Password crackers
User account database
One of the main components of the Windows NT security system is the User Account Manager. It mediates the interaction of the other components of the Windows NT security system, of applications and of services with the user account database (the Security Account Management database, or SAM for short). Every computer running the Windows NT operating system (OS) must have this database. It stores all the information used to authenticate Windows NT users, both when they log on to the system interactively and when they access it remotely over a computer network.
The SAM database is one of the «hives» of the Windows NT system registry. This «hive» belongs to the «branch» (subtree) HKEY_LOCAL_MACHINE and is also called SAM. It is stored as a separate file, likewise named SAM, in the winnt_root\System32\Config directory (winnt_root is the conventional designation of the directory containing the Windows NT system files). Most of the information in the SAM database is kept in binary form and is normally accessed only through the account manager. Editing the records of the SAM database with programs that modify the Windows NT registry directly (REGEDIT or REGEDT32) is not recommended; in fact it is not even possible, since access to the SAM database is denied to all categories of Windows NT users without exception.
Storing user passwords
It is in the accounts of the SAM database that the user names and the password information needed to identify and authenticate users at interactive logon are stored. As in any other modern multi-user OS, this information is not stored in the clear but in encrypted form. In the SAM database, each password is normally represented by two 16-byte sequences obtained by different methods.
In the Windows NT method, the character string of the user's password is hashed with the MD4 function. As a result, the character password entered by the user is converted into a 16-byte sequence, the hashed Windows NT password. This sequence is then encrypted with the DES algorithm, and the result of the encryption is what is stored in the SAM database. The key used is the so-called relative user identifier (Relative Identifier, or RID for short), an automatically incremented ordinal number of the user account in the SAM database.
For compatibility with other Microsoft software (Windows for Workgroups, Windows 95/98 and Lan Manager), the SAM database also stores the user's password information in the Lan Manager form. To produce it, all alphabetic characters of the original password string are converted to upper case, and if the password is shorter than 14 characters it is padded with zeros to that length. From each of the two 7-byte halves of the password prepared in this way, a DES key is generated separately and used to encrypt a certain fixed 8-byte sequence. The two resulting 8-byte halves of the hashed Lan Manager password are then encrypted once more with the DES algorithm (again using the user's RID as the key) and placed in the SAM database.
Using a Password
The password information stored in the SAM database is used to authenticate Windows NT users. When a user logs on interactively or over the network, the password entered is first hashed and encrypted in the same way and then compared with the 16-byte sequence stored in the SAM database. If the values match, the user is allowed to log on.
Typically, both hashed passwords are stored in encrypted form in the SAM database. In some cases, however, the OS computes only one of them. For example, if a Windows NT domain user changes their password while working on a computer running Windows for Workgroups, only the Lan Manager password will remain in their account. And if the user's password is longer than 14 characters, or contains characters outside the so-called original equipment manufacturer (OEM) character set, only the Windows NT password is entered into the SAM database.
Possible attacks on the SAM database
As a rule, what attracts someone attacking the OS password protection is administrative privileges. They can be obtained by learning the hashed or character form of the system administrator's password, which is stored in the SAM database. This is why the SAM database is the main target of anyone attacking Windows NT password protection.
By default, Windows NT blocks access to the winnt_root\System32\Config\SAM file for all users without exception. However, using the NTBACKUP program, anyone who has the right to back up Windows NT files and directories can copy this file from the «hard» disk to magnetic tape. A backup copy of the registry can also be made with the REGBAK utility from the Windows NT Resource Kit. In addition, the backup copy of the SAM file (SAM.SAV) in the winnt_root\System32\Config directory and the compressed archive copy of SAM (the SAM._ file) in the winnt_root\Repair directory are of undoubted interest to any attacker.
With a physical copy of the SAM file in hand, extracting the information stored in it is easy. By loading the SAM file into the registry of any other Windows NT computer (for example, with the Load Hive command of REGEDT32), one can examine the user accounts in detail and determine the users' RID values and the encrypted versions of their hashed passwords. Knowing the RID and having the encrypted version of the hashed password, an attacker can try to recover that password in order to use it, for example, to gain network access to another computer. For an interactive logon, however, knowing the hashed password alone is not enough: its character representation is needed.
To recover Windows NT user passwords in character form there are special password crackers that perform both exhaustive (brute-force) search and dictionary search. Sometimes a combined method is used: the dictionary is a file of precomputed hashed passwords corresponding to character sequences that are frequently chosen as passwords by operating system users. One of the best-known programs for cracking Windows NT passwords is L0phtCrack.
Windows NT protection from password crackers
So the conclusion is clear: the most important task of the Windows NT system administrator is to protect the information stored in the SAM database from unauthorized access. To this end, physical access to the network computers, and above all to the domain controllers, must be restricted. In addition, where the hardware and software allow it, BIOS passwords should be set both for switching the computers on and for changing their BIOS settings. Then, in the BIOS settings, booting from floppy disks and CDs should be disabled. And to enforce access control on Windows NT files and folders, the system partition of the «hard» disk must use the NTFS file system.
The winnt_root\Repair directory should be closed by means of the operating system to all users, including administrators, and access to it should be allowed only while the RDISK utility, which creates archive copies of the Windows NT system registry in this directory, is running. System administrators should also carefully monitor where and how Emergency Repair Disks and magnetic-tape archive copies are stored, if the latter contain a duplicate of the Windows NT system registry.
If a computer running the Windows NT operating system is a member of a domain, then by default the names and hashed passwords of the last ten users who logged on to it are saved (cached) in its local system registry (in the SECURITY\Policy\Secrets section of the HKEY_LOCAL_MACHINE hive). To disable password caching on domain computers, use the REGEDT32 utility to add the CachedLogonsCount parameter, of type REG_SZ and with the value zero, to the Microsoft\Windows NT\CurrentVersion\Winlogon section of the HKEY_LOCAL_MACHINE hive. To protect the SAM database, you can use the SYSKEY utility included in Windows NT Service Pack 3. It enables an additional layer of encryption for the password information stored in the SAM database. A unique 128-bit key for this additional password encryption (the so-called Password Encryption Key, or PEK) is automatically saved in the system registry for later use.
Before being placed in the system registry, the PEK is itself encrypted with a 128-bit System Key, which can be stored either in the system registry or in a file named STARTUP.KEY in the root directory of a separate floppy disk. You can also choose not to save the system key on any magnetic medium at all; in that case it is computed with the MD5 algorithm each time the operating system starts, from a password typed at the keyboard in the SYSKEY utility dialog box. The last two ways of storing the system key give the passwords in the SAM database the strongest protection, but they make an unattended reboot of the OS impossible, since to complete the reboot you must either insert the floppy disk with the system key and confirm that it is in the drive by clicking OK in the dialog box that appears, or enter the system key manually from the keyboard.
To make the passwords of Windows NT users more resistant to cracking, it is recommended to use the «User Manager» utility to set the minimum password length to at least 8 characters and to enable password aging so that users change their passwords periodically. The higher the likelihood of attacks on the Windows NT password protection, the shorter the aging period should be. And to prevent users from reusing their old passwords, the mode that keeps a history of a certain number of previously used passwords must be enabled.
The PASSPROP utility from the Windows NT Resource Kit, when run with the /COMPLEX switch, forces users to choose more resistant passwords that combine letters of different cases, or letters with digits, or letters with special characters. Stricter filtering of weak passwords becomes available after installing any of the Windows NT service packs starting with Service Pack 2. The special PASSFILT.DLL library located in the winnt_root\System32 directory then ensures that every user password is at least five characters long, does not contain the user name, and includes characters from at least three of the four possible sets: uppercase letters, lowercase letters, digits, and special characters (punctuation marks, etc.). To enable this password verification mode, use the REGEDT32 program to add the Notification Packages parameter, of type REG_MULTI_SZ, to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa section of the system registry and enter the line PASSFILT into it. If the parameter already exists, the new line should be added after the existing one.
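A check equivalent to the PASSFILT.DLL rules as the article states them (minimum length of five, no user name, at least three of the four character classes) and to the PASSPROP /COMPLEX requirement (two complementary classes), written as an added example for this page rather than taken from Microsoft's code. The function names, the treatment of any non-alphanumeric character as "special", the case-insensitive user name test and the sample passwords are all constructed assumptions of the example.

```python
def _classes(password: str) -> dict:
    """Which of the four character classes the password uses."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        # assumption: anything that is neither alphanumeric nor whitespace counts as special
        "special": any(not c.isalnum() and not c.isspace() for c in password),
    }


def passfilt_check(password: str, username: str, min_len: int = 5) -> list:
    """Return the list of PASSFILT-style rules the password fails (empty = accepted).
    min_len defaults to five because that is the length the article gives."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    # the user name must not appear anywhere in the password, regardless of case
    if username and username.lower() in password.lower():
        failures.append("contains the user name")
    if sum(_classes(password).values()) < 3:
        failures.append("uses fewer than three of the four character classes")
    return failures


def passprop_complex(password: str) -> bool:
    """PASSPROP /COMPLEX as described: letters of both cases, or letters plus
    digits, or letters plus special characters."""
    k = _classes(password)
    has_letter = k["upper"] or k["lower"]
    return ((k["upper"] and k["lower"])
            or (has_letter and k["digit"])
            or (has_letter and k["special"]))


if __name__ == "__main__":
    # constructed sample passwords for a constructed user name
    for pw in ("Tr0ub4dor!", "Alice2024!", "abcdefgh", "Ab1", "abc123"):
        print(f"{pw!r:14} PASSPROP /COMPLEX: {passprop_complex(pw)!s:5}"
              f"  PASSFILT failures: {passfilt_check(pw, 'alice') or 'none'}")
```

The two checks are deliberately separate: a password such as `abc123` satisfies the /COMPLEX rule (letters plus digits) but is rejected by the PASSFILT rule, which needs a third class, so an administrator who moves from PASSPROP to PASSFILT.DLL should expect previously acceptable passwords to fail at the next change.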
In conclusion, it should be noted that although, in the hands of a skilled attacker, programs for cracking operating system passwords pose a serious danger to password protection, password crackers are no less valuable a tool for system administrators who want to find the weaknesses in the password protection of their own operating systems. The main problem in countering break-ins is not that password crackers exist, but that system administrators do not use them often enough. I would like to hope that after the publication of this article the situation will change for the better.