Windows laggards still using the vulnerable hashing function: Your days are numbered.
See full article...
See full article...
Mandiant releases rainbow table that cracks weak admin password in 12 hours
- Thread starter JournalBot
- Start date
Since then you can only bring it back by the means of an extended one-year security support on NTLMv1 for $499 only !!
Upvote
34
(35
/
-1)
- Add bookmark
- Featured
- #5
It's important to understand that, by default, Windows cannot just generate NTLMv1 traffic. The use of NTLMv1 versus NTLMv2 isn't negotiated. Instead, the client decides which one to send based on the security policy "Network security: LAN Manager authentication level" which has defaulted to send NTLMv2 since Vista. Getting the computer to emit NTLMv1 requires you explicitly to shoot yourself in the foot by changing this to use the older broken protocol.
Also, creating rainbow tables as this article is about doesn't impact anything. The NTLMv1 response function uses single DES with 56 bits of the user's secret key at a time, and it's been feasible about two decades now to brute-force those 56-bit pieces of the key until you recover the entire user key. That secret user key is sufficient to authenticate as the user (see "pass-the-hash") and there's no need to reverse this secret into the actual text of the password.
P.S. NTLMv2 is still very weak and subject to brute force attacks for weaker passwords, but it's not subject to rainbow tables. The response function for NTLMv2 includes 64 bits of random entropy supplied by client meaning that, unlike NTLMv1, the client does not generate the same response every time if a malicious server sends the same challenge.
Also, creating rainbow tables as this article is about doesn't impact anything. The NTLMv1 response function uses single DES with 56 bits of the user's secret key at a time, and it's been feasible about two decades now to brute-force those 56-bit pieces of the key until you recover the entire user key. That secret user key is sufficient to authenticate as the user (see "pass-the-hash") and there's no need to reverse this secret into the actual text of the password.
P.S. NTLMv2 is still very weak and subject to brute force attacks for weaker passwords, but it's not subject to rainbow tables. The response function for NTLMv2 includes 64 bits of random entropy supplied by client meaning that, unlike NTLMv1, the client does not generate the same response every time if a malicious server sends the same challenge.
Upvote
122
(123
/
-1)
That would be grand except there's places where NTLMv1 is the only option - the primary example is RADIUS. I mean, MS-CHAP and MS-CHAP2 are both madly insecure anyway precisely because they use NTLMv1 (rainbow tables aside - as mentioned by another commenter the DES can be brute-forced by a modern smart watch probably) ... but the authentication protocols supported in RADIUS are cleartext (PAP), CHAP (requires cleartext of the password on the server), MS-CHAP, MS-CHAP2 (require the NTLMv1 hash, or cleartext of the password on the server). Brilliant stuff huh?
Up until recently, MS-CHAP2 was pretty much required for WPA enterprise/PEAP. You have to use TLS/X509 based authentication to avoid it.
And the final ingredient to the wonderful shit sandwich this already is not every use of RADIUS allows the authentication protocol to be interchangeable. Some will only accept if it's "secure" (MS-CHAPv2). I've got devices that will accept RADIUS PAP for VPN termination (great! the only place it's cleartext is over the encrypted channels!) but MS-CHAPv2 for other identity uses (what? you mean I effectively have to have the password in cleartext on the server?)
Edit: The reason for me needing cleartext on the server (and not the NTLMv1 hash) is because it's MFA - the "password" is actually the password + TOTP code, so it has to use the NTLMv1 hash of the combined password + code (and the previous code too just to allow time delays). There is a whole "challenge/response" thing for RADIUS you can use instead but that's not reliably supported so it's better to offer a pseudo-password option.
Up until recently, MS-CHAP2 was pretty much required for WPA enterprise/PEAP. You have to use TLS/X509 based authentication to avoid it.
And the final ingredient to the wonderful shit sandwich this already is not every use of RADIUS allows the authentication protocol to be interchangeable. Some will only accept if it's "secure" (MS-CHAPv2). I've got devices that will accept RADIUS PAP for VPN termination (great! the only place it's cleartext is over the encrypted channels!) but MS-CHAPv2 for other identity uses (what? you mean I effectively have to have the password in cleartext on the server?)
