[cryptography] NTLM Challenge Response is 100% Broken (Yes, this is still relevant)

Jeffrey Walton noloader at gmail.com
Tue Jan 8 20:17:15 EST 2013


First off, I can’t say I broke the NTLM handshake; the march of time
did it.  Apparently I am just the one who bothered to put it together.

There have been numerous whitepapers, hacker conference sessions, and
blog posts dedicated to the weaknesses of NTLM (and LM)
authentication.  However, the weaknesses described in previously
published works were theoretical, or required stealing hashes using
admin rights. This means the host was already compromised, thus the
exploits themselves are a bit boring and redundant.  One couldn’t just
phish for the hashes or MITM the hashes, due to the challenge response
mechanism.  The best case for getting to the hash or password from
outside the host was to do a MITM attack (or a phish) and substitute a
chosen challenge.  This only worked if the victim was willing to
negotiate NTLM without the Session Security Flag. This would then
allow an attacker to build rainbow tables to get the hash or password.
Rather, the attacker probably already had tables built for the chosen
challenge.  This scenario is a pretty high bar to reach.

To frame the conversation, there are actually 4 handshakes in the NTLM
suite that move up in security and complexity. They are LM, NTLM, NTLM
with session security, and NTLMv2.  As of now, only NTLMv2 stands as
secure.  There is no way, other than encrypting your link with say
IPSec, to secure the 3 weak handshakes.  The good news is, all
Microsoft OSs already have a registry key that can control the
handshake options.  MS will release a KB and Advisory on 1/8 on this
and the information can be found below.

Now, thanks to Moxie Marlinspike’s Cloudcracker, an attacker can skip
the pre-chosen challenge and brute force the challenge response to get
the NTLM hash.  If the victim is running XP, the situation is even
worse, as Cloudcracker will return the LM hash which can always be
broken overnight to derive the user’s password.

** Why Does this Matter Now? **
Before I get to the exploit details, let me clarify how relevant these
technologies still are in today’s world. You might think that with all
the papers and presentations, no one would be using NTLM...or, God
forbid, LM. NTLMv2 has been around for quite some time. Surely,
everyone is using it. Right?


According to the last data from the W3 Schools, 21% of computers are
running XP, while NetMarketShare claims it is 39%.  Unless someone has
hardened these machines (no MS patches do this), these machines are
sending LM and NTLM responses!  While these lists leave out server
OSs, 2003 Server still sends NTLM responses by default.  Yes, every MS
OS since NT 4.0 SP4 has supported NTLMv2, but NTLM and LM were not
excluded by default until Vista.

But wait, there’s more! It is also very common for companies that have
heterogeneous environments to use Active Directory Group Policy to
keep the settings weak, usually out of fear of breaking Samba
connectivity.  Sure, Samba has supported NTLMv2 for a long time, but
most IT folks tend to think “Why beef up security if you might break
something? No one is claiming to have broken NTLM.”

Well, here it is: I’VE BROKEN NTLM.

Now, get to fixin’.

More on fixin’ later.  (I can’t take credit for breaking NTLM. I’m no
math whiz. I just happen to specialize in applied crypto, and I looked
in the right place at the right time.)

** The Attack **
When I read a summary of Moxie’s MS-CHAPv2 crack, I saw that the big
deal was not that the implementation had some crazy flaw, it was that
Moxie had affordably built a system that can brute force the DES keys
that make up the heart of the challenge response mechanism.  In less
than 24 hours, given a known 64 bit plaintext (challenge) and a
ciphertext (response), Cloudcracker can return the key to you.

This made me wonder what else was broken, given affordable DES brute
forcing now exists.

I didn’t dig a lot deeper into the attack at the time, as I was
researching NTLM so I could write a blog post on Pass the Hash
Attacks.  I know this is well covered territory, but I never found a
paper that covered all my questions, so I figured I’d do it myself.
Much of my research was done by reading the protocol details on Eric
Glass’s exhaustive page on the topic. I’ve found no better source for
understanding the protocols.

That’s when I stumbled across this: (Bold added for emphasis.)
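
Added example, not part of the original post: the four handshakes named earlier (LM, NTLM, NTLM with session security, NTLMv2) can be told apart from the client's NTLMSSP Type 3 message, so a defender can flag clients still sending the three weak ones. Field offsets follow the published NTLMSSP message layout; `classify_type3`, `build_type3`, the client names and the sample bytes are constructed for illustration.

```python
import struct

SIG = b"NTLMSSP\x00"
FLAG_SESSION_SECURITY = 0x00080000  # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
WEAK = {"LM", "NTLM", "NTLM with session security"}  # per the post: only NTLMv2 stands

def _field(msg, off):
    """Payload of the (len, maxlen, offset) security buffer at header offset `off`."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[start:start + length]

def classify_type3(msg):
    """Name the handshake carried by an NTLMSSP Type 3 (AUTHENTICATE) message."""
    if len(msg) < 64 or msg[:8] != SIG or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP Type 3 message")
    lm, nt = _field(msg, 12), _field(msg, 20)
    flags = struct.unpack_from("<I", msg, 60)[0]
    if len(nt) > 24:          # 16-byte HMAC plus a variable-length blob
        return "NTLMv2"
    if len(nt) == 24:         # three 8-byte DES blocks
        # With session security the LM field is an 8-byte client nonce + 16 zero bytes.
        if flags & FLAG_SESSION_SECURITY and len(lm) == 24 and lm[8:] == bytes(16):
            return "NTLM with session security"
        return "NTLM"
    if len(lm) == 24:
        return "LM"
    raise ValueError("no LM or NT response present")

def build_type3(lm, nt, flags=0):
    """Constructed sample message: 64-byte header, all other fields empty."""
    hdr = SIG + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", len(lm), len(lm), 64)
    hdr += struct.pack("<HHI", len(nt), len(nt), 64 + len(lm))
    hdr += struct.pack("<HHI", 0, 0, 64) * 4   # domain, user, workstation, session key
    return hdr + struct.pack("<I", flags) + lm + nt

# Constructed samples (filler bytes, not captured traffic).
SAMPLES = {
    "client-a": build_type3(b"\x11" * 24, b"\x22" * 24),
    "client-b": build_type3(b"\x33" * 8 + bytes(16), b"\x22" * 24, FLAG_SESSION_SECURITY),
    "client-c": build_type3(b"\x44" * 24, b"\x55" * 16 + bytes(28)),
    "client-d": build_type3(b"\x11" * 24, b""),
}

if __name__ == "__main__":
    for host, msg in SAMPLES.items():
        kind = classify_type3(msg)
        print(f"{host}: {kind}{'  <-- weak' if kind in WEAK else ''}")
```
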
