Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Encryption Security Windows IT

NTLM 100% Broken Using Hashes Derived From Captures 155

New submitter uCallHimDrJ0NES writes "Security researcher Mark Gamache has used Moxie Marlinspike's Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It's been going on for a long time, probably, but this is the first time a 'white hat' has researched and exposed the how-to details for us all to enjoy. 'You might think that with all the papers and presentations, no one would be using NTLM...or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!' Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!"
This discussion has been archived. No new comments can be posted.

NTLM 100% Broken Using Hashes Derived From Captures

Comments Filter:
  • OK, I did the unthinkable and skimmed the actual article, but I still have no idea what NTLM does, why it was chosen for whatever task it does, or what the potential repercussions are now that it's broken. Even the "Reminder About the Downside of Doing Nothing" section, which I hoped would explain exactly what an attacker could do, was light on details. Something about sending passwords to a remote machine?

    Can anyone shine some light on this?
    • by UnknownSoldier ( 67820 ) on Tuesday January 08, 2013 @09:21PM (#42526749)

      NTLM stands for Windows NT Lan Manager. Is was used in earlier Windows from NT 3.1 (yes THAT old) up til Win 2K3 IIRC.

      Users would authenticate their login credentials to the system. NTLM is the sub-system that does that authentication.

      For more details see wikipedia: http://en.wikipedia.org/wiki/NTLM [wikipedia.org]

      • by Curate ( 783077 ) <craigbarkhouse@hotmail.com> on Tuesday January 08, 2013 @09:29PM (#42526829)
        I distinctly remember using NTLMv2 in both NT 4.0 and Win2K, for a product I was developing for those platforms. NTLMv2 was an option. You could also choose whether the negotiation could downgrade to NTLM if the other side didn't support NTLMv2, or if the negotiation would insist on NTLMv2. But NTLMv2 didn't become the default until Vista -- the first version of Windows that strongly emphasized security.
      • If you have a web proxy (e.g. squid) with user authentification, you probably are also using NTLM for sending hashed one-time passwords. The only other alternative is Digest authentication, which only few client programs support. The NTLM version used depends on the client machine.

      • I found the following on the MS site:

        What caused the issue?
        Until January 2000, export restrictions limited the maximum key length for cryptographic protocols. The LM and NTLM authentication protocols were both developed before January 2000 and therefore were subject to these restrictions. When Windows XP was released, it was configured to ensure backward-compatibility with authentication environments designed for Windows 2000 and earlier.

        Export restrictions screw you again!

    • NTLM, you COULD go to Wikipedia - failing all else.

      This is the name for Microsoft's 2nd generation authentication protocol - for issuing challenges and responses related to encrypted passwords as a shared secret. The passwords are hashed with a salt, and the value compared with the known password, by the authentication service. This is a variant introduced by Windows NT on the LAN Manger scheme - cooked up in the remote past by MS and IBM, based on Ungerman-Bass software.

      This is important, because LM and

      • UPDATE!

        He doesn't just pass the hash - He gets THE PLAINTEXT PASSWORD. This allows anywhere, anytime auth access, instead of MITM.

        • by micheas ( 231635 )

          Not quite.

          The attacker only gets the password, however the password is never directly used, it is always converted to the hash.The hash is essentially the real password, and for injection attacks is more useful than the password as it saves you from converting the password to the hash.

      • by Nimey ( 114278 )

        XP and 2000 can be made to use NTLMv2 but you have to either use Group Policy or set it in Local Security Policy. I don't know /why/ Microsoft didn't make it default to at least use v2 if both ends agreed, but they wouldn't have forced it on because of back compatibility with NT4 domains.

    • The first paragraph on Wikipedia is excellent: http://en.wikipedia.org/wiki/NTLM [wikipedia.org] Also important to note this is only referring to NTLMv1 which is hella old. Also just because you are running Windows XP still doesn't mean you are using NTLMv1. It's a bit more complex than that.
    • by smhsmh ( 1139709 )

      My reply may be somewhat off topic, but give it a read:

      SlashDot is to journalism as COBOL is to programming.

