Windows passwords FAQ
posted by Passcape_Admin at 15:27:13 05.10.2010
|Q: What is password protection?|
|A: Perhaps no one would argue that Windows NT-based operating systems are today the most widespread in the world. That also makes them attractive targets for hackers, intruders and dishonest users, and the spread of the global network only exacerbates the situation. To keep stored user and system data private and to protect it from unauthorized access by third parties, password protection was introduced, and it remains the primary protection in Windows operating systems. Access to private data is possible only when the user knows the original password, which is normally a word or phrase. In practice it works like this: when someone attempts to access private data, the program or system prompts for the password, checks it against the original and, if the values match, grants access; otherwise it denies access. The primary disadvantage of password protection is that the program or system must store the original password in some form, in order to have something to compare the entered value with.|
|Q: How do operating systems store passwords?|
|A: But everything is not so bad; Windows NT was designed so that it does not store the original text of the password at all. "How is that?" you may ask. Very simply: there are special cryptographic algorithms that work in one direction only, which is why they are called one-way functions (OWF). Roughly, you can compute a hash from a password, but there is no practical way to get the password back from the hash; the only option is to guess candidate passwords and hash each one. How does it work in Windows? When an account is created, the user enters the original password; it is not stored as plain text but is passed through an OWF, and the resulting password hash is what the system keeps. Later, when the user attempts to log on, the system prompts for the password, hashes it again and compares the new hash with the one stored in the system. If the two hashes match, the passwords match too. Thus, the original text password is never stored. Moreover, there are newer schemes that do not even store a hash, and their number keeps growing; one such scheme is used for encrypting passwords in Internet Explorer 7-8. You can learn more about it in our article.|
|Q: How do passwords become encrypted?|
|A: For hashing user passwords, Windows NT uses two algorithms: LM, inherited from LAN Manager networks and built on plain DES (the password is used as a DES key to encrypt a fixed constant), and NT, built on the MD4 hash function (computed over the password encoded as UTF-16LE).
LM, being the weaker and vulnerable one, is no longer stored by default on Windows Vista and Windows 7 (the NoLMHash policy, "Do not store LAN Manager hash value on next password change", is enabled there); however, you can still turn it back on. It is important to know that whenever LM hashing is on (and it is on by default in Windows XP), all user passwords must be considered vulnerable: cracking the majority of them normally takes just a few minutes.
The NT hash is free of the weaknesses of the LM hash, so it is much harder to find the right password for a known NT hash than for an LM hash. But the steady growth in computing power, especially with GPUs, may well make this algorithm too vulnerable to attackers as well: the NT hash is unsalted and very cheap to compute, so every guess costs the attacker almost nothing.
|Q: Where are password hashes stored?|
|A: So, we have found out that user passwords in Windows systems are converted into special values, hashes. LM and NT hashes both have a fixed size of 16 bytes and can live in one of two repositories: SAM for regular (local) accounts and Active Directory for domain accounts.
Regular accounts, which hold the user name, password hash and other auxiliary information, are stored in the Windows NT registry; precisely, in the SAM (Security Account Manager) hive. That file is located on the hard disk in the folder %windows%\system32\config, where %windows% stands for the path to your Windows folder; for example, C:\Windows\System32\Config\SAM.
The system keeps the SAM hive open exclusively, so the file cannot be opened or copied through the file system by anyone, even administrators, while Windows is running; nevertheless, Windows Password Recovery bypasses that restriction with ease. Besides that, of great interest to a potential attacker are the SAM.SAV backup file and the compressed archived copy of SAM in the folder %windows%\Repair.
Another way to get at the SAM file is to boot the computer from a boot disk, launch a special program and copy the file from there. Either way, you need physical access to the computer that holds the password hashes.
User passwords, or to be accurate their hashes, are additionally encrypted with the SYSKEY mechanism, whose key material lives in the SYSTEM registry hive (the boot key is assembled from the class names of several keys under SYSTEM\CurrentControlSet\Control\Lsa). Thus, to extract hashes from SAM, you also need the SYSTEM file, which is located in the same folder as SAM.
Domain accounts are stored in the Active Directory database, usually the file %windows%\ntds\NTDS.DIT; it is the core of Active Directory. The way user hashes are encrypted there differs somewhat from SAM, but recovery also requires the SYSTEM file. Access to the database is likewise under the system's complete control; however, unlike SAM, the ntds.dit database is resistant to modification from the outside.