Edit: The reason for me needing cleartext on the server (and not the NTLMv1 hash) is because it's MFA - the "password" is actually the password + TOTP code, so it has to use the NTLMv1 hash of the combined password + code (and the previous code too just to allow time delays). There is a whole "challenge/response" thing for RADIUS you can use instead but that's not reliably supported so it's better to offer a pseudo-password option.
Last edited:
Upvote
35
(35
/
0)
YetAnotherAnonymousAppellation
Ars Praefectus
Once again this is beyond my technical expertise so I have to ask, does this have any implications for choosing passwords for logging into Windows 10/11 Home?
As for rainbow tables, do they deal with using a character not from the 96-character standard ASCII set (using ALT+###)? I've thought of doing this before, but was reluctant because it might break something in some case and it never seemed to be worth the risk.
edit: clarification of question
As for rainbow tables, do they deal with using a character not from the 96-character standard ASCII set (using ALT+###)? I've thought of doing this before, but was reluctant because it might break something in some case and it never seemed to be worth the risk.
edit: clarification of question
Last edited:
Upvote
10
(10
/
0)
Thankfully no. This has mostly to deal with enterprise environments. Possibly super-ancient small business or retro-home networks. Although I'm willing to bet that Pro could have its settings adjusted to make it relevant, Home won't let you touch those.
Upvote
22
(22
/
0)
Rainbows tables don't produce "the" password; they produce a password that has an equivalent hash. A truly complete rainbow table has a password for every hash. So it doesn't matter what your real password is, they may be able to derive one that works just as well.
Edit: In theory a rainbow table can product passwords with 0-9 as the only characters, just some of them might be really long....
Upvote
21
(22
/
-1)
MSCHAPv2 is definitely a problem. The worst part, IMO, is how it's presented to users. If you navigate to an HTTPS site with an invalid certificate, the browser makes it very hard to bypass the scary warnings and continue on. If you try to connect to a wireless access point that asks for MSCHAPv2 but doesn't have a valid cert, you get that prompt that says "Do you expect to find this wireless network in this location?" which users will almost always click through. One click in a very non-threatening dialog never should have been enough to send what's practically equivalent to your password to some random WAP with no credentials.
Upvote
20
(20
/
0)
“Typically tools including Responder, PetitPotam, and DFSCoerce are involved in attacks against Net-NTLM. Typically tools including Responder, PetitPotam, and DFSCoerceare involved.”
Upvote
1
(2
/
-1)
While I get your point. Nobody who cares should be using password auth with radius anyway. PAP and CHAP are even worse options v MS-CHAPv2 so there are no good options for it. WPA2-PSK is actually much stronger (and WPA3 really strong) and many business targeted (e.g. Unifi) Wifi setups allow per device WPA secrets to avoid the one key to rule them all problem of WPA.
X509 is surprisingly not that hard to manage in an enterprise setting (e.g. with an Active Directory integrated Certificate Authority) and has the advantage of allowing machine certs so your devices can connect to Wifi/VPN without a user logging in first avoiding the bootstrap problem or just allowing device sharing
Upvote
3
(5
/
-2)
RADIUS is used in an amazing amount of places where it's the only option. And it's only security is based on bad use of MD5 hashing and XOR encryption of clear text passwords. There's an optional HMAC-MD5 attribute, and that's the best part of it. There's also a TLS variant of RADIUS, also barely supported.
Wifi is only one small part of the picture.
