Cracking Windows passwords in 5 seconds (Cool concept, unless you, you know, use Windows)

SecurityFocus BUGTRAQ Mailing List ^ | July 22, 2003 | Philippe Oechslin

[Timesink]

To: BugTraq

Subject: Cracking windows passwords in 5 seconds

Date: Jul 22 2003 8:37PM

Author: Philippe Oechslin

As opposed to unix, windows password hashes can be calculated in advance because no salt or other random information si involved. This makes so called time-memory trade-off attacks possible. This vulnerability is not new but we think that we have the first tool to exploit this.

At LASEC (lasecwww.epfl.ch) we have developed an advanced time-memory trade-off method. It is based on original work which was done in 1980 but has never been applied to windows passwords. It works by calculating all possible hashes in advance and storing some of them in an organized table. The more information you keep in the table, the faster the cracking will be.

We have implemented an online demo of this method which cracks alphanumerical passwords in 5 seconds average (see http://lasecpc13.epfl.ch/ntcrack). With the help of 0.95GB of data we can find the password after an average of 4 million hash operation. A brute force cracker would need to calculate an average of 50% of all hashes, which amounts to about 40 billion hases for alphanumerical passwords (lanman hash).

More info about the method can be found at in a paper at http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03.

Philippe Oechslin

[Southack]

"If you were to break in through the 3 inch thick steel door in the back of the ATM, you would have full access and be able to have some real fun."

Nonsense. I can physically give you an ATM machine, but that won't enable you to access the accounts of the bank's customers.

Same goes for a POS terminal. You can buy one on eBay right now, but that won't give you access to the data that you want on someone else's network, even though you clearly have full physical access to it.

In short, claiming that physical access defeats security is just baby-talk for admitting that **your** own security is child's play.

Same goes for spouting off about needing big, long, complex passwords. POS terminals (and ATMs for that matter) only require a 4 digit password, yet the posters on this thread clearly can't get through that level of security due to the **architecture** involved.

So here's a tip: if you can't guarantee the physical secuirty of a PC, POS terminal, or ATM, then you simply don't place valuable data onto said "vulnerable" machines.

Store such data somewhere else. Somewhere safe.

That's how banks do it today. Steal an old ATM, drill through its armour, boot up the ancient AT&T 3B2 inside with any startup disk that you want, it still won't give you access to all of the customer accounts of any bank, even though said machine has its physical access compromised and even though said machine only asks for a simple numeric 4 digit password.

It ain't the tactics, people; it's the architecture.

[cspackler]

However, we are not talking about ATMs. These are apples and oranges that you are trying to compare *architectures*. If you are using Windows, that is your architecture. If someone can get access to a Windows pc on your corportate network inside your firewall, they can have access to all of your passwords. It really doesn't matter if there is any sensitive data on the exact machine that you are accessing. If your admin password is hacked, every pc on your network is wide open. That is the *architecture* that you are stuck with. That is the whole point of the thread. There is no way to *architect* around that vulnerabilty, unless you believe that you can run your corporation on a bunch of ATM machines.

[Southack]

"If someone can get access to a Windows pc on your corportate network inside your firewall, they can have access to all of your passwords. It really doesn't matter if there is any sensitive data on the exact machine that you are accessing. If your admin password is hacked, every pc on your network is wide open. "

Hypothetically, what would prevent a savvy system administrator from having a Windows network that only accesses and stores secure data through a new-fangled invention called a "browser"?

Of course, everyone on the Internet has access to the network that your browser is accessing, so your entire web-based network must be completely vulnerable, right?!

< /MOCKING >

[cspackler]

Hypothetically, what would prevent a savvy system administrator from having a Windows network that only accesses and stores secure data through a new-fangled invention called a "browser"?

Common sense. "Hello, I'm the Network Admin. You can no longer use any of the applications on your desktop. Word? Forget it, just create some HTML to communcate. Excel? Never mind. All of the corporate applications that are currently not browser based? GONE!!!!! We are only going to allow incoming traffic on port 8080... What do you mean, I'm fired?"

Of course, everyone on the Internet has access to the network that your browser is accessing, so your entire web-based network must be completely vulnerable, right?!

No, that's why we have those new-fangled things called "firewalls".

[TravisBickle]

Does this mean my wife will be able to find my porn?

Techies, anyone?

[Southack]

MS Word works wonderfully over the internet through your browser. You should try it some day.

Also, on that "network access" comment, you must have missed my < /MOCKING > tag. My whole point is that you **can** secure your network.

Oh, now here's a thought...If you can secure your network but not your PC's, in which place should you store your sensitive data?!

[Southack]

"You can no longer use any of the applications on your desktop. Word? Forget it, just create some HTML to communcate. Excel? Never mind. All of the corporate applications that are currently not browser based? GONE!!!!!"

Goodness, an Excel Spreadsheet that works through a browser! What a find! I bet that no one has heard of this!

< /MOCKING >

[cspackler]

MS Word works wonderfully over the internet through your browser. You should try it some day.

Works, yes. Wonderfully, no. If it worked that well, MS wouldn't still be selling the app. The short story is, using a crack program on a floppy, anyone can walk up to ANY pc or server that is inside of your firewall and crack the windows passwords on the system. At that point, it does not matter if your data is on the pc, a network server, or the moon. Unless you are going to completely do away with Windows security and make every pc on the system strictly an ip connection with no local hard drive, all of your applications completely browser based and not share any network resources... I give up. At that point, however, you don't really have a network, but a loosely put together intranet that has no benefit for the corporation but a bunch of IP addresses.

[Southack]

"anyone can walk up to ANY pc or server that is inside of your firewall and crack the windows passwords on the system. At that point, it does not matter if your data is on the pc, a network server, or the moon."

You must not have a very secure network, then.

[cspackler]

You must not have a very secure network, then.

That is the whole point of the article. It is an inherent windows (in this case) issue. There ain't nothin', aside from using complex passwords, that you can do about it.

[Southack]

Of course you can do something about it.

You can change the **architecture** of your Windows network such that secure data is stored only on a secure network, while worthless and trivial data is stored on vulnerable PC's.

Just because someone can hack one PC on a network doesn't mean that the whole system has to be insecure. Even a fully exposed network, such as the Internet, can be secured. One PC can be hacked that has access to the Internet, but that won't give the hacker access to **my** data. If your corporate network is less secure than that example, then you've got yourself an architectural problem.

Think!

Store your data in **secure** locations, not on vulnerable PC's.

[tutstar]

bttt

[jriemer]

Dude, that's some powerful hash!

[BlazingArizona]

The general rule on passwords is, don't use any word that's in an English dictionary, or a common name, since these are vulnerable to an attack consisting of just plugging in every word in Websters or the OED, programmatically. You might use a two-word phrase run together.

[cspackler]

OK, one last time. Someone in the corporation has access, one way or another, to the sensitive data. This has to be true, otherwise there is no use in having it. Therefore, if I can run a crack and decipher everyone on the networks password, I can then log on as any of those people and have access to the data. How can you secure data well enough that noone can get to it? And why would you want to?

[Southack]

"Someone in the corporation has access, one way or another, to the sensitive data. This has to be true, otherwise there is no use in having it. Therefore, if I can run a crack and decipher everyone on the networks password, I can then log on as any of those people and have access to the data. How can you secure data well enough that noone can get to it?"

Gee, so bank accounts must be pretty insecure since ATM cards only require a 4 digit PIN, right?!

And VPN's must be insecure because you could run crack programs on every internet user's passwords, right?!

< /MOCKING >

[Southack]

Have you discerned that there is a crucial **difference** between gaining full access to a PC from that of gaining full access to everything that's on a network?

[cspackler]

ATM pins are not stored in Windows hashes.

[Southack]

ATM PINS aren't tough to crack, ditto for Windows passwords.

But one of those two systems usually has a more secure **architecture** than the other, rendering the passwords to a much lower place on the security totem pole...

[CyberCowboy777]

The local administrator account really should have no access on a domain and little on the local machine. The GPO has priority and the local administrator account should not be placed into the Domain Admin Group.

Even with access to a local PC and the local administrator password all secure data is on servers with network and O/S file level security.

We happen to also require alpha/numeric/character combo passwords at 8 long with a 90 expiration and 3 strikes your (locked) out. (Some may well write down the password, but the access for that user is going to be limited anyway)