June 1, 1998
It's about time to get cracking on Windows NT password security
Long regarded as a critical network security function in the Unix community, password cracking is still seldom broached in Windows NT circles. This is unfortunate -- NT's user account information is just as vulnerable to password cracking tools. NT administrators need to get over this hurdle. Even we were surprised by what we found when we let popular password guessing tools loose in the Test Center.
The problem lies in the fact that NT relies on a trivially attacked system of password obfuscation held over from its LANManager roots. Although more robust NT authentication has been adopted, the LANManager architecture remains for Windows 95 and Windows for Workgroups clients that require it to log onto an NT domain.
We put NT password integrity to the test using two of the more popular tools, L0phtcrack 2.0 from L0pht Heavy Industries (http://www.l0pht.com) and NTCrack, written by engineers at Secure Networks (http://www.securenetworks.com).
The first thing you need to test your NT domain is a list of user names and hashed passwords (see http://www.rsa.com/rsalabs/newfaq/q94.html to learn more about hashing). There are two ways to obtain this information: we grabbed a copy of the Security Accounts Manager (SAM) database from the Domain Controller, but L0pht's ReadSMB utility can instead be used to lift NT challenge/response traffic from the network.
Once the SAM was obtained, NTCrack required a utility called pwdump (see ftp://samba.anu.edu.au/pub/samba/pwdump) to first extract the SAM to a Unix-like password file format. We then supplied both programs with a custom 36MB, 3.8-million-word list to hash using the NT/LANman algorithm; the resulting hashes were then compared with our SAM file entries one by one (this process is called a "dictionary attack"). L0phtcrack 2.0 also applies a more robust "brute force" attack in which randomly generated alphanumeric strings are hashed and compared to the SAM data.
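To make the two preceding points concrete (the LANManager hash NT keeps for downlevel clients, and the dictionary attack the tools run against SAM entries), here is an added Go program that is not part of the article and not code from L0pht or Secure Networks. It implements the LM hash as publicly documented (upper-case, NUL-pad to 14 bytes, DES-encrypt a fixed string under each 7-byte half) and then audits pwdump-style lines the way a defender's password audit would. The account names, RIDs, NT-hash placeholders, Quasimodo's filler hash and the wordlist are all constructed for the example; the only fixed values it relies on are the well-known LM hashes of "password" and of the empty password. Upper-casing is ASCII-only here, a simplification of NT's code-page conversion.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// EmptyHalf is the LM half-hash of seven NUL bytes. A second half equal to it
// reveals a password of at most seven characters.
const EmptyHalf = "AAD3B435B51404EE"

// lmMagic is the fixed plaintext every LM half-hash DES-encrypts.
var lmMagic = []byte("KGS!@#$%")

// desKey7to8 spreads 7 key bytes over 8 DES key bytes; the low bit of each
// output byte is the DES parity bit, which the cipher ignores.
func desKey7to8(k []byte) []byte {
	out := []byte{
		k[0] >> 1,
		(k[0]&0x01)<<6 | k[1]>>2,
		(k[1]&0x03)<<5 | k[2]>>3,
		(k[2]&0x07)<<4 | k[3]>>4,
		(k[3]&0x0F)<<3 | k[4]>>5,
		(k[4]&0x1F)<<2 | k[5]>>6,
		(k[5]&0x3F)<<1 | k[6]>>7,
		k[6] & 0x7F,
	}
	for i := range out {
		out[i] <<= 1
	}
	return out
}

// lmHalf hashes one 7-byte half by DES-encrypting lmMagic under it.
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(desKey7to8(half))
	if err != nil {
		panic(err) // cannot happen: the derived key is always 8 bytes
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash: upper-case, truncate or NUL-pad to 14 bytes, hash each half alone.
func LMHash(password string) string {
	padded := make([]byte, 14)
	copy(padded, strings.ToUpper(password)) // copy drops anything past 14 bytes
	h := append(lmHalf(padded[:7]), lmHalf(padded[7:])...)
	return strings.ToUpper(hex.EncodeToString(h))
}

// Finding is the audit verdict for one account.
type Finding struct {
	User     string
	Password string // upper-case password recovered from the LM hash, "" if none
	Short    bool   // second half is EmptyHalf: password has at most 7 characters
	NoLM     bool   // whole hash is the empty-password value
}

// AuditLMHashes runs a dictionary attack over pwdump-style lines
// (user:rid:LMhash:NThash:::). Each 8-byte half is matched independently,
// so a 7-character prefix of a wordlist entry is found even when the full
// password is not in the list. The NT field is ignored (it needs MD4).
func AuditLMHashes(dump string, wordlist []string) []Finding {
	halves := map[string]string{EmptyHalf: ""} // half-hash -> 7-char chunk
	for _, w := range wordlist {
		h, u := LMHash(w), strings.ToUpper(w)
		if len(u) > 14 {
			u = u[:14]
		}
		if len(u) > 7 {
			halves[h[:16]], halves[h[16:]] = u[:7], u[7:]
		} else {
			halves[h[:16]] = u
		}
	}
	var findings []Finding
	for _, line := range strings.Split(strings.TrimSpace(dump), "\n") {
		fields := strings.Split(strings.TrimSpace(line), ":")
		if len(fields) < 4 || len(fields[2]) != 32 {
			continue // malformed line
		}
		lm := strings.ToUpper(fields[2])
		f := Finding{User: fields[0], Short: lm[16:] == EmptyHalf, NoLM: lm == EmptyHalf+EmptyHalf}
		first, ok1 := halves[lm[:16]]
		second, ok2 := halves[lm[16:]]
		if ok1 && ok2 {
			f.Password = first + second
		}
		findings = append(findings, f)
	}
	return findings
}

// SampleDump is constructed for this example. NT-hash fields are placeholders;
// Quasimodo's LM field is filler standing in for a password not in the wordlist.
const SampleDump = `
Joel:1001:E52CAC67419A9A224A3B108F3FA6CB6D:NTHASH-PLACEHOLDER:::
Mark:1002:E52CAC67419A9A22AAD3B435B51404EE:NTHASH-PLACEHOLDER:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:NTHASH-PLACEHOLDER:::
Quasimodo:1003:0123456789ABCDEF0123456789ABCDEF:NTHASH-PLACEHOLDER:::
`

// Wordlist is a constructed dictionary; Mark's password "passwor" is not in it.
var Wordlist = []string{"password", "gripe", "betty", "randolf", "letmein"}

func main() {
	for _, f := range AuditLMHashes(SampleDump, Wordlist) {
		fmt.Printf("%-10s recovered=%-10q short=%-5v noLM=%v\n", f.User, f.Password, f.Short, f.NoLM)
	}
}
```

Run it with `go run`. Mark's line is the instructive one: "passwor" is absent from the wordlist, yet the audit recovers it, because the first half of his hash equals the first half of "password" and the second half is the empty-pad value. That is exactly why an LM-style hash lets a dictionary attack work on two 7-character fragments instead of one 14-character password, and why case variations add nothing to its strength.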
The results of our crack test were surprising -- illustrating critical points about password choices.
These results should warn NT administrators to add cracking utilities to their security arsenal and audit the network for adherence to a reasonable password policy. Microsoft's passfilt.dll from Service Pack 3 can help enforce your policy. We also recommend L0pht's technical rant at http://www.l0pht.com/l0phtcrack/rant.html, but temper its conclusions with NT suggestions at http://www.microsoft.com/security/l0pht20.htm. Send us your NT cracking comments.
Windows NT password-cracking test results

We used L0phtcrack 2.0 and NTCrack to test our NT password integrity.
Key: # = within minutes | $ = within hours | % = not cracked at press time | ? = partially cracked at press time

Password type       | Username  | Password | Length | L0phtcrack | NTCrack
--------------------|-----------|----------|--------|------------|--------
Dictionary words    | Mark      | gripe    | 5      | #          | #
                    | Joel      | password | 8      | #          | #
Common names        | Betty     | betty    | 5      | #          | #
                    | Randolf   | randolf  | 7      | #          | #
Conjugated words    | Stuart    | to1to    | 5      | #          | N/A
                    | Melinda   | and5dime | 8      | ?          | N/A
Birth date          | Ernie     | 060666   | 6      | $          | N/A
Phone number        | Carol     | 5551212  | 7      | $          | N/A
Random alphanumeric | Quasimodo | r0Lt3    | 5      | #          | N/A
                    | Yupster   | BMW325i  | 7      | %          | N/A

(N/A: NTCrack is only a dictionary attack tool and would not be expected to reveal passwords not found in our dictionary.)