
NTLM 100% Broken Using Hashes Derived From Captures

Soulskill posted about 2 years ago | from the progress-bar-complete dept.


New submitter uCallHimDrJ0NES writes "Security researcher Mark Gamache has used Moxie Marlinspike's Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It's been going on for a long time, probably, but this is the first time a 'white hat' has researched and exposed the how-to details for us all to enjoy. 'You might think that with all the papers and presentations, no one would be using NTLM...or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!' Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!"


Thanks alot.... (-1)

Anonymous Coward | about 2 years ago | (#42526611)

Asshole

Re:Thanks alot.... (-1)

Jeremiah Cornelius (137) | about 2 years ago | (#42526667)

Re:Thanks alot.... (-1)

Jeremiah Cornelius (137) | about 2 years ago | (#42526683)

How to harden an XP machine ? (2)

Taco Cowboy (5327) | about 2 years ago | (#42526931)

We still have quite a number of XP machines in our front office.

How to harden those XP machines and make them use NTLM2 instead?

Thanks !!

Re:How to harden an XP machine ? (5, Informative)

Dr.Who (146770) | about 2 years ago | (#42526975)

The Microsoft article http://support.microsoft.com/kb/2793313 [microsoft.com] referenced above points to http://technet.microsoft.com/library/cc960646.aspx [microsoft.com]

Re:How to harden an XP machine ? (5, Informative)

yuhong (1378501) | about 2 years ago | (#42527025)

You can also use Group Policy:
http://technet.microsoft.com/en-us/library/cc738867(v=ws.10).aspx [microsoft.com]

Many many thanks to all !! (0)

Taco Cowboy (5327) | about 2 years ago | (#42527521)

Thanks for the informative info that you've so generously shared !!

Thanks again !!

Re:How to harden an XP machine ? (1)

Anonymous Coward | about 2 years ago | (#42531417)

| You can also use Group Policy:
| http://technet.microsoft.com/en-us/library/cc738867(v=ws.10).aspx [microsoft.com]

Or just cut out the middleman. If one downloads the fixit package the result is a ridiculous 1 MB .msi file, which merely runs a small, embedded VBScript, which changes a single Registry setting:

HKLM\System\CurrentControlSet\control\LSA\LMCompatibilityLevel
DWORD value: 3

Re:How to harden an XP machine ? (2)

operagost (62405) | about 2 years ago | (#42531967)

Even on a machine without AD, you can at least use Local Security Policy to access the setting in the Network Security category. Why they tell you to hack the registry, I don't know. While you're there, you should also enable "Do not store LAN Manager hash" and "Do not allow anonymous enumeration of SAM accounts and shares" (the latter only if you have no NT 4 domains or NT/9x clients).

Re:How to harden an XP machine ? (1)

Jaime2 (824950) | about 2 years ago | (#42526989)

XP already uses NTLMv2. You really want to make it refuse to do NTLMv1 and LM. The link in the summary tells you how.

Re:How to harden an XP machine ? (3, Informative)

rb12345 (1170423) | about 2 years ago | (#42527145)

By default, XP allows inbound NTLMv2 authentication from remote clients but does not use it outbound to authenticate to remote servers. The same setting that makes XP refuse LM/NTLM also enables outbound NTLMv2.

Re:IE 6 apps wont work with NTLMv2 (0)

Billly Gates (198444) | about 2 years ago | (#42527965)

It is a big problem if you are moving to Windows 7 on the client side and they are trying to virtualize IE 6/XP/Server 2k3 for their apps. If you upgrade then the authentication will fail. Many are dragging their feet so they do not have to deal with this until 2014.

Re:How to harden an XP machine ? (5, Funny)

Anonymous Coward | about 2 years ago | (#42527029)

How to harden those XP machines and make them use NTLM2 instead?

My blanket recommendation for hardening XP machines is to encase them in concrete.

Re:How to harden an XP machine ? (1)

Anonymous Coward | about 2 years ago | (#42527527)

How to harden those XP machines and make them use NTLM2 instead?

My blanket recommendation for hardening XP machines is to encase them in concrete.

But I sell Lucite computer encasement kits, you insensitive clod!

Simple - secpol.msc (local one or AD level) (0, Informative)

Anonymous Coward | about 2 years ago | (#42527187)

Once in either version (I'd do it from the global group policy settings from the AD admin level), follow this down thru the left-hand side pane tree items:

Security Settings -> Local Policies -> Security Options

Then, in the right-hand pane, go to Network Security grouped section.

There, use the "LAN Manager Authentication Level" & set it to NTLMv2 (refuse others, ONLY IF you don't have a "mixed mode" type domain setup, meaning machines or servers that MUST use NTLMv1).

There's about 10 others in that group too (In Windows 7 that is, I don't recall THAT many in earlier models, but that's just me operating on memory alone though & it's been YEARS since I even used Server 2003 or XP).

So - depending on the version of Windows you're doing this on?

It varies!

( & iirc, it got MORE 'stringent & complex' in each version, but all the NTLM stuff is RIGHT THERE in them all - in Windows 7/Server 2008 onwards, you can even set 'exception machines' up too).

APK

P.S.=> Of course, there's also the EASY WAY OUT, via the "FixIt Tool" Microsoft put out today as well, here -> http://support.microsoft.com/kb/2793313 [microsoft.com] which gives a GOOD RUNDOWN of what's going on in it too...

... apk
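Before setting the level to refuse LM/NTLMv1 in a "mixed mode" domain, a practitioner wants a list of which hosts and accounts still send those responses. On Server 2008 / Vista and later, logon event 4624 records the NTLM flavour in its "Package Name (NTLM only)" field. The following is an added example, not code from the thread or from Microsoft: it parses a few constructed 4624 records (trimmed to the sections it reads) and tallies LM and NTLM V1 logons by workstation and account.

```python
"""Find hosts and accounts still authenticating with LM or NTLMv1 from Windows
4624 logon events (Server 2008 / Vista and later record the NTLM version in
the "Package Name (NTLM only)" field of each successful logon)."""
from collections import Counter

# Constructed sample: four trimmed 4624 events in the layout the Security log
# renders them; only the sections this script reads are kept.
EVENT_TEMPLATE = (
    "An account was successfully logged on.\n\n"
    "Subject:\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\n"
    "Logon Type:\t\t\t3\n\n"
    "New Logon:\n\tAccount Name:\t\t{account}\n\tAccount Domain:\t\t{domain}\n\n"
    "Network Information:\n\tWorkstation Name:\t{workstation}\n"
    "\tSource Network Address:\t{addr}\n\n"
    "Detailed Authentication Information:\n"
    "\tLogon Process:\t\t{logon_process}\n"
    "\tAuthentication Package:\t{auth_pkg}\n"
    "\tTransited Services:\t-\n"
    "\tPackage Name (NTLM only):\t{pkg_name}\n"
    "\tKey Length:\t\t{key_len}\n"
)
SAMPLE_EVENTS = [
    # Kerberos logon: the NTLM-only field is just "-"
    dict(account="jdoe", domain="CORP", workstation="WIN7-ENG12", addr="10.0.5.40",
         logon_process="Kerberos", auth_pkg="Kerberos", pkg_name="-", key_len="0"),
    # NTLMv2 from a hardened client
    dict(account="jdoe", domain="CORP", workstation="WIN7-ENG12", addr="10.0.5.40",
         logon_process="NtLmSsp", auth_pkg="NTLM", pkg_name="NTLM V2", key_len="128"),
    # NTLMv1 from an XP box left at its default LMCompatibilityLevel
    dict(account="frontdesk", domain="CORP", workstation="XP-FRONT01", addr="10.0.5.21",
         logon_process="NtLmSsp", auth_pkg="NTLM", pkg_name="NTLM V1", key_len="128"),
    # LM response negotiated via SPNEGO, e.g. an ancient print server
    dict(account="svc_print", domain="CORP", workstation="NT4PRINT", addr="10.0.5.9",
         logon_process="NtLmSsp", auth_pkg="Negotiate", pkg_name="LM", key_len="56"),
]
SAMPLE_LOG = "\n".join(EVENT_TEMPLATE.format(**e) for e in SAMPLE_EVENTS)

WEAK_PACKAGES = {"LM", "NTLM V1"}


def split_events(log_text):
    """Split a dump of concatenated 4624 records on each record's first line."""
    marker = "An account was successfully logged on."
    parts = log_text.split(marker)
    return [marker + p for p in parts[1:]]


def parse_event(text):
    """Parse one 4624 record into {section: {field: value}}.

    Section headers are unindented lines ending in ':'; fields are indented
    'Name:<tabs>value' lines. Keeping sections apart matters because 'Account
    Name' appears under both 'Subject' and 'New Logon'; only the latter is the
    account that actually logged on.
    """
    sections, current = {}, "_top"
    for line in text.splitlines():
        if not line.strip():
            continue
        indented = line[0] in "\t "
        if not indented and line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.strip().partition(":")
        if sep:
            target = current if indented else "_top"
            sections.setdefault(target, {})[key.strip()] = value.strip()
    return sections


def weak_ntlm_logons(log_text):
    """Return (account, workstation, source address, package) for every logon
    that used LM or NTLMv1, whether NTLM was chosen directly or via Negotiate."""
    findings = []
    for ev in map(parse_event, split_events(log_text)):
        detail = ev.get("Detailed Authentication Information", {})
        pkg = detail.get("Package Name (NTLM only)", "-")
        if pkg not in WEAK_PACKAGES:
            continue
        logon = ev.get("New Logon", {})
        net = ev.get("Network Information", {})
        account = f"{logon.get('Account Domain', '?')}\\{logon.get('Account Name', '?')}"
        findings.append((account, net.get("Workstation Name", "?"),
                         net.get("Source Network Address", "?"), pkg))
    return findings


def hosts_by_package(findings):
    """Tally weak logons per (workstation, package): the machines to fix or
    exempt before the domain-wide level is raised to refuse LM and NTLM."""
    return Counter((ws, pkg) for _, ws, _, pkg in findings)


if __name__ == "__main__":
    found = weak_ntlm_logons(SAMPLE_LOG)
    for account, ws, addr, pkg in found:
        print(f"{pkg:8} {ws:12} {addr:15} {account}")
    print(hosts_by_package(found))
```

On a real domain, feed it the text export of the DCs' Security logs filtered to event ID 4624; Kerberos and NTLMv2 logons drop out and only the hosts that still need attention remain.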

Addendum: By "AD Level"? Meant gpedit.msc (-1)

Anonymous Coward | about 2 years ago | (#42527389)

That's your Group Policy tool (secpol.msc, the mmc.exe snapin that I mentioned earlier is pretty much only a SUBSET of that, but more focused on security-based policies)...

Again - Do it as the Network AD admin, makes it simpler than doing it machine-by-machine (or even using the "FIX IT" Tool I noted from MS they released today).

* There you go!

APK

P.S.=> Sorry about that, not that it really matters, but it's best to give COMPLETE information when possible (I am beat tired today is all, had to kick out some tenants & had to clean the hell out of the place too after working on top of it - I'm just shot, but that above should "complete the picture")...

... apk

Re:It is called WIndows 7 (5, Insightful)

Billly Gates (198444) | about 2 years ago | (#42527829)

It is time to get with the times.

Yes, I worked in corporate I.T. before and know all the tired arguments. The OS will turn 13 years old later this year. 13 years?!

Not to mention XP SP 3 after 800 or so updates is slower and not the speed demon it once was as 9 out of 10 CPU cycles are work around exploits. Stop defining yourselves and your ego on an OS made by the same people who wrote IE 6?

The idea for security in XP is from the last century where all you needed is a good password. It lacks things a modern internet enabled OS have today. It is not a trendmill at this point nor is MS being evil to the mean old beancounters who refuse to see hidden costs and just licensing on a spreadsheet in excel. This story, the one on IE 6-8 being vulnerably last week on slashdot, and many others stating XP is so primptive because it doesn't have protected mode, ASLR, are DEP fully (only a few things have that on XP).

If you ask this because your IT department has no plans to upgrade then another job who treat your profession and seriousness with respect.. They are incompetent and when shit hits the fan and social security numbers are stolen you will get the blame as the cost center and be let go anyway.

It is obvious with the latest security issues in IE6, IE 7-8 (in non protected mode), XP, and now this that it is time to let it go instead of workaround it. Investing time and money into it is like investing cash into a car with 200,000 miles.

These costs are real and so are the liabilities. Grow a pair and sell yourself the cheap asshats at your company? You are not saving anything by keeping an outdated insecure infrastructure and it is not unreasonable to upgrade to a 3 year old OS.

Re:It is called WIndows 7 (2)

Sigg3.net (886486) | about 2 years ago | (#42530341)

Win is great for business, just turn off every bells and whistle and you will have an XP like experience.

OpenSUSE is better IMHO, but win7 should not be overlooked.

Recently did some work on a pristine Win8. It works just like Unity..

Re:It is called WIndows 7 (0)

Anonymous Coward | about 2 years ago | (#42531395)

You worked in corp IT and you think it is as easy as flipping a switch to make the change? Unlike the home enthusiast who doesn't mind learning the in/outs of a new OS many corporate users are task focused. The computer is a tool the same as a phone. For better/worse those users have no more interest in how the computer works than I have in the innards of my car's manual transmission. As long as it works I'm happy. If it doesn't I see an expert. You may consider the change from Win XP to Win 7 to be minor but for millions of corporate users any change can be huge and require training which is a double whammy of cost and lost productivity time. From a TCO perspective it is much cheaper to patch and manage than upgrade. The benefits of Win 7 are intangible to the end corporate users.

Re:It is called WIndows 7 (1)

Anonymous Coward | about 2 years ago | (#42531447)

9 out of 10 CPU cycles are work around exploits

No.

Yes it is more bloated now than the initial release and slower as a result, not helped by all the stuff installed on it now which uses more CPU than an equivalent program would have used 15 years ago, plus your AV program probably is checking every file/web access (but not Windows itself). But...

It isn't consuming most of its time actively running additional code to prevent exploits. Almost every exploit is corrected by correcting the original code to fix the bug that allows a buffer/integer overflow etc. Not by keeping the original code and installing extra code to filter the inputs to it.

Re:It is called WIndows 7 (1)

thoromyr (673646) | about 2 years ago | (#42531831)

you may have worked in corporate IT but you have no clue. What is your source for wild ass claims like "9 out of 10 CPU cycles are work around exploits"? Oh, right, you pulled that out of your ass -- an invented statistic to try and make XP look bad. The problem with that claim is that it is patently false as is obvious not only to anyone with a clue about CPUs, application execution, or anything related -- but even to anyone who gives it a passing thought (for one, your assertion implies 1/10 the performance of an unpatched XP box). Someone who runs XP and installs Vista, Win7 or Win8 is (very likely*) going to experience a slow down, not a speed up. In general, people are aware that XP is "faster" than its successors and when you use lies to bolster your case you actually weaken it.

The claim that "security in XP is from the last century where all you needed is a good password" also shows your utter and complete ignorance of XP and security architectures. Of course, you don't offer a single item to backup your claim. It would be hard to, unless you made it up on the spot like your statistic from above, as it simply isn't true.

That isn't to say that people shouldn't be moving off of XP. But they should do it for real reasons, not some made up crap, and posting obvious lies only weakens that case.

It's amazing that such a stupid post got modded insightful. Then again, this *is* slashdot...

* except for blind fans of Microsoft, it is apparent that the successors of XP require more resources. This really shouldn't come as a surprise to anyone, but one consequence is that a system spec'd for XP is going to be under spec for Vista/Win7/Win8 and run slower. Potentially a lot slower (particularly dependent on how much RAM they have). Of course, MS has managed to shave a little off of boot time and there are other minor improvements such as the infinitesimal gain from disabling recording of access times (on a local file system of decent design -- which NTFS has -- there is no perceptible improvement).

Re:It is called WIndows 7 (1)

operagost (62405) | about 2 years ago | (#42532059)

It is not a trendmill at this point nor is MS being evil to the mean old beancounters who refuse to see hidden costs and just licensing on a spreadsheet in excel. This story, the one on IE 6-8 being vulnerably last week on slashdot, and many others stating XP is so primptive because it doesn't have protected mode, ASLR, are DEP fully (only a few things have that on XP).

Anyone have a Gibberish-English dictionary?

Re:Thanks alot.... (3, Insightful)

hairyfeet (841228) | about 2 years ago | (#42527585)

Somebody needs to get with the last decade since MSFT made Kerberos [wikipedia.org] the preferred authentication method waaaaay back in Win2K, so if you are still using NTLM for authentication after it has been depreciated for 13 years? I'd say you have bigger problems than NTLM being hacked.

Re:Thanks alot.... (4, Insightful)

Billly Gates (198444) | about 2 years ago | (#42527877)

I already replied to someone saying the best way to harden XP is called Windows 7.

I do not understand the strange obsession of keeping XP. Does it save money. No.

Geeks with aspergers lack the social skills to grow a pair and tell the cost accountants they are morons as if these companies who handle customer social security numbers, credit numbers, and other things with their billing department are ripe pickings with XP.

XP has been proven time and time again to be old, insecure, and has security features from a different era. It comes with IE 6. I mean did MS really make it that secure? Oh it is password protected. That is good enough ... check.

IE 6 - 8 are being exploited right now under XP because it lacks protected mode and even the Mr. Fixit from that exploit has already been circumvented. But those on XP claim they are saving money and how great and secure their OS is that won't listen. Just because it runs on machines with 256 megs of ram doesn't mean it is superiorly coded and of high quality. The misinformation many supposedly IT professionals are astounding.

I should start bookmarking these so when someone mods me down and says how great XP is and why change to an inferior bloated OS like win 7 I can cite this and the IE 6 -8 hole links?

Re:Thanks alot.... (1)

jones_supa (887896) | about 2 years ago | (#42528311)

Just because it runs on machines with 256 megs of ram doesn't mean it is superiorly coded and of high quality.

XP SP3 doesn't even cut that anymore. A bare installation hovers around 384 megs already.

Re:Thanks alot.... (1)

thoromyr (673646) | about 2 years ago | (#42531871)

of course, anyone taking your advice has their head screwed on wrong. Maybe you're going about your advice wrong. First, try to learn something about the topic on which you want to give advice. Second, don't insult the people you are talking to at every turn. You really like the phrase "grow a pair", for example. Grow up.

Of course, the same criticism could be leveled at this post. Except I'm not trying to give you advice, just pointing out why your "sage advice" is falling on deaf ears.

Re:Thanks alot.... (1)

Anonymous Coward | about 2 years ago | (#42527983)

lol. Yeah, wikipedia said it, it has to be true. Oh, wait... you didn't even read the complete subsection of the wikipedia article. Your position in IT management awaits.

Re:Thanks alot.... (1)

strikethree (811449) | about 2 years ago | (#42530075)

I have been noticing this a lot lately but I decided to offer this friendly little help to you:

depreciated is not the word you are wanting to use. The word that you actually want is deprecated.

http://en.wikipedia.org/wiki/Depreciation [wikipedia.org]

http://en.wikipedia.org/wiki/Deprecation [wikipedia.org]

Cheers :)

Re:Thanks alot.... (0)

Anonymous Coward | about 2 years ago | (#42531543)

Yes, Kerberos is fun.

But don't use CNAMEs in DNS to point domains to a proxy.
Or don't authenticate to localhost for a webservice.
etc...

Not to mention patches for certain issues that are available for Windows 7, but not for Windows Server, with no intention to release patches.

Kerberos is better, but it is still broken in real world setups.

And this is important because? (1)

maugle (1369813) | about 2 years ago | (#42526689)

OK, I did the unthinkable and skimmed the actual article, but I still have no idea what NTLM does, why it was chosen for whatever task it does, or what the potential repercussions are now that it's broken. Even the "Reminder About the Downside of Doing Nothing" section, which I hoped would explain exactly what an attacker could do, was light on details. Something about sending passwords to a remote machine?

Can anyone shine some light on this?

Re:And this is important because? (5, Informative)

UnknownSoldier (67820) | about 2 years ago | (#42526749)

NTLM stands for Windows NT Lan Manager. It was used in earlier Windows from NT 3.1 (yes THAT old) up til Win 2K3 IIRC.

Users would authenticate their login credentials to the system. NTLM is the sub-system that does that authentication.

For more details see wikipedia: http://en.wikipedia.org/wiki/NTLM [wikipedia.org]

Re:And this is important because? (3, Informative)

Curate (783077) | about 2 years ago | (#42526829)

I distinctly remember using NTLMv2 in both NT 4.0 and Win2K, for a product I was developing for those platforms. NTLMv2 was an option. You could also choose whether the negotiation could downgrade to NTLM if the other side didn't support NTLMv2, or if the negotiation would insist on NTLMv2. But NTLMv2 didn't become the default until Vista -- the first version of Windows that strongly emphasized security.

Re:And this is important because? (1)

buchner.johannes (1139593) | about 2 years ago | (#42526987)

If you have a web proxy (e.g. squid) with user authentication, you probably are also using NTLM for sending hashed one-time passwords. The only other alternative is Digest authentication, which only few client programs support. The NTLM version used depends on the client machine.

Re:And this is important because? (2)

Mikkeles (698461) | about 2 years ago | (#42530893)

I found the following on the MS site:

What caused the issue?
Until January 2000, export restrictions limited the maximum key length for cryptographic protocols. The LM and NTLM authentication protocols were both developed before January 2000 and therefore were subject to these restrictions. When Windows XP was released, it was configured to ensure backward-compatibility with authentication environments designed for Windows 2000 and earlier.

Export restrictions screw you again!

Re:And this is important because? (2)

Jeremiah Cornelius (137) | about 2 years ago | (#42526759)

NTLM, you COULD go to Wikipedia - failing all else.

This is the name for Microsoft's 2nd generation authentication protocol - for issuing challenges and responses related to encrypted passwords as a shared secret. The passwords are hashed with a salt, and the value compared with the known password, by the authentication service. This is a variant introduced by Windows NT on the LAN Manager scheme - cooked up in the remote past by MS and IBM, based on Ungerman-Bass software.

This is important, because LM and NTLM are trivial to either crack or spoof. Backwards compatibility was the bugbear for NTLM. v2 addresses many of the issues - but is relatively recent. Every XP / Server 2003 era machine sends the old-style hashes, as a part of Auth handshake sequences.

It's now been demonstrated that this is not a trivial matter - that the hash may be derived simply by performing computation on the artifacts for challenge and response. Then a legitimate hash can be injected by an attacker, in standard "pass-the-hash" fashion.

Re:And this is important because? (1)

Jeremiah Cornelius (137) | about 2 years ago | (#42526819)

UPDATE!

He doesn't just pass the hash - He gets THE PLAINTEXT PASSWORD. This allows anywhere, anytime auth access, instead of MITM.

Re:And this is important because? (-1)

Anonymous Coward | about 2 years ago | (#42527001)

You COULD stop sucking dicks too but who are we to complain?

Re:And this is important because? (0)

Anonymous Coward | about 2 years ago | (#42527115)

v2 addresses many of the issues - but is relatively recent.

compared to LM maybe, but still it has been in windows since NT4.0 days, that is hardly recent in IT terms.

Re:And this is important because? (2)

Nimey (114278) | about 2 years ago | (#42527769)

XP and 2000 can be made to use NTLMv2 but you have to either use Group Policy or set it in Local Security Policy. I don't know /why/ Microsoft didn't make it default to at least use v2 if both ends agreed, but they wouldn't have forced it on because of back compatibility with NT4 domains.

Re:And this is important because? (-1)

Anonymous Coward | about 2 years ago | (#42527995)

Because it breaks intranet sites that rely on IE 6.

The whole point of upgrading to IE 6 from Netscape is you can write VBscript that used NTLM for authentication with the domain controller. I see no way to do this with NTLMv2 so we stay with NTLM1 and XP/IE6 as the years go by.

Re:And this is important because? (1)

Nimey (114278) | about 2 years ago | (#42528091)

Dear god, I hope you're exaggerating.

Re:And this is important because? (1)

Billly Gates (198444) | about 2 years ago | (#42528507)

I think he is right.

I wrote some simple asp site that did just that with IE 5.5 when Windows 2000 was brand new.

Hopefully these dinosaurs are going down since XP is getting EOL. Can a recent web developer tell me if you can use NTLMv2 today with a modern browser?

Re:And this is important because? (0)

Anonymous Coward | about 2 years ago | (#42532159)

I prefer to use integrated windows authentication when developing intranet sites and locking it down with A/D permissions via IIS.

Re:And this is important because? (0)

Anonymous Coward | about 2 years ago | (#42529473)

I could be incorrect, but it sounds like he's still using NT Domains and not Active Directory (which supposedly uses kerberos instead of ntlm).

In any case keeping NTLM around in XP/2003 was reasonable because there were so many Win9x clients around at the time. However that was 10+ years ago.

Re:And this is important because? (1)

azulcactus (583146) | about 2 years ago | (#42526761)

The first paragraph on Wikipedia is excellent: http://en.wikipedia.org/wiki/NTLM [wikipedia.org] Also important to note this is only referring to NTLMv1 which is hella old. Also just because you are running Windows XP still doesn't mean you are using NTLMv1. It's a bit more complex than that.

Re:And this is important because? (1)

smhsmh (1139709) | about 2 years ago | (#42527039)

My reply may be somewhat off topic, but give it a read:

SlashDot is to journalism as COBOL is to programming.

I read SlashDot because it is an important and timely source of technical news. But all too often articles are incomprehensible (without research) to readers outside some particular narrow discipline. Writing a lead in to an article is a skill that requires more than technical knowledge -- it requires knowledge (and some assumptions) about the experience of the intended readership. Like several other readers -- who know a lot about lotsa things, but not everything about everything -- without some research I couldn't decide immediately whether I ought pursue the article contents further. My apologies to everyone else who knows s/he knows everything about everything.

I think SlashDot would be a better place (and more worth more people perusing every day) if more posters were familiar with basic tenets of reportage: "Don't bury the lead." "Answer the 5 questions in the lead." "Know no more than your stupidest reader knows." (The last quote isn't a real tenet of journalism -- I just invented it, and it is arguably baaaad advice.)

I have a friend who is a retired newspaper journalist. I wonder if I could interest him in devising some guidelines for SlashDot postings that even amateurs could apply with some improvement to the quality of their posts. Anyone enthusiastic about this?

BTW, I mean no disrespect to the original poster DrJONES. His article is otherwise useful and relevant, at least to some in the community. I'm suggesting only that SlashDot style ought be more self aware and aware of the readership...

Re:And this is important because? (1)

Anna Merikin (529843) | about 2 years ago | (#42527467)

As a working reporter/writer for two decades, I offer some other tips:

Each sentence should be less important than the one before it. This is called pyramiding in the trade; it allows the reader to quit once he/she understands enough, or for an editor to cut from the bottom.

Never use a big word when a small, familiar one will do.

Keep sentences to less than thirty words, if at all possible. This is mandatory for the lead (first sentence.)

Be brave in paragraphing; do it often.

Read the AP, Chicago or other online style guides, and commit to memory E.B.White's Elements of Style.

Re:And this is important because? (2)

fatphil (181876) | about 2 years ago | (#42530879)

Pah. You should have left it at 4 points.

Do paragraphing not often, but only as often as makes sense. One-sentence paragraphs are for those with grade 2 reading and writing level.

See Anna Merkin.

See Anna Merkin paragraph.

Paragraph, Anna Merkin, paragraph.

And commit Strunk and White to the *bin*, not to memory. See the many comments by Pullum on Language Log and elsewhere, for example, for reasons why. Pay special attention to the fact that White apparently doesn't even know what the passive voice is before deciding you should follow anything he recommends.

Re:And this is important because? (2)

Fnord666 (889225) | about 2 years ago | (#42528095)

I have a friend who is a retired newspaper journalist. I wonder if I could interest him in devising some guidelines for SlashDot postings that even amateurs could apply with some improvement to the quality of their posts. Anyone enthusiastic about this?

This will remain irrelevant until the editors do some editing rather than accepting article submissions that are no more than the output of a script that scrapes an RSS feed.

Re:And this is important because? (2)

Cid Highwind (9258) | about 2 years ago | (#42531145)

I wonder if I could interest him in devising some guidelines for SlashDot postings that even amateurs could apply with some improvement to the quality of their posts. Anyone enthusiastic about this?

Not in the slightest. I am, in fact, enthusiastically unenthusiastic about bringing the assumption that your reader needs all the 'the five Ws' answered or technical background spoon-fed to him onto the web.

Newspaper style guides were written for a time when a person who didn't understand the technical background had to pedal down to the library and find a book on the subject, read it, and come back to finish the story days or weeks later. It was better to give them a layman's understanding of the science than hope he would come back. Those assumptions don't hold when we have tabbed browsers and wikipedia.

Here's why (0)

ArchieBunker (132337) | about 2 years ago | (#42527463)

The submitter has a hardon for Linux and is giddy that the authentication mechanism for an OS that is over a decade old now can be broken.

Re:Here's why (5, Informative)

arth1 (260657) | about 2 years ago | (#42527703)

I'd say this affects Linux too - a bunch of machines with Samba are quite possibly vulnerable, and need a different settings change than what Windows does.
At a minimum, the following in the smb.conf

[global]
    client ntlmv2 auth = yes
    lanman auth = no
    ntlm auth = no

For winbindd, a recompile might be required.
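Checking an existing smb.conf for the three settings above by hand is easy to get wrong, because Samba matches parameter names ignoring case and internal whitespace and accepts several spellings of yes/no. The following added checker (not code from arth1's post or from the Samba project) parses smb.conf the way Samba reads it and reports each setting as ok, weak, or unset; it also covers the related outbound parameter `client lanman auth`, which the post does not mention. An unset parameter is reported rather than assumed, since the compiled-in default differs between Samba releases.

```python
"""Lint a smb.conf [global] section for the LM/NTLMv1 settings.

Parameter names are compared ignoring case and whitespace (as Samba does), so
"ClientNTLMv2Auth" and "client ntlmv2 auth" are the same key. Booleans accept
yes/true/1 and no/false/0. Unset parameters are flagged, not defaulted.
"""

# Constructed sample: a stock-looking config that still permits LM/NTLMv1.
WEAK_SMB_CONF = """\
[global]
   workgroup = CORP
   security = ads
   ; nothing below pins the authentication protocols
   # ntlm auth = no        (commented out, so NOT in effect)
   lanman auth = yes
   client ntlmv2 auth = No

[public]
   path = /srv/public
"""

# Constructed sample with the settings from the post plus client lanman auth.
HARDENED_SMB_CONF = """\
[global]
   workgroup = CORP
   security = ads
   client ntlmv2 auth = yes
   lanman auth = no
   ntlm auth = no
   client lanman auth = no
"""

# normalized parameter -> (values that count as hardened, recommended line).
# The first three come from the post; "client lanman auth" is added here.
CHECKS = {
    "clientntlmv2auth": ({"yes"}, "client ntlmv2 auth = yes"),
    "lanmanauth": ({"no"}, "lanman auth = no"),
    # Samba 4.5+ also accepts "ntlmv2-only" / "disabled" for ntlm auth.
    "ntlmauth": ({"no", "ntlmv2-only", "disabled"}, "ntlm auth = no"),
    "clientlanmanauth": ({"no"}, "client lanman auth = no"),
}
BOOL_TRUE = {"yes", "true", "1"}
BOOL_FALSE = {"no", "false", "0"}


def normalize_key(name):
    """Samba-style parameter name: lowercase, all whitespace removed."""
    return "".join(name.split()).lower()


def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} for an smb.conf string.

    Handles '#' and ';' comment lines, [section] headers and backslash line
    continuations. Values are kept verbatim (only outer whitespace stripped).
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continued on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][normalize_key(key)] = value.strip()
    return sections


def lint_ntlm_settings(text):
    """Return [(parameter, status, detail)] with status ok / weak / unset."""
    global_section = parse_smb_conf(text).get("global", {})
    findings = []
    for key, (good, recommended) in CHECKS.items():
        name = recommended.split("=")[0].strip()
        value = global_section.get(key)
        if value is None:
            findings.append((name, "unset", f"set explicitly: {recommended}"))
            continue
        v = value.lower()
        v = "yes" if v in BOOL_TRUE else "no" if v in BOOL_FALSE else v
        if v in good:
            findings.append((name, "ok", value))
        else:
            findings.append((name, "weak", f"{value!r}; want {recommended}"))
    return findings


def is_hardened(text):
    """True only when every checked parameter is explicitly set to a safe value."""
    return all(status == "ok" for _, status, _ in lint_ntlm_settings(text))


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label}: hardened={is_hardened(conf)}")
        for name, status, detail in lint_ntlm_settings(conf):
            print(f"  {status:5} {name:20} {detail}")
```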

Re:Here's why (0)

Anonymous Coward | about 2 years ago | (#42527843)

Yeah, totally not because this affects 40% of the computers in production.

This summary is terrible (2, Insightful)

Anonymous Coward | about 2 years ago | (#42526775)

This is one of the worst summaries I have ever read here. I can easily imagine the joy in the submitter as they are dancing to their own over the top writing style. NTLM is 100% broken. Oh no! Microsoft stopped recommending it and switched to Kerberos starting with Windows 2000. Who the hell cares that someone broke a protocol from 10+ years ago? If anything, it makes NTLM look really good. What sensationalist trash this is.

Re:This summary is terrible (1, Informative)

Jeremiah Cornelius (137) | about 2 years ago | (#42526949)

If you knew this well enough, XP - a significantly deployed OS - sends these hashes anyway. It takes a Registry Change through group-policy to change the behavior.

You want fun? Sit on the corp net of any silicon valley company with Wireshark. It's still XP heaven out there... And all the SAMBA servers? Easy pickings, Kerb5 or not.

Re:This summary is terrible (0)

Anonymous Coward | about 2 years ago | (#42527273)

What do you do for a living that you're doing that?

Re:This summary is terrible (2)

Jeremiah Cornelius (137) | about 2 years ago | (#42527343)

Used to do pen/vuln. No more.

Now, I'm a PowerPoint engineer!

Learn to spell Jeremiah Cornelius (0, Troll)

Anonymous Coward | about 2 years ago | (#42529887)

It's PENETRATION, not "Pentration" as you spell it on your resume, BOY -> http://www.linkedin.com/pub/jeremiah-cornelius-cissp-issap/2/620/a58 [linkedin.com]

* So much for your "I am a black man" b.s. too (which also makes you a liar)...

Ah yes - NOW?

Now, I know who & WHAT you are, as well as where you are/from, too, you troll...

(A "San Fran Man" TOO I see, lol... you KNOW what they say about those, rotflmao!)

* Your location pretty much EXPLAINS why you act more like a WOMAN than a MAN then, & why you 'troll' others -> http://slashdot.org/comments.pl?sid=2238996&cid=36457426 [slashdot.org]

(OH, don't worry - I took a screenshot of that, so that even AFTER you alter it for CORRECT SPELLING, I can laugh @ you about it too... HOW MANY YEARS HAVE YOU LEFT IT THAT WAY?)

APK

P.S.=>

"Used to do pen/vuln. No more." - by Jeremiah Cornelius (137) on Tuesday January 08, @09:32PM (#42527343) Homepage

So you're also MERELY A USER OF TOOLS THAT GUYS LIKE MYSELF WROTE FOR YOU TO "USE"... nothing more - figures!

That's ALL THAT TYPE IS - even the CISSP's I've met as well!

I also saw a LOT of "consultant" in there too - the BULLSHITTERS of the INDUSTRY, no questions asked, lol!

(Fact, because WITHOUT those tools? You couldn't do a DAMNED THING!)...

... apk

JC the troll can dish it out, but can't take it (-1)

Anonymous Coward | about 2 years ago | (#42531451)

Trying to "hide this" Jeremiah Cornelius? LMAO -> http://slashdot.org/comments.pl?sid=3368135&cid=42529887 [slashdot.org] via downmods?

Yes - that's YOUR STYLE, bullshit artist troll that you are. YOU CAN'T EVEN SPELL WHAT IT IS YOU CLAIM TO DO RIGHT, lol, for Pete's sake!

Jeremiah Cornelius = 'evangelist/consultant' (bullshitters), & yes, troll too (by his OWN admission quoted in the link above). CISSP? Bah - CHUMP work (you merely use tools guys like MYSELF, actual coders, produce for you to USE, user!).

* YOU have been trolled - you like?

(You, your pals webmistressrachel, countertrolling, gmhowell, & the LONG NOW GONE Barbara, not Barbie alias tomhudson MULTIPLE ACCOUNT USING TROLL I busted & ran off sure like to dish it out, but you can't TAKE IT in return...)

APK

P.S.=> No, like I said, for all of you trolling me for years here? I am going to do it back to YOU, so you & yours learn a lesson!

(I already took care of webmistressrachel, & tomhudson/Barbara, not Barbie (showing them BOTH terribly technically weak in computing MANY times) - & I told you YOU were next - just to teach YOU & YOURS ala trolltalk.com a lesson... here 'tis, & it's JUST THE START! Payback is a BITCH, troll!)

... apk

Re:This summary is terrible (2)

BitZtream (692029) | about 2 years ago | (#42527735)

So ... everyone joined to ActiveDirectory then eh? It's been known that NTLM hashes could be reused for years.

And for the record, my Samba servers have been using kerberos for years, not sure why yours aren't. Shitty admin perhaps? Must be, as the previously stated reason is what caused a clueful admin to move to kerberos back in 2001 when XP made it possible to use network wide.

When you start mixing unix and windows servers on a domain you pretty much start off by switching everything to kerberos so everything works properly.

Re:This summary is terrible (1)

davester666 (731373) | about 2 years ago | (#42528953)

I don't know, maybe everybody didn't immediately switch every machine in their company to XP on day one?

Re:This summary is terrible (0)

Anonymous Coward | about 2 years ago | (#42527387)

lol. Clearly you are clueless. Kerberos is tricky to configure correctly. More auth traffic in an AD domain falls back to NTLM than uses Kerberos. Also, it looks like the post was intended for a technical audience. Go back to your Cheers reruns on Hulu. You may want to try the kitten RSS feeds rather than Slashdot.

Re:This summary is terrible (1)

Anonymous Coward | about 2 years ago | (#42527925)

"This summary is terrible"...
Agree... this is being overblown. Any competent admin of a network of any size already followed guidelines issued nearly a decade ago to start forcing NTLMv2 only unless there was some very specific reason not to. Back in, say, the 2004 time frame there were reasons; by 2008 there really was no excuse. Even if someone missed it, it's a simple GPO change and refresh to mitigate, as already pointed out throughout the thread. Yawn.

Re:This summary is terrible (0)

Anonymous Coward | about 2 years ago | (#42528439)

That isn't what this article is about. NTLM has been 100% broken by black-hats for years. This is a white-hat write up on how it was done.
This is purely informational, who cares how the submitter submitted it? You got the fuckin point right? No you didn't, because you are stupid and clearly obsessed with irrelevant details.

For the record, your post was nothing but sensationalist trash as well.

To disable ntlm on old computers (0)

Anonymous Coward | about 2 years ago | (#42526807)

To disable ntlm on old computers I believe that if you enforce 14 character passwords it will stop working.

But don't take my word for it.

Re:To disable ntlm on old computers (0)

Anonymous Coward | about 2 years ago | (#42527407)

>14 chars disables LM, but not NTLM.

Re:To disable ntlm on old computers (2, Funny)

Anonymous Coward | about 2 years ago | (#42527555)

>14 chars disables LM, but not NTLM.

>14 character passwords also disables some users.

Re:To disable ntlm on old computers (0)

Anonymous Coward | about 2 years ago | (#42528035)

^^This^^

A very real attack (1)

enlefo (738946) | about 2 years ago | (#42526813)

I've been a victim of a pass-the-hash attack... they can fuck you up pretty good.

Re:A very real attack (1)

Anonymous Coward | about 2 years ago | (#42527073)

they can fuck you up pretty good

From that... it sounds more likely you were the victim of a man-in-the-middle attack, or else a trojan horse or malware insertion.....

Re:A very real attack (4, Funny)

Aardpig (622459) | about 2 years ago | (#42527441)

In fact, I think he may have been penetrated via a back-door.

Re:A very real attack (1)

enlefo (738946) | about 2 years ago | (#42529639)

Clearly y'all haven't been passed hash before...

So... (1)

futhermocker (2667575) | about 2 years ago | (#42526815)

Smoking hashes is bad for your windows?

Re:So... (1)

Mike Frett (2811077) | about 2 years ago | (#42529513)

No, Windows is bad for your Hash. Just add some Penguins to your Hash and it should be alright.

Secure Networks vs. Insecure Networks (4, Insightful)

Cassini2 (956052) | about 2 years ago | (#42526957)

The crucial detail is whether the physical layer of the network can be trusted. If the physical layer is trusted, then NTLM works fine. Historically, lots of corporate networks controlled every computer on the office network, and air-gapped the internet.

Many modern networks, including wireless networks, have a non-trustworthy physical layer. In this case, only end-to-end encryption protects the network. Yes, the newer versions of NTLM protect against the most obvious password scanning attacks. However, with a non-trustworthy physical layer, it is possible to simply scan all the network traffic and get the file contents from the network directly. Also, some (almost all?) ODBC and database servers send passwords in the clear. This makes it straightforward to do simple network traffic analysis attacks, and directly gather valuable information from the company network.

The bottom line is that only protocols like SSH work against a non-trustworthy physical layer.

Re:Secure Networks vs. Insecure Networks (1)

petermgreen (876956) | about 2 years ago | (#42527247)

. If the physical layer is trusted, then NTLM works fine. Historically, lots of corporate networks controlled every computer on the office network, and air-gapped the internet.

To what extent did they control them though? The bigger a network gets the more chance of a rouge device getting on it either through compromise of a machine that was legitimately there or through introducing a machine illegitimately.

Re:Secure Networks vs. Insecure Networks (0)

Anonymous Coward | about 2 years ago | (#42527545)

What kind of rouge device runs Windows?!

Re:Secure Networks vs. Insecure Networks (1)

Cassini2 (956052) | about 2 years ago | (#42527773)

To achieve any kind of security with Windows NT 3.5/4.0, you really need to control the physical layer thoroughly. Any device on the network is a potential source for untrusted code. Once you had untrusted code running on the computer, the network was compromised.

With Windows XP and Windows 7, it's pretty much impossible to lock down the computers. The security certifications that Microsoft had for Windows NT 4.0 no longer exist.

The only current desktop operating system technology that is equivalent to the security I was deploying with Windows NT 4.0 is SE Linux.

Re:Secure Networks vs. Insecure Networks (1)

operagost (62405) | about 2 years ago | (#42531857)

I'm not sure what you mean with XP and 7 (and I assume Vista). Those are client systems. No, they don't offer Kerberos services. You need the server product. As client systems, they are far superior to NT 3.x and 4.0. Your "impossible to lock down" statement is just a setup for Linux fanboyism.

Re:Secure Networks vs. Insecure Networks (0)

Anonymous Coward | about 2 years ago | (#42527657)

He shows a phishing attacker where the user sends the hash. The attacker doesn't have to compromise your network.

Re:Secure Networks vs. Insecure Networks (0)

Anonymous Coward | about 2 years ago | (#42528129)

Or Kerberos [slashdot.org] . You can secure ssh sessions with Kerberos, and AD is actually a very good implementation of it.

Re:Secure Networks vs. Insecure Networks (3, Informative)

greg1104 (461138) | about 2 years ago | (#42528765)

Also, some (almost all?) ODBC and database servers send passwords in the clear.

Many database servers allow encrypted passwords, but there are surely a lot of database installations that don't take advantage of it. In PostgreSQL you can use SSL for the client network connection [postgresql.org] , which ODBC passes through. Set up SSL as the only way to connect, and encryption has to happen before it hits the wire. MySQL has a similar trick [mysql.com] . Both are just using the OpenSSL library under the hood to encrypt the network traffic.

On the commercial side, Oracle does the same thing with ORA_ENCRYPT_LOGIN [oracle.com] . SQL Server has client and server settings [microsoft.com] that enforce encryption. Basically, if your database traffic isn't encrypted, it's more likely because someone didn't think that was important than because it was impossible. It's a simple checkbox to add to database selection requirements, and it's not hard to find a DBMS that has the capability.

I find people who just stuff user passwords into the database (which can be the same passwords as other services) rather than putting password encryption into their application can also leak data. In PostgreSQL using the built-in pgcrypto [postgresql.org] makes that easy. You also have to be careful to use the same network encryption approach for any replication client, or it's possible to just sniff that instead to get the data. In Postgres those connect with the same encryption possible options as any other client. Most of the tutorials on setting up replication don't cover this though.

Re:Secure Networks vs. Insecure Networks (1)

codewarren (927270) | about 2 years ago | (#42530831)

The crucial detail is whether the physical layer of the network can be trusted

Someone maintains that physical layer. Even if they are employees of the company, it doesn't follow that they can be trusted. Someone with access to the physical layer and an NTLM hack could "become" anyone else on the network and do whatever he wanted with little fear of getting caught.

Put another way, if everyone that was employed by the company could be trusted, they could all share the same login with unlimited access. If that makes you cringe, then so should NTLM. I think that's the point of the article.

Old news (0)

Anonymous Coward | about 2 years ago | (#42527391)

Folks have known, for years, that windows hashes are password equivalent. Grab a hash, don't bother decrypting the pword, since you can use the hash directly.

With all the issues with windows pwords/pword hashes, it appears if MS could do something wrong with handling pwords, they did.

Re:Old news (0)

Anonymous Coward | about 2 years ago | (#42527625)

Great reading skills dude. This is not about pass the hash. It's about getting the hash without admin rights. Getting the user to send the hash. The hash can now be derived in a day via the observed challenge and response. It might be good to actually read the article.

Net Net use the settings recommended for years now (0)

Anonymous Coward | about 2 years ago | (#42527827)

While the blog is interesting and useful, all it does is reinforce what any windows network admin worth his salt has known and been told for years by Microsoft.
I've not seen a domain where that policy level 3 (or higher) isn't forced by GPO in a couple years, though no doubt I'm sure they're out there; the last case I did see involved a company that just refused to migrate two win2k boxes they were still using on their network for some other piece of software they refused to upgrade. If your company has competent admins and doesn't have a bunch of old win2k or not service packed win3k boxes you should already be set, and even if you're not it's an easy fix in most environments.
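The "simple GPO change" and "policy level 3 or higher" that the two posts above refer to is the LAN Manager authentication level (the LmCompatibilityLevel registry value behind the GPO entry "Network security: LAN Manager authentication level"), together with "Do not store LAN Manager hash value" (NoLMHash). The following is an added example, not code from the thread or from Gamache's write-up; it reads and sets those two values on a single host and pulls LM / NTLMv1 logons out of the Security log so you can see which clients are still sending the responses Cloudcracker can crack. The registry path and the 4624 event field names (AuthenticationPackageName, LmPackageName, TargetUserName, IpAddress) are the documented Windows ones; the function names and the 2000-event window are this example's own choices.

```powershell
# Added example: audit and enforce NTLMv2-only on one Windows host.
# Run in an elevated PowerShell (3.0 or later, for the -in operator).
# Registry path and value names are the documented backing of the GPO entries
# "Network security: LAN Manager authentication level" and
# "Network security: Do not store LAN Manager hash value on next password change".
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NtlmPosture {
    $p = Get-ItemProperty -Path $lsa
    # -1 means "value absent": the OS default applies (0 on XP = send LM and NTLMv1,
    # 3 on Vista/7 and later = send NTLMv2 only). Treat absent as needing review.
    $level = if ($null -ne $p.LmCompatibilityLevel) { [int]$p.LmCompatibilityLevel } else { -1 }
    $noLm  = if ($null -ne $p.NoLMHash) { [int]$p.NoLMHash } else { -1 }
    [pscustomobject]@{
        LmCompatibilityLevel = $level
        NoLMHash             = $noLm
        SendsLmOrNtlmV1      = ($level -lt 3)   # levels 0-2 (and absent) still answer with LM/NTLMv1
        RefusesLmOrNtlmV1    = ($level -ge 4)   # 4: server/DC refuses LM; 5: refuses LM and NTLMv1
    }
}

function Set-NtlmV2Only {
    # Level 5: this host sends only NTLMv2 and, if it is a server/DC, refuses LM and NTLMv1.
    # NoLMHash=1 stops the LM hash being stored at the NEXT password change; hashes already
    # in the SAM/AD stay until each password is changed, hence the usual forced reset afterwards.
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
}

function Get-LegacyNtlmLogons {
    param([int]$MaxEvents = 2000)   # window size is an arbitrary choice for this example
    # Security event 4624 (Vista/2008 and later) carries "Package Name (NTLM only)" as
    # LmPackageName: "LM", "NTLM V1" or "NTLM V2" ("-" for Kerberos logons).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['AuthenticationPackageName'] -eq 'NTLM' -and $d['LmPackageName'] -in 'LM', 'NTLM V1') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Source      = $d['IpAddress']
                Workstation = $d['WorkstationName']
                Package     = $d['LmPackageName']
            }
        }
      }
}

Get-NtlmPosture
Get-LegacyNtlmLogons | Group-Object Package, Source | Sort-Object Count -Descending | Format-Table Count, Name
# Set-NtlmV2Only   # uncomment once the list above is empty, or push the same two values by GPO
```

Run Get-LegacyNtlmLogons on the servers and domain controllers, not on the clients: the host at level 0-2 is the one sending the weak response, but it is the receiving side that logs which package was used. On a domain, set the same two values through Group Policy (Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options) rather than per host, and note that XP and 2003 log logons as events 528/540 without the LmPackageName field, so the audit function only sees them once they authenticate to a newer server.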

And the big question is ... (-1, Flamebait)

GNUALMAFUERTE (697061) | about 2 years ago | (#42527917)

Why the fuck people still trust microsoft?

They keep coming up with more retarded, proprietary technologies that don't seem to solve any particular issue, and are solutions looking for a problem ... and eventually turn into huge problems themselves.

Re:And the big question is ... (0)

Anonymous Coward | about 2 years ago | (#42528151)

Why the fuck people still trust microsoft?

Because Open Sores trolls and Apple fanboys still have no fucking answer to MSSQL, Exchange, or Office.

That's fucking why.

Hey, you asked.

Re:And the big question is ... (0)

Anonymous Coward | about 2 years ago | (#42528241)

So why do home users use Windows?
MSSQL and Exchange are totally irrelevant at home, and there are any number of word processors (the only part of Office that matters to a home user) people could use.

Re:And the big question is ... (0)

Anonymous Coward | about 2 years ago | (#42528505)

Runs faster than Linux desktop.

Re:And the big question is ... (3, Insightful)

BradleyUffner (103496) | about 2 years ago | (#42528715)

So why do home users use Windows?

Because they don't want to deal with stuff like this just to get sound working.
https://wiki.archlinux.org/index.php/Advanced_Linux_Sound_Architecture [archlinux.org]

Re:And the big question is ... (1)

mstefanro (1965558) | about 2 years ago | (#42531319)

I remember trying most of the relevant stuff on that page on archlinux and still not getting the sound to work properly.

Re:And the big question is ... (1)

aztracker1 (702135) | about 2 years ago | (#42528245)

Although GP is flamebait at best.. Because when LM and original NTLM were created it was an issue, and in 2003 compatibility was an issue, is why it is still around.

That said, I will say that for most people's needs there are plenty of adequate solutions. I find that LibreOffice (and OOo) do a decent job. PostgreSQL in many ways exceeds what MS-SQL does, and there are some decent integrated mail/calendar servers... I do think that Exchange is to this day best in its class, and there are some features of MS Office that will lock some in. However, the fact is, most people don't need any MS software.

NOTE: I make my living doing software dev in an MS centered environment.

Re:And the big question is ... (0)

Anonymous Coward | about 2 years ago | (#42528275)

I don't see how this relates to this article. Security experts are constantly looking for vulnerabilities in all platforms.

god DAMMIT (0)

Anonymous Coward | about 2 years ago | (#42529707)

Oh FUCK. ME. Sigh. "Guess I know what I'm doing tomorrow."

Wait, you're telling me XP is insecure? (1)

Arancaytar (966377) | about 2 years ago | (#42530063)

Holy SHIT!

W3 schools (1)

mstefanro (1965558) | about 2 years ago | (#42531275)

Who would've thought a day would come when W3-schools is used as a reference in a non-humorous way?
