PPS to last post
IPsec does (or at least can and I am not going into a page of detail to
describe this now) authenticate the client system BEFORE the Kerberos
exchange starts
There are 2 parts -
1 authenticating the client system
2 authenticating the user
IPsec "includes" an authentication protocol. Further - (and should we
change this section to a separate topic?) 802.1x with certs is also
supported to add a further layer.
I also understand that all traffic from any IP port 88 is assumed by MS
systems to be Kerberos traffic and thus exempt from all IPsec filters
allowing scanning etc etc. This would be a separate issue and discussion
if you wish to take that up.
Craig
-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
Sent: 22 September 2005 3:46
To: Craig Wright; pand0ra.usa@gmail.com; pen-test@securityfocus.com
Subject: Re: Passwords with Lan Manager (LM) under Windows
Well, that's an issue with the client, not NTLMv2. NTLMv2 is tight. LM
sucks- that's obvious (and it was IBM, not MS that gave us that one.)
And yes, you can use precomputed tables against NTLM hashes, but not
against NTLMv2... The NTLM hash is keyed off of the password, but NTLMv2
hashes up the password with the user's domain/user data when generating
the key...
You can't precompile that data into a rainbow, you know?
Regarding the "IPsec based auth" reference (here I go again), I'd have
to say that there is no such thing... IPSec negotiation in Windows can
be based on one of three mechanisms: A pre-shared key, Kerberos, or a
cert-- it is not an authentication protocol in itself... (the cert being
the strongest IMO).
t
----- Original Message -----
From: "Craig Wright" <cwright@bdosyd.com.au>
To: "Thor (Hammer of God)" <thor@hammerofgod.com>;
<pand0ra.usa@gmail.com>; <pen-test@securityfocus.com>
Sent: Wednesday, September 21, 2005 10:05 PM
Subject: RE: Passwords with Lan Manager (LM) under Windows
Further to the last post
There are a number of issues with NTLMv2 and legacy applications such as
Windows RAS that cause lower levels of authentication
I still say that Kerberos or IPsec based auth is the best policy in
windows. LanMan, NTLMv1 or V2 are vulnerable.
Precomputed tables may have been uncommon 12 months ago - but that was
then and this is now.
Cain & Abel will use sorted Rainbow Tables for Cryptanalysis attacks
Craig
-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
Sent: 22 September 2005 12:00
To: Craig Wright; pand0ra.usa@gmail.com; pen-test@securityfocus.com
Subject: Re: Passwords with Lan Manager (LM) under Windows
----- Original Message -----
From: "Craig Wright" <cwright@bdosyd.com.au>
To: <pand0ra.usa@gmail.com>; <pen-test@securityfocus.com>
Sent: Wednesday, September 21, 2005 12:32 PM
Subject: RE: Passwords with Lan Manager (LM) under Windows
Even NTLMv2 will break the hashing into chunks which are able to be
individually broken down.
I'm not sure what you mean... NTLMv2 uses a single 128bit key for the
hash, challenge and response... Or are you referring to the NTLM2
session response key (56+56+16)? If so, that is not the same thing as
NTLMv2...
Can
you elaborate please ?
t
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
