Kerberos, NTLM and LM-Hash

Date post: 28-Jul-2015
Upload: ankit-mehta
Page 1: Kerberos, NTLM and LM-Hash

KERBEROS, NTLM AND LM-HASH

By: Ankit Mehta

Page 2: Kerberos, NTLM and LM-Hash

CONTENTS

Kerberos: Working of Kerberos; Kerberos Version 5

LM-Hash: LM-Hash Mechanism; LM-Hash Weaknesses

NTLM: NTLM Situations; NTLM Authentication Messages; NTLM Authentication Steps; NTLM Vulnerabilities

Page 3: Kerberos, NTLM and LM-Hash

KERBEROS

Kerberos is the name of “The Three Headed Dog” that guards the gates of Hades in Greek mythology.

Developed at MIT to protect network services provided by Project Athena.

Uses a symmetric-key cryptography algorithm.

Needs a trusted third party.

Steve Miller and Clifford Neuman were the designers of Kerberos Version 4.

Current version of Kerberos is Version 5.

Page 4: Kerberos, NTLM and LM-Hash

WORKING OF KERBEROS

There are four parties involved:

1. The client (say A)

2. Authentication Server (say AS)

3. Ticket Granting Server (say TGS)

4. The server (say B)

Page 5: Kerberos, NTLM and LM-Hash

STEP 1: LOGIN

[Diagram] A → AS: login request. AS → A: the session key (KS) encrypted with the symmetric key derived from A’s password (KA), plus a ticket granting ticket (TGT) that also carries KS, encrypted with the symmetric key shared with the Ticket Granting Server (TGS).

Page 6: Kerberos, NTLM and LM-Hash

STEP 2: OBTAINING A SERVICE GRANTING TICKET (SGT)

[Diagram] A → TGS (request for SGT): the TGT, the name of server B, and a timestamp encrypted with the session key (KS), giving the encrypted timestamp (ET).

Page 7: Kerberos, NTLM and LM-Hash

STEP 2: OBTAINING A SERVICE GRANTING TICKET (SGT)

[Diagram] TGS → A: (A + KAB) encrypted with B’s secret key, and (B + KAB) encrypted with the session key (KS), where KAB is the secret key to be shared by A and B.

Page 8: Kerberos, NTLM and LM-Hash

STEP 3: USER CONTACTS ‘B’ FOR ACCESSING THE SERVER

[Diagram] A → B: (‘A’ + KAB) encrypted with ‘B’s secret key, which ‘A’ received from the previous step, plus a timestamp encrypted with the shared secret key KAB (ET).

Page 9: Kerberos, NTLM and LM-Hash

STEP 3: USER CONTACTS ‘B’ FOR ACCESSING THE SERVER

[Diagram] B → A (acknowledgement): the timestamp sent initially by A (Alice) + 1, encrypted with the shared secret key KAB, giving the encrypted timestamp (ET).

Page 10: Kerberos, NTLM and LM-Hash

KERBEROS VERSION 5

There are 3 new ticket types in Kerberos version 5 that were not present in version 4. They are as follows:

1. Forwardable

2. Renewable

3. Postdatable

Page 11: Kerberos, NTLM and LM-Hash

LM-HASH

LAN Manager hash is a compromised password hashing function that was the primary hash that Microsoft LAN Manager and Microsoft Windows versions prior to Windows NT used to store user passwords.

Support for the legacy LAN Manager protocol continued in later versions of Windows for backward compatibility.

Since Windows Vista, the protocol is disabled by default.

Page 12: Kerberos, NTLM and LM-Hash

LM-HASH MECHANISM

The user's password is restricted to a maximum of fourteen characters.

The user’s password is converted to uppercase.

The user's password is encoded in the system OEM code page.

This password is null-padded to 14 bytes.

The “fixed-length” password is split into two seven-byte halves.

These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream with the most significant bit first, and inserting a null bit after every seven bits (so 1010100 becomes 10101000).

This generates the 64 bits needed for a DES key.

Page 13: Kerberos, NTLM and LM-Hash

LM-HASH MECHANISM

Each of the two keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values.

These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.

Page 14: Kerberos, NTLM and LM-Hash

LM-HASH MECHANISM

[Diagram] Seattle1 → uppercased and null-padded to 14 bytes: SEATTLE | 1****** → each 7-byte half becomes a DES key → DES(key, constant) for each half → the two outputs are concatenated → LM Hash.

Page 15: Kerberos, NTLM and LM-Hash

LM-HASH WEAKNESSES

Passwords are limited to a maximum of only 14 characters, giving a theoretical maximum keyspace of $95^{14} \approx 2^{92}$ with the 95 ASCII printable characters.

Passwords longer than 7 characters are divided into two pieces and each piece is hashed separately.

By mounting a brute force attack on each half separately, modern desktop machines can crack alphanumeric LM hashes in a few hours.

All lower case letters in the password are changed to upper case before the password is hashed, which further reduces the key space for each half to $69^{7} \approx 2^{43}$.

Page 16: Kerberos, NTLM and LM-Hash

LM-HASH WEAKNESSES

Any password that is shorter than 8 characters will result in the hashing of 7 null bytes, yielding the constant value of 0xAAD3B435B51404EE, hence making it easy to identify short passwords on sight.

Many cracking tools, e.g. RainbowCrack, L0phtCrack and Cain, now incorporate similar attacks and make cracking of LM hashes fast and trivial.

LM-Hash values only change when a user changes their password.
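The mechanism on the previous slides and the short-password weakness above, carried through in code. This is an added example, not from the slides; it uses Go’s standard crypto/des, assumes ASCII passwords instead of the OEM code page, and the hypothetical IsShortPassword check flags the constant half the slides describe.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"strings"
)

// lmKey expands a 7-byte half into a 64-bit DES key: the 56 bits are read MSB
// first and a null bit is inserted after every seven bits (1010100 -> 10101000).
func lmKey(half []byte) []byte {
	var bits uint64
	for _, b := range half {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte(bits&0x7f) << 1 // the inserted null bit is the low bit
		bits >>= 7
	}
	return key
}

// LMHash follows the slides: uppercase, truncate to 14, null-pad to 14 bytes, split
// into two 7-byte halves, DES-encrypt "KGS!@#$%" under each, concatenate. ASCII assumed.
func LMHash(password string) (string, error) {
	padded := make([]byte, 14)              // null padding is implicit
	copy(padded, strings.ToUpper(password)) // copy stops at 14 bytes (truncation)
	magic := []byte("KGS!@#$%")
	out := make([]byte, 0, 16)
	for _, half := range [][]byte{padded[:7], padded[7:]} {
		block, err := des.NewCipher(lmKey(half))
		if err != nil {
			return "", err
		}
		ct := make([]byte, 8)
		block.Encrypt(ct, magic)
		out = append(out, ct...)
	}
	return strings.ToUpper(hex.EncodeToString(out)), nil
}

// EmptyHalf is the DES output for seven null bytes; any password shorter than 8 characters ends with it.
const EmptyHalf = "AAD3B435B51404EE"

// IsShortPassword (hypothetical audit check) reports whether a 32-hex-char LM hash has the empty second half.
func IsShortPassword(lmHex string) bool {
	return len(lmHex) == 32 && strings.EqualFold(lmHex[16:], EmptyHalf)
}
```

Because case is folded and the halves are independent, LMHash("Seattle1") equals LMHash("SEATTLE1"), and the empty password hashes to EmptyHalf repeated twice.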

Page 17: Kerberos, NTLM and LM-Hash

NTLM

NTLM is a suite of authentication and session security protocols used in various Microsoft network protocol implementations and supported by the NTLM Security Support Provider.

NTLM is also used throughout Microsoft's systems as an integrated single sign-on mechanism.

It is recognized as part of the "Integrated Windows Authentication" stack for HTTP authentication.

It is also used in Microsoft implementations of SMTP, POP3, IMAP (all part of Exchange), CIFS/SMB, Telnet, SIP, and possibly others.

Page 18: Kerberos, NTLM and LM-Hash

NTLM

The NTLM Security Support Provider provides authentication, integrity, and confidentiality services within the Windows Security Support Provider Interface (SSPI) framework.

The SSPI specifies, and the NTLMSSP implements, the following core operations:

1. Authentication -- NTLM provides a challenge-response authentication mechanism.

2. Signing -- The NTLMSSP provides a means of applying a digital "signature" to a message.

3. Sealing -- The NTLMSSP implements a symmetric-key encryption mechanism, which provides message confidentiality.

Page 19: Kerberos, NTLM and LM-Hash

NTLM

[Diagram] NT hash: Seattle1 → MD4 → unicodePwd.

Page 20: Kerberos, NTLM and LM-Hash

NTLM SITUATIONS

The client is authenticating to a server using an IP address

The client is authenticating to a server that belongs to a different Active Directory forest that has a legacy NTLM trust instead of a transitive inter-forest trust

The client is authenticating to a server that doesn't belong to a domain

No Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer")

Where a firewall would otherwise restrict the ports required by Kerberos (typically TCP 88)

Page 21: Kerberos, NTLM and LM-Hash

NTLM AUTHENTICATION MESSAGES

NTLM authentication is a challenge-response scheme, consisting of three messages:

1. Type 1 (negotiation)

2. Type 2 (challenge)

3. Type 3 (authentication)

Page 22: Kerberos, NTLM and LM-Hash

NTLM AUTHENTICATION STEPS

1. The first step provides the user's NTLM credentials and occurs only as part of the authentication (logon) process.

2. A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.

3. The client sends the user name to the server (in plaintext).

4. The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.

5. The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.

6. The server sends the following three items to the domain controller: the user name, the challenge sent to the client, and the response received from the client.

Page 23: Kerberos, NTLM and LM-Hash

NTLM AUTHENTICATION STEPS

7. The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.

8. The domain controller compares the encrypted challenge it computed (in step 7) to the response computed by the client (in step 5). If they are identical, authentication is successful.

Page 24: Kerberos, NTLM and LM-Hash

NTLM VULNERABILITIES

NTLM remains vulnerable to the “pass the hash” attack, which is a variant on the “reflection attack”.

“Metasploit” can be used in many cases to obtain credentials from one machine which can be used to gain control of another machine.

The “Squirtle toolkit” can be used to leverage web site “cross-site scripting” attacks into attacks on nearby assets via NTLM.

One of the attacks is the ability to predict pseudo-random numbers and challenges/responses generated by the protocol.

Page 25: Kerberos, NTLM and LM-Hash

THANK YOU
