Authentication
Urity@SecurityFriday.com
NTLM version 2
Windows
NT challenge/response
version 2 challenge/response
Kerberos
Feb 8, Windows Security 2002 Briefings
Agenda
1. LM authentication mechanism
2. Demonstration (1)
3. NTLM v2 authentication algorithm
4. Sniffing SMB traffic on port 139
5. Sniffing SMB traffic on port 445
6. Demonstration (2)
Challenge/Response sequence
1. Request to connect
2. Respond with a challenge code
3. Send an encrypted password
4. Reply with the result of authentication
LM challenge/response -1- (LM hash)
uppercase(password[1..7]) as KEY, DES(magic word) -> LM_hash[1..8]
uppercase(password[8..14]) as KEY, DES(magic word) -> LM_hash[9..16]
LM_hash[17..21] = 0000000000 (padding)
LM challenge/response -2- (LM response)
LM_hash[1..7] as KEY, DES(challenge code) -> LM_response[1..8]
LM_hash[8..14] as KEY, DES(challenge code) -> LM_response[9..16]
LM_hash[15..21] (ends in the 0000000000 padding) as KEY, DES(challenge code) -> LM_response[17..24]
Cracking NTLMv2 Authentication
LM challenge/response - short password case -
When password[8..14] is empty, the second DES block is the magic word encrypted under an all-zero key, so LM_hash[9..16] = AAD3B435B51404EE is known in advance.
LM_hash[8..14] = LM_hash[8] + AAD3B435B514 as KEY, DES(challenge code) -> LM_response[9..16] (only one key byte is unknown)
LM_hash[15..21] = 04EE0000000000 as KEY, DES(challenge code) -> LM_response[17..24] (key fully known)
BeatLM demonstration
NTLM 2 Authentication
NT_hash = MD4(unicode(password))
NTLMv2 key = HMAC_MD5(KEY = NT_hash, unicode(uppercase(account name) + domain_or_hostname))
NTLMv2 Response = HMAC_MD5(KEY = NTLMv2 key, server_challenge + client_challenge)
HMAC: RFC2104
MD5: RFC1321
MD4: RFC1320
Microsoft Knowledge Base: Q239869
NTLMv1
NTLMv2
No
Yes
Yes
56bit + 56bit
MD4
MD4
64bit + 64bit
128bit
128bit
128bit
C/R algorithm
HMAC_MD5
128bit
Authentication sequence - NetBT (NetBIOS over TCP/IP) -
SMB_COM_NEGOTIATE request
SMB_COM_NEGOTIATE response
SMB_COM_SESSION_SETUP_ANDX request
SMB_COM_SESSION_SETUP_ANDX response

SMB_COM_NEGOTIATE request
SMB_COM_NEGOTIATE response
NT/2000
SMB_COM_XXX request
SMB_COM_XXX response
SMB_COM_SESSION_SETUP_ANDX request
SMB_COM_SESSION_SETUP_ANDX response
SMB header fields: SMB mark FF534D42, SMB command, Error code, Flags, some fields, WordCount, ParameterWords (variable length), ByteCount, Buffer
SMB_COM_NEGOTIATE request over NetBT: SMB mark + SMB command = FF534D4272
SMB_COM_NEGOTIATE response over NetBT: SMB mark + SMB command = FF534D4272, Flags 8X, WordCount 0x11, ByteCount; Buffer contains the server challenge code (8 bytes)
SMB_COM_SESSION_SETUP_ANDX request over NetBT: SMB mark + SMB command = FF534D4273, WordCount 0D, ByteCount; length of encrypted password -1- and 2nd length of encrypted password -2-; Buffer contains the encrypted password(s) and the Account & Domain/Host name
SMB_COM_SESSION_SETUP_ANDX response over NetBT: Error code
- correct password: 0xC000006F, 0xC0000070, 0xC0000071, 0xC0000072, 0xC0000193, 0xC0000224
Requisite information
Account name
Domain/Workgroup/Host name
Server challenge code
Client challenge code
Encrypted password
The result of authentication
SMB protocol - specifications - encrypted password -
98/ME file sharing; 98/ME with DS Client
SMB_COM_NEGOTIATE request
SMB_COM_NEGOTIATE response
SMB_COM_SESSION_SETUP_ANDX request
SMB_COM_SESSION_SETUP_ANDX response
Authentication sequence - MS-DS (Direct SMB Hosting Service) -
2000 - 2000
SMB_COM_NEGOTIATE request
SMB_COM_NEGOTIATE response
SMB_COM_SESSION_SETUP_ANDX request
SMB_COM_SESSION_SETUP_ANDX response
SMB_COM_SESSION_SETUP_ANDX request
SMB_COM_SESSION_SETUP_ANDX response
Challenge/Response: Request to authenticate with NTLMSSP
1st SMB_COM_SESSION_SETUP_ANDX request over MS-DS: WordCount 0x0C; Buffer contains SecurityBlob
SMB_COM_SESSION_SETUP_ANDX - WordCount:
- Type 3 has OS name, LM type, Domain name
- Type 4 has SecurityBlob, OS name, LM type, Domain name
- Type 12 has SecurityBlob, OS name, LM type
- Type 13 has Password, Account name, Domain name, OS name, LM type
SMB_COM_SESSION_SETUP_ANDX command - Type 12 (0x0C): SMB mark + SMB command = FF534D4273, WordCount 0C, SecurityBlob length, ByteCount, SecurityBlob (variable length)
NTLMSSP 1 in SecurityBlob
4E544C4D53535000
01000000
0000000000000000
0000000000000000
1st SMB_COM_SESSION_SETUP_ANDX response over MS-DS: WordCount 0x04; Buffer contains SecurityBlob
SMB_COM_SESSION_SETUP_ANDX command - Type 4 (0x04): SMB mark + SMB command = FF534D4273, Flags 8X, WordCount 04, SecurityBlob length, SecurityBlob (variable length)
NTLMSSP 2 in SecurityBlob
4E544C4D53535000
02000000
30000000
0000000000000000
2nd SMB_COM_SESSION_SETUP_ANDX request over MS-DS: WordCount 0x0C; Buffer contains SecurityBlob
SMB_COM_SESSION_SETUP_ANDX command - Type 12 (0x0C): SMB mark + SMB command = FF534D4273, WordCount 0C, SecurityBlob length, ByteCount, SecurityBlob (variable length)
NTLMSSP 3 in SecurityBlob
4E544C4D53535000
03000000
40000000
2nd SMB_COM_SESSION_SETUP_ANDX response over MS-DS: WordCount 0x04; Error code
NTLMSSP structure - also used in NTLM authentication of IIS, DCOM, NT Terminal Server, 2000 Terminal Service and NNTP Service
Demonstration: Sixteen-Beat NTLMv2 challenge/response cracking performance
password length 4, numeric & alphabet characters: < 5 seconds
password length 5, numeric & alphabet characters: < 4 minutes
password length 6, numeric & alphabet characters: < 4 hours
password length 7, numeric & alphabet characters: about 10 days
password length 8, numeric & alphabet characters: about 21 months
Conclusion
"For NTLMv2, the key space for password-derived keys is 128 bits. This makes a brute force search infeasible, even with hardware accelerators, if the password is strong enough." - from Microsoft Knowledge Base