Windows

This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis.

I have edited and added material.

Dr. Stephen C. Hayne

Windows Security

Local Security Authority (LSA) Determines whether a logon attempt is

valid Security Accounts Manager (SAM)

Receives user logon information and checks it with its database to verify a correct username/password

SAM Database Stores the LM and NT password hashes

Windows Passwords LM Password

Used for backward compatibility

Stores passwords in CAPS Much easier to crack

than NT Hashes Password is not hashed

or encrypted Broken up into 2 groups

of 7 characters Usually gives away the

NT password if cracked

NT Password Used for compatibility

with Windows NT/2000 systems

Stores password exactly how they were entered by the user

Uses a series of 2 one way hashes to hash the password

Does not salt passwords like Unix

Windows “NT” Passwords Length

Anywhere from 0 to 14 characters Characters

All letters (upper and lowercase), numbers, and symbols are acceptable

Stored in SAM database \WINNT\system32\config or \WINNT\repair …

NT Passwords

1. Hashed using RSA MD4 function Not reversable! But can be

replicated… 2. Hashed again using MS function

into SAM Reversable and fairly simple

3. Encrypted using Syskey function Strong encryption of SAM on disk

LM Passwords VS. NT Passwords

An 8 character LM password is 890 times easier to crack than an 8 character NT password

A 14 character LM password is 450 trillion times easier to crack than a 14 character NT Password 450 trillion = 450,000,000,000,000

Windows Cracking

Obtain copy of SAM and run L0phtCrack

BUT – can’t get “real” SAM if system uses Active Directory

UNLESS, use PWDUMP3 first…

NTFSDos and SAMDump NTFSDos

Utility that allows DOS to view NTFS partitions

Can be placed on a boot disk and used to access files that can’t be accessed in Windows

SAMDump Utility that “dumps”

the password hashes in the SAM database

Can be used to view the password hashes or to export them into a text file

If Syskey is used, displayed hashes will be incorrect

http://www.hackingexposed.com/links-cdrom/links-cdrom.html

PWDump3

A utility similar to SAMDump Grabs password hashes from

memory instead of the SAM database Because of this, it will work with

Syskey enabled Can only be used by the

Administrator on each system

L0phtCrack Uses Dictionary, Hybrid, and Brute Force

attacks on password hashes Can get password from a local machine, a

repair disk, a copied SAM file, or over a network (By sniffing packets)

Can only be used by users who have Administrator status

Uses a built in version of PWDump3 to access the password hashes from memory

Password Protectionhttp://www.ntbugtraq.com/default.asp?

sid=1&pid=47&aid=15

1. Remove permissions from the “repair” file

2. Audit Password Registry Keys3. Use a strong Admin password and

DON’T share it!1. Integrate @#$%{|> characters – increases

key space 100 times2. Possibly add characters from [Alt+###]

Un*x Cracking

Obtain “John the Ripper” Run against /etc/passwd file