Post on 26-Dec-2015
TRANSCRIPT
Windows
This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis.
I have edited and added material.
Dr. Stephen C. Hayne
Windows Security
- Local Security Authority (LSA): determines whether a logon attempt is valid
- Security Accounts Manager (SAM): receives user logon information and checks it against its database to verify the username/password
- SAM database: stores the LM and NT password hashes
Windows Passwords: LM Password
- Used for backward compatibility
- Stores passwords in CAPS
- Much easier to crack than NT hashes
- Password is not hashed or encrypted
- Broken up into 2 groups of 7 characters
- Usually gives away the NT password if cracked
NT Password
- Used for compatibility with Windows NT/2000 systems
- Stores the password exactly as it was entered by the user
- Uses a series of 2 one-way hashes to hash the password
- Does not salt passwords like Unix does
Windows “NT” Passwords
- Length: anywhere from 0 to 14 characters
- Characters: all letters (upper and lowercase), numbers, and symbols are acceptable
- Stored in the SAM database: \WINNT\system32\config or \WINNT\repair …
NT Passwords
1. Hashed using the RSA MD4 function: not reversible! But can be replicated…
2. Hashed again using an MS function into the SAM: reversible and fairly simple
3. Encrypted using the Syskey function: strong encryption of the SAM on disk
LM Passwords vs. NT Passwords
- An 8-character LM password is 890 times easier to crack than an 8-character NT password
- A 14-character LM password is 450 trillion times easier to crack than a 14-character NT password (450 trillion = 450,000,000,000,000)
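The 890-to-1 figure above can be reproduced from how the two hash types are built. The following is an added example, not code from the presentation: it counts worst-case brute-force candidates per hash for a given password length, treating the two 7-character LM halves as attacked independently, with the character-set sizes as assumptions (95 printable ASCII characters for NT, 69 for LM once the password has been upper-cased).

```python
# Added example: compare the brute-force search space of an LM hash with
# that of an NT hash for the same password length.  Character-set sizes are
# assumptions: 95 printable ASCII characters for NT (case preserved), 69 for
# LM (26 upper-case letters + 10 digits + 33 symbols) because LM upper-cases
# the password first.  This is not code from the presentation.

NT_CHARSET = 95      # assumed: printable ASCII, case preserved
LM_CHARSET = 69      # assumed: case folded to upper, so 26 fewer choices
LM_HALF = 7          # LM splits the password into two 7-character halves
LM_MAX = 14          # LM covers at most 14 characters


def nt_keyspace(length: int) -> int:
    """Worst-case number of candidates an attacker must try against an NT hash."""
    return NT_CHARSET ** length


def lm_keyspace(length: int) -> int:
    """Worst-case candidates against an LM hash of the given length.

    Each 7-character half is attacked on its own, so the total work is the
    SUM of the two halves' key spaces, not their product.  A second half that
    holds no characters costs nothing (it always produces the same value).
    """
    if not 0 <= length <= LM_MAX:
        raise ValueError("LM hashes cover at most 14 characters")
    first = min(length, LM_HALF)
    second = max(length - LM_HALF, 0)
    work = LM_CHARSET ** first if first else 0
    if second:
        work += LM_CHARSET ** second
    return work


def lm_vs_nt_ratio(length: int) -> float:
    """How many times larger the NT search space is than the LM one."""
    lm = lm_keyspace(length)
    return nt_keyspace(length) / lm if lm else float("inf")


def keyspace_table(max_length: int = LM_MAX) -> list:
    """(length, LM work, NT work, NT/LM ratio) for every length up to max_length."""
    return [(n, lm_keyspace(n), nt_keyspace(n), lm_vs_nt_ratio(n))
            for n in range(1, max_length + 1)]


if __name__ == "__main__":
    print(f"{'len':>3} {'LM work':>16} {'NT work':>28} {'NT/LM':>12}")
    for n, lm, nt, ratio in keyspace_table():
        print(f"{n:>3} {lm:>16,} {nt:>28,} {ratio:>12.3g}")
```

For 8 characters the computed ratio lands between 890 and 891, matching the slide; for 14 characters the result depends on whether the two LM halves are counted as one search or two, so treat it as a sanity check on the reasoning rather than an exact reproduction of the second figure.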
Windows Cracking
- Obtain a copy of the SAM and run L0phtCrack
- BUT – can’t get the “real” SAM if the system uses Active Directory
- UNLESS you use PWDUMP3 first…
NTFSDos and SAMDump
NTFSDos
- Utility that allows DOS to view NTFS partitions
- Can be placed on a boot disk and used to access files that can’t be accessed in Windows
SAMDump
- Utility that “dumps” the password hashes in the SAM database
- Can be used to view the password hashes or to export them into a text file
- If Syskey is used, the displayed hashes will be incorrect
http://www.hackingexposed.com/links-cdrom/links-cdrom.html
PWDump3
- A utility similar to SAMDump
- Grabs password hashes from memory instead of the SAM database; because of this, it will work with Syskey enabled
- Can only be used by the Administrator on each system
L0phtCrack
- Uses dictionary, hybrid, and brute-force attacks on password hashes
- Can get passwords from a local machine, a repair disk, a copied SAM file, or over a network (by sniffing packets)
- Can only be used by users who have Administrator status
- Uses a built-in version of PWDump3 to access the password hashes from memory
Password Protection
http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=15
1. Remove permissions from the “repair” file
2. Audit password registry keys
3. Use a strong Admin password and DON’T share it!
   1. Integrate @#$%{|> characters – increases key space 100 times
   2. Possibly add characters from [Alt+###]
Un*x Cracking
- Obtain “John the Ripper”
- Run it against the /etc/passwd file