Hashes and the Security Account Manager

Sunday, October 24, 2010

bitraptor

The Security Account Manager (SAM) is a database present on servers and workstations running Windows that stores user accounts and security descriptors for users on the local computer, or over the network when Active Directory is used.

As you probably already know, Windows saves your user password in something called the SAM Database.

It can store it using two different password representations, or "hashes": the LAN Manager hash (LM hash) and the Windows NT hash (NT hash).

They are both 16 bytes in length. NT hashes are considered to be reasonably secure, but unfortunately LM hashes are not, and are vulnerable to brute-force and precomputation attacks such as "rainbow tables".

The Security Account Manager (SAM) database stores local user account information, including user passwords in hashed form.

However, the system key that's used to encrypt the database is stored on the local machine. This poses a security risk because a hacker might be able to access the encryption key and decrypt the database.

Windows passwords are based on the Unicode character set, and the NT hash is sometimes referred to as the "Unicode hash" because it supports the full Unicode character set. This password is case sensitive and can be up to 128 characters long.

The one-way function (OWF) version of that password is also known as the Windows password OWF. It is calculated using the MD4 message digest algorithm (designed at RSA by Ron Rivest).

The algorithm produces a 16-byte digest from the variable-length bytes of the unencrypted password text. To summarise the two formats: LM hashes are case insensitive and DES-based; NTLM hashes are case sensitive and MD4-based.

NT stores user information, including encrypted versions of the passwords, in a file called 'SAM', usually found in \windows\system32\config. This file is a part of the registry, in a binary format previously undocumented, and not easily accessible.

There is, however, a way to make the SAM a little more secure.

Microsoft provides a utility called SysKey that you can use to secure the system key by moving it to a different location or setting a password that will be required for Windows to decrypt the key and access the SAM database.

Here's how to use SysKey on a Windows NT 4.0 (does anybody still use it?), 2000, XP, or Server 2003 computer:

  • Choose Start | Run, type cmd, and click OK to open a command line window.
  • At the command prompt, type syskey and press [Enter].
  • A dialog box appears with a warning that once you enable encryption, it can't be disabled. Click the Update button.
  • The Startup Key dialog box appears. To set a password, select the Password Startup option button, and then type and confirm a password to be entered when the system starts up.
  • If you don't want to require the entry of a startup password, click System Generated Password.
  • If you want to move the key off the local disk, click Store Startup Key On Floppy Disk. Insert a floppy disk, and then click OK.

Note: If you choose to store the key on a floppy disk, make a backup (or two) of the disk.

Also note that when you implement SysKey security, you'll have to enter the startup password or insert the floppy disk to start Windows, so it's very important that you don't forget the password or lose the disk.

Also, note that you won't be able to start the computer remotely unless someone is present at the console to type the password or insert the floppy disk.

Important: In Windows Vista and 7 the LM hash is automatically set to disabled by default.

I agree that the SAM is far from perfect, but the real problem lies in the way these two concurrent hashes store the passwords. The LM hash is an old method created by Microsoft prior to the Windows NT family, and although Windows NT, 2000, and XP use the NT hash, they still keep the old-style LM hash as well, so two concurrent hashes of each password are stored.

There are various tools spread all over the internet that are purpose-built to crack Windows hashes in a matter of minutes, and yes, some of them in seconds!

True, I was forgetting the biggest problem of all: the human factor. If it weren't for that, there would be no security flaws, and no bad or good hackers either, would there?

For instance, one could just set a 15+ character long password and rest in peace. Why don't we do it? Well, this is another chapter of the human cyber history.

There are a lot of tools around that are specifically made to break these hashes; I would mention Ophcrack, pwdump and Offline NT crack as pretty good tools for accomplishing this task.

These programs are able to extract NTLM and LanMan hashes from a Windows target, regardless of whether SysKey is enabled. They can also display password histories if they are available.

The newest, accurate (and fast) online tool for this purpose is the 'Objectif Sécurité' service, which amazingly cracks any password of 14 characters or fewer in seconds.

Please, refer to Dan Dieterle's article on cracking using Objectif Sécurité. All these tools use the cracking technique called "Rainbow tables".

Hopefully you'll ALWAYS use passwords of 15 or more characters on Windows systems, mixing lower and upper case letters with numbers and special characters. This makes the system hard to crack even with the cutting-edge cracking tools available nowadays.