|Q: If everything is so easy, why not Windows simply deny access to SAM or Active Directory for all users?|
|A: That is exactly how it is done: by default only the system has access to those files. However, the restriction is easily circumvented. For example, Windows Password Recovery can import hashes from the current (locked by the system) SAM and Active Directory files. Besides, the system (the LSASS process) keeps the hashes in memory to speed up access to them, so dumping the computer's memory is another option.|
|Q: I didn't quite understand it; what do I need to copy from the computer to recover the passwords?|
|A: For an ordinary computer, copy the following registry files: SAM and SYSTEM (the SECURITY and SOFTWARE files are also desirable). For a server holding domain accounts (a domain controller), you need the same files plus ntds.dit.|
|Q: How long does it take to pick the password if the LM hash is available?|
|A: The greatest weakness of the LM algorithm is that it splits the password into two halves of 7 characters each. If the password is shorter than 14 characters, it is padded with null bytes up to 14; if it is longer than 14 characters, Windows does not compute an LM hash for it at all and stores the same value as for an empty password. Each 7-character half is encrypted independently, which makes recovery considerably easier and faster: the attacker is really searching two 7-character passwords, not one 14-character one. Another major weakness is that all alphabetic characters are converted to uppercase before hashing, so the hashes for PASSWORD, password, Password and pAsswOrd are identical. By brute-forcing each half, a modern personal computer can recover an alphanumeric LM password within a few minutes (or even seconds with a rainbow-table attack). Let's do a bit of calculation. To recover any alphanumeric password we need to search, for each 7-character half, 36 + 36^2 + ... + 36^7 = 80 603 140 212 combinations, and all loaded hashes are checked at the same time, so the cost does not grow with the number of hashes. The search speed of Windows Password Recovery on an Intel Core i7 is over 100 million passwords per second; rounding down to 100 million, 80 603 140 212 / 100 000 000 = 806 seconds. That means we are guaranteed to recover the original alphanumeric password in about thirteen and a half minutes of brute force.|
|Q: Can I see the encryption sources?|
|A: Sure. Let's review a working password encryption program for the LM algorithm.|
|Q: How much time is it required to guess the password if its NT hash is known?|
|A: With NT hashes it is a bit more complicated. The NT hash does not have the weaknesses of LM, so the chance of recovering the password depends entirely on its length and complexity and falls off rapidly as they grow, even though the NT hash itself is faster to compute than LM. The following table shows how the search time depends on password length and character set (assuming a brute-force speed of 100 million passwords per second).
|Q: What's the difference between a regular brute-force and GPU brute-force attack?|
|A: There is no difference for the end user, except that GPU brute-force runs several times faster, or even tens of times faster, depending on the hardware used. Nowadays even a schoolboy can build a GPU-based PC that tries 10 billion passwords per second or more. With that speed our table would look like this:
|Q: How much time is needed to guess the NT password if its LM hash is known?|
|A: Almost instantly. The LM hash gives away the password with all letters in uppercase, so only the letter case remains unknown; trying every case combination of the cracked LM password against the NT hash takes a fraction of a second.|
|Q: Why can't I just remove or zero out the hash, i.e. set a blank password?|
|A: Who said you couldn't? You can, for instance with this powerful utility. This approach suits those who need to regain access to their own account (or someone else's, e.g. when talking about the respective authorities) at any cost. Moreover, with the utility mentioned above you can save the existing hash, reset it, log on to the account with an empty password, do whatever is needed, and then restore the saved hash. But it is not as simple as it seems. Even after resetting the password and gaining access to the account, you still will not be able to recover most of the other passwords. Why? Because the user's password takes part in deriving the user's master key, which protects DPAPI and EFS encryption and other Windows subsystems. In other words, after a reset you will not be able to recover any of the following: EFS-encrypted files, Outlook account passwords, Internet Explorer 7-9 passwords, network connection passwords (RAS, DSL, VPN etc.), passwords to other computers on the network, wireless network keys, MSN Messenger credentials, Google Talk and Google Chrome passwords, Skype, etc.|
|Q: So, in order to recover, for example, an Internet Explorer password, I would need to get the account password first, right?|
|A: Exactly. Or you need physical access to an already loaded and running session of that user account.|
|Q: Are there any backdoors?|
|A: As anywhere else. For example, the account password is sometimes stored in plain-text form among the LSA secrets, and the passwords of many system (service) accounts can also be recovered with ease.|
|Q: Is that what the SECURITY registry file is requested for when importing hashes from the local computer?|
|A: Yes. The main purpose of the SECURITY hive is to store the so-called LSA Secrets. These secrets (though not they alone) can hold plain-text passwords. The Artificial Intelligence attack checks the system for such weak spots and, as a consequence, for chances to recover some of the passwords.|
|Q: Can I tuck an existing hash instead of the password when logging on to the system?|
|A: There are programs that do that. Here is how they work: before the system boots, they extract the user's password hash from SAM; then, at logon, they substitute the known hash for the password. However, the result of such manipulation is the same as merely resetting the password: you will not be able to recover most of the other passwords.|
|Q: What can I do if the SAM file is hopelessly corrupt? Is there a way to recover the original password in this case?|
|A: Yes, there is, although you will no longer be able to log on to the system. You can, for example, recover the password from the user's master key; Passcape Software has tools for that. If the computer belongs to a domain, the names and hashed passwords of the last ten users who logged on are cached in the local SECURITY registry hive (the cache entries live under SECURITY\Cache and are encrypted with the NL$KM secret stored under SECURITY\Policy\Secrets). You can use Reset Windows Password to dump those cached hashes (also known as MSCACHE) and then try to decrypt them with Network Password Recovery Wizard.|
|Q: I need to regain access to my account. Would you draw a picture "for dummies" - what's the best way to do that, and how do I do that?|
|A: Briefly, there are two ways to regain access to an account:
|Q: Where can I find word-lists for dictionary attacks?|
|A: There is no need to search for them. You can download dictionaries from within Windows Password Recovery; we keep a large set of dictionaries on our Web site.|
|Q: How do I make my password more secure?|
|A: There are several ways to make it harder for an attacker to guess your password: