report password cracking (2)

• 1. Nhm : GVHD: Trn Quc Dng Phm Vn Tnh Nguyn Hi ng Nguyn H Vng Trng Quang Minh

2. Password Crack

• I. Gii Thiu SAM

• II. Tng Qut c ch M Ha Password Trong Windows

• III. X L Logon Trong Windows

• IV.Cc kiu Tn Cng

• V. DEMO

3. SAM

• SAM (security account manager) lu tr username v password ca user.

• Password ca user lu trong SAM th c m ha

• Password ca user acccount l s kt hp ca 2 loi password: LAN Manager v Window NT password

• Password lu trong SAM c qua 2 ln m ha

• DngOWF

• M ha theo user ID

• User c th thiu 1 trong 2 loi mt khu.

4. System key technology

• System key(syskey) l 1 k thut dng bo v file SAM ca Microsoft

• Xut hin u tin Service Pack 2,nhng c pht trin Service Pack 3

• Thut ton m ha ca syskey c chiu di key 128 bit

• c thc hin bi syskey.exe

5. System key

• kch hot syskey :Run-> syskey->update

• Password Startup

• Store startup key on floppy disk

• Store Startup key Locally

6. SAM Registry key

• Key SAMc lu tr trong HKEY_LOCAL_MACHINEc qun l bi Registry Editor(regedt32.exe)

• Ch c System mi thay i chnh sa c

7. SAM on Storage Subsystems

• SAM v Syskey c lu trong2 th mc %systemroot%/repair, %systemroot%/system32 /config.

• Window explorer ch truy nhp vo c 2 th mc vi quyn hn System

• Trong th mc config, user khng th tng tc n file SAM.

• Th mc repair, user thngc th truy cp vo file SAM .

8. SAM on Network

• Nu computer l1 phn ca domain th SAMc lu tr trong active directory

• SAMlu tr thng tin, quyn hn ca user v group trong domain

9. II.C CH M HA PASSWORD CA WINDOWS 10. M HA PASSWORD TRONG WINDOWS

• User record c lu tr trong c s d liu Security Accouts Manager(SAM) hoc trong c s d liu Active Directory.

• Mi user account c kt hp bi 2 password:

• • • • +LAN Manager Compatible Password.

• • • • +WinDows Password.

11.

• Cn c gi l LM Hash.

• c gii thiu u tin bi cc h iu hnh c nh Windows 95,98

• Hin nay vn cn c s dng bi windows 2000,windows xp,vista v l do tng thch ngc vi cc h iu hnh c hn.

LAN Manager-compatible password: 12.

• Password ny da trn OEM character set

• Chiu di ti a l 14 k t

• • Cc bc tnh LM hash:

• • • Password uppercase

• • • Password c null-padded 14bytes

• • • c chi i thnh 7bytes mi phn.

• • • Mi 7bytes8bytes DES key

• • • Mi key dng m ha constandKGS!@#$% ciphertext

• • • 2 ciphertext c ni li vi nhau LM hash

LAN Manager-compatible password: 13. LAN Manager-compatible password: 14.

• Khuyt im:

• • • Chiu di password>spacekey^7.

• • • *LM HASH l mt weak password

LAN Manager-compatible password: 15.

• c gii thiu bi Windows NT, tng tnh an ton cho password so vi vic s dng LM hash.

• Da trn unicode char set.

• Chiu di n c th c nng ln 128 k t.

• Password ny c tnh bng cch s dng thut ton m ha RSA MD-4

Windows Password(NT HASH) 16. Windows Password(NT HASH) PASSWORD/USER INFORM NT windows Hash 17. III.X L LOGON TRONG WINDOWS 18. X L LOGON TRONG WINDOWS LOCAL MACHINE LOGON DOMAIN LOGON 19.

• Windows s dng LsaLogonUser API thc hin qu trnh xc thc.

• LsaLogonUser API gi gi phn mm xc thc MSV1_0.

• MSV1_0(MSV)-gi ny c gii thiu bi Window NT.

• Gi MSV ny ngoi h tr xc thc qu trnh local logon n cn h tr pass-through xc thc user trong nhng domain khc bng vic s dng dch v Netlogon.

X L LOGON TRONG WINDOWS 20.

• Gi xc thc MSV c chia thnh hai phn: top v bottom half.

• • • Top half chy trn my tnh ng nhp(local machine), n m ha password v chuyn n thnh : LAN Manager password v Windows password. Ty vo local machine logon hay domain logon m n c nhng chin lc x l khc nhau.

