wire
Client → Server: Authn_Request
Server → Client: Server_Challenge – nonce_s
Client → Server: LM Response – DUMMY; NTLMv2 Response – ƒ(Unicode pwd, nonce_s, nonce_c)
Server → Client: Authn_Result

LMCompatibilityLevel
Client-side impact:
Level  Sends                       Accepts            Prohibits Sending
0*     LM, NTLM                    LM, NTLM, NTLMv2   NTLMv2, Session security
1      LM, NTLM, Session security  LM, NTLM, NTLMv2   NTLMv2
2*     NTLM, Session security      LM, NTLM, NTLMv2   LM and NTLMv2
3      NTLMv2, Session security    LM, NTLM, NTLMv2   LM and NTLM
Server-side impact:
Level  Sends                       Accepts            Prohibits Accepting
4      NTLMv2, Session security    NTLM, NTLMv2       LM
5      NTLMv2, Session security    NTLMv2             LM and NTLM
* Default on some OS

Kerberos Authentication
Authenticates access to domain resources by domain members
Uses different operations than NTLM
Sensitive data is better protected from eavesdropping
RFC compliant (yes, it is!)
Uses NT hash
Well documented

How Passwords Are Attacked
Key Point
Bad passwords get broken, even when using good storage and authentication methods!
Solutions
1. Use better passwords
2. Don't let bad guys get the hashes

Four Types of Attack
Passive online
Active online
Offline attacks
Non-electronic attacks

Passive Online Attacks: Wire Sniffing
Access and record raw network traffic
Wait until authn sequence
Brute force credentials
Considerations
Relatively hard to perpetrate
Usually extremely computationally complex
Tools widely available

Passive Online Attacks: Man-in-the-Middle and Replay Attacks
Somehow get access to communications channel
Wait until authn sequence
Proxy authn traffic
No need to brute-force
Considerations
Relatively hard to perpetrate
Must be trusted by one or both sides
Some tools widely available
Can sometimes be broken by invalidating traffic

SMB Reflection Attack
1. Hey, I want to connect
2. What a coincidence, so do I.
3. OK, here is a challenge
4. Thanks! Here's your challenge, right back at you
5. All right, here's my response to your (my) challenge.
6. That's so nice, here's your response back to you

Cracking v. Guessing
Guessing from the logon prompt
Very slow
Easy to detect
Core problem: bad passwords
Cracking presumes the attacker has hashes
Hashes may be world readable
If not, the system has already been hacked
Very fast
Core problem: bad guys with access to hashes

Active Online Attacks: Password Guessing
Try different passwords until one works
Succeeds with… bad passwords
Open authentication points
Considerations
Should take a long time
Requires huge amounts of network bandwidth
Easily detected
Core problem: bad passwords

Offline Attacks
Attacker has password database
How? Hard on Windows, easier on Unix
Can attack at leisure
Password representations must be cryptographically secure
Considerations
Moore's law
Attacks against cached credentials about 3x slower

Offline Attacks: Dictionary Attack
Try different passwords from a list
Succeeds only with poor passwords
Considerations
Very fast
Core problem: bad passwords

Offline Attacks: Hybrid Attack
Start with dictionary
Insert entropy
Append a symbol
Append a number
…
Considerations
Relatively fast
Succeeds when entropy is poorly used

Offline Attacks: Brute-force Attack
Try all possible passwords; more commonly, a subset thereof
Usually implemented with progressive complexity
Typically, LM "hash" is attacked first
Considerations
Very slow
All passwords will eventually be found
Attack against NT hash is MUCH harder than LM hash

Offline Attacks: Pre-computed Hashes
Generate all possible hashes a priori
Compare to database values
Storing hashes requires huge storage
LM "Hashes": 310 Terabytes
NT Hashes < 15 chars: 5,652,897,009 exabytes
Solution: use a time-space tradeoff
Succeeds due to lack of salt