      I read SlashDot because it is an important and timely source of technical news. But all too often articles are incomprehensible (without research) to readers outside some particular narrow discipline. Writing a lead in to an article is a skill that requires more than technical knowledge -- it requires knowledge (and some assumptions) about the experience of the intended readership. Like several oth

      • As a working reporter/writer for two decades, I offer some other tips:

        Each sentence should be less important than the one before it. This is called pyramiding in the trade; it allows the reader to quit once he/she understands enough, or for an editor to cut from the bottom.

        Never use a big word when a small, familiar one will do.

        Keep sentences to less than thirty words, if at all possible. This is mandatory for the lead (first sentence.)

        Be brave in paragraphing; do it often.

        Read the AP, Chicago or other on

        • by fatphil ( 181876 )
          Pah. You should have left it at 4 points.

          Do paragraphing not often, but only as often as makes sense. One-sentence paragraphs are for those with grade 2 reading and writing level.

          See Anna Merkin.

          See Anna Merkin paragraph.

          Paragraph, Anna Merkin, paragraph.

          And commit Strunk and White to the *bin*, not to memory. See the many comments by Pullum on Language Log and elsewhere, for example, for reasons why. Pay special attention to the fact that White apparently doesn't even know what the passive voice is before
      • I have a friend who is a retired newspaper journalist. I wonder if I could interest him in devising some guidelines for ShashDot postings that even amateurs could apply with some improvement to the quality of their posts. Anyone enthusiastic about this?

        This will remain irrelevant until the editors do some editing rather than accepting article submissions that are no more than the output of a script that scrapes an RSS feed.

      • I wonder if I could interest him in devising some guidelines for ShashDot postings that even amateurs could apply with some improvement to the quality of their posts. Anyone enthusiastic about this?

        Not in the slightest. I am, in fact, enthusiastically unenthusiastic about bringing the assumption that your reader needs all the 'the five Ws' answered or technical background spoon-fed to him onto the web.

        Newspaper style guides were written for a time when a person who didn't understand the technical background had to pedal down to the library and find a book on the subject, read it, and come back to finish the story days or weeks later. It was better to give them a layman's understanding of the science

    • The submitter has a hardon for Linux and is giddy that the authentication mechanism for an OS that is over a decade old now can be broken.

      • Re:Here's why (Score:5, Informative)

        by arth1 ( 260657 ) on Tuesday January 08, 2013 @11:26PM (#42527703) Homepage Journal

        I'd say this affects Linux too - a bunch of machines with Samba are quite possibly vulnerable, and need a different settings change than what Windows does.
        At a minimum, the following in the smb.conf

            client ntlmv2 auth = yes
            lanman auth = no
            ntlm auth = no

        For winbindd, a recompile might be required.

  • by Anonymous Coward

    This is one of the worst summaries I have ever read here. I can easily imagine the joy in the submitter as they are dancing to their own over the top writing style. NTLM is 100% broken. Oh no! Microsoft stopped recommending it and switched to Kerberos starting with Windows 2000. Who the hell cares that someone broke a protocol from 10+ years ago? If anything, it makes NTLM look really good. What sensationalist trash this is.

    • Re: (Score:2, Informative)

      If you knew this well enough, XP - a significantly deployed OS - sends these hashes anyway. It takes a Registry Change through group-policy to change the behavior.

      You want fun? Sit on the corp net of any silicon valley company with Wireshark. It's still XP heaven out there... And all the SAMBA servers? Easy pickings, Kerb5 or not.

      • So ... everyone joined to ActiveDirectory then eh? Its been known that NTLM hashes could be reused for years.

        And for the record, my Samba servers have been using kerberos for years, not sure why yours aren't. Shitty admin perhaps? Must be as the previous stated reason is what causes a clueful admin to move to kerberos back in 2001 when XP made it possible to use network wide.

        When you start mixing unix and windows servers on a domain you pretty much start off by switching everything to kerberos so everyt

    • by Anonymous Coward

      "This summary is terrible"...
      Agree... this is being overblown. Any competent admin of a network of any size already followed guidelines issued nearly a decade ago to start forcing NTLMv2 only unless there was some very specific reason not too. Back in say 2004 time frame there were reasons, by 2008 there really was no excuse. Even if someone missed it it's a simple GPO change and refresh to mitigate as already pointed out throughout the thread. Yawn.

