LM/NTLM Verification Mechanism

Author: 4th <scz@nsfocus.com>
Home: http://www.nsfocus.com
Date: 2002-12-02
Directory:

☆Overview
☆Challenge/response mode
☆L0pht document
☆Vulnerability of Windows NT authentication mechanism
☆Str_to_key () function
☆How to generate LM Hash from plaintext passwords
☆Standard DES encryption
☆How to generate an NTLM Hash from a plaintext Password
☆Standard MD4 unidirectional hash
☆The SMB Message uses des lm Hash and des ntlm Hash.
☆Observe an instance
☆Negotiate response Decoding
☆Session_setup_andx request Decoding
☆Summary
☆Reference Resources

--------------------------------------------------------------------------

☆Overview

Early SMB protocols transmit plaintext passwords over the network. Later, "LAN Manager Challenge/Response"
The verification mechanism, LM for short, is so simple that it is easily cracked. Microsoft raised the WindowsNT challenge/response
The verification mechanism should be called NTLM. Now we have an updated NTLMv2 and Kerberos verification system.

Microsoft acknowledges that the inherent features of LM Hash greatly compromise security, but they think this was the first time IBM was designed.

☆Challenge/response mode

When the plaintext password mode is used, the plaintext password itself is transmitted over the network, which is easily captured by Sniffer.
The attempt to challenge/respond to the mode does not disclose the plaintext password itself, which proves that the client indeed has the correct password:

1. The server randomly generates an 8-byte challenge and sends it to the client.

2. The server and client respectively use the secret key from the plaintext password to encrypt the 8-byte challenge. Customer
The server sends the computing result to the server. This is the so-called response (divided into three groups, a total of 24 bytes ).

Response = DES (key derived from plaintext password, challenge)

The standard DES algorithm is used here. Anyone who knows the key can decrypt the reponse to obtain
Challenge.

3. If the response matches the computing result of the server, the server determines that the client has the correct plaintext password.

☆L0pht document

In July 12, 1997, L0pht's Mudge <mudge@l0pht.com> released
Verification Documents (refer to resource [1]).

+ ---------------------------- +
| 14 bytes Plaintext Password |
+ ---------------------------- +

+ -------------------------------------------------------------------------- +
| First 7 bytes of Plaintext Password | second 7 bytes of Plaintext Password |
+ -------------------------------------------------------------------------- +

+ ----------------- +
| 16 bytes LM Hash |
+ ----------------- +

+ ---------------------------------------------------- +
| First 8 bytes of LM Hash | second 8 bytes of LM Hash |
+ ---------------------------------------------------- +

+ ------------------------- +
| 16 bytes NTLM Hash (MD4) |
+ ------------------------- +

+ ------------------ +
| 8 bytes Challenge |
+ ------------------ +

+ ------------------ +
| 24 bytes Response |
+ ------------------ +

The first 8 bytes of LM Hash are derived from the calculation of the first 7 bytes of the plaintext password. The last 8 bytes of LM Hash are derived from the plaintext port.
The last 7 bytes. If the plaintext password contains a maximum of 7 bytes, the LM Hash in the second part is always "AA D3 B4 35 ".
B5 14 04 EE "(explained here later ). For example, if "WELCOME" is used as the plaintext password, the corresponding LM Hash is
"C23413A8A1E7665FAAD3B435B51404EE ".

Assume that server B sends an 8-byte challenge "0001020304050607" to Client"

Server B -- 8 bytes Challenge --> Client

A now has LM Hash, C23413A8A1E7665FAAD3B435B51404EE, and then add 5 0x00
"C23413A8A1E7665FAAD3B435B51404EE0000000000", divided into three groups, each group of 7 bytes

+ ---------------- +
| C23413A8A1E766 | 5FAAD3B435B514 | 04EE0000000000 |
+ ---------------- +

Each group of 7 bytes is passed as the form parameter to the str_to_key () function, and three groups of keys are obtained, each group of 8 bytes.

+ -------------------------------------------------------- +
| 8 bytes DESKEY1 | 8 bytes DESKEY2 | 8 bytes DESKEY3 |
+ ------------------ +
| C21A04748A0E9CCC | 5ed4b47642acd428| 0476800000000000 |
+ -------------------------------------------------------- +

Three sets of token keys are used to perform standard DES encryption on the 8-byte challenge "0001020304050607 ".

C21A04748A0E9CCC-standard DES encryption for 0001020304050607-> ca316723c41d577
5ED4B47642ACD428-perform standard DES encryption on 0001020304050607-> AB18C764C6DEF34F
0476800000000000-standard DES encryption for 0001020304050607-> A61BFA0671EA5FC8

Finally, get a 24-byte response "ca316723c41d577ab18c764c6def34fa61bfa0671ea5fc8 ",
To server B. Perform the same calculation on server B and compare the calculation result with the response from server,
If yes, authentication is successful.

