Cracking Windows passwords in 5 seconds (Cool concept, unless you, you know, use Windows)

SecurityFocus BUGTRAQ Mailing List ^ | July 22, 2003 | Philippe Oechslin

[Timesink]

To: BugTraq

Subject: Cracking windows passwords in 5 seconds

Date: Jul 22 2003 8:37PM

Author: Philippe Oechslin

As opposed to unix, windows password hashes can be calculated in advance because no salt or other random information si involved. This makes so called time-memory trade-off attacks possible. This vulnerability is not new but we think that we have the first tool to exploit this.

At LASEC (lasecwww.epfl.ch) we have developed an advanced time-memory trade-off method. It is based on original work which was done in 1980 but has never been applied to windows passwords. It works by calculating all possible hashes in advance and storing some of them in an organized table. The more information you keep in the table, the faster the cracking will be.

We have implemented an online demo of this method which cracks alphanumerical passwords in 5 seconds average (see http://lasecpc13.epfl.ch/ntcrack). With the help of 0.95GB of data we can find the password after an average of 4 million hash operation. A brute force cracker would need to calculate an average of 50% of all hashes, which amounts to about 40 billion hases for alphanumerical passwords (lanman hash).

More info about the method can be found at in a paper at http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03.

Philippe Oechslin

[Ramius]

I'm not talking about access to encrypted files on a local box. There are any number of pretty good encryption tools available, have been for years. Windows has had "on the fly" encryption since 2K.

Yes, it can render hard drive data useless even if the machine is compromised. It can also render data useless if the user screws up. If you have users that never *ever* screw anything up I highly recommend having them encrypt their local data. Otherwise, you know of course that they'll be blaming YOU when their data is useless because they forgot their password on the day of the big presentation.

[Russian Sage]

I hope every Windows administrator is doing the following:...

Of these, only longer passwords help against either brute-force or storage/time tradeoff attacks. (You probably know that, but many readers might not.)

[Ramius]

Your ideas on security have been polluted by conventional practice.

Funny that. I call it the real world. :-)

This does not mean that I take security lightly. Quite the opposite. As a network manager it is the most important thing that I do. What it does mean though, is that there ARE, like it or not, certain realities that will turn security measures counterproductive.

Want eight-character complex passwords for all users? Fine, but then know that all you have to do to get access to the network is to start looking for sticky notes under keyboards. That's the only way users will be able to remember them.

Want permanent lockout on three bad passwords? Fine... but know that all I have to do to lock your CEO out of the network is try his email user against your VPN concentrator three times and I've just locked him out of your network. What fun!!

Want users to encrypt all their local data? fine... but don't let them come running to me when they forget the password they changed last night after the ninth scotch and now you have to make a presentation on a multimillion dollar contract in an hour.

Me... I'll be happy with something else.

[general_re]

That depends on how it is set up.

It depends on how valuable the information stored on it is, and thus, how determined and ruthless your potential attackers are likely to be. Give me physical control of the box, physical control of you, and a pair of pliers, and I'll be on as root in less than twenty minutes, I expect. And there are plenty of installations out there where this is a very real risk - don't underestimate the utility of access control for protecting you and the system. There's not much point in breaking your fingers to get your password if I still can't get at the machine once I have it.

[Michael Barnes]

SecureID is out friend

;-)

[Southack]

"Want users to encrypt all their local data? fine... but don't let them come running to me when they forget the password they changed last night after the ninth scotch and now you have to make a presentation on a multimillion dollar contract in an hour."

Simply ask yourself, do ATM users have trouble accessing their account information? Do ATM users have hideously long, complex passwords or utilize encryption so severe that if they lose their password they are forever locked out of their banking accounts?

If the answer is "no", then ask yourself, why would I treat my corporate users to any lower level of useability and security than that which is enjoyed by ATM and POS terminal users?

Is the answer, "I don't know any better", or "I don't like them", or "I haven't really thought about an architectural solution"?

[Michael Barnes]

damn 9th scotch...out=our.

Now, what was my damn password; am I logged in here? Hello?

[lelio]

Have you implemented Secure ID anywhere? I've been meaning to look into it, but more as a hobby. I'm guessing an dev kit would be hidiously expensive.

[Russian Sage]

Of these, only longer passwords help against either brute-force or storage/time tradeoff attacks.

