Myths and legends: Passwords in Windows III (LM and NTLM)
Microsoft has gradually improved the security of its SAM file, but it has also maintained backward compatibility with inherently insecure systems such as Windows 9x. With increasingly sophisticated hardware capable of brute-forcing LM and NTLM hashes, the encryption (especially LM) has become virtually useless unless the password is truly entropic and complex. In Vista, at last, at least the weakest link has been eliminated: the LM hash.
If we examine the result of a SAM dump, taken online or offline (after 'bypassing' syskey), we will see something like this:
Administrador:500:42f29043y123fa9c74f23606c6g522b0:71759a1bb2web4da43e676d6b7190711:::
which in fact hides the LM hash of the password (42f29043y123fa9c74f23606c6g522b0) and the NTLM hash (71759a1bb2web4da43e676d6b7190711).
LM (LAN Manager) encryption
As we said, the SAM stores two encryptions per password, LM and NTLM. LM is weak and insecure by design and, given the power of current computers, capable of testing hundreds of thousands of passwords per second, its 'encryption' is virtually useless. LM does not make good use of the characters in passwords and also makes a number of other serious mistakes. One of the steps in calculating the LM hash consists of padding the password with '0' up to 14 characters (if it is shorter) and splitting the result into two pieces of 7 bytes each (the second padded with those '0' if necessary). It also converts all characters to upper case. To these two pieces it applies a standard algorithm (DES) to encrypt an arbitrary, known and fixed string (4b47532140232425), and it concatenates them.
The algorithm makes a series of inexcusable errors, even for the era in which it was designed. Converting everything to upper case lets brute-force programs attack directly using upper-case letters only, which greatly reduces the number of combinations and therefore the computation time. But the most serious problem is that splitting the password in two allows brute-force programs to divide the work and act on both pieces in parallel. For example, with a 10-character password, a brute-force program actually has to attack two different parts: a password of seven characters and another of three, almost trivial to guess. A user with a 14-character password would be almost as exposed as one using a 7-character password, since instead of the attack time rising exponentially, it would only take twice as long (two pieces of seven instead of one), or the same time if the work is done in parallel. Ignoring the distinction between upper and lower case is not a good idea at all either.
NTLM (NT LAN Manager) encryption
NTLM is Microsoft's second "attempt" to improve the password protocol. It finally distinguishes between upper and lower case, and internally it is simpler and more robust: it calculates the hash with the standard MD4 algorithm after a small modification of the hexadecimal value of the password.
But however many advances it introduces, NTLM is nullified, because by default passwords are stored and used in two formats, the archaic LM and NTLM, together in the same SAM. A clear example of how security is only as strong as its weakest link.
Curiosities
For a long time it was taken as certain that the ideal Windows password had to be 14 characters long. First, because before Windows 2000 (which allows passwords of 127 characters), the NT dialog boxes that asked for the password did not allow more than 14 characters to be typed.
And second, because of the very nature of LM, which does not support more than 14 characters. But... if Windows 2000 accepts more than 14 characters for the password, and LM encryption was kept up to Vista for compatibility reasons, what happened to LM encryption when the password was longer than 14 characters? How does Windows split it internally to calculate the LM hash, if that requires splitting it into two pieces of 7 bytes each? The LM protocol pads the password with zeros when it is shorter than 14 characters so that it can be split in two... how, then, do you split a 15-character password into two pieces of 7 characters? An interesting question to which there is no answer.
For this type of password, the LM hash is simply not calculated. In these cases the operating system does not store the LM hash; the algorithm does not support it. Besides improving security simply through the use of a longer password, in an amazing twist this protects against brute-force attacks.
When the password has more than 15 characters, Windows stores the constant aad3b435b51404eeaad3b435b51404ee as the LM hash (the result of applying LM encryption to two null strings of seven characters each and concatenating them), which is also equivalent to a null password. As the password obviously is not null, attacks against the hash will systematically fail. This does not mean that a password of more than 14 characters is 'equivalent' to a null password. Although LM indicates that the password is null, if it is not, the NTLM hash is logically right there (next to it, literally) to confirm that this is not so. Brute-force programs that look for the password in the LM hash will not work correctly.
In any case, it has always been possible to tell Windows not to store the LM hash of the password in the system (even if it is shorter than 14 characters). Vista, by default, does not store it.
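The LM pre-processing described above, and what it implies when reading a dump line of the kind shown earlier, as an added example that is not part of the original article. The names lm_halves and audit_line are chosen here, the sample lines are constructed placeholder values rather than real hashes, and passwords are assumed to be ASCII.

```python
import re

# Half of the constant the article quotes (LM of a 7-byte null piece).
EMPTY_HALF = "aad3b435b51404ee"
HEX32 = re.compile(r"[0-9a-f]{32}")

def lm_halves(password):
    """LM pre-processing as described: upper-case, pad with zero bytes to
    14, split into two 7-byte pieces. Returns None above 14 characters,
    where no LM hash is calculated. Assumes an ASCII password."""
    if len(password) > 14:
        return None
    raw = password.upper().encode("ascii").ljust(14, b"\x00")
    return raw[:7], raw[7:]

def audit_line(line):
    """Classify one 'user:rid:lm:ntlm:::' dump line by its LM field."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return parts[0], "malformed"
    user, lm, ntlm = parts[0], parts[2].lower(), parts[3].lower()
    if not (HEX32.fullmatch(lm) and HEX32.fullmatch(ntlm)):
        return user, "malformed"
    if lm == EMPTY_HALF * 2:
        return user, "no usable LM hash (null constant)"
    if lm[16:] == EMPTY_HALF:
        return user, "LM stored; second piece is null (7 chars or fewer)"
    return user, "LM stored; two pieces of up to 7 chars each"

# Constructed sample lines: placeholder hex, not hashes of real passwords.
NT = "00112233445566778899aabbccddeeff"
SAMPLE = [
    "alice:1001:0123456789abcdef0123456789abcdef:" + NT + ":::",
    "bob:1002:0123456789abcdefaad3b435b51404ee:" + NT + ":::",
    "carol:1003:aad3b435b51404eeaad3b435b51404ee:" + NT + ":::",
]

if __name__ == "__main__":
    print(lm_halves("Secret1234"))   # a 10-character password
    for entry in SAMPLE:
        print(*audit_line(entry), sep=": ")
```

The dump line printed in the article contains characters outside 0-9 and a-f in both hash fields, so audit_line reports it as malformed.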
More information:
una-al-dia (01/04/2008) Myths and legends: Passwords in Windows I (Types of attacks) http://www.hispasec.com/unaaldia/3447/mitos-leyendas-las-contrasenas-windows-tipos-ataq
una-al-dia (09/04/2008) Myths and legends: Passwords in Windows II (Syskey) http://www.hispasec.com/unaaldia/3455/mitos-leyendas-las-contrasenas-windows-syskey
Author: Sergio de los Santos (Hispasec.com)