Offline Attacks: Pre-computed Hashes – Considerations
Takes significant effort up front
LM hashes much more vulnerable due to smaller key space and shorter length
Web services available
SETI-style efforts to generate tables
Do not work against cached credentials

Mitigations
Use good passwords
Remove LM hashes

Pass-The-Hash Attacks
Tool computes the response from the nonce based on an arbitrary hash
Tools are rare but are available
Instant attack
Does not work with cached credentials
LM Response – DES(LM Hash, nonce)
NTLM Response – DES(Unicode pwd, nonce)

Offline Dictionary And Brute Force Attack

Non-Technical Attacks
Shoulder surfing
Watching someone type their password
Common and successful
Mouthing password while typing
Keyboard sniffing
Hardware is cheap and hard to detect
Software is cheap and hard to detect
Both can be controlled remotely
Social engineering…

Password Cracking at Layer 8
http://zdnet.com.com/2100-1105_2-5195282.html
http://story.news.yahoo.com/news?tmpl=story&cid=528&e=1&u=/ap/20050317/ap_on_go_ca_st_pe/irs_computer_security

Great Password, Weak Implementation

Password Best Practices
Pass Phrases v. Passwords
Longer Is Better!

Technology-Based Mitigation
Disable LM hash storage: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
Passwords > 14 characters
Certain Unicode characters
Clustering, Windows CE, RTC, ??? broken
Set NtlmMinClientSec & 0x80010
Deploy password policy
Minimum length
Complexity
Expiration
Reuse

Password Filter
Complexity check inside a custom password filter DLL (the slide's sketch, made consistent; strInList() and aBadWords are the filter's own dictionary check and are assumed to exist):

    // Character classes come from GetStringTypeW (C1_* flags per character),
    // not from the character values themselves.
    BOOL IsPasswordComplex(const WCHAR *szPwd, DWORD cchPassword, BOOL bUserIsAdmin)
    {
        WORD  aType[256];
        DWORD dwNum = 0, dwUpper = 0, dwLower = 0, dwSym = 0, dwUnicode = 0, i;
        BOOL  bComplex = FALSE;

        if (cchPassword == 0 || cchPassword > 256) return FALSE;
        if (strInList(szPwd, aBadWords)) return FALSE;          // dictionary words never pass
        if (!GetStringTypeW(CT_CTYPE1, szPwd, (int)cchPassword, aType)) return FALSE;

        if (cchPassword > 9) {
            for (i = 0; i < cchPassword; i++) {
                if (aType[i] & C1_DIGIT) { dwNum = 1;     continue; }
                if (aType[i] & C1_UPPER) { dwUpper = 1;   continue; }
                if (aType[i] & C1_LOWER) { dwLower = 1;   continue; }
                if (aType[i] & C1_PUNCT) { dwSym = 1;     continue; }   // the slide's "symbol" class
                if (szPwd[i] > 0x7F)     { dwUnicode = 1; continue; }   // the slide's isUnicode()
            }
        }

        if (bUserIsAdmin) {   // Admins need better passwords than users
            if (dwNum + dwUpper + dwLower + dwSym + dwUnicode == 5 && cchPassword > 14)
                bComplex = TRUE;
        } else {              // User is not an admin, use lower requirements
            if (dwNum + dwUpper + dwLower + dwSym + dwUnicode >= 4)
                bComplex = TRUE;
        }
        return bComplex;
    }

Technology-Based Mitigation: Multi-factor Authentication
Why use passwords at all?
Smart cards: two-factor authentication
Very difficult to thwart
High cost of initial deployment
Biometric: two- or three-factor authentication
Usually defeated with non-technical attacks
Very expensive
Failure-prone

Fun With Biometrics

Detecting Attacks - Account Lockout

Summary
How passwords are stored
How passwords are used
How passwords are attacked
Password best practices

Passwords Article Series
http://www.microsoft.com/technet/security/secnews/newsletter.htm

For more information
Jesper and Steve finally wrote a book!
Order online: http://www.awprofessional.com/title/0321336437
Use promo code JJSR6437
Jesper M. Johansson, [email protected]

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.