The Password Cracker that Eats Windows NT for Breakfast

"It's big. It's bad. It cuts through NT passwords like a diamond tipped, steel blade. It ferrets them out from the registry, from repair disks, and by sniffing the net like an anteater on dexadrene."

This is how the creators of L0phtCrack 2.0 describe the new release of their powerful Windows NT password cracker.* And it's coming to a network near you! This article outlines how L0phtCrack can be used to steal your passwords and what you can do to fight back.

Overview

L0phtCrack Version 2.0 was released on 12 February 1998 and is designed to capture Windows NT passwords. L0phtCrack exploits the fact that Windows NT does not store the actual passwords on an NT Domain Controller or Workstation, but instead stores a cryptographic hash of each password. L0phtCrack takes the password hashes and recovers the clear-text passwords from them.

Traditionally, there are two approaches to password cracking. The first is known as dictionary cracking and involves systematically comparing the hashes of the words in a dictionary file with the password hashes of all the users on a network. A match indicates a found password. This method is extremely fast: for example, it is possible to check the passwords of thousands of users against a 100,000-word dictionary file in just a few minutes on a 200 MHz Pentium Pro PC. The major drawback is that it relies on having a comprehensive dictionary file covering all the words that could have been used as passwords. This is not much of an obstacle for the attacker where users are required to choose their own passwords: in most cases, people choose English words, foreign words and names, all of which are included in the expansive dictionary files used by hackers. However, if an organisation's password system involves the use of "non-words", in particular passwords comprising numerals and special characters, dictionary cracking will not be as effective.
The second method of password cracking is brute force computation. This method targets a particular character set, such as A-Z or A-Z plus 0-9, and computes the hash of every possible password made up of those characters. Brute force computation will eventually identify every single user password, as long as they are all drawn from the chosen character set. The disadvantage of this method is that it is very computation intensive, and it takes longer the larger the character set is. Testing the character set A-Z on a Pentium Pro 200 takes about 24 hours; testing A-Z and 0-9 takes about 10 days. In many, if not most, cases this time requirement rules out the brute force approach, because it raises the chances of the intruder's activities being detected.

L0phtCrack makes brute force computations feasible. It takes advantage of multi-processor machines and runs at lower than normal priority so that it can be used on servers with idle CPU. It can save and restore its state during a brute force computation so that previously computed work is not lost; it automatically saves its state every 5 minutes in case of power loss or a system reboot. The saved .LC file is in ASCII format so that it can be inspected over the network to check on its progress. L0phtCrack can be completely hidden and restored with a hotkey. In addition, half of a LANMAN password will be displayed as soon as it is found to be correct. This feature is designed for 8-12 character passwords, where the second half of the password is quickly brute forced.

How to Stop a Hacker Getting your Password Hash Files

A hacker can easily obtain a copy of L0phtCrack: its Web location has been published in hacker circles. Armed with the program, the hacker needs only to retrieve your password hashes. There are three main methods of getting the password hashes: from the registry directly, from a SAM file on disk, or by sniffing your network.
Dumping From the Registry

If the hacker has obtained system administrator privileges (quite possible using various hacking tools and techniques; see the Shake Vulnerabilities Database), he or she can get the password hashes using the "Tools > Dump Passwords from Registry" command, specifying a computer name or IP address. Fortunately, you can prevent a hacker from successfully using this approach. Firstly, configure Windows NT to disallow remote access to the registry over the network; the hacker would then need to be on the local machine to proceed. You can then obstruct the attempts of both external hackers and internal hackers (employees) by running the SYSKEY utility, which Microsoft introduced in NT Service Pack 3. SYSKEY encrypts the password hashes so that L0phtCrack cannot read them.

Extracting From a SAM File

The second method a hacker might use involves retrieving the password hashes from the SAM file on the hard disk, from an NT Emergency Repair Disk, or from a backup tape. L0phtCrack's built-in SAMDUMP function extracts the password hashes from a copy of the registry SAM file obtained from any of these sources. Because the operating system holds these files open exclusively, they cannot be accessed while NT is running. The attacker would therefore need physical access to the NT server in order to boot the machine with a DOS floppy and use a program such as NTFSDOS to copy the SAM file from d:\winnt\system32\config to a floppy disk. He or she would then be able to use the L0phtCrack command "File > Import SAM" to extract the password hashes from the SAM file.

