Windows and Secure Authentication Mechanisms

Storage of Password Hashes

Windows does not store passwords in plaintext; it stores hashed versions of them. The hash function is not MD5, however: Windows uses the NTLM (NT LAN Manager) family of hashes, specifically:

  1. LM Hash: This is the older and less secure hashing algorithm, which has significant vulnerabilities and is disabled by default in modern versions of Windows. Windows Server 2003 is the last version of Windows Server that fully supports the use of LM hashes. Starting with Windows Vista and Windows Server 2008, LM hashes are disabled by default.
  2. NTLM Hash (also called the NT hash): This is the primary method used by Windows for hashing passwords.

NTLM (NT LAN Manager) has been used in various versions of Windows for network authentication, including:

  • Windows Server 2008
  • Windows Server 2012
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

NTLM continues to be supported in these versions primarily for backward compatibility, although Kerberos is the preferred authentication method in Active Directory environments.

These hashes are stored in the Security Account Manager (SAM) database. The SAM file is located at:

C:\Windows\System32\config\SAM

This file is locked by the operating system while Windows is running and cannot be opened through normal file access. Additionally, the hashes inside the SAM are encrypted with a key derived from the boot key (SysKey), which is stored in the SYSTEM registry hive located at:

C:\Windows\System32\config\SYSTEM

Transmission Over the Network

When a user logs into a Windows system or accesses network resources, an authentication exchange takes place over the network; the password itself is not sent (see below). Windows typically uses the NTLM or Kerberos protocols for this exchange.

  1. NTLM Authentication: When NTLM is used, the process involves the following steps:
    • The client sends a username to the server.
    • The server responds with a 16-byte random challenge.
    • The client encrypts this challenge with the NTLM hash of the user’s password and sends the result (the response) back to the server.
    • The server performs the same encryption on the challenge using the NTLM hash stored in the SAM database and compares the result with the response received from the client. If they match, the authentication is successful.
  2. Kerberos Authentication: This is the preferred and more secure authentication method used in Windows domains:
    • The client authenticates to the Key Distribution Center (KDC), which is part of the domain controller.
    • The KDC issues a Ticket Granting Ticket (TGT) after verifying the user’s credentials.
    • When accessing a network resource, the client requests a service ticket from the KDC using the TGT.
    • The client presents the service ticket to the target server for authentication.

In both NTLM and Kerberos, the actual password is never transmitted over the network. Instead, the process relies on cryptographic exchanges that protect the user’s credentials.
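The NTLM steps above can be followed end to end in code. The block below is an added example, not code from the original article: it computes the NT hash (MD4 over the UTF-16LE password, MS-NLMP 3.3.1), derives the NTLMv2 key and response on the client side, and has the server recompute and compare the proof exactly as step 4 describes, using only the stored hash. MD4 is written out because OpenSSL 3 ships it only in its legacy provider. The account name CORP\alice, the passwords and the FILETIME constant are constructed values; the ServerChallenge is 8 bytes as defined for the CHALLENGE_MESSAGE in MS-NLMP. Two things the code makes visible: the NT hash has no salt, so equal passwords give equal hashes, and the response sent on the wire is an HMAC bound to both challenges, so the hash itself never leaves the client.

```python
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320. Implemented here because OpenSSL 3 moved MD4
    into its legacy provider, so hashlib.new("md4") is not available everywhere."""
    # Padding: a 0x80 byte, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1, F(x, y, z) = (x & y) | (~x & z), words in order
            f = (b & c) | (~b & d)
            a = _rotl((a + f + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, G = majority, word order 0,4,8,12,1,5,9,13,...
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3, H = x ^ y ^ z, word order 0,8,4,12,2,10,6,14,...
            h = b ^ c ^ d
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = _rotl((a + h + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0 = (a0 + a) & MASK, (b0 + b) & MASK
        c0, d0 = (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NTOWFv1 (MS-NLMP 3.3.1): MD4 over the UTF-16LE password. No salt and no work
    factor, so two accounts with the same password hold the same hash in the SAM."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt_hash_value: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash_value, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_response(ntowf, server_challenge, client_challenge, timestamp, target_info=b""):
    """Client side: NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp); the response is
    NTProofStr followed by temp (the NTLMv2_CLIENT_CHALLENGE structure, MS-NLMP 2.2.2.7)."""
    temp = (b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp)
            + client_challenge + bytes(4) + target_info + bytes(4))
    nt_proof_str = hmac.new(ntowf, server_challenge + temp, "md5").digest()
    return nt_proof_str + temp


def server_verify(stored_nt_hash, user, domain, server_challenge, response):
    """Server side: recompute NTProofStr from the stored NT hash and the received temp blob
    and compare in constant time. Nothing in this check needs the plaintext password."""
    ntowf = ntowf_v2(stored_nt_hash, user, domain)
    nt_proof_str, temp = response[:16], response[16:]
    expected = hmac.new(ntowf, server_challenge + temp, "md5").digest()
    return hmac.compare_digest(expected, nt_proof_str)


def demo_exchange(password="Winter2024!", attempt="Winter2024!"):
    """One NTLMv2 round trip for a hypothetical account CORP\\alice: True when the
    client's attempt matches the hash the server stores, False otherwise."""
    user, domain = "alice", "CORP"
    stored = nt_hash(password)              # what the SAM / domain controller holds
    server_challenge = os.urandom(8)        # 8-byte ServerChallenge from the CHALLENGE_MESSAGE
    client_challenge = os.urandom(8)        # client nonce that makes each response unique
    timestamp = 133_500_000_000_000_000     # constructed FILETIME value; real clients use the clock
    response = ntlmv2_response(ntowf_v2(nt_hash(attempt), user, domain),
                               server_challenge, client_challenge, timestamp)
    return server_verify(stored, user, domain, server_challenge, response)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("correct password accepted:", demo_exchange())
    print("wrong password accepted:", demo_exchange(attempt="Summer2024!"))
```

Because the client nonce and timestamp are mixed into the proof, a response captured from one session cannot be replayed against a fresh challenge; the remaining weakness is that the proof is an unsalted function of the NT hash, which is why the mitigations at the end of this article (Kerberos, SMB signing) matter more than the choice between NTLMv1 and NTLMv2.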

Capturing NTLM Hashes with Wireshark

Capturing NTLM hashes over the network using Wireshark involves intercepting the network traffic during an NTLM authentication process. This requires an understanding of the network setup and legal permissions to monitor network traffic. Here’s a step-by-step guide:

Prerequisites

  1. Wireshark Installed: Ensure Wireshark is installed on the machine from which you plan to capture traffic.
  2. Network Setup: You need to be on the same network segment as the target machine or have access to a network device that can mirror traffic.
  3. Permissions: Ensure you have legal and ethical permission to capture network traffic.

Steps to Capture NTLM Hashes

  1. Open Wireshark: Launch Wireshark on your monitoring machine.
  2. Select Network Interface: Choose the correct network interface that is used for the communication between the client and the server. This could be a wired Ethernet connection or a Wi-Fi adapter.
  3. Start Capturing: Click on the “Start Capturing Packets” button (the blue shark fin icon).
  4. Filter for NTLM Traffic: Use the display filter to focus on NTLM authentication traffic. You can use the following filter:

ntlmssp

  5. Trigger NTLM Authentication: From the client machine, initiate an action that requires NTLM authentication, such as accessing a shared folder, logging into a service, or remote desktop access.
  6. Stop Capture: Once you have captured the necessary traffic, stop the packet capture by clicking on the red stop button.

Analyzing the Capture

  1. Find NTLM Packets: Look for packets that contain NTLMSSP (NT LAN Manager Security Support Provider) protocol data.
  2. Identify Authentication Packets: NTLM authentication typically involves several key packets:
    • Negotiate Message: Initiated by the client, this packet starts the NTLM authentication.
    • Challenge Message: Sent by the server, this packet includes a random challenge string.
    • Authenticate Message: Sent by the client, this packet includes the response to the challenge, encrypted using the NTLM hash of the user’s password.
  3. Extract NTLM Hash: In the “Authenticate Message,” look for the field “NTLMv2 Response” or “NT Response.” This field contains the challenge response that the client computed from its NTLM hash; the hash itself is not transmitted.

Steps to Interpret Captured Data

  1. NTLMv2 Response: This is the value you are interested in. It is computed from several elements: the NT hash of the password, a client nonce and timestamp, and the server challenge.
  2. Wireshark Display: Right-click on the packet and select “Follow TCP Stream” to see the conversation. Filter through the NTLM packets to find the response hash.

Example Analysis

  1. Filter Packets: Apply the ntlmssp filter.
  2. Locate Authenticate Message: Look for a packet labeled “Authenticate.” It typically contains the username and domain.
  3. Extract NTLMv2 Response: Within the packet details pane, expand the “NTLMSSP” section and find the “NTLMv2 Response” field.
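The fields that the two procedures above locate by hand in Wireshark's NTLMSSP tree can also be decoded programmatically, which is how a defender would audit a capture rather than read packets one at a time. The following block is an added example and not part of the original article: it parses an AUTHENTICATE_MESSAGE (type 3) according to the MS-NLMP layout, recovers the username, domain and workstation, tells NTLMv1 (24-byte NT response) from NTLMv2 (NTProofStr followed by the client challenge structure), and pulls the timestamp, client challenge and target name out of an NTLMv2 response. The sample message, the account CORP\alice, the workstation names, the service name cifs/fs01.corp.example and the 16-byte NTProofStr are constructed values built inline; OEM (non-Unicode) strings are assumed to be ASCII.

```python
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001            # NTLMSSP_NEGOTIATE_UNICODE flag bit
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AV_NAMES = {0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
            3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
            6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
            9: "MsvAvTargetName", 10: "MsvAvChannelBindings"}


def to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def _payload_field(msg, pos):
    """Decode a Len/MaxLen/BufferOffset descriptor and return the payload bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[offset:offset + length]


def parse_av_pairs(data):
    """AV_PAIR list: uint16 AvId, uint16 AvLen, value; terminated by MsvAvEOL."""
    pairs, pos = {}, 0
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == 0:
            break
        pairs[AV_NAMES.get(av_id, f"Unknown({av_id})")] = data[pos:pos + av_len]
        pos += av_len
    return pairs


def parse_authenticate(msg):
    """Pull the fields Wireshark shows under NTLMSSP for an AUTHENTICATE_MESSAGE (type 3)."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"   # OEM strings assumed ASCII
    nt_response = _payload_field(msg, 20)
    info = {"domain": _payload_field(msg, 28).decode(enc),
            "user": _payload_field(msg, 36).decode(enc),
            "workstation": _payload_field(msg, 44).decode(enc),
            "lm_response_len": len(_payload_field(msg, 12)),
            "nt_response_len": len(nt_response)}
    if len(nt_response) == 24:
        info["version"] = "NTLMv1"            # 24-byte DES-based NT response
    elif len(nt_response) > 44 and nt_response[16:18] == b"\x01\x01":
        info["version"] = "NTLMv2"            # 16-byte NTProofStr + NTLMv2_CLIENT_CHALLENGE
        info["nt_proof_str"] = nt_response[:16].hex()
        info["timestamp"] = from_filetime(struct.unpack_from("<Q", nt_response, 24)[0])
        info["client_challenge"] = nt_response[32:40].hex()
        av = parse_av_pairs(nt_response[44:])
        info["target_name"] = av.get("MsvAvTargetName", b"").decode("utf-16-le")
        info["channel_bindings"] = "MsvAvChannelBindings" in av
    else:
        info["version"] = "unknown"
    return info


def ntlmv1_accounts(messages):
    """Defender's view: accounts still answering with NTLMv1 in a set of captured type 3 messages."""
    return sorted({f"{i['domain']}\\{i['user']}" for i in map(parse_authenticate, messages)
                   if i["version"] == "NTLMv1"})


def build_authenticate(user, domain, workstation, nt_response, lm_response=b"", flags=NEGOTIATE_UNICODE):
    """Constructed AUTHENTICATE_MESSAGE; payload starts at offset 88, after Version and MIC."""
    fields, payload = b"", b""
    for item in (lm_response, nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"),
                 workstation.encode("utf-16-le"), b""):       # last: EncryptedRandomSessionKey, empty
        fields += struct.pack("<HHI", len(item), len(item), 88 + len(payload))
        payload += item
    return SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + bytes(8) + bytes(16) + payload


def sample_message():
    """Constructed NTLMv2 AUTHENTICATE_MESSAGE for a fictitious account CORP\\alice from WS01."""
    target = "cifs/fs01.corp.example".encode("utf-16-le")
    av_pairs = struct.pack("<HH", 9, len(target)) + target + struct.pack("<HH", 0, 0)
    ts = to_filetime(datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc))
    temp = (b"\x01\x01" + bytes(6) + struct.pack("<Q", ts) + bytes.fromhex("0123456789abcdef")
            + bytes(4) + av_pairs + bytes(4))
    nt_response = bytes.fromhex("00112233445566778899aabbccddeeff") + temp   # fake NTProofStr
    return build_authenticate("alice", "CORP", "WS01", nt_response, lm_response=bytes(24))


if __name__ == "__main__":
    for key, value in parse_authenticate(sample_message()).items():
        print(f"{key:>18}: {value}")
```

The version and MsvAvChannelBindings fields are the ones worth watching in an audit: NTLMv1 responses and the absence of channel bindings identify clients that will need attention before NTLM is restricted, which is a more useful outcome of a capture than the response value itself.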

Security Implications

Capturing NTLM hashes on a network can expose sensitive information and pose significant security risks. Always ensure that you have explicit permission to conduct such activities, typically in the context of a security audit or penetration test. Unauthorized interception of network traffic can be illegal and unethical.

Mitigations

  • Use Kerberos Authentication: Where possible, use Kerberos instead of NTLM as it is more secure.
  • Enforce SMB Signing: Enable SMB signing to protect against man-in-the-middle attacks.
  • Network Segmentation: Use network segmentation and proper access controls to limit exposure.
  • Security Protocols: Using secure communication protocols like TLS/SSL can further protect data transmitted over the network.
  • Regular Updates and Best Practices: Keeping systems updated, enforcing strong password policies, and using multi-factor authentication (MFA) can enhance security against attacks targeting hashed passwords.

In summary, Windows uses the NTLM hashing algorithm for storing password hashes in the SAM database and employs either NTLM or Kerberos protocols for securely transmitting authentication credentials over the network. Capturing and analyzing NTLM hashes can be a useful skill for understanding network security but should always be done responsibly and legally.
