Network Security Pen-Test

RE: Sniffing a windows domain authentication

Subject: RE: Sniffing a windows domain authentication
Date: Fri, 17 Mar 2006 11:01:05 -0500
Carlos,

Windows generates and stores user account passwords by using two
different password representations, generally known as "hashes." When
you set or change the password for a user account, Windows generates
both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the
password. These hashes are stored in the local Security Accounts Manager
(SAM) database or in Active Directory. The LM hash is relatively weak
compared to the NT hash, and it is therefore prone to fast brute force
attack.

The NTLM authentication package in Windows 2000 supports three methods
of challenge/response authentication:

* LAN Manager (LM). This is the least secure form of challenge/response
authentication. It is available so that computers running Windows 2000
Professional can connect in share level security mode to file shares on
computers running Microsoft(r) Windows(r) for Workgroups, Windows 95, or
Windows 98.

* NTLM version 1. This is more secure than LM challenge/response
authentication. It is available so that clients running Windows 2000
Professional can connect to servers in a Windows NT domain that has at
least one domain controller that is running Windows NT 4.0 Service Pack
3 or earlier.

* NTLM version 2. This is the most secure form of challenge/response
authentication. It is used when clients running Windows 2000
Professional connect to servers in a Windows NT domain where all domain
controllers have been upgraded to Windows NT 4.0 Service Pack 4 or
later. It is also used when clients running Windows 2000 connect to
servers running Windows NT in a Windows 2000 domain.

By default, all three challenge/response mechanisms are enabled. You can
disable authentication using weaker variants by setting the LAN Manager
authentication level security option in local security policy for the
computer.


Since the days of Windows NT, Microsoft has upgraded its default
authentication protocol to Kerberos, a considerably more secure option
than NTLM. Every Windows 2000, Windows XP and Windows Server 2003 OS
platform includes a client Kerberos authentication provider. Kerberos is
considered a strong authentication protocol -- considerably stronger
than NTLM and it was designed to thwart many known attacks on
authentication systems. 

Windows 2000-based servers and Windows Server 2003-based servers can
authenticate users who connect from computers that are running all
earlier versions of Windows. However, versions of Windows earlier than
Windows 2000 do not use Kerberos for authentication. For backward
compatibility, Windows 2000 and Windows Server 2003 support LAN Manager
(LM) authentication, Windows NT (NTLM) authentication, and NTLM version
2 (NTLMv2) authentication. The NTLM, NTLMv2, and Kerberos all use the NT
hash, also known as the Unicode hash. The LM authentication protocol
uses the LM hash.

Authentication in Windows 2000
Windows 2000 supports several protocols for verifying the identities of
users who claim to have accounts on the system, including protocols for
authenticating dial-up connections and protocols for authenticating
external users who access the network over the Internet. But there are
only two choices for network authentication within Windows 2000 domains:

* Kerberos Version 5. The Kerberos version 5 authentication protocol is
the default for network authentication on computers with Windows 2000.
 
* Windows NT LAN Manager (NTLM). The NTLM protocol was the default for
network authentication in the Windows NT(r) 4.0 operating system. It is
retained in Windows 2000 for compatibility with downlevel clients and
servers. NTLM is also used to authenticate logons to standalone
computers with Windows 2000.

If you're going to try and crack the NTLM password hash, I suggest you
research and utilize Rainbow Tables.

In the limited amount of time that I had, it is all I came up with and I
hope it is of some use to you.

-Nav

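Nav's reply above states that the LM hash is much weaker than the NT hash and that NTLM, NTLMv2 and Kerberos all rely on the NT hash. The following block is an added illustration, not code from this thread or from Microsoft: it implements the NT hash exactly as defined (MD4 over the UTF-16LE password, no salt), shows the LM preprocessing that makes LM weak (uppercasing and splitting into two independent 7-byte halves; the final DES step is omitted), and runs a defender-side audit over a constructed pwdump-style dump to flag accounts that still have an LM hash stored, passwords of 7 characters or fewer, and empty passwords. The two "empty hash" constants and the hashes of the word "password" are the well-known published values; the dump lines themselves are constructed, and bob's LM first half is a placeholder.

```python
import struct
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF

# Well-known values: what Windows stores for an empty password in each representation.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"


def _rol(v: int, s: int) -> int:
    return ((v << s) | (v >> (32 - s))) & MASK32


def _md4_block(state: List[int], block: bytes) -> List[int]:
    """One 64-byte MD4 compression step (RFC 1320, three rounds of 16 operations)."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for fn, k, order, shifts in rounds:
        for step, i in enumerate(order):
            # Each operation updates one word; rotating the tuple reproduces the
            # (a,b,c,d) -> (d,a,b,c) -> (c,d,a,b) -> (b,c,d,a) schedule of the spec.
            a = _rol((a + fn(b, c, d) + X[i] + k) & MASK32, shifts[step % 4])
            a, b, c, d = d, a, b, c
    return [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """Plain MD4 digest: Merkle-Damgard padding, then the compression step per block."""
    bit_len = len(data) * 8
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        state = _md4_block(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT ("Unicode") hash: MD4 of the UTF-16LE password, case preserved, unsalted."""
    return md4(password.encode("utf-16-le")).hex()


def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """LM preprocessing only: uppercase, cut to 14 bytes, NUL-pad, split into two 7-byte
    DES keys. Each half separately encrypts the constant "KGS!@#$%" (DES step omitted
    here), so the halves can be attacked independently, and a password of 7 characters
    or fewer leaves the second half all-NUL, i.e. its hash half is always aad3b435b51404ee."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def audit_hash_dump(lines: List[str]) -> Dict[str, List[str]]:
    """Flag weak storage conditions in pwdump-style lines 'user:rid:LMHASH:NTHASH:::'."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # not a hash line
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        issues = []
        if lm != EMPTY_LM_HASH:
            issues.append("LM hash stored: fast brute force possible; stop storing LM hashes")
            if lm[16:] == EMPTY_LM_HASH[16:]:
                issues.append("password is 7 characters or fewer (second LM half is the empty constant)")
        if nt == EMPTY_NT_HASH:
            issues.append("empty password")
        if issues:
            findings[user] = issues
    return findings


# Constructed sample dump (not from any real system). bob's LM first half is a placeholder.
SAMPLE_DUMP = [
    "alice:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
    "bob:1002:0123456789abcdefaad3b435b51404ee:" + nt_hash("Short1") + ":::",
    "carol:1003:" + EMPTY_LM_HASH + ":" + nt_hash("a longer passphrase, mixed Case") + ":::",
    "svc_backup:1004:" + EMPTY_LM_HASH + ":" + EMPTY_NT_HASH + ":::",
]

if __name__ == "__main__":
    for user, issues in audit_hash_dump(SAMPLE_DUMP).items():
        print(user, "->", "; ".join(issues))
```

The audit deliberately works from what is stored rather than from captured traffic: an account whose LM hash is present is exposed regardless of which challenge/response variant the client negotiates, so "LM hash stored" is the finding to clear first, and the LAN Manager authentication level setting Nav mentions is what stops the weak variants on the wire.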

-----Original Message-----
From: l00t3r [mailto:l00t3r@gmail.com] 
Sent: Thursday, March 16, 2006 6:43 PM
To: spambox@barrossecurity.com
Cc: pen-test@securityfocus.com
Subject: Re: Sniffing a windows domain authentication

LC5 might do what you're looking for.  I know they have an option to
import network sniffer files but not sure if it will actually crack what
you're looking to do.  Might be worth looking into.

Ryan

On 16 Mar 2006 16:32:32 -0000, spambox@barrossecurity.com
<spambox@barrossecurity.com> wrote:
Hello list!
Some time ago I was wondering if it is possible to
capture the authentication packets sent from a Windows Workstation to
the PDC and then crack the password. I've set up this scenario in the lab
environment and sniffed these packets, but didn't find any reference about
cracking the password. Anyone know how the authentication works,
and if it can be broken?

best regards

Carlos Barros
http://www.barrossecurity.com/

----------------------------------------------------------------------
--------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
As attacks through web applications continue to rise, you need to 
proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security 
penetration testing and vulnerability management needs. You have an 
option to go with a managed service (Cenzic ClickToSecure) or an
enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/forms/ec.php?pubid=10025
And, now for a limited time we can do a FREE audit for you to confirm 
your results from other product. Contact us at request@cenzic.com
----------------------------------------------------------------------
--------

