Wednesday, March 3, 2010

What is LanManager Hash?

Example: Let's say your password is '123456qwerty'.

• When this password is encrypted with the LM algorithm, it is first converted to all uppercase: '123456QWERTY'
• The password is padded with null (blank) characters to make it 14 characters long: '123456QWERTY_'
• Before encrypting this password, the 14 character string is split in half: '123456Q' and 'WERTY_'
• Each string is individually encrypted and the results are concatenated.
• '123456Q' = 6BF11E04AFAB197F
  'WERTY_' = F1E9FFDCC75575B15
• The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15


The first half of the hash contains alpha-numeric characters and will take 24 hours to crack with L0phtCrack; the second half only takes 60 seconds.
All Windows clients, including Windows 2000, Windows Server 2003, and Windows XP, are configured by default to send LM and NTLM authentication responses, except Win9x clients, which only send LM. The default setting on servers allows all clients to authenticate with servers and use their resources. However, this default setting allows LM responses (the weakest form of authentication response) to be sent over the network. This makes it attractive to attackers, who can sniff the traffic and crack passwords with relatively little effort.
Microsoft Windows NT stores two types of passwords: a LAN Manager (LM) password and a Windows NT password. We have seen in our discussion in module four how the domain controller gives out an eight-byte challenge and the twenty-four byte challenge response that the client (server or workstation) replies with. These hashes are transmitted without encryption over the network. If the domain controller authenticates the challenge response, it replies with an NT session key and a LAN Manager (LM) session key. These session keys are encrypted between the client and the domain controller.
Let us now take a look at the LAN Manager hash. LAN Manager uses a fourteen-byte password. If the password is less than fourteen bytes, it is padded with zeros. After conversion to upper case, it is split into seven-byte halves. From each seven-byte half an eight-byte odd-parity DES key is constructed. Each eight-byte DES key is encrypted with a "magic number". The results of the magic number encryption are concatenated into a sixteen-byte one-way hash value. This value is the LAN Manager one-way hash of the password.


It is easy for password crackers to detect whether there is an eighth character when the LM password is used. The challenge response can then be brute-forced for the LM hash. The number of possible combinations in the LM password is relatively low compared to the Windows NT password.
While encryption forms such as Kerberos are considered an effective countermeasure, the Windows 9x and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. Therefore, in Windows Server 2003 as well, these systems authenticate by default with both the LM and NTLM protocols for network authentication. What is possible, though, is for Windows 9x and Windows NT to use a more secure authentication protocol such as NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Therefore these systems have to set LAN Manager Authentication Level to "Send NTLMv2 responses only".
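The following is an added example, not code from the original post, that walks through the LM steps described above (uppercase, zero-pad to 14 bytes, split into 7-byte halves, build an 8-byte odd-parity DES key from each half, encrypt, concatenate) using Go's standard crypto/des. The constant that each derived key encrypts is the well-known LM string "KGS!@#$%". It assumes an ASCII password (real LM upper-cases with the OEM code page, which this example does not model). It also implements the "eighth character" check from the paragraph above: the second half of an LM hash for any password of seven characters or fewer is always the hash of an all-zero half, so a cracker can spot short passwords without doing any work. Note that the second-half value printed earlier on this page has 17 hex digits, which cannot be an 8-byte DES block, so run the function if you want the actual halves for '123456qwerty'.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// lmMagic is the well-known 8-byte constant that LM encrypts under each derived DES key.
var lmMagic = []byte("KGS!@#$%")

// expandDESKey maps 7 bytes of password material onto an 8-byte DES key:
// each key byte takes 7 consecutive password bits in its high bits, and the
// low bit is set so every byte has odd parity. DES itself ignores the parity
// bits, so this only matters for fidelity to the "odd parity key" description.
func expandDESKey(half [7]byte) []byte {
	key := []byte{
		half[0] >> 1,
		(half[0]&0x01)<<6 | half[1]>>2,
		(half[1]&0x03)<<5 | half[2]>>3,
		(half[2]&0x07)<<4 | half[3]>>4,
		(half[3]&0x0f)<<3 | half[4]>>5,
		(half[4]&0x1f)<<2 | half[5]>>6,
		(half[5]&0x3f)<<1 | half[6]>>7,
		half[6] & 0x7f,
	}
	for i, b := range key {
		b <<= 1 // move the 7 payload bits into bit positions 7..1
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1 // parity bit makes the number of set bits odd
		}
		key[i] = b
	}
	return key
}

// lmHalf encrypts the magic constant under the key derived from one 7-byte half.
func lmHalf(half [7]byte) ([]byte, error) {
	block, err := des.NewCipher(expandDESKey(half))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out, nil
}

// LMHash computes the 16-byte LM hash of an ASCII password and returns it as
// 32 lowercase hex characters. Passwords longer than 14 bytes are truncated,
// shorter ones are zero-padded, exactly as the LM scheme does.
func LMHash(password string) (string, error) {
	var buf [14]byte
	copy(buf[:], strings.ToUpper(password)) // copy stops at 14 bytes; the rest stays 0x00
	var first, second [7]byte
	copy(first[:], buf[:7])
	copy(second[:], buf[7:])
	h1, err := lmHalf(first)
	if err != nil {
		return "", err
	}
	h2, err := lmHalf(second)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(append(h1, h2...)), nil
}

// IsShortPassword reports whether the second half of an LM hash is the hash
// of an all-zero half, which means the password had at most seven characters.
// "aad3b435b51404ee" is the well-known LM half for an empty/zero input.
func IsShortPassword(lmHex string) bool {
	return len(lmHex) == 32 && strings.ToLower(lmHex[16:]) == "aad3b435b51404ee"
}

func main() {
	// Constructed sample passwords for the demonstration.
	for _, pw := range []string{"", "secret", "123456qwerty", "123456QWERTY"} {
		h, err := LMHash(pw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-14q -> %s  (seven chars or fewer: %v)\n", pw, h, IsShortPassword(h))
	}
}
```

Running it shows the two properties the text relies on: the upper- and lower-case spellings of the same password produce an identical hash (the case-folding step throws away that entropy), and every password of seven or fewer characters ends in the same 16 hex digits, so the second half of a dumped LM hash reveals the password length class before any cracking starts.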