L0phtCrack document (docx)


L0phtCrack
L0phtCrack is a password cracker that will take encrypted Windows NT passwords and compute the plain text password.
L0phtCrack – SANS GIAC LevelOne ©2000, 2001

Thank you, and welcome to SANS LevelOne. We will be covering L0phtCrack. Hello, my name is Eric Cole and I will be explaining L0phtCrack to you. If you have any questions or comments regarding L0phtCrack, please contact me at eric7095@aol.com.

Password Cracker Details
• Name: L0pht Crack
• Operating System: Microsoft NT
• Methods: dictionary attack, brute force attack and hybrid attack
• Brief Description: A password cracker that will take encrypted NT passwords and compute the plain text password

L0phtCrack (zero, not the letter O) is an NT password auditing tool. It computes NT user passwords from the cryptographic hashes that are stored by the NT operating system. The operating system does not store the user passwords in their original clear-text form for security reasons. The actual user passwords are encrypted because they are sensitive information that can be used to impersonate any user, including the Administrator of the operating system. L0phtCrack computes the password from a variety of sources using a variety of methods. The end result is a state-of-the-art tool for recovering the passwords that users use. L0phtCrack operates in three attack modes to crack a user’s password: a dictionary attack, a brute force attack, and a hybrid attack. Each of these will be covered in detail in later slides.

Checklist
• The following are the objectives for this course. After completion a user should understand the following:
  – what password cracking is
  – why it is important
  – methods of password cracking
  – weaknesses in Windows NT’s implementation of encryption
  – what L0phtCrack is
  – how to install and run L0phtCrack
  – how L0phtCrack works
  – how to protect against password cracking on Windows NT
  – password security features in Windows NT
  – features of a strong password

This page intentionally left blank.

How are passwords stored on a system?
• User passwords must be protected against:
  – unauthorized disclosure
  – unauthorized modification
  – unauthorized removal
• Solution: Store only encrypted password

In most companies, passwords are the first and only line of defense protecting their information and servers. Since most user IDs consist of the first initial / last name of an employee or some combination, it is fairly easy to find out valid user IDs for individuals at a company. Based on this, the only other piece of information you need to gain access is a user password. Therefore, passwords need to be protected and very hard to guess. The key things passwords need to be protected against are unauthorized disclosure, unauthorized modification, and unauthorized removal. If users write down their passwords or share them with other people, then the user’s password is compromised and can be used as an entry point into the system. Being able to modify a password is just as risky, because as long as an attacker knows what password is associated with a user ID, they can use it to gain access; it does not matter if the real user knows it or not. This is potentially dangerous [for the attacker] because if the user tries to get in and cannot, they might be suspicious of foul play. In order to protect passwords, operating systems use encryption, which hides the original content so that if someone gets the encrypted password they will not be able to determine what the original password was.

Encryption 101
• Encryption is the process of converting plain text into cipher text
• The goal is to make the original text unreadable
• Three basic methods:
  – symmetric - single key
  – asymmetric - two keys (public and private)
  – hash - one way algorithm, no key

This section covers a brief overview of encryption so that you can understand why and how password cracking works. For additional details, there are several good cryptography books on the market. (Editor’s Note: Applied Cryptography by Bruce Schneier is generally considered one of the best references on cryptography - JEK)

In its most basic form, cryptography is the process of converting plaintext into ciphertext with the goal of making the original [plain] text unreadable. Plaintext is the original, “human readable” message and ciphertext is the unreadable message in its encrypted form. Therefore, since the goal for passwords is to make them unreadable, they are stored in encrypted form.

There are three basic types of encryption. Symmetric encryption uses a single key to encrypt and decrypt the message. If two people wanted to communicate, they would both have to have the same key; one person would use it to encrypt the message and the other person would use the same key to decrypt it. (Editor’s note: Symmetric encryption is also known as private key cryptography because a single, private key is used for encryption and decryption – JEK) Asymmetric encryption uses two keys, a public and a private key. The public key is given to everyone and is used only to encrypt. The private key is known only by the owner and is used to decrypt messages. (Editor’s note: Asymmetric encryption is also known as public key cryptography because it uses both a private key and a public key to encrypt and decrypt information – JEK) Hash functions are considered one-way functions because they perform a one-way transformation of information that is irreversible. Given an input string, the hash function produces a fixed-length output string, and from the output string there is no way to determine the original input string.

NT uses hashing to store its passwords: it takes a user’s password, runs it through a hash algorithm, and stores the hash of the password. When someone tries to log on to the system, it takes the password the user enters, runs it through the hash, and if there is a match then it is the same password.

What is password cracking?
• Guessing someone's plain text password when you only have the encrypted password
• General method one:
  – find valid user ID
  – create list of possible passwords
  – try typing in each password
  – if system allows you in - success
  – if not try again

Password cracking is the process of trying to guess or determine someone’s plaintext password when you only have their encrypted password. The general method for this is the following:
• find a valid user ID
• create a list of possible passwords
• try typing in each password
• if the system allows you in – success!!
• if not – try again
(Editor’s note: A distinction is sometimes drawn between password guessing, where the attacker actually tries to log in with various passwords, and password cracking (discussed in the next slide), where the attacker obtains a copy of the encrypted password file or database and attempts to derive passwords from their encrypted form (i.e., “crack” the encryption, generally by taking a group of passwords, generating the hash values, and comparing the generated hashes to those in the password database to see if there is a match) – JEK)

What is password cracking? (cont)
• General method two:
  – find valid user ID
  – find encryption algorithm used
  – obtain encrypted password
  – create list of possible passwords
  – encrypt each password
  – see if there is a match
• Tips
  – pre-compute dictionary
  – pre-compute encrypted passwords
  – automate

Another method is to:
• find a valid user ID
• find the encryption algorithm used
• obtain the encrypted password
• create a list of possible passwords
• encrypt each password
• see if there is a match
Tips for speeding this process up include:
• pre-compute a password dictionary
• pre-compute a list of encrypted passwords
• automate the process

Methods of Password Cracking
• Dictionary attack
• Hybrid attack
• Brute force attack

The fastest method for cracking passwords is a dictionary attack. This is done by testing all the words in a dictionary or word file against the password hashes. When it finds the correct password, it displays the result. There are lots of sites that have downloadable dictionaries you can use.

The second method to crack passwords is called a hybrid attack. This builds upon the dictionary method by adding numeric and symbol characters to dictionary words. Many users choose passwords such as "bogus11" or "he11o!!" (where the letter “l”s are replaced by numeric ones). These passwords are just dictionary words slightly modified with additional numbers and symbols, and the hybrid crack rapidly computes them. These are the types of passwords that will pass through many password filters and policies, yet are still easily crackable.

The final and most powerful cracking method is the brute force method. This method will always recover the password, no matter how complex; it is just a matter of time. Really complex passwords that use characters that are not directly available on the keyboard may take so much time that it is not feasible to crack them on a single machine using today's hardware. But most complex passwords can be cracked in a matter of days. This is usually much shorter than the time most administrators set their password policy expiration time to. Using a real-world cracking tool is the only good way to know what time one should set for password expirations.

Why is password cracking useful?
• Audit strength of passwords
• Recover forgotten password
• Recover unknown password
• Migrate users
• Checks and balances

There are many uses for computing user passwords. First and foremost is for a system administrator to audit the strength of the passwords that their users are using. There are password filters for NT, but how do you know how well you have chosen a filter? Without testing the passwords generated by users against a real-world password cracker, you are guessing at the time it will take an external attacker or malicious insider to uncover the passwords. Other uses include recovering a forgotten password, retrieving the password of a user in order to impersonate them, or migrating NT users to another platform such as Unix.

NT Password Cracking
• All passwords are crackable
• NT’s design just makes it easier
  – passwords broken into two seven-character pieces
  – no salt (or randomness): two identical passwords will be encrypted the same way

All passwords are crackable from a brute force perspective. The question is, how long does it take?
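As an added illustration (not code from L0phtCrack, SANS or Microsoft), the following Python script models the two design points this slide names, storage as two independent seven-character halves and the absence of a salt, together with the hash-and-compare storage described in the Encryption 101 notes. It assumes SHA-256 as a stand-in for the LM one-way function (DES with a fixed plaintext), which the Python standard library lacks, and it adds one fact the slide does not state, that LM upper-cases the password before splitting it. The users, passwords and word list are constructed. It runs the dictionary and hybrid attacks (up to two appended digits or symbols, L0phtCrack's default) once against every user, then brute-forces any half still unknown on its own, which is what makes a password such as password#7 cheap to recover.

```python
import hashlib
import itertools
import string

HALF_LEN = 7            # LM splits the password into two 7-character halves
LM_LEN = 2 * HALF_LEN
PAD = "\0"
# L0phtCrack's default hybrid step: append up to two digit/symbol characters.
HYBRID_SUFFIX_CHARS = string.digits + "!@#$%^&*"
HYBRID_MAX_SUFFIX = 2


def one_way(text):
    """ASSUMPTION: SHA-256 stands in for LM's DES step; the structural
    weakness shown here does not depend on which one-way function is used."""
    return hashlib.sha256(text.encode("latin-1")).hexdigest()


def split_halves(password):
    """Upper-case (a property of LM not stated on the slide), truncate/pad to
    14 characters, and split into two halves that are hashed independently."""
    padded = password.upper()[:LM_LEN].ljust(LM_LEN, PAD)
    return padded[:HALF_LEN], padded[HALF_LEN:]


def lm_style_hash(password):
    """No salt: identical passwords always produce identical hash pairs."""
    return tuple(one_way(half) for half in split_halves(password))


def salted_hash(password, salt):
    """Contrast: a per-user salt makes equal passwords store differently, so
    every guess has to be re-hashed for every user."""
    return one_way(salt + password)


def hybrid_candidates(words):
    """Dictionary attack first, then the hybrid attack over the same words."""
    yield from words
    for word in words:
        for n in range(1, HYBRID_MAX_SUFFIX + 1):
            for suffix in itertools.product(HYBRID_SUFFIX_CHARS, repeat=n):
                yield word + "".join(suffix)


def brute_force_half(target, charset, max_len):
    """Brute-force ONE half by itself: the search space is |charset|**len with
    len <= 7, however long the full password was."""
    if target == one_way(PAD * HALF_LEN):
        return ""                     # empty half: the password was <= 7 chars
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            guess = "".join(combo)
            if one_way(guess.ljust(HALF_LEN, PAD)) == target:
                return guess
    return None


def audit(stored, words, brute_charset, brute_max_len=3):
    """Recover passwords from a {user: (hash1, hash2)} table.  Each candidate
    is hashed once and matched against every user and each half separately
    (no salt); halves still unknown afterwards are brute-forced on their own."""
    found = {user: [None, None] for user in stored}
    for cand in hybrid_candidates(words):
        plain, hashes = split_halves(cand), lm_style_hash(cand)
        for user, target in stored.items():
            for i in (0, 1):
                if found[user][i] is None and hashes[i] == target[i]:
                    found[user][i] = plain[i].rstrip(PAD)
        if all(None not in halves for halves in found.values()):
            break
    for user, halves in found.items():
        for i in (0, 1):
            if halves[i] is None:
                halves[i] = brute_force_half(stored[user][i], brute_charset, brute_max_len)
    return {u: "".join("?" if h is None else h for h in halves)
            for u, halves in found.items()}


# Constructed sample data (not from the page): a tiny word list and four users.
WORDS = ["bogus", "password", "secret", "summer", "welcome"]
SAMPLE_PASSWORDS = {
    "alice": "password#7",   # the slide's example: PASSWOR + D#7
    "bob": "bogus11",        # dictionary word plus two digits (hybrid hit)
    "carol": "secret!Q2z",   # first half is a hybrid hit, second half is brute-forced
    "dave": "password#7",    # same password as alice: identical stored hashes
}
STORED = {user: lm_style_hash(pw) for user, pw in SAMPLE_PASSWORDS.items()}
# LM upper-cases, so brute force never needs lower-case letters.
BRUTE_CHARSET = string.ascii_uppercase + string.digits + "!@#$%^&*"


def run_audit():
    return audit(STORED, WORDS, BRUTE_CHARSET)


if __name__ == "__main__":
    for user, recovered in run_audit().items():
        print(f"{user:6} {recovered}")
    print("alice and dave stored identically:", STORED["alice"] == STORED["dave"])
    print("salted copies differ:",
          salted_hash("password#7", "s1") != salted_hash("password#7", "s2"))
```

Because there is no salt, one hash of each candidate serves every user, and the two users who share a password show up as identical rows in the stored table; the salted_hash contrast shows why a salted scheme would force that work to be repeated per user. carol's second half never appears among the dictionary or hybrid candidates, yet three characters from a 44-symbol alphabet are exhausted in well under a second, which is the point the notes make about d#7.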
The goal with encryption is to make the time needed to perform a brute force attack so long that it is unfeasible for someone to carry out, or to make the time long enough that by the time they crack it the usefulness of the information has expired. NT has two major design flaws in how it implements its encryption that allow someone to crack passwords more quickly than would normally be possible.

The first is that, since Microsoft made its operating systems downward-compatible with previous versions of Windows, they use the LAN Manager storage scheme, which breaks a password down into two seven-character words. This incredibly weakens the strength of a password. Now, instead of trying to crack someone's password that is 10 or 12 characters long, you only have to crack two seven-character [or less] passwords, which is much easier. Also, cracking passwords with just letters is much easier than cracking passwords with numbers and special symbols; therefore, a single password with numbers and special characters is very hard to crack. But because NT breaks up the password, and because most people put numbers or special characters at the end, it becomes easier to crack. For example, to crack password#7, you have to crack passwor (which is fairly easy) and you have to crack d#7 (which is harder, but since it is so short it is still easy to do).

The second issue is that when you encrypt a password there is something called a salt which is meant to make passwords a little harder to guess. A salt is a random string that is combined with a password before it is encrypted. This is meant to randomize the password. This way, if two people have the same password, they would have different salts and their passwords would be stored differently. Microsoft does not use a salt, so if two users have the same passwords they will be encrypted the same way. This is a tremendous cost savings because now you only have to encrypt each word once, and if a user has that password there will be a match. If salts were used, I would have to find out the salt for the user, then encrypt all possible passwords with that salt to see if there was a match, and once there was, move on to the next user and do the same thing. As you can see, this would take a much longer time to perform.

Window and Help Menu
• The Window menu contains the following options:
  – Minimize to tray
  – Hide, Ctrl+Alt+L to show
• The Help menu contains the following options:
  – About L0phtCrack
  – L0phtCrack web site
  – L0pht web site

The following two options are available under the Window menu. The Minimize to tray option minimizes the program to a small icon in the system tray. The program window is reactivated by clicking on the small icon. This is useful when you intend to crack for several days. If the SMB Packet Capture window is open it is minimized also. The Hide, Ctrl+Alt+L to show command hides the program window completely. It does not show up as a program in the task manager. You can make the program visible again using the Ctrl+Alt+L key combination. If the SMB Packet Capture window is open it is hidden also.

The following three options are available under the Help menu. The About L0phtCrack command shows the program version information, serial number, and registration code (if any). The L0phtCrack Website command launches your browser and brings you to the L0phtCrack website, where you can find updates and additional program information when it becomes available. The L0pht Website command launches your browser and brings you to the L0pht home page, where you can find out about other L0pht products, search our archives, and read our security advisories.

Extracting the Password Hashes

L0phtCrack must first retrieve the password hashes to start the cracking process. If you have Administrator rights, you can use the Tools → Dump Passwords from Registry command on the L0phtCrack menu to retrieve the hashes. You can dump the password hashes from your local machine or over the network if the remote machine allows network Registry access. Enter the NT machine name or IP address into the Dump Passwords from Registry dialog box and press OK. The usernames and password hashes are now loaded into L0phtCrack. If this is the way you have retrieved the password hashes, you may now proceed to crack them. This method is shown in the above slide. NOTE: L0phtCrack 2.5 is limited to dumping and opening 65K users. In addition, large numbers of users can take a long time; be prepared to wait a few minutes for more than 10,000 users.

The second method is to access the password hashes from the file system. Since the operating system holds a lock on the SAM file where the password hashes are stored on the file system, it is not possible to just read them from this file while the operating system is running. Sometimes a backup of this file is made on tape, on an Emergency Repair Disk, or in the repair (%systemroot%\repair) directory of the system hard drive. Also, another operating system such as DOS can be booted from a floppy and the password hashes can be read directly from the file system. This is especially useful if you have physical access to the machine and it has a floppy drive. You load the password hashes from a "SAM" or "SAM._" file into L0phtCrack by using the File → Import SAM File menu command and specifying the filename. L0phtCrack will automatically expand compressed "SAM._" files on NT. (NOTE: If you are running on Windows 95/98 you will need to expand the "SAM._" file to "SAM" using the expand utility on an NT system. The command is expand sam._ sam)

The final method L0phtCrack offers is to capture the encrypted hashes over the network. That will be covered in the next slide.

Capturing Passwords off the Network

The final method L0phtCrack offers is to capture the encrypted hashes over the network. Your machine must have one or more Ethernet devices to access the network. Use the Tools → SMB Packet Capture command to bring up the SMB Packet Capture window, which is shown above. You will now be capturing any SMB authentication sessions that your network device can see. If you are on a switched network, you will only see sessions originating from your machine or connecting to your machine. NOTE: If you have a previous version of L0phtCrack installed, you must remove the NDIS packet driver from the Protocols tab in the Network Control Panel. Other low-level packet drivers that are known to cause problems are the Asmodeus and ISS packet drivers; you will want to remove them also.

As SMB session authentications are captured, they are displayed in the SMB Packet Capture window. The display shows source and destination IP addresses, the user name, the SMB challenge, the encrypted LANMAN hash and the encrypted NTLM hash, if any. The capture can be saved at any time using the Save Capture button. To crack these hashes, you must save the capture and then open the captured file using the File → Open Password command. You can capture and crack other passwords at the same time.

Extracted Password Hashes

The above screen shows the extracted password hashes.

Loading a Dictionary File

In order to run a dictionary attack, you must select a dictionary file for L0phtCrack to use. L0phtCrack comes with a small dictionary file called words-english but can use any dictionary. There are several sites on the Internet that contain large dictionary files you can download.

Options for Cracking Passwords

This slide shows the options for configuring L0phtCrack. The first method L0phtCrack uses to crack passwords is called a dictionary attack. This method encrypts each word in a dictionary or word file and then tests each encrypted word against the password hash. If it gets a match, it knows the user's password is that dictionary word. L0phtCrack comes with a 25,000-word file named words-english that contains many common words. This file or another word file is loaded into L0phtCrack using the File → Open Wordlist menu command. The default dictionary file is the words-english file.

After the dictionary attack is completed the hybrid attack begins. The hybrid attack uses the simple patterns that users follow when creating passwords from common words. By slightly modifying dictionary words the way users do, L0phtCrack is able to make educated guesses about which passwords to try. An example would be to try 'BOGUS11'. Many users just append a few numbers or symbols to a dictionary word in an attempt to make it a non-guessable password. L0phtCrack can guess these passwords quickly, in much less time than it would take for a brute force attack. L0phtCrack 2.5 checks whether number and symbol characters have been appended to each word in the word file you have selected. The default number of appended number and symbol characters is two. This can be changed by editing the characters box under dictionary/brute hybrid under the Tools → Options command.

After the dictionary and hybrid attacks have completed, the brute force attack begins. Brute force can take a long time, but it usually takes far less time than most password policies specify for password changing. This makes passwords found during the brute force attack still too weak. You may configure the character set that the brute force attack uses with the Tools → Options command. The default character set is all the alphanumeric characters (letters and digits). The general rule is that the password change interval should be less than the time it takes to brute force a password.

Successful Crack

To start the cracking process select Run Crack from the Tools menu. The default options for cracking are to run a dictionary attack, then a hybrid
attack, and then the brute force attack. L0phtCrack runs these attacks on the password hashes in succession by default. During any crack attack, the L0phtCrack window displays status information to show the progress of the attack. During dictionary attacks, the number of dictionary words tried is displayed along with the percentage complete.

How to Protect Against It?
• Disable LAN Manager authentication
• Enforce the use of strong passwords
• Have a password policy
• Implement SYSKEY security enhancement with SP3

The four main ways to protect against password attacks are to:
• disable LAN Manager authentication;
• enforce the use of strong passwords;
• have a password policy;
• implement the SYSKEY security enhancement with SP3.

Enforcing Strong Passwords
• Windows NT 4.0 SP2 introduced a password filter called passfilt.dll which enforces the following:
  – minimum length (in characters)
  – passwords must contain three of the following: uppercase, lowercase, numbers, special characters
  – password can not contain username or full name
• Above restrictions can not be changed
• Can write custom DLL to meet your needs

Windows NT 4.0 Service Pack 2 introduced a new password filter, passfilt.dll, which can be used to enforce strong passwords. The DLL can either be used by default or customized by the user. The dll implements the following restrictions by default:
• Passwords must meet a minimum length.
• Passwords must meet at least three of the following criteria:
  - include uppercase letters (A-Z)
  - include lowercase letters (a-z)
  - include numbers (0-9)
  - include non-alphanumeric characters (e.g. !, #, etc.)
• Passwords may not contain your user name or any part of your full name.
These requirements are hard-coded in the passfilt.dll file and cannot be changed through the user interface or Registry. If you wish to customize these requirements, you must write your own dll and implement it in the same fashion as the Microsoft version that ships with the Windows NT 4.0 service pack.

Enabling Passfilt.dll
• passfilt.dll must be located in %systemroot%\system32
• Start regedt32.exe
• Find the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
• Add value PASSFILT
• Close the Registry and reboot the machine
• Load on all domain controllers

In order to enable passfilt.dll, you have to modify the Registry. Whenever you modify the Registry be extremely careful, because you can crash Windows if you accidentally add or delete an entry. To ensure that strong password functionality occurs throughout your domain structure, make the following changes on all Primary and Backup Domain Controllers (or stand-alone servers, where needed):
1) Install the latest Windows NT 4.0 Service Pack.
2) Make sure that 'Passfilt.dll' is located in the %systemroot%\system32 folder.
3) Start regedt32.exe.
4) Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
5) If not already there, add the value 'Notification Packages', of type REG_MULTI_SZ:
  a) Select the 'LSA' key.
  b) Select the 'Edit' menu and select 'Add Value...'. (An 'Add Value' dialog box appears.)
  c) Type Notification Packages in the 'Value Name' text box, select 'REG_MULTI_SZ' from the 'Data Type' drop-down list box, and click 'OK'. (The 'Multi-String Editor' dialog box appears.)
  d) Type PASSFILT in the 'Data' box and click 'OK'.
6) Exit the registry.
7) Shut down and restart the computer running Windows NT Server.
Passfilt.dll must be loaded on all Primary domain controllers and backup domain controllers in the domain.

Have a Password Policy
• Mandatory for all accounts
  – Passwords change every 30 days
  – Accounts locked after repeated failed attempts
  – All passwords must contain:
    • one alpha, one number and one special
  – Can’t re-use previous passwords

This page intentionally left blank.

Have a Password Policy (2)
• Password should not contain:
  – birthdays, names, sports teams, etc.
• Tips for picking good passwords:
  – pick a phrase and use the first letter of each word
  – example - When I stub my toe I say !@#$% times
  – password - WIsmtIs!@#$%5t

This page intentionally left blank.

Implementing SYSKEY
• Provided with Service Pack 3
• Allows 128-bit “strong” encryption
• Works on all domain controllers
• No uninstall option
• Additional information at Microsoft Knowledge Base article Q143475

SYSKEY allows 128-bit ("strong") encryption of passwords in the SAM, and should be installed on all domain controllers. A thorough discussion of SYSKEY is beyond the scope of this document, but readers are referred to Knowledge Base article Q143475 at http://www.microsoft.com/technet. SYSKEY is mainly for environments with very high security needs. There is no uninstall option for SYSKEY! If you enable the SYSKEY solution, you need to initiate measures for key recovery in case your key is lost or degraded.

From the Microsoft KB article:

The Windows NT Server 4.0 System Key hotfix provides the capability to use strong encryption techniques to increase protection of account password information stored in the Registry by the Security Account Manager (SAM). Windows NT Server stores user account information, including a derivative of the user account password, in a secure portion of the Registry protected by access control and an obfuscation function. The account information in the Registry is only accessible to members of the Administrators group. Windows NT Server, like other operating systems, allows privileged users who are administrators access to all resources in the system. For installations that want enhanced security, strong encryption of account password derivative information provides an additional level of security to prevent Administrators from intentionally or unintentionally accessing password derivatives using Registry programming interfaces.

The strong encryption capability with the Windows NT 4.0 System Key hotfix is an optional feature. Administrators may choose to implement strong encryption by defining a System Key for Windows NT. Strong encryption protects private account information by encrypting the password data using a 128-bit cryptographically random key, known as a password encryption key. Only the private password information is strongly encrypted in the database, not the entire account database. Every system using the strong encryption option will have a unique password encryption key. The password encryption key is itself encrypted with a System Key. Strong password encryption may be used on both Windows NT Server and Workstation where account information is stored. Using strong encryption of account passwords adds additional protection for the contents of the SAM portion of the registry and subsequent backup copies of the registry information in the %systemroot%\repair directory created using the RDISK command and on system backup tapes.

The System Key is defined using the command Syskey.exe. Only members of the Administrators group can run the Syskey.exe command. The utility is used to initialize or change the System Key. The System Key is the "master key" used to protect the password encryption key, and therefore protection of the System Key is a critical system security operation.

Additional Information
• http://www.l0pht.com/l0phtcrack
• http://www.ntfaq.com/ntfaq
• http://www.microsoft.com
• http://www.webspan.net/~tas/pwdump2

L0phtCrack can be downloaded from L0pht’s website. You can also download documentation and articles and get links to Microsoft’s website. NTFAQ provides additional details on NT security and L0phtCrack. Microsoft’s website provides additional information on enabling strong passwords on NT and additional details on implementing passfilt.dll. At webspan you can find a free utility that can dump the password hashes on a local machine if the SAM has been encrypted with the SYSKEY utility that was introduced in Service Pack 3. This utility is available at http://www.webspan.net/~tas/pwdump2/. Follow the instructions on the web page to retrieve the password hashes. You can then load the hashes into L0phtCrack using the File → Open Password File command. (Editor’s note: PWDUMP2 is also available from http://razor.bindview.com/tools/ – JEK)

Course Revision History
v1.1 – Eric Cole – 17 Aug 1999
v1.2 – edited by Eric Cole – 22 Aug 1999
v1.3 – edited by F Kerby – 17 May 2000
v1.4 – edited by J Kolde – 19 Sept 2000
v1.41 – edited by J Kolde – Oct 2000
v1.5 – edited by J Kolde, adjusted grayscale for b/w printing – 22 Nov 2000
v1.6 – edited by J Kolde, update some graphics – 10 Jan 2001
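The passfilt.dll rules on the Enforcing Strong Passwords slide and the advice on the Have a Password Policy slides can be checked ahead of deployment, for example when auditing proposed passwords or testing the logic of a custom filter before wrapping it in a DLL. The following Python function is an added example, not Microsoft's passfilt.dll code and not a notification package itself. The minimum length is absent from this copy of the slides, so the value Microsoft documents for passfilt.dll, six characters, is used as an assumed default; ignoring full-name fragments shorter than three characters is also an assumption. The user name, full name and candidate passwords are constructed, except for the policy slide's phrase-derived example WIsmtIs!@#$%5t and the hybrid-style bogus11 from the Methods slide.

```python
import string

# ASSUMPTION: the minimum length is missing from this copy of the slides;
# 6 is the value Microsoft documents for passfilt.dll, used here as a default.
MIN_LENGTH = 6
MIN_CLASSES = 3            # "at least three of the following criteria"
NAME_DELIMITERS = " ,.-_#\t"
MIN_NAME_PART = 3          # ASSUMPTION: shorter full-name fragments are ignored


def character_classes(password):
    """Return how many of passfilt's four character classes are present."""
    present = (
        any(c in string.ascii_uppercase for c in password),   # A-Z
        any(c in string.ascii_lowercase for c in password),   # a-z
        any(c in string.digits for c in password),            # 0-9
        any(not c.isalnum() for c in password),               # !, #, etc.
    )
    return sum(present)


def full_name_parts(full_name):
    """Split the full name on common delimiters into lower-case fragments
    that may not appear in the password."""
    text = full_name.lower()
    for delim in NAME_DELIMITERS:
        text = text.replace(delim, " ")
    return [part for part in text.split() if len(part) >= MIN_NAME_PART]


def check_password(password, username, full_name, min_length=MIN_LENGTH):
    """Apply the passfilt.dll rules.  Returns the list of failed rules; an
    empty list means the password would be accepted."""
    failures = []
    if len(password) < min_length:
        failures.append("shorter than %d characters" % min_length)
    if character_classes(password) < MIN_CLASSES:
        failures.append("fewer than %d of the 4 character classes" % MIN_CLASSES)
    lowered = password.lower()
    if username and username.lower() in lowered:
        failures.append("contains the user name")
    for part in full_name_parts(full_name):
        if part in lowered:
            failures.append("contains part of the full name: %s" % part)
            break
    return failures


# Constructed sample (not from the page): one account and five candidates.
SAMPLE_USER = ("jsmith", "Jane Smith")
SAMPLE_PASSWORDS = ["WIsmtIs!@#$%5t", "bogus11", "Smith2000!", "jsmithX9!", "Ab1"]


def evaluate_samples():
    username, full_name = SAMPLE_USER
    return {pw: check_password(pw, username, full_name) for pw in SAMPLE_PASSWORDS}


if __name__ == "__main__":
    for pw, failures in evaluate_samples().items():
        print(f"{pw:16} {'OK' if not failures else '; '.join(failures)}")
```

The phrase-derived password passes every rule, while bogus11 (the kind of password the hybrid attack recovers quickly) fails only the character-class rule, which is why the Methods slide warns that such passwords pass many filters yet remain crackable; a policy needs the cracking audit described earlier as well as the filter.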
Fragments of slides 14 to 17 (truncated in this copy):
... code. Therefore, if you run L0phtCrack on multiple machines, you need to get multiple unlocking codes.
Start L0phtCrack: When L0phtCrack starts, the...
... alpha-numeric-all symbols - 480 hours
The above results are from the L0pht’s web site.
Using L0phtCrack • Installation • Running L0phtCrack – pull password...
... instructions and follow the defaults • Double-click on L0phtCrack icon to start the program
To install L0phtCrack, go to http://www.l0pht.com and download

Posted: 21/12/2013, 05:17
