Windows 3.1-XP Password Hashing Review

By nekret at 10:45 pm on February 10, 2008

Windows, like many other operating systems, stores password hashes rather than clear-text passwords so that an attacker who gets hold of the authentication data does not obtain the passwords directly. Microsoft first developed the LAN Manager (LM) password hashing scheme for Windows for Workgroups 3.1. To maintain backward compatibility, Microsoft has kept this scheme enabled by default all the way through Windows XP (Vista still supports LM hashing, but it is disabled by default). Because of the design of the original LM scheme, it is now feasible for many people to store large sets of precomputed hashes (rainbow tables) and crack complex, non-dictionary passwords in just a few minutes.

Assets

  • Confidentiality: e-mail, browser-saved passwords and encrypted folders/volumes can in many cases all be accessed simply by gaining access to someone's Windows user profile.
  • Integrity: a Windows domain administrator should be able to assume that the person logged on as a particular user actually owns that account. It's worth noting that domain logons actually use NTLM for authentication; however, similar attacks exist against it.
  • Privacy: users generally assume no one is watching them while they use their computer or profile.

Potential Adversaries/Threats

  • Disgruntled employees may use the weaknesses in LM hashing to obtain local administrative privileges and install keyloggers in an effort to escalate their privileges on the domain.
  • Anyone trying to impersonate the target by sending e-mail from another person's user account. The owner of the account would have little means of denying that the e-mail was sent by him or her.
  • Anyone looking to steal financial data could probably make off with a bank account number or two and possibly a PayPal account. For instance, an attacker could list a $20,000 garbage bag on eBay and have the target purchase and pay for the item without any knowledge that the transaction took place.

Weaknesses

  • The LM hashing scheme takes the user-supplied password and truncates it (if necessary) to 14 characters. The password is then divided into two 7-character pieces (padding the password if necessary), and the two 7-character strings are hashed separately and the results concatenated. LM is also case-insensitive, so the effective key space is that of passwords 1-7 characters long drawn from A-Z, symbols and spaces. Since there is no random salt value, as there is on most *nix systems, hashes can be precomputed and looked up later.
  • Tools to exploit the LM hashing scheme are readily available. Rainbow tables have been published by several computer security groups (Shmoo, freerainbowtables.com, etc.). Tools for obtaining LM hashes and running them against the rainbow tables are also readily available in the form of Cain & Abel (there is also a live boot CD that recovers LM hashes and runs them against a reduced set of rainbow tables).
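The 14/7 split described above, as an added example (not code from the original post): it performs LM's preprocessing in Python (case folding, truncation/padding to 14 bytes, the split into two 7-byte halves, and the 56-to-64-bit expansion of each half into a DES key with parity bits), computes the real hash only when pycryptodome's DES is installed, and compares the key space of one 7-character half with that of a 14-character case-sensitive hash. The charset sizes 69 and 95 are assumptions, and ASCII upper-casing stands in for the OEM code page that real LM uses.

```python
"""LM hash preprocessing and the key-space consequence of the 7-character split.
Added example; not code from the original post."""

try:
    from Crypto.Cipher import DES  # pycryptodome, optional: only needed for the real hash
except ImportError:
    DES = None

LM_MAGIC = b"KGS!@#$%"  # the constant plaintext each half's DES key encrypts


def lm_halves(password: str) -> tuple:
    """Uppercase, truncate/pad to 14 bytes, split into two 7-byte halves.
    ASCII upper-casing is assumed here; real LM uses the OEM code page."""
    raw = password.upper().encode("ascii", "replace")[:14]
    raw = raw.ljust(14, b"\x00")  # a password of <= 7 chars leaves the 2nd half all NULs
    return raw[:7], raw[7:]


def des_key_from_7(half: bytes) -> bytes:
    """Spread the 56 bits over 8 bytes, one odd-parity bit per byte (the form DES expects)."""
    bits = int.from_bytes(half, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        byte = seven << 1
        if bin(byte).count("1") % 2 == 0:
            byte |= 1
        out.append(byte)
    return bytes(out)


def lm_hash(password: str):
    """16-byte LM hash as upper-case hex, or None when no DES implementation is installed."""
    if DES is None:
        return None
    parts = []
    for half in lm_halves(password):
        cipher = DES.new(des_key_from_7(half), DES.MODE_ECB)
        parts.append(cipher.encrypt(LM_MAGIC))
    return b"".join(parts).hex().upper()


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of passwords of length 0..max_len over charset_size symbols."""
    return sum(charset_size ** n for n in range(max_len + 1))


def lm_vs_ntlm_keyspace() -> tuple:
    """Assumed sizes: 69 = upper-case letters, digits, punctuation and space after
    LM's case folding; 95 = all printable ASCII for a case-sensitive 14-char hash."""
    lm_half = keyspace(69, 7)      # the two halves are attacked independently
    ntlm_full = keyspace(95, 14)
    return lm_half, ntlm_full


if __name__ == "__main__":
    for pw in ("", "password", "x" * 20):
        print(repr(pw), lm_halves(pw), lm_hash(pw))
    half, full = lm_vs_ntlm_keyspace()
    print(f"one LM half: {half:.2e}  vs  14-char case-sensitive: {full:.2e}")
```

Run stand-alone it prints the halves for three constructed passwords and, with pycryptodome present, the resulting hashes; the empty second half of any short password always yields the same 8 bytes, which is why that constant is the first thing a password auditor looks for in a hash dump.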

Defenses

  • Since Windows 2000, Windows systems have also computed a newer hash, known as NTLM, that is not subject to the 7-character limitation of LM. Although rainbow tables can still be generated (because there is still no salt), tables that would be reasonably accurate for 1-14 characters over the full character set would be too large for most people to store. Disabling LM hashes would be a step in the right direction for making Windows passwords harder to crack.

Conclusion

  • The availability of precomputed hash tables and tools for the LM password hashing scheme makes passwords stored under that scheme extremely vulnerable. NTLM is a better system but is flawed in the same way as LM: it lacks a salt value that would make rainbow tables worthless across multiple users. Upon trying this attack out on my own system I found that I could recover randomly generated 14 character passwords in under 20 minutes. I believe it's relatively clear that LM is dead and NTLM is dying due to the increasing availability of storage and CPU resources.
Filed under: Security Reviews