Edit: I've implemented RADIUS in an IDP before. Lots of "oh this is such a load of bullshit" and comments to the linter "no, really, I do want to use MD4, MD5 and DES modules, I swear, I'm deliberately doing this, not being stupid"
Edit 2: RADIUS authentication of packets is done by an MD5 hash of a challenge by a secret tied to the source IP. That's it. Not a HMAC, but one readily broken use of MD5. Encryption of cleartext passwords in the RADIUS packet is done by XORing the password with another hash generated similar to the MD5 packet authentication. So weak as all hell. There is an optional HMAC-MD5 attribute (which incidentally screws with RADIUS design in that it must be the first attribute, so when adding it/checking it, you have to rebuild etc in just the right order). Fortunately the TLS version of RADIUS does away with all that - the "secret" is just a fixed string, you're supposed to use TLS certificates to validate client/server stuff. All the meaningless RADIUS shit is still there, but it doesn't matter and everything is encrypted over TLS.
Last edited:
Upvote
9
(9
/
0)
Ninth paragraph needs re-edit. Duplicated cut and pasted text and misspelled word. “Accont”
Upvote
-2
(0
/
-2)
Crap and ancient history so now you tell me pwdb are applied to existing like when I would use pwdb to apply brute force attacks on everyone. Databases in guessing your passwords has been along for a long time and now you say ai has improved. I think you mean "suck my datacenter".
Upvote
-13
(0
/
-13)
They could just ask for the password twice, first for the actual password, then for the 2fa code. (For example by pretending the first password was wrong even if it wasn't).
Or switch to something more secure than ssh tunnels.
Upvote
-1
(0
/
-1)
RADIUS has a "keep asking for more responses" feature, but most clients don't work very well with it - there's no facility to keep prompting/asking at their end; you could use it for MFA in theory (that's what it's for after all), but support for it is patchy to say the least. And if you reject, that's it - you're starting a whole new sequence. RADIUS is an old protocol but every flexible, and most good stuff is completely optional. RADIUS configuration can be more of an art form than anything else (and the traditional configuration files are sort of 0.7 on the sendmail.cf scale)
Edit: the whole point of the RADIUS "keep asking" sequence is to tie them together with a state. If you reject it, you're gone. At that point you're indistinguishable from a completely new request (is it the same person trying again, or is it a new person on the same port because the other person gave up?)
Upvote
2
(2
/
0)
Can anybody with access to the Google Cloud link tell us what the size of the rainbow table is? I guess it's 1TB+?
Upvote
4
(4
/
0)
How do you know there's no porn on your unsecured computer? Just because you didn't put it there doesn't mean somebody else, anywhere in the world, hasn't hacked your machine and is now using it to run a kiddie porn server (or fentanyl store, etc.). You won't know anything about it until the police come knocking on your door with a search/arrest warrant.
Hackers aren't just after your data. The computer itself is a valuable ressource for any number of criminal activities. It's a bit like thinking you don't need to lock your car doors because there's nothing worth stealing in the glove compartment.
Upvote
22
(23
/
-1)
MilanKraft
Ars Tribunus Angusticlavius
RIght??
I know more about security than the averge Joe, so maybe a little biased, but this kind of shit boggles the mind. When identity theft is about as common as car theft (maybe more in some places), knowledge of botnets widespread, large corporate networks hacked with millions of user datapoints stolen (or the network brought down), hospital networks ransomwared, and all the other twisted shit we've seen — much of it in the news — that someone could still have the attitude (more or less) of: "I don't work with sensitive information, so I don't need to do all this security crap — here's my three computers with no (or very weak) passwords, and see I'm fine." lol
Do you leave the front and back door to your home unlocked at night too because "I don't have much money or valuables in the house" or "we don't have much property or violent crime in this area"? Yes, sometimes the extra layer or two of security for your home network and computers can be a minor hassle, but fer fucksakes, protect yourself.
Whether you realize it or not, you owe it to yourself (and your partner / spouse / kids if you have any) on the same level of you owe to put quality deadbolts and latches on your doors and windows, etc. Obviously nothing is bullet-proof and so a really determined / skilled hacker (or house-breaker) will get in if they really want to, but the other 98% of assholes out there who might do you harm will move on to someone else. (And in theory, if they have to move on enough times, maybe they'll decide they're in the wrong line of work, or have to relocate to some other area where the percentage of lazy people — let's face it, this scenario is about lazyness — is higher.)
Upvote
4
(4
/
0)