• • • bottom half chy trn my tnh cha thng tin user account,n truy vn password trong SAM v so snh vi password a vo quyt nh kt qu ca qu trnh xc thc.

X L LOGON TRONG WINDOWS 21. LOCAL MACHINE LOGON process SAM DATAbase TOP HALF BOTTOM HALF M S V 1_0 Packet 1.Encrypt/hash 2.Send 3.Query 4.Send stored hashpassword User/password 5.compare Reply result 22. DOMAIN LOGON 23. Some LAN Authentication protocols

• LM Authentication

• NTLM Authentication

• • • +NTLMv1

• • • +NTLMv2

24. NT LAN Manager Authentication

• NTLM l mt giao thc xc thc c s dng bi Microsoft Windows xc thc gia client v server.

• NTLM l tn mt tp cc security protocol ca Windows

• N l mtchallenge-response style authentication protocol.

25.

• Giao thc ny s s dng mt challenge-response trao i messages trnh t gia client v server:

• • • + NEGOTIATE_MESSAGE

• • • +CHALLENGE_MESSAGE

• • • +AUTHENTICATE_MESSAGE

NT LAN Manager Authentication 26.

• NEGOTIATE_MESSAGE:

• • The NEGOTIATE_MESSAGE nh ngha mt NTLM Negotiate message,n c gi t client n server. Yu cu m mt session authentication.

• CHALLENGE_MESSAGE

• • The CHALLENGE_MESSAGE nh ngha mt NTLM challenge message c gi t server n client, cha challenge random

• AUTHENTICATE_MESSAGE

• • Cha respond c tnh bi client ( DES(Unicode pwd, nonce) c gi n server.

NT LAN Manager Authentication 27. NT LAN Manager Authentication 28.

• C = 8-byte server challenge

• random K1 | K2 | K3 = NT-Hash | 5-bytes-0

• R1 = DES(K1,C) | DES(K2,C) | DES(K3,C) K1 | K2 | K3 = LM-Hash | 5-bytes-0

• R2 = DES(K1,C) | DES(K2,C) | DES(K3,C)

• response = R1 | R2

NTLMv1 29. NTLMv1 30. NTLMv2

• CS = 8-byte server challenge, random

• CC = 8-byte client challenge, random

• CC* = (X, time, CC, domain name)

• v2-Hash = HMAC-MD5(NT-Hash, user name, domain name)

• LMv2 = HMAC-MD5(v2-Hash, CS, CC)

• NTv2 = HMAC-MD5(v2-Hash, CS, CC*)

• response = LMv2 | CC | NTv2 | CC*

31. NTLMv2 32. DOMAIN LOGON 33. DOMAIN LOGON

• Top Half MSV hng cho request n netlogon service(nsl) ca my hin ti. Sau nsl truyn request n cho netlogon service ca my remote.

• Server tr v nonce (16bit challenge), nonce v hashed password c merge vi nhau v gi li server.

• the Netlogon service of the authenticating machine hng the request n bottom half ca gi MSV.

• The bottom half of the MSV Authentication Package truy vn the passwords trong SAM v so snh n m bo passwords nhp vo c hp ln khng.

34. DOMAIN LOGON NetLogon service Bottom HALF SAM TOP HALF NetLogon service Logon Request 1.Send Hashed password 2.Send request 3.nonce 4.Merged password 5.Send m-p query reply 6.result 7.result 35. IV.Cc kiu tn cng 36. Cracking Password

• • Three basic types of password cracks exist:

• • • Dictionary attacks

• • • Hybrid attacks

• • • Brute force attacks

37. Dictionary Attacks

• • • Dictionary password attackl li nhng t trong t in hay mt danh sch t(wordlist) th tm ra password ca mt user.

• • • Dictionary attacks dng mt t in nh trc tm kim s hp nhau gia password c m ha v t trong t in c m ha

• • • Dictionary attackkhi phc password ca mt user trong mt thi gian ngn nu nhng t trong dictionary c s dng n gin.

38. Cu trc mt WordList 39. Hybrid Attacks

• Hybrid attackcng s dng mt t in hay mt danh sch t tng t nhdictionary attacknhng n thng minh hn ch t ng gn thm nhng k t v s ti nhng t trong t in th b kha password ca user.

• V d:

• • Mt user c password lpassword

• • Nhng bin th:1password, password1, p@ssword, pa44w0rd,

40. Brute force Attacks

• • • Brute force attacks dng nhng s v k t ngu nhin b kha password ca mt user