Password crackers.

Apr 27, 2024

Password crackers

User account database

One of the main security components of Windows NT is the User Account Manager. It allows other security components, applications, and Windows NT services to interact with the Security Account Management Database (SAM). This database is part of the base Windows NT operating system (OS) and is present on every computer. It is where all the information used to authenticate Windows NT users, both for interactive logon and for remote access over a computer network, is stored.

The SAM database is one of the "hives" of the Windows NT registry. This hive belongs to the HKEY_LOCAL_MACHINE subtree and is called SAM. It is located in the winnt_root\System32\Config directory (winnt_root denotes the directory holding the Windows NT system files) in a separate file, also called SAM. Most of the information in the SAM database is stored in binary form, and normally it is accessed only through the User Account Manager. It is not recommended to modify entries stored in the SAM database with programs that edit the Windows NT registry directly (REGEDT or REGEDT32). Moreover, this cannot be done in the normal course of events, since access to the SAM database is prohibited for all categories of Windows NT users without exception.

Storing user passwords

It is within the SAM database accounts that the user name and password information is located, which is necessary to identify and authenticate users when they log on to the network. As in any other modern multi-user OS, this information is stored in encrypted form. In the SAM database, each password is usually represented as two 16-byte sequences obtained by different methods.

In the Windows NT method, the user's password character string is hashed using the MD4 function. As a result, the character password entered by the user produces a 16-byte sequence, the hashed Windows NT password. This sequence is then encrypted using the DES algorithm and the encryption result is stored in the SAM database. The key used for this encryption is the so-called relative user identifier (Relative Identifier, or RID for short), an automatically incremented sequence number of the given user's account in the SAM database.

For compatibility with other Microsoft software (Windows for Workgroups, Windows 95/98 and Lan Manager), the SAM database also stores user password information in the Lan Manager standard. To form it, all alphabetic characters in the original password string are converted to upper case, and if the password contains fewer than 14 characters, it is padded with zeros. From each 7-byte half of the password converted in this way, a key is generated separately and used to DES-encrypt a certain fixed 8-byte sequence. The resulting two 8-byte halves of the Lan Manager hashed password are once again DES-encrypted (using the user's RID as the key) and placed in the SAM database.
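The Lan Manager construction just described, written out as an added example (not code from the original article): upper-casing, zero-padding to 14 bytes, expanding each 7-byte half into a DES key and encrypting the fixed constant, which is "KGS!@#$%" in the real algorithm. It also includes the audit check a defender applies to a dumped LM hash: because the halves are independent, a second half equal to the well-known empty-half value reveals a password of at most 7 characters. The OEM code-page conversion is not modelled (ASCII passwords assumed), and the final RID-keyed DES layer the text mentions is omitted.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext Lan Manager DES-encrypts (the text's "fixed 8-byte sequence").
var lmMagic = []byte("KGS!@#$%")

// emptyHalf is lmMagic encrypted under an all-zero key: an LM half whose 7 password bytes were all padding.
var emptyHalf, _ = hex.DecodeString("aad3b435b51404ee")

// expandKey spreads a 7-byte half over an 8-byte DES key (7 bits per byte; the low parity bit is ignored by DES).
func expandKey(h []byte) []byte {
	return []byte{
		h[0], h[0]<<7 | h[1]>>1, h[1]<<6 | h[2]>>2, h[2]<<5 | h[3]>>3,
		h[3]<<4 | h[4]>>4, h[4]<<3 | h[5]>>5, h[5]<<2 | h[6]>>6, h[6] << 1,
	}
}

// LMHash follows the text: upper-case, zero-pad to 14 bytes, DES-encrypt lmMagic once per 7-byte half.
// Passwords over 14 characters get no LM hash (only the NT hash is stored), so they are rejected.
// ASCII only: the OEM code-page conversion of the real algorithm is not modelled here.
func LMHash(password string) ([]byte, error) {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		return nil, errors.New("no LM hash is stored for passwords over 14 characters")
	}
	p = append(p, make([]byte, 14-len(p))...)
	out := make([]byte, 0, 16)
	for _, half := range [][]byte{p[:7], p[7:]} { // each half is keyed and encrypted independently
		c, err := des.NewCipher(expandKey(half))
		if err != nil {
			return nil, err
		}
		ct := make([]byte, 8)
		c.Encrypt(ct, lmMagic)
		out = append(out, ct...)
	}
	return out, nil
}

// SevenOrFewer is the defender's audit check over dumped LM hashes: a second half equal to emptyHalf
// means the password has at most 7 characters, so only one 7-byte half must be guessed.
func SevenOrFewer(lm []byte) bool { return len(lm) == 16 && bytes.Equal(lm[8:], emptyHalf) }
```

Running LMHash over "secret" and "Secret" gives the same output, and SevenOrFewer flags both; this is the case-folding and halving that makes the Lan Manager format so much weaker than the MD4-based Windows NT hash.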

Password Usage

Password information stored in the SAM database is used to authenticate Windows NT users. When logging on interactively or over the network, the entered password is first hashed and encrypted, and then compared with the 16-byte sequence stored in the SAM database. If these values match, the user is allowed to log on.

Typically, both hashed passwords are stored encrypted in the SAM database. However, in some cases the OS calculates only one of them. For example, if a Windows NT domain user changes his password while working on a computer running Windows for Workgroups, then only the Lan Manager password will remain in his account. And if the user's password contains more than 14 characters, or contains characters outside the so-called original equipment manufacturer (OEM) character set, then only the Windows NT password will be entered into the SAM database.

Possible attacks on the SAM database

Administrative privileges are usually of the greatest interest to an attacker on OS password protection. They can be obtained by finding out the system administrator's password, in hashed or symbolic form, which is stored in the SAM database. Therefore, it is the SAM database at which the main blow of an attacker on Windows NT password protection is aimed.

By default, in Windows NT, access to the winnt_root\System32\Config\SAM file is blocked for all users without exception. However, with the help of the NTBACKUP program, anyone with permission to back up Windows NT files and directories can transfer this file from the hard disk to magnetic tape. A registry backup can also be created with the REGBAK utility from the Windows NT Resource Kit. In addition, the backup copy of the SAM file (SAM.SAV) in the winnt_root\System32\Config directory and the compressed archive copy of SAM (the file SAM._) in the winnt_root\Repair directory are of undoubted interest to any attacker.

Given a physical copy of the SAM file, retrieving the information stored in it is not difficult. By loading the SAM file into the registry of any other Windows NT computer (for example, with the REGEDT32 Load Hive command), one can drill down into the user accounts to determine user RID values and the encrypted versions of their hashed passwords. Knowing the RID and having an encrypted version of the hashed password, an attacker can try to decrypt that password in order to use it, for example, to gain network access to another computer. However, for interactive logon, knowing the hashed password alone is not enough: its symbolic (plaintext) form must be obtained.

To recover Windows NT user passwords in symbolic form, there are special password crackers that perform both brute-force password guessing and dictionary searches. Sometimes a combined method is used: a file of pre-computed hashed passwords, corresponding to character sequences that are often used as passwords, serves as the dictionary. One of the most famous Windows NT password cracking programs is L0phtCrack.

Protecting Windows NT from password crackers

So, the conclusion is clear: the most important task of a Windows NT system administrator is to protect the information stored in the SAM database from unauthorized access. For this purpose, it is necessary to limit physical access to network computers and, above all, to domain controllers. Additionally, where the hardware and software allow it, BIOS passwords should be set both for powering on the computers and for changing their BIOS settings. Then, in the BIOS settings, booting from floppy disks and CDs should be disabled. And to enforce access control on files and folders in Windows NT, the system partition of the hard disk must be formatted as NTFS.

The winnt_root\Repair directory must be closed to all users, including administrators, by means of the operating system's access controls, and access to it must be allowed only while the RDISK utility is running, which creates backup copies of the Windows NT system registry in this directory. System administrators should also be careful about where and how Emergency Repair Disks and tape backups are stored if they contain a duplicate of the Windows NT system registry.

If a computer running the Windows NT operating system is part of a domain, then by default the names and hashed passwords of the last ten users who logged on to this computer are saved (cached) in its local system registry (in the SECURITY\Policy\Secrets section of the HKEY_LOCAL_MACHINE hive). To disable password caching on domain computers, use the REGEDT32 utility to add the CachedLogonsCount parameter to the Microsoft\Windows NT\CurrentVersion\Winlogon section of the HKEY_LOCAL_MACHINE hive, setting its value to zero and its type to REG_SZ. To protect the SAM database, you can use the SYSKEY utility, included in Windows NT Service Pack 3. It enables additional encryption of the password information stored in the SAM database. A unique 128-bit key for this additional password encryption (the so-called Password Encryption Key, or PEK) is automatically saved in the system registry for future use.

Before being placed in the system registry, the PEK is itself encrypted with a 128-bit system key (System Key), which can be stored either in the system registry or in a file named STARTUP.KEY in the root directory of a separate floppy disk. Alternatively, the system key need not be saved on any magnetic medium at all; then, every time the operating system starts, it is derived with the MD5 algorithm from a password typed at the keyboard in the SYSKEY utility dialog box. The last two methods of storing the system key provide maximum protection for passwords in the SAM database, but they make it impossible to reboot the OS automatically, since to complete the reboot you will need either to insert the floppy disk with the system key and confirm its presence in the drive by clicking OK in the dialog box that appears, or to enter the system key manually from the keyboard.

To increase the resistance of Windows NT user passwords to cracking, it is recommended to use the User Manager utility to set the minimum password length to at least 8 characters and to activate password aging so that users periodically change their passwords. Moreover, the higher the likelihood of attacks on Windows NT password protection, the shorter the aging period should be. To prevent users from re-entering their old passwords, password history must be enabled, which remembers a certain number of previously used passwords.

The PASSPROP utility from the Windows NT Resource Kit, launched with the /COMPLEX switch, forces users to enter more crack-resistant passwords that combine letters of different case, letters with numbers, or letters with special characters. More stringent filtering of weak passwords can be set up after installing any of the Windows NT service packs, starting with Service Pack 2. The special library PASSFILT.DLL, located in the winnt_root\System32 directory, then ensures that each user password contains at least five characters, does not contain the user name, and includes characters from at least three of the four possible sets: upper-case letters, lower-case letters, digits, and special characters (punctuation marks, etc.). To enable this mode of checking user passwords, use the REGEDT32 program to add the Notification Packages parameter of type REG_MULTI_SZ to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa section of the system registry and enter the line PASSFILT into it. If this parameter already exists, the new line should be added after the existing one.

In conclusion, it should be noted that although in the skilled hands of an attacker, operating system password cracking programs pose a huge threat to password protection, password crackers are just as valuable a tool for system administrators who want to identify weaknesses in the password protection of their own operating systems. The main problem in countering such attacks is not that password crackers exist, but that system administrators do not use them often enough. I would like to hope that after the publication of this article the situation will change for the better.
