Microsoft authentication
- Windows stores passwords in hashed form using either:
- Security Accounts Manager (SAM) Database
- A file stored at
%SystemRoot%/system32/config/SAM
- Locked by Windows kernel to prevent copying/moving
- Usually stolen through bootable CD/USBs.
- A file stored at
- Active Directory Database
- Stored on a domain controller in a database
- Located in either
%SystemRoot%\NTDS\Ntds.dit
or%SystemRoot%\System32\Ntds.dit
- Security Accounts Manager (SAM) Database
NTLM authentication
- New Technology (NT) LAN Manager (LM)
- Security protocols, default authentication scheme
- 📝 Consists of LM and NTLM authentication protocols
- Challenge-response authentication protocols
- Each stores user passwords in SAM database using different hash methodologies
- 💡 Try all as many systems still keep older authentication for backwards compatibility.
- 💡 Insecure, can be disabled through GPO (Group Policy Object) with privacy.sexy
LM vs NTLM
LM
LM is the oldest password protocol dating back to OS/2 in 1980's
LM Hash
- E.g.
aad3c435b514a4eeaad3b935b51304f
- 📝 Flow
- Convert all lower case to upper case (case-insensitive)
- Pad password to 14 characters with NULL characters
- Split the password to two 7 character chunks
- Create two DES keys from each 7 character chunk
- DES encrypt the string "
KGS!@#$%
" with these two chunks - Concatenate the two DES encrypted strings = LM hash.
- E.g.
Authentication flow
- Client ends authentication request
- Server response with a challenge
- Client responds with DES encrypted LM hash with challenge as key
Weaknesses
- No salting allowing MITM attacks (through pass the hash and rainbow tables).
- If password is less than 7 characters second half is always
0xAAD3B435B51404EE
- Maximum allowed length is 14 characters
- Case insensitive: PassWord, PaSsWoRd, PASSword and other similar combinations are same as PASSWORD.
- 💡 Turned off as default since Windows Vista/Server 2008 as it's weak
Cracking
john --format=lm hash.txt
hashcat -m 3000 -a 3 hash.txt
NTLM
Also known as NT LAN Manager
Uses DES with MD4 hash, used in Windows NT until SP3
NTLM Hash
Also known as NTLM hash, NTHash, *NT hash'.
Algorithm:
MD4(UTF-16-LE(password))
- UTF-16-LE is the little endian UTF-16
E.g.
B4B9B02E6F09A9BD760F388B67351E2B
Cracking
- Can be extracted using e.g. SAM database or mimikatz
- Then
john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt
NTLMv1
Also known as Net-NTLMv1
Uses both the NT and LM hash, depending on configuration and what is available.
Deprecated, but still used in some old systems on the network.
E.g.
u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c
Authentication flow
C = 8-byte server challenge, random
- Server sends sending an 8-byte random number, the challenge
K1 | K2 | K3 = NTLM-Hash | 5-bytes-0
- Five zeroes are added to the hash to achieve 21 bytes
- 21 bytes is split into three 7 byte parts
response = DES(K1,C) | DES(K2,C) | DES(K3,C)
- Each part is used as key in DES
- Three encryptions are reunited to form the 24-byte response
Cracking
- 💡 Easy to crack as it lacks salting
- Can be captured using Responder
- Then
john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt
NTLM v2
Also known as Net-NTLMv2
Uses MD5
Introduced in Windows NT 4.0 SP1 (Windows 2000)
E.g.
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
Replaces NTLM with
- stronger cryptography against spoofing attacks
- ability to authenticate the client
Authentication flow
SC = 8-byte server challenge, random
- Server sends sending an 8-byte random number, the challenge
CC = 8-byte client challenge, random
- 8-byte random value for the challenge
CC* = (X, time, CC2, domain name)
time
: the current time in NT Time formatCC2
: an 8-byte random valueX
: fixed contents of a formatting field.
v2-Hash = HMAC-MD5(NT-Hash, user name, domain name)
- HMAC-MD5 hash of users password and domain name with other identifying information
LMv2 = HMAC-MD5(v2-Hash, SC, CC)
NTv2 = HMAC-MD5(v2-Hash, SC, CC*)
response = LMv2 | CC | NTv2 | CC*
Cracking it
- Can be captured using Responder
- Then:
john --format=netntlmv2 hash.txt
hashcat -m 5600 -a 3 hash.txt
Pass the hash attack
- Also known as pass-the-hash
- Allows gaining access to systems without accessing password in plaintext
- Can be used on any systems using LM or NTLM authentication
- Exploits static hash that's shared between sessions in authentication protocol
- Helps to hack Windows user name, domain name, and password hashes
- Can dump hashes
- from compromised machines by e.g. Windows Credentials Editor and Pass-the-Hash Toolkit
- or sniff the network
- Allows privilege escalation as domain administrators connected to machine also leaves their hashes.
Kerberos authentication
- Network authentication protocol for client/server applications
- Protects against replay attacks and eavesdropping
- Uses both symmetric and asymmetric encryption
- Uses TCP/UDP port 88
- Mutual authentication
- Both parties verifies each others identity using tickets.
Kerberos authentication components
- Requires Key Distribution Center (KDC) that consists of:
- Authentication server (AS)
- Ticket Granting Server (TGS)
- Ticket Granting Ticket (TGT)
- Small, encrypted file with limited validity
- Protects users from MITM attacks
- Includes session key, its expiration date, and the user's IP address
Kerberos authentication flow
- Client asks KDC (who has AS and TGS) for ticket to authenticate throughout the network.
- This request is in clear text.
- Server responds with secret key.
- Hashed by the password copy kept on AD server (TGT).
- TGT sent back to server requesting TGS if user decrypts.
- Server responds with ticket, and client can log on and access network resources.