I should clarify, I mean attacks on the password hash, as in the article.

[Michael Barnes]

Recall the days when ATM's were mostly run over SNA? Now that was "fun".

[HAL9000]

Windows has had "on the fly" encryption since 2K.

Is it a standard feature of the operating system?

Otherwise, you know of course that they'll be blaming YOU when their data is useless because they forgot their password on the day of the big presentation.

There is not much danger of that happening. On Mac OS X 10.3, the user only needs to remember is their login password - something they typically already use. After they login, the encryption/decryption process works automatically and transparently.

Now, if the user dies and someone else needs to access the files, that could be a problem.

[Ramius]

SecureID is out friend

Yes, I know.

My previous statements stand, however. :-)

babysteps. :-)

[Southack]

"It depends on how valuable the information stored on it is, and thus, how determined and ruthless your potential attackers are likely to be. Give me physical control of the box, physical control of you, and a pair of pliers, and I'll be on as root in less than twenty minutes, I expect. And there are plenty of installations out there where this is a very real risk - don't underestimate the utility of access control for protecting you and the system."

On some very secure systems, the user is given two passwords. One password is for normal access, and the second password is for "duress" access.

Duress is when a foreign agent is beating the crap out of your wife and baby daughter until you give him a password that accesses all of your information.

Except that while the "duress" password will give said access to most or all of your critical data, it also signals your own team to come swooping in to the rescue.

In the civilian world, something very similar is done with web honeypot servers, which lure crackers in with "real looking" data and help the feds bust them.

Typically, a good honeypot server will have "valid" credit card numbers on it, for instance, but using those numbers will have the feds on you in mere minutes, as they are programmed in to the network to signal that a crime is in progress. Use the credit card number from a honeypot and you **will** get busted.

[Ramius]

Yes it is.

Yes it still can be if they change their password and forget it.

Yes, and that's happened to me too. :-)

[Michael Barnes]

I have not personally erected a SecureID architecture, but use it daily and supprot a few of the boxes here and there. I can tell you this, it's worth it's weight in gold. I wish we could go with all admin users using it as their general login pw's. It would be soooo much easier and secure.

[Russian Sage]

Assuming the numbers in the article...

This only speeds things up by a factor of 10,000, so a brute-force attack would only take about 14 hours.  That may seem much longer but a password that can be brute-force cracked in 14 hours stinks big time  And since the attacks can be done away from the target computer, what's the hurry?

Salting passwords does slow down the storage/time tradeoff attacks, but does zilch against the brute-force attack - the same password still takes only 14 hours to crack against Unix.

Does anyone know how much salt Unix uses these days? It believe it used to be only 12 bits. If that is the case now, 12 bits of salt only retard things by a factor of 4096. That could be a crack in 6 hours instead of 5 seconds with the same storage,  a crack in 5 seconds with about 4000 GB, or a crack in 100 seconds with only about 200GB.

There is no technology to make a short password secure. Use a long password whether or not they make you.

[Michael Barnes]

Not to say that your previous don't stand buddy. It's a teeter-totter thing. Secure the hell out of it, it's damn near un-usable. Leave it wide open, it's fun for even your buddies to ride on..

It's all a careful balance in the long run.

[Hot Soup]

The easiest way is usually to just go to 'forgot password' and see if you can answer his secret question(him being your brother)

[Ramius]

Honeypots are fun on a whole other order of magnitude. Have pursued that with some satisfaction myself.

It's been fun, folks... but the battery gods have called my laptop home to valhalla for the evening. I'll check in in the morning.

[Southack]

"Recall the days when ATM's were mostly run over SNA? Now that was "fun"."

What, they've changed?!

Just kidding. My favorite ATM scam was the two guys who bought an old retired ATM shell at a corporate auction (the Colorado S&L had gone bankrupt back in the 1980's).

They put an Apple computer inside and rigged it to record the account data on the ATM card and the PIN data that the user typed in.

And they wheeled that puppy into a shopping mall like they owned the place.

People started lining up to use it only to get "Sorry, no funds available" error messages.

Then they came back after the weekend was over, took the machine home and then began manufacturing their own ATM cards from the valid account numbers, matched to the PINs that were typed in.

Pretty gutsy!