The plaintext password cannot exceed 7 bytes.

First, check whether the plaintext password is less than 8 bytes. Use the str_to_key () function to process "04EE0000000000 ".
The 8-byte counter ey, "0476800000000000", uses it to standard the challenge "0001020304050607"
DES encryption. If the result matches the "A61BFA0671EA5FC8" transmitted over the network, the plaintext password may be less than 8
Bytes, of course, cannot be absolutely certain.

Next, use the str_to_key () function to process "?? AAD3B435B514 ", get the 8-byte token ey, use it to challenge
Performs standard DES encryption. If it matches the "AB18C764C6DEF34F" transmitted over the network, a match is found.
We can be sure that the plaintext password is less than 8 bytes. Here "?? "It is generated by a loop, and 256 possibilities are exhausted.

Due to some inherent features of LM Hash, the computation workload has been greatly reduced.

Assume that the plaintext password is 8 bytes or more. The LM Hash is as follows:

+ ---------------- +
| C23413A8A1E766 | AC435F2DD90417 | CCD60000000000 |
+ ---------------- +

First, check whether the plaintext password is less than 8 bytes. Use the str_to_key () function to process "04EE0000000000 ".
To 8-byte encryption ey, "0476800000000000", uses it to perform standard DES encryption on the challenge, if the result is
If the content transmitted over the network is inconsistent, the plaintext password must be greater than or equal to 8 bytes.

Next, use the str_to_key () function to process "???? 0000000000 ", get the 8-byte token ey, use it to challenge
Standard DES encryption. If it matches the content transmitted over the network, the matching is found. Here "???? "Cycle
65536 possibilities.

The above describes how to obtain LM Hash Based on Challenge/Response brute force cracking.

Even if NT4 SP3 and des lm Hash Response are sent together with des ntlm Hash Response,
In this case, the NTLM Hash strength is meaningless.

If des lm Hash Response is disabled, Windows 95 cannot communicate with NT normally.

If your Windows system supports a password of more than 14 bytes, try to use a password of more than 14 bytes.

☆Vulnerability of Windows NT authentication mechanism

February 6, 1997, Dominique Brezinski <dominique.brezinski@CyberSafe.COM> external
A document on the vulnerability of the Windows NT authentication mechanism is published (refer to resource [8]).

Assume that host B and

(1) A initiates A connection request to B

(2) B sends challenges to A (A group of random data)

(3) A uses the token key from the plaintext password to encrypt the standard DES to respond to the challenge and send it to B

(4) B obtains LM Hash and NTLM Hash of A from SAM, calculates the token ey, and brings forward challenges to.
Line standard DES encryption

(5) If (4) The calculation result matches the response sent by A, A is allowed to access B

Assume that an attacker C is involved in the attack.

(1) C. Initiate a connection request to B

(2) B sends challenge D to C (a group of random data)

(3) C. Wait for A to initiate A connection request to B.

(4) When A initiates A connection request to B, C forges B to send challenge D to

(5) A uses the token key from the plaintext password to encrypt the standard DES of challenge D to obtain the response E and send it to B.

(6) C intercepts response E and sends it to B as A response to challenge D in (2) and claims that it is

(7) B obtains LM Hash and NTLM Hash of A from SAM, calculates the token ey, and carries out standard DES for challenge D.
Encryption

(8) If the calculation result in (7) matches the response sent by C, C is allowed to access B as

Next we will analyze this process in detail. Attacker C is involved in communication between A and B, and C establishes NBT session concurrency to B.
Send SMB_COM_NEGOTIATE (0x72) Request Message, specifying "nt lm 0.12" dialect. At the user level
"Nt lm 0.12" is the preferred SMB dialect for sharing (relative to shared-level sharing. B will be in the Response Message
The Challenge of returning 8 bytes in the encryption key (actually called Challenge) field. C. Save the 8-byte
Challenge and start waiting. If B terminates the connection due to timeout, C must repeat the previous step. When A tries
When B is connected, an NBT session is established and the SMB_COM_NEGOTIATE (0x72) request packet is sent.
Row negotiation. Generally, "nt lm 0.12" dialect is used as the final negotiation result. C. noted this negotiation request,
Therefore, B is disguised as sending A Response Message to A, and the encryption key field is set as the challenge saved previously.
Set the source IP address of the response packet to the IP address of B. Analyze the SMB_COM_NEGOTIATE (0x72) sent by A to B)
Request Message to set the th_ack field of the Response Message. The spoofed response message must be in B's normal response
Before the packet arrives at. This is not A problem if cben assumes the role of vro between A and B. From
B's normal response packet is discarded as duplicated data. At this time, A generates two groups of 24-byte responses and sends them to B.
SMB_COM_SESSION_SETUP_ANDX (0x73) Request message. C noticed this request and obtained the two
Group of 24-byte responses, and C also constructs a SMB_COM_SESSION_SETUP_ANDX (0x73) request packet,
These two