An alternative approach which does not require rebooting the machine is to take the hash files from the d:\winnt\repair directory or from an Emergency Repair floppy disk. Whenever a repair disk is made, the contents of the SAM in the registry are saved and compressed into the file "sam._". This file can be uncompressed and the expanded SAM file imported into L0phtCrack.
The SAM file is also backed up onto tape when a full backup is performed. If a hacker obtains access to a backup tape, he or she can restore the SAM file from d:\winnt\system32\config to another machine and import it into L0phtCrack.

You can prevent a hacker from successfully utilising this approach by encrypting the SAM files. This is achieved by installing SYSKEY from NT 4.0 Service Pack 3: the SAM files will then be encrypted and L0phtCrack will not be able to read them.

Sniffing on the Network

Network sniffing is the third method an intruder might use. This approach avoids a confrontation with SYSKEY or any other obstacles you might place in front of network access to the registry or physical access to the NT server. In order to use this approach the hacker must be on a physical network segment that the resource's users are accessing. Also, the sniffer, readsmb.exe, included with L0phtCrack 2.0 will only work on Windows NT 4.0.

Unfortunately, there is little you can do to stop the capture of passwords via network sniffing. Even if you have installed Windows NT Service Pack 3 and SAM encryption, your passwords will still be vulnerable as they travel over the network. This is because when a client (for example, a Windows 95 PC) tries to connect to the Windows NT server, the client takes the 16-byte OWF (the one-way-function hash of the password) and pads it with 5 null characters, producing a 21-byte OWF. It then DES ECB encrypts the OWF with the 8-byte challenge and sends the resulting 24-byte string to the server. The server performs the same operations on the OWF stored in its registry and compares the two 24-byte strings. If they match, the user supplied the correct password. As a result, an attacker can take sniffer logs of NT logons and retrieve the plain-text passwords. Neither an account on the NT machine nor knowledge of the ADMINISTRATOR password is required!
Bundled with L0phtCrack 2.0 is the SMB session network sniffer, which enables hackers to collect LANMAN password hashes without administrator rights. Prevention is the only cure against network sniffing, so thoroughly check your network (including all workstations and PC systems) for any sniffers and remove them.

How Fast will L0phtCrack Crack your Passwords?

L0phtCrack performs both dictionary attacks and brute force attacks. By default, it uses both methods: it first runs a dictionary computation using the default (English) dictionary that comes with L0phtCrack and then runs a brute force computation using the default character set, A-Z. The user can alter these selections to a dictionary attack and/or a brute force attack.

L0phtCrack's dictionary cracking is extremely fast. Tests by the makers of the cracker found that, running on a Pentium Pro 200 PC, L0phtCrack checked a password file with 100 passwords against an 8-megabyte dictionary file in under one minute. The previous release, L0phtCrack 1.5, allowed a hacker to select one of 5 character sets in order to brute force passwords that use more characters than A-Z. In Version 2.0 custom character sets are supported and brute force computation has been optimised. The benchmark performance for L0phtCrack 2.0, utilising a multi-processing brute force algorithm, is 6 hours for A-Z and 62 hours for A-Z, 0-9 on a quad Pentium Pro 200. In fact, the makers say that it is now feasible to brute force 10,000 users at a time.

Conclusions and Recommendations

Many organisations simply don't have the policies, procedures and controls in place to guard against an attack using a tool like this. Yet once an unauthorised person has access to your network, he or she can cause all sorts of damage, depending on his or her motives and abilities. It is therefore imperative that you take all possible steps to combat the use of such a program.
In particular, network managers running Windows NT should take precautions such as the following:

* upgrade to the most recent version of NT, or at least download and install the latest patch (from Microsoft or the Shake Vulnerabilities Database at http://www.shake.net);
* enable all security facilities in Windows NT, including SYSKEY;
* deny remote access to the server;
* separate, and keep locked away, the server machine, the emergency repair disks and the backup tapes;
* check all machines connected to the network for devices that might be used to facilitate network sniffing;
* encrypt all data traffic;
* consider installing a one-time password smart card system, or at least run a computer-generated password system (with alphanumeric and special characters constituting passwords). See the article on Password Management for more information on how to improve the security of your password system;
* stay informed about all the vulnerabilities, hacking tools and patches which apply to your systems.

* Shake Communications reserves the right not to disclose the sources for this article for confidentiality and security reasons.