Optimized Attack for NTLM2 Session Response (PowerPoint presentation, transcript)

Original file metadata: title "LM authentication", author seki, created 2004-09-03, 53 slides.
1
Optimized Attack for NTLM2 Session Response
  • Daiji Sanai, Hidenobu Seki (SecurityFriday.Com)
  • 2004.10.15

2
ReadMe
  • ????

3
????????
  • Windows?????????
  • Windows??????????
  • Windows?????
  • ????????
  • ????????????
  • NTLM2 Session Response
  • ???????????

4
? Windows ?????!
  • ?????????
  • ???????
  • POP3?FTP?HTTP?TELNET.....
  • Windows?????????????????????????!

5
?????????????
  • ????......??!
  • ?????????
  • ????????????????
  • ??????????????????
  • ?????????????????

6
?????????(??)
  • ????????
  • ???????????????????????
  • ?????????????
  • ??
  • ???
  • ?????????????
  • ????
  • ?????

????????!
7
??????????
  • Windows????????????????
  • ?????????
  • SAM (Security Account Manager)
  • ?????????
  • Active Directory

8
?????????????
  • Windows 9x/Me
  • ???????????????(RC4)
  • PWL????
  • Windows NT/2000/XP/2003
  • LM?????NTLM????

9
LM ????
  • ??????????????DES???
  • ??????14????
  • 7??????????
  • ????????????
  • ????????????7?5???

10
NTLM ????
  • ??????MD4??????
  • ??????127??????
  • ??????????
  • 7?????????
  • ???8

11
???????????????
  • LM ??
  • NTLMv1 ??
  • NTLMv2 ??
  • NTLM2 Session Response
  • Windows Kerberos

12
LM ????
[Diagram: LM response. The password (case-insensitive, padded to 14 characters and split into two 7-byte halves) is used as DES keys to encrypt the constant "KGS!@#$%" (rendered as KGS!_at_ by the extractor), giving the 16-byte LM hash; the hash is split into three DES keys, each encrypting the 8-byte server challenge (A), giving three 8-byte output blocks.]
13
LM ?????
  • LM ????
  • ????????????7?5???
  • ??????7?????8??????????
  • ??????????????????
  • ??????????????

14
NTLMv1 ????
[Diagram: NTLMv1 response. The password is encoded as Unicode and hashed with MD4, giving the 16-byte NTLM hash; the hash is split into three DES keys, each encrypting the 8-byte server challenge (A), giving three 8-byte output blocks.]
15
NTLMv1 ?????
  • NTLM ????
  • ??????????????????
  • ??????????????
  • ????
  • DES?????????????? 256 ?7??

16
NTLMv2 ????
[Diagram: NTLMv2 response. The NTLM hash keys an HMAC-MD5 over a second input (garbled on the slide; in NTLMv2 it is the user and domain names) to derive a 16-byte key; that key is used in a second HMAC-MD5 over the 8-byte server challenge (A) and the 8-byte client challenge (B), and the client sends (B) along with the result.]
17
NTLMv2 ?????
  • NTLM ????
  • DES ?????
  • ??????????????
  • ?????????????????
  • ?????????/?????????????
  • ????/???????????????????
  • ???????????

18
Windows Kerberos ????
[Diagram: Windows Kerberos with the RC4-HMAC encryption type. Labels recoverable from the slide: a 16-byte value (A), a 36-byte value, RC4, two HMAC-MD5 steps, the constant 1, and the NTLM hash as the base key.]
19
Windows Kerberos
  • NTLM ????
  • DES ?????
  • ??????????????
  • ?????????????????
  • ???????
  • ????(??????)??????????
  • ???????????????

20
Windows ????
                         LM              NTLMv1          NTLM2 session response  NTLMv2    Windows Kerberos
Password case sensitive  No              Yes             Yes                     Yes       Yes
Hash algorithm           DES (ECB mode)  MD4             MD4                     MD4       MD4
Hash value length        64bit + 64bit   128bit          128bit                  128bit    128bit
Client challenge         No              No              Yes                     Yes       Yes
Response key length      56/56/16bit     56/56/16bit     56/56/16bit             128bit    128bit
Response algorithm       DES (ECB mode)  DES (ECB mode)  DES (ECB mode)          HMAC_MD5  HMAC_MD5 + RC4
Response value length    64bit x 3       64bit x 3       64bit x 3               128bit    36byte
21
OS??????????
????????? LM NTLMv1 NTLM2 session response NTLMv2 Windows Kerberos
9x/Me ?? ? ?
NT4.0 LM/NTLM ? ? ?
2000 LM/NTLM ?SP2 ? ?SP2 ? ? ?SP3 ? ?
XP LM/NTLM ? ? ? ? ?
2003 LM/NTLM ? ? ? ? ?
22
? Windows ??????
  • ????????
  • ????????????
  • ?????????
  • 7???????(LM?????LM??)
  • ?????(LM?????LM??)
  • ?????????(LM?????NTLM????)

??!
???????????????????
23
?????????
  • ?????????????????
  • ???????????????????
  • ???????????

24
Rainbow Table
  • ????????????????
  • ??Windows????????
  • ???????????????????????????????
  • ????
  • ???????????
  • ????????LM/NTLM????????

25
Rainbow Table???
  • RainbowCrack??
  • LM ????
  • ???????806?(???)/7?5??(???)
  • ??????????? 5?/2?
  • ?????? 3GB/119GB
  • ???? 20???(????????2??)/ 13???(????????1???)

26
?????????????
  • ????????????????????????
  • ?????????????????

???????
27
??????????????
  • ????????
  • ScoopLM/BeatLM
  • Cain
  • LC (L0pht Crack)

28
LM ??????????????
  • 2???????????
  • ???????
  • ????????????7?5???
  • LM???????!

LM???????????
29
Rainbow???????????
  • LM/NTLM????????????????
  • BugTraq???(2004/9/14Urity)
  • ???????????????
  • NTLMv1??Rainbow??????
  • ??????????????????
  • NTLMv2 ??
  • NTLM2 session response

30
? NTLM2 session response
  • ?????????????
  • Windows 2000???
  • Windows 2000 SRP1?????????
  • SRP1?SP3?????????
  • Windows XP/2003?????????
  • ???????????????????
  • ????NTLMv1???

31
NTLM2 session response
  • Eric Glass??2003?7????
  • ???????????????
  • Eric Glass???????????????????????
  • ?????????
  • ???????(Eric Glass??????)NTLM2 session response

32
? NTLMv1 ????
[Diagram: NTLMv1 exchange, simplified. The server sends the 8-byte challenge (A); the client answers with the response computed from the NTLM hash.]
33
? NTLM2 S.R. ????
[Diagram: NTLM2 session response exchange. The server sends the 8-byte challenge (A); the client picks an 8-byte challenge (B), computes (C) = MD5(A || B) truncated to 8 bytes, and sends (B) together with (D), the DES-based response computed from (C) and the NTLM hash.]
34
??????
  • NTLM2 session security??????
  • LMCompatibilityLevel??????????
  • ?????????????
  • ?2000???? Gold???
  • ???????????????????????????????
  • ?NT???????????
  • ??????????????

35
????????
  • ??????????????
  • Rainbow Table???????
  • ???????????????
  • Cain???????????????
  • ??????????????????
  • ????????!

36
? NTLM2 S.R.???????
37
???2???
[Diagram: the attack, step 1. (C) is the first 8 bytes of MD5(A || B); the NTLM hash (16 bytes, MD4 of the password) is split into DES keys of 7, 7 and 2 bytes, each encrypting (C) to give one 8-byte block of (D).]
38
???2???(2)
[Diagram: the attack, step 2. The third DES key is only the last 2 bytes of the NTLM hash, so it has 65536 possible values; trying all of them against the third 8-byte block of (D) recovers those 2 bytes, which then select one of the 65536 buckets of the precomputed DB.]
39
???????????
????? AAAAAAABBBBBBBCCCCCCCDDDDDDDEEEEEEEEFFFFFFFF
NTLM???????
65536??
40
2????DES????????????
?0.1?
41
?????DB???
?????????(NTLM????)
[Diagram: DB layout. Each NTLM hash xxxxxxxxxxxxxxxxxxxxxxxxxxxxABCD is filed under its last two bytes (ABCD); the DB has one bucket per value from 0000 to FFFF, 65536 in all.]
42
?????DB???
????(Pentium 4 2.5GHz) ????(Pentium 4 2.5GHz) ?????? DB???
Cain ??? ?????? DB???
24?? 2? 735? 180GB
7? 8? 5141? 1.3TB
14? 14? 1?282? 2.5TB
30? 30? 2?2032? 5.6TB
3?? 1?? 6?6096? 17TB
6?? 3? 13?2192? 34TB
1? 6? 26?8056? 68TB
43
???????????????
  • ????8???? 2171?
  • ?(??)???6???? 7430?
  • ?(??)?7???? 3?6??
  • ?(??)8???? 54?
  • ?(??)???7???? 71?
  • ?(??)?8???? 222?

44
??????????????
  • ?????????????
  • ???????????????????
  • 3?????????????????
  • ??????????????
  • ????????????????

45
?????????????
  • ?????????????????
  • ???????????
  • ??????????????
  • ?????????
  • ???????
  • ??????????????

46
???????????
  • ???????????????
  • ???????????????
  • ???????????????
  • ????????????????
  • ?????????????
  • ???????????????

47
???????
  • ??????/?????????
  • ??????????????
  • ????