  • I'm been a victim of pass the hash attack... they can fuck you up pretty up pretty good.
  • Smoking hashes is bad for your windows?
  • by Cassini2 ( 956052 ) on Tuesday January 08, 2013 @09:44PM (#42526957)

    The crucial detail is whether the physical layer of the network can be trusted. If the physical layer is trusted, then NTLM works fine. Historically, lots of corporate networks controlled every computer on the office network, and air-gapped the internet.

    Many modern networks, including wireless networks, have a non-trust worthy physical layer. In this case, only end-to-end encryption protects the network. Yes, the newer versions NTLM protect against the most obvious password scanning attacks. However, with a non-trust worthy physical layer, it is possible to simply scan all the network traffic and get the file contents from the network directly. Also, some (almost all?) ODBC and database servers send passwords in the clear. This makes it straightforward to do simple network traffic analysis attacks, and directly gather valuable information from the company network.

    The bottom line is that only protocols like SSH work against a non-trustworthy physical layer.

    • . If the physical layer is trusted, then NTLM works fine. Historically, lots of corporate networks controlled every computer on the office network, and air-gapped the internet.

      To what extent did they control them though? The bigger a network gets the more chance of a rouge device getting on it either through compromise of a machine that was legitimately there or through introducing a machine illegitimately.

      • To acheive any kind of security with Windows NT 3.5/4.0, you really need to control the physical layer thoroughly. Any device on the network is a potential source for untrusted code. Once you had untrusted code running on the computer, the network was compromised.

        With Windows XP and Windows 7, it's pretty much impossible to lock down the computers. The security certifications that Microsoft had for Windows NT 4.0 no longer exist.

        The only current desktop operating system technology that is equivalent t

        • I'm not sure what you mean with XP and 7 (and I assume Vista). Those are client systems. No, they don't offer Kerberos services. You need the server product. As client systems, they are far superior to NT 3.x and 4.0. Your "impossible to lock down" statement is just a setup for Linux fanboyism.
    • by greg1104 ( 461138 ) <gsmith@gregsmith.com> on Wednesday January 09, 2013 @02:17AM (#42528765) Homepage

      Also, some (almost all?) ODBC and database servers send passwords in the clear.

      Many database servers allow encrypted passwords, but there are surely a lot of database installations that don't take advantage of it. In PostgreSQL you can use SSL for the client network connection [postgresql.org], which ODBC passes through. Setup SSL as the only way to connect, and encryption has to happen before it hits the wire. MySQL has a similar trick [mysql.com]. Both are just using the OpenSSL library under the hood to encrypt the network traffic.

      On the commercial side, Oracle does the same thing with ORA_ENCRYPT_LOGIN [oracle.com]. SQL Server has client and server settings [microsoft.com] that enforce encryption. Basically, if your database traffic isn't encrypted, it's more likely because someone didn't think that was important than because it was impossible. It's a simple checkbox to add to database selection requirements, and it's not hard to find a DBMS that has the capability.

      I find people who just stuff user passwords into the database (which can be the same passwords as other services) rather than putting password encryption into their application can also leak data. In PostgreSQL using the built-in pgcrypto [postgresql.org] makes that easy. You also have to be careful to use the same network encryption approach for any replication client, or it's possible to just sniff that instead to get the data. In Postgres those connect with the same encryption possible options as any other client. Most of the tutorials on setting up replication don't cover this though.

    • The crucial detail is whether the physical layer of the network can be trusted

      Someone maintains that physical layer. Even if they are employees of the company, it doesn't follow that they can be trusted. Someone with access to the physical layer and an NTLM hack could "become" anyone else on the network and do whatever he wanted with little fear of getting caught.

      Put another way, If everyone that was employed by the company could be trusted, they could all share the same login with unlimited access. If that makes you cringe, then so should NTLM. I think that's the point of the ar

  • Who would've thought a day would come when W3-schools is used as a reference in a non-humorous way?

They are called computers simply because computation is the only significant job that has so far been given to them.