9. Countermeasures: Stealing the Passwords, Syskey, Salting
Now there are just a couple more things that I wanted to reiterate before we move on out of the password cracking. And I probably should mention the password cracking that is offline in nature. I’m hoping you put two and two together at this point: the online password cracking was where we threw a would-be password at the operating system, trying to log on with it, and the operating system told us yea or nay. In offline cracking, we have already grabbed the password hashes using one of the many methods that I’ve showed you already. And then we’re able to try hundreds, possibly thousands, possibly millions of guesses per second to be able to achieve a password crack.
Now, obtaining the LM and NTLM hash required access of some kind to the computers they are stored on, as we know. However, once this has been copied, tools such as John the Ripper, which is a Linux tool (now that’s a test question; I want to make sure and get that in: John the Ripper is a password cracking tool under Linux), are able to retrieve stored passwords in very little time. NTLM hashes are harder to crack, but even highly complex passwords are crackable using rainbow tables, as we’ll talk about in a couple of moments. You’ve heard me talk about the Syskey encryption, and I’m just going to briefly touch on this because this is really pretty old. In Service Pack 3 of Windows NT, Microsoft introduced Syskey.
What it did was it took a 128-bit symmetric key and encrypted that SAM database file. Whenever the local machine needed to use the SAM database file, it decrypted it on the fly. But if someone was able to steal the SAM database file, they would not have that Syskey. It was obfuscated in some place, and Microsoft never told us where it was. Well, of course, obfuscation is not a good mechanism for hiding anything. With the advent of the Internet, somebody somewhere is going to find it. And you saw where I was able to retrieve the key from the SYSTEM file. So one of the favorite methods of attacking in the past was to obtain a copy of the SAM file and then utilize a program like L0phtCrack to crack the passwords with Syskey.
The attacker must now break that additional encryption, as you saw me do before. Okay, so a rainbow table seems like, oh my gosh, this is just awful, because if we are using LM hashes, we’re only really storing seven characters, forced to uppercase. And if we were able to flesh out the key space for everything that could have been typed within seven characters forced to uppercase, I mentioned it would be anywhere from 40 to 60 GB in size. Now there is not a password in the world (using an English keyboard, I should probably add) that I could not crack with the complete rainbow tables of LM hashes, provided I’m cracking the LM hash. The computer engineers that be decided to try and do something to make it a little bit harder to do this.
What they did was they took a salt value. A salt value is nothing more than an X-number-of-bits value, and normally it’s twelve. So the twelve-bit salt value increases the search space by a factor of 4096. So even if we salted the LM hashes, that 40 or 60 gig rainbow table would have to be 4096 times as large to get all of the salt values. Every single word on the word list has 4096 possible ways of appearing in encrypted form. This is a great idea. Unfortunately, Microsoft didn’t implement it. Not all systems that use Kerberos 5 use salting. For example, Windows 2012 and above simply have no support at this point. You’re probably saying at this point, it’s like, gosh, why don’t they just implement that? And let me tell you a story.
There’s an old saying that says God created the world in seven days, but he didn’t have an installed base to have to provide backward compatibility to. That’s the reason that they don’t change things, because they can’t simply draw the line in the sand and say, oh, all of your previous clients that you paid good money for and you’re still using, well, you just need to upgrade right now. That probably would not go over too well. So we are going to have to work 4096 times harder to be able to crack passwords that are salted. Now there’s two ways of being able to salt the passwords, and I’m going to kind of shift over just a little bit. And I’m going to assume we’re now talking about web passwords, because just like the SAM database where we store passwords, the web has its own database.
For example, maybe we’re going to log in and we want to make sure that that password is stored securely. Most SQL databases allow you to put a salt on the database, and you tell it how big that salt is and you tell it the column or the field that you want to have salted. Now that’s all well and good, because it does it for that entire field. But if you’ve guessed what that salt value is, you could pretty much add that to the password guess and then try and crack your password. So a better way of actually doing this would be to salt each and every row in that database table. So just imagine for me real quick, I want you to imagine we’ve got a username, Bob, and in this database table I’m looking at, it’s just like a table, all right? Bob Smith, and he logged on last at some time, and here’s the last time he logged on and all this type of stuff.
And here’s where he stored his password hash. Now, the password hash: if the table itself was salted, the entire table would contain the entire hash, although we could take and create another field called salt, or call it whatever you want, and put in an arbitrary value that you would add to the plaintext password before it was hashed. So each and every person would have a different salt value, making it very, very difficult to crack your passwords. Now, think about this as well. If you go out to a website and log into that website, or attempt to log into the website, I should say, but you’ve forgotten your password, and they have a way of recovering what that password is.
And so you go through the recovery process and they send you back your original password. Okay, guys, what does that tell you about the way they’re storing their passwords? They are not hashing them; otherwise they would not be able to send you back the original password. Now, they could reset it using a technique called password hash insertion that we’ll talk about in just a little bit, but they would not be able to determine what it is. So consequently, it’s a very good idea to always store your passwords as a hash. Some people will argue that, well, you can store the passwords in the same database as long as they’re encrypted. And I want you to hold that thought, because I’m going to show you where Microsoft made a tremendous boo-boo.
10. Cloud Cracking Techniques
You know, guys, every once in a while I run across a really neat utility that’s out on the Internet. And I ran across this yesterday when I was just simply exploring for some cloud cracking techniques. I had mentioned earlier that Moxie Marlinspike’s CloudCracker has gone offline for some reason, and I found something that’s similar, although he at this point is only cracking various passwords: Microsoft Word, Excel, that kind of stuff. But the guy is very helpful and cordial. Just to give you an example of the way he works: the name of the site is Password Online, and if you upload a file, he will open the file, and he’ll only charge you if he’s able to crack the file, and then he’ll send it to you by email. And I had, like, about ten of these files, and I said, well, gosh, could you tell me what the password is?
He said, well, we actually did something called a password hash insertion, which is what I’m going to talk about in the next couple of slides. But he said, I don’t know what the password is. He said, tell you what, send me another ten year old for cracking another one, and I’ll just go ahead and give you the rest of them. I said, well, that’s fantastic. So I just wanted to mention this to you because, to tell you the truth, he cracked all of these in, gosh, I think it was probably less than an hour. So I just popped that thing up there and bing, bang, boom, I’m done. This is a picture of his website right here. So he’ll crack PDF files, Word, Excel, zip files, RAR files, PDF recovery online, and there’s a number of other ones that can be cracked. When we go to the WiFi section, we’ll explain how we need to crack the handshake.
11. Generating Rainbow Tables, Free Rainbow Tables
Now there’s a number of utilities that you can obtain to generate your own rainbow tables. Generating your own rainbow tables: remember, there’s a trade-off here. Are you going to pay me now or pay me later? Pay me now, meaning I’m going to hash whatever characters I could have typed on the keyboard and hash all of those, putting it into, for lack of a better way of describing it, an SQL database, so we could look it up very easily, so we don’t have to do that trade-off when we’re trying to crack the password. To give you an idea (and this is a pretty old story), I was getting a divorce from my first wife.
And I remember some friends of mine had decided to rent a cabin that was on the water there in Amsterdam. And I had just gotten a book deal. And I was kind of down in the dumps, and they said, come on over here. I said, well, I’ve got to write this book. And he said, you could write it over here. And so before I left, I actually had a 1 GHz machine. It had one gig of memory, so you can see how dated the story is. I put onto it a UPS and an external large hard drive. I told it that I wanted to generate the LanMan password hashes. And I wanted to generate, if you look at the graphic here, all of the characters that I could have typed on the keyboard. Well, I was over there in Amsterdam for about four months. When I came back, it had just finished.
So it kind of gives you an idea of how long it takes. Now, of course, we’ve got much faster machines nowadays to do this, but the trade-off that I’m talking about is actually there. Come to think of it, I didn’t get that book written, but I had a heck of a good time over in Amsterdam. This utility right here comes with Cain & Abel, and you can download it from their website for free. It will create password hashes for fast LM, NTLM, MD2, MD4, MD5, SHA-1, RIPEMD, MySQL, a number of the different hashes that are popular. You tell it the minimum and maximum length, the number of tables you want to have, and you just simply click OK and let it go to town. There are places that you could obtain rainbow tables from somebody who’s already generated them.
The rainbow tables are often made available to be used with software that implements a time-memory trade-off for brute-forcing passwords that are hashed using algorithms that don’t include a salt. Remember, we talked about the salt, because a salt is going to defeat this. These tables were first released at ShmooCon back in 2005. In order to use the tables, you need to have a utility for searching the tables, the tables themselves, and a file that contains that LanMan hash. Most of your popular password cracking programs have the capability to utilize these tables. Cain & Abel has it. And as you saw before, L0phtCrack had it as well.
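The per-row salt from the section on countermeasures and the "pay me now" time-memory trade-off behind the rainbow tables in this section, as an added example that is not part of the lecture: the tiny lowercase keyspace, SHA-1 as a stand-in for an unsalted LM/NTLM-style hash, and the PBKDF2 storage routine are my assumptions, not anything the course or its tools use.

```python
"""Per-row salting versus precomputed lookup/rainbow tables (added example, not from
the lecture). SHA-1 stands in for the unsalted LM/NTLM hash; the 3-letter keyspace and
the lecture's 12-bit salt are constructed for illustration."""
import hashlib
import hmac
import itertools
import secrets
import string
from typing import Dict, Optional, Tuple

SALT_BITS = 12                 # lecture: "normally it's twelve"
CHARSET = string.ascii_lowercase
LENGTH = 3                     # 26**3 = 17576 candidates: precomputed in well under a second
KDF_ROUNDS = 600_000           # PBKDF2 work factor; the point is that each guess is slow

def unsalted_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

def build_lookup_table() -> Dict[str, str]:
    """'Pay me now': hash the whole keyspace once; each crack is then a dict lookup."""
    return {unsalted_hash("".join(c)): "".join(c)
            for c in itertools.product(CHARSET, repeat=LENGTH)}

def crack_with_table(table: Dict[str, str], digest: str) -> Optional[str]:
    return table.get(digest)

def table_wide_salted_hash(password: str, site_salt: str) -> str:
    """One salt for the whole column: identical passwords still collide, and whoever
    learns the salt rebuilds the table once by appending it to every guess."""
    return hashlib.sha1((site_salt + password).encode()).hexdigest()

def per_row_record(password: str, salt: Optional[int] = None) -> Tuple[int, str]:
    """The lecture's extra 'salt' column: a random value stored beside each row."""
    if salt is None:
        salt = secrets.randbelow(2 ** SALT_BITS)
    digest = hashlib.sha1(salt.to_bytes(2, "big") + password.encode()).hexdigest()
    return salt, digest

def tables_needed(salt_bits: int) -> int:
    """A table built for one salt misses every other salt; 12 bits means 4096 tables."""
    return 2 ** salt_bits

def store_password(password: str) -> Tuple[bytes, bytes]:
    """What to deploy today: a 16-byte random salt plus a slow KDF, never a bare hash."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)

def verify_password(record: Tuple[bytes, bytes], attempt: str) -> bool:
    salt, stored = record
    guess = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, KDF_ROUNDS)
    return hmac.compare_digest(stored, guess)
```

The same precomputed table that recovers every unsalted digest instantly returns nothing for a per-row salted digest, and a site that can e-mail you your old password cannot be storing records of the `store_password` kind.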
12. Password Hash Insertion Attack
You’ve heard me talk already about a password hash insertion attack, and let me see if I can explain that. The utility that I’m going to use to demonstrate this is really not my favorite utility. There’s a lot of easier ones, but this is the one that they ask you about on the test. So let’s grin and bear it and use this utility. It’s called chntpw, for Change NT Password. First thing you need to make sure is you have physical access to the Windows server. Otherwise it’s going to be very difficult to do this. Sometimes you can have virtual physical access, which is what I’m going to show you in just a bit. But unless you can get it to boot off of a CD, it’s going to be very difficult to do this. As we already know, physical access to a Windows server is a huge security hole.
Now, this is a utility that can change a local administrator password no matter what flavor of Windows is running, or whether it’s a domain controller or even a member server. Now we’re talking about the local administrator account. Keep in mind the domain controller or even a member server has a local administrator. We typically use this when we’re restoring the directory, that kind of thing, but it still has one. What we’re saying here, basically, is we’re going to be attacking the SAM database, not the NTDS.dit. So as a system is booted with a floppy or CD or thumb drive that runs Linux, chntpw runs and walks the user through the process of changing any password that they want to change. It does make a note here to ensure you don’t run any check disk operation after the attack, because it could fail.
All right. Now I want you to use your imagination. Think about a database field, or think about that table that I pulled up the other day, if you recall. So I went ahead and stuck in that table just to make it a little easier for us to imagine. So let’s say this was the SAM database, all right, and here’s where the password hash was stored. What we did was we put in aad3b4..., ending in ee, if this was an LM hash, of course, or whatever the NT hash is for blank characters, or for whatever character that you may have changed it to. So we’ve surgically put in where that goes inside the field with the password hash. So when the system boots back up, it says, oh, here’s your password hash right here, and it doesn’t know any different. There’s a couple of caveats to this.
Let me explain those before we get started. I need to start by asking you a question. With the advent of Windows 2000 and above, we have something called the Encrypting File System. And in the Encrypting File System we can encrypt files. But let’s say, for example, we had a user that encrypted a number of his files and had told us to shove off and quit. And we didn’t know how to decrypt those files. More than likely someone in the class would say, well, yes, but the administrator is the recovery agent. And you’re absolutely correct, the administrator is the recovery agent. That begs the question, who is the recovery agent for administrator? Pause, pause. Crickets chirp, crickets chirp. There is not one.
So if that’s the case and we did a password hash insertion on the administrator account, any encrypted files are lost forever. You will never get those files back. A better alternative might be to save the password hash, then do a password hash insertion, and if somebody comes back and says, oh, I can’t get back this file, it’s encrypted, you could still go back and crack that password and put it back in. So I just wanted to make you aware of that before we did our little demo here. Okay, so here we are at our online lab, and what I’ve got right here is I went in underneath Manage Settings, I went down to the hard drive. I want to make sure that it’s connected to the local client, and I’m going to use the ISO image of chntpw, all right? And I’m going to just simply click OK.
Now the next thing I’m going to do is I’m going to need to restart this machine, but I want to make sure it restarts underneath the BIOS. Okay? So basically I told it, using the console application, to force it into the BIOS next time the machine. So hopefully that would work, because what I’m wanting to do is I want to make sure it boots off of that CD, and I want to make sure that our CD is the one that’s at the top. Okay? So I’m just simply going to go out here and I’m going to restart the guest. And there we have it. Okay, so I’m going to just come over here and I’m going to click anywhere in that black screen. I’m going to use my left and right arrow keys to move over to Boot. Now I want you to notice the CD-ROM is the third one from the top.
I really want it to be on top so it picks that first. So I’m going to push the down arrow twice, and then I’m going to use the plus and minus keys on the right side of the keyboard, mainly the plus, to move that up to the top. Once I have that done, I’m simply going to press F10 to save and exit, and say yes. Theoretically, now it should boot off of that Linux CD. And here we go. Now the first thing it asks us is to press Enter, and also, okay, so now it’s asking us to please select the partition by number or quit. Okay, so, as you can see here, the partition we’re going to be interested in is the partition labeled as one. So I’m going to pick it. Which part of the registry to load? Use predefined choices, and so on. Number one is the default, because that’s what we’re going to use to reset the password.
So I’m just going to choose that. So it’s loaded all the information from the SAM database. It wants to edit user data and passwords. We could list the groups, the registry editor. I’m just going to pick the default again. The next thing it says is enter the user number, the relative ID, or zero to exit. All right, so we’re going to want to change... let’s go ahead; this is the same machine that I used for the Mimikatz. So let’s go ahead and change Sam. The user number for Sam is going to be 03f0. Then it wants to know: clear or blank the user’s password. That’s what I want to do. I’m just going to press one right there, right? And notice what it did when I pressed one is it took aad3b4 and put it into that field, or whatever the appropriate hash was in NT, thus zeroing out the password.
And then I’m just simply going to quit. Do I want to write the files back? Yes, I do. Okay. And then I’m going to go ahead and pick underneath Manage. And I’m going to go ahead and pull that CD out, because I don’t want to boot off that CD again. So I’m just going to say use the physical drive that’s in here. Okay. And I’m going to click OK. Looks like it’s booting up now. Okay. And I think we did Sam, didn’t we? If I click once right here, you can see that Sam had the password of "you’ll never guess", and now he has no password at all. So there’s a perfect way of removing any Windows NT or above password, as long as you have physical access or virtual physical access to the particular machine.