Re: BoS: NT Password Cracker

[k-hamer () ntx1 cso uiuc edu (Kenneth L. Hamer)]

> ----------
> From:  Yuri Volobuev[SMTP:volobuev () t1 chem umn edu]
> Sent:  Sunday, November 17, 1996 2:12 PM
> To:    Kenneth L. Hamer
> Cc:    Multiple recipients of list BUGTRAQ
> Subject:       Re: BoS: NT Password Cracker
>
> > Once you have the raw hash data used to authenticate users, cracking a
> > password becomes a simple matter of a dictionary attack.  By avoiding
> > NT's authentication subsystem entirely and using custom code you can
> > probably speed up the process.  Having 4 P6-200s chewing on _one_
> > account, the administrator account, should not take that long.
>
> All this math is childish, but I know for sure that for brute-force
> cracking
> of DES _big_ resources are needed, such as dedicated encoding hardware,
> so
> it's generally only can be done by governments or big corporations.
> May be
> some folks in NSA know of a better way to crack it, but I haven't heard
> of
> any. Idea of 4 PPros and few hours just dosn't fit in the picture.
> It's
> either really crappy encryption or not "any level of password
> complexity".
> Encryption scheme is probably not very good anyway because they can
> export
> it.  I don't know more, I'd appreciate if somebody can explain this
> better.

Actually, I've engaged my brain, and of course you are correct.  A
dictionary attack cannot provide guaranteed results in a reasonable
amount of time unless the key space is unacceptably small.  Dictionary
attacks make great fishing expeditions for this sort of problem, but
that's not what is being claimed here.

However, the fact remains that Windows NT does not store passwords in a
form from which the original password can be directly recovered[1].  The
"Lan Manager password" is used to encrypt a constant multiple times,
using DES.  Anyone conversant with the UNIX password encryption scheme
should find this familiar.  The "Windows NT password" is encrypted using
MD-4.  NT stores two versions for backwards compatibility with older
systems.  The possiblity exists that having the additonal information
available weakens the security of this system, I don't know[2].

Looking at the Knowledge Base article again (Q102716, "User
Authentication With Windows NT"), the one-way encrypted passwords are
encrypted again using a reversible encryption, for "obfuscation
purposes".  The company (MWC, Inc.) providing this admin password
recovery service does require full access to the system hard drive of
the target machine, they are probably replacing the administrative
password, not actually recovering the lost one.

If this is the case, they need only reverse the second, unpublished, and
probably relatively weak encryption, recover the keys, and replace the
original one-way "encrypted" passwords with ones of their own
construction.  This is similar in spirit to booting your UNIX system off
of a CDROM or the network and replacing the "encrypted" root password in
the passwd or shadow file.

The advertisement of a password "recovery" service may merely be a
marketing decision, so as not to confuse the customer base.  I doubt
their customers would really care whether they get their original
password or not, so long as they can access their machine again.

In any case, since MWC clearly states that they require full access to
the hard drive of the target machine (and from under a different
installation of NT unless an accessable privilaged account is
available), I don't think this represents a real threat.  Does anyone
want to conjecture how long it would take to replace the root password
on a target UNIX machine, if you can access the target hard drive from a
OS in which you have root access?  Not counting load and unload times,
I'd say under 60 seconds.  How about other operating systems (VMS, MVS,
etc)?

Anyway, I'm willing to continue the discussion via e-mail (since I think
finding possible attacks against NT is a very worthy endeavor) but in
deference to the other people on the list who may not be interested I'm
going to stop responding to the list.  I am picking this up through
Best-Of-Security anyway.  Apparently BUGTRAQ sends all of its stuff
there.  My apologies to those inconvenienced by this discussion.

- Ken

[1] To be precise, Microsoft says "The first encryption is a one-way
function (OWF) version of the clear text generally considered to be
non-decryptable".  KB Q102716

[2] Neither of the OWF passwords are ever sent over the net in the
clear.  Normally, one of both of the OWF passwords are used as a basis
for challenge-response, depending on the client type.  In pass-through
authentication the OWF password is sent over a secure channel, which has
a more-or-less unique session key.  This fact might make interesting
fodder for cryptanalysis, but is probably not being used here.