How did I hack your Windows password? (1)

Source: Internet
Author: User

How did I hack your Windows password? (1)

Passwords can be thought of as our primary, and in some cases, the only defenses that can be used to guard against intrusions. Even if intruders are not physically exposed to the computer, they can still access services on the server through Remote Desktop protocol or authentication capabilities for external Web applications. The main purpose of this article is to tell you how Windows creates and stores password hashes (hash) and how these hashes are cracked. After describing how to hack the Windows password, I'll also introduce some tips to help you prevent such attacks.

Introduced

Passwords can be thought of as our primary, and in some cases, the only defenses that can be used to guard against intrusions. Even if intruders are not physically exposed to the computer, they can still access services on the server through Remote Desktop protocol or authentication capabilities for external Web applications.
The main purpose of this article is to tell you how Windows creates and stores password hashes (hash) and how these hashes are cracked. After describing how to hack the Windows password, I'll also introduce some tips to help you prevent such attacks.

How Windows stores passwords

A computer running Windows uses two methods to create a hash of a user's password, both of which have different security implications in nature. Both of these methods are LAN Manager (LM) and NT LAN Manager Second edition (NTLMV2). Hashing is the result of a cryptographic function that takes a string of arbitrary size, encrypts it with an algorithm, and returns a fixed-size string.

LM Password Hash

The LAN Manager Hash is one of the first password hashing algorithms used by the Windows operating system, and is the only available version until more advanced NTLMv2 are used in Windows 2000, XP, Vista, and 7. While these new operating systems can support the use of LM hashes, they are primarily intended to provide backward compatibility, but in Windows Vista and Windows 7, the algorithm is disabled by default.

The LM hash for the password needs to be calculated using the following six steps:

    1. Convert a user's password all to uppercase

    2. Add an empty (null) character to the password until the password length is equal to 14 characters

    3. Split the newly acquired password into two sets of 7-bit character value groups

    4. Use these values to create two DES encryption keys and add a parity bit for each group so that you can create a 64-bit key

    5. Use each des key to encrypt a predefined ASCII character ([email protected]#$%) so that you get two 8-byte ciphertext values

    6. These two 8-byte ciphertext values combine to form a 16-byte value, which is the resulting LM hash

For example, if you use "PassWord123" as your password, the password will be converted to:

    1. PASSWORD123

    2. PASSWORD123000

    3. Passwor and D123000

    4. PASSWOR1 and D1230001

    5. E52cac67419a9a22 and 664345140a852f61

    6. E52cac67419a9a22664345140a852f61


Figure 1: Converting a password to an LM hash

The LM stored password has some obvious deficiencies. First of all, the encryption work is based on data Encryption Standard (DES), Des was originally from IBM in the 1970s a project, the project was eventually improved by NIST, and received the support of the NSA, in 1981 as an ANSI standard release. For years, Des has been considered safe enough, but since the small key is only 56 bits, it has become less secure since the 90 's. By the year 1998, Electronic Frontier Foundation will only take about 23 hours to decode DES. As a result, DES began to become insecure and gradually replaced by triple DES (Triple-des) and AES. In short, these are all other encryption standards, but due to the powerful performance of modern computers, they are quickly cracked.

The biggest weakness of the LM hash may be the process of creating the DES key. In this process, the user-supplied password is automatically converted to all uppercase and replaced by a supplement of 14 characters (which is also the maximum length of the LM hash password), which is then divided into two sets of 7-character values. For a password consisting of 14 printable ASCII characters, there is a 95 14 chance of being halved, and once it is set to two 7-bit characters, the probability is reduced to 95 of the 7, and if you only allow uppercase ASCII characters, the likelihood is further reduced to 69 of the 7. So essentially, even if you use different uppercase and lowercase characters and use long passwords, once the password is saved to the LM hash, all efforts will be wasted, and the LM hash will be vulnerable to brute force.

NTLMv2 Password Hash

NT LAN Manager (NTLM) was developed by Microsoft to replace the LM authentication protocol. Finally, with the improvement, NTLMV2 was used as a new authentication method starting with Windows NT 4.

The creation of the NTLMV2 Hash (hereinafter referred to as the NT hash) is much simpler than what the operating system actually participates in, and requires the use of the MD4 hashing algorithm to create a hash from a series of mathematical computations. The MD4 algorithm needs to be used three times to generate an NT hash. For example, the MD4 hash of the password "PassWord123" can be expressed as "94354877d5b87105d7fec0f3bf500b33".


Figure 2: Converting a password to a NTLMv2 hash

MD4 are generally more robust than des because they can accept longer passwords, allow both uppercase and lowercase letters, and do not need to split passwords into smaller, more easily cracked fragments.

The most likely disadvantage of hashing created with NTLMV2 is that Windows cannot use a technology called salting. Salting this technique can be used to generate a random number and use that random number to calculate the hash of the password. This means that the exact same password may have a completely different hash value, which is the ideal situation.

In this case, the user can create the so-called Rainbow Table. Rainbow table does not refer to a colorful coffee table, but is actually a table that contains each hash value of each possible password that can be composed of a certain number of characters. By using Rainbow Table, we can extract the hash value of the password from the target computer and retrieve it in the table. Once you find the same content in the table, you know the password. As you can imagine, even a rainbow table with very few characters can be very large. This means that the creation, storage, and retrieval of such tables is a cumbersome task.

Conclusion

In the first part of this article, we describe the concept of password hashing and the mechanism that Windows uses to create and store these values. In addition, we describe the limitations of each approach and the possible ways in which these passwords can be cracked. In the following sections, we will describe the methods of acquiring and cracking these hashes and proving the existence of limitations. After the introduction, I'll also provide some tips for you to get further protection and create a password that meets the required strength.

This is an online search, but the translator only translated the first article, I will translate the second article

How did I hack your Windows password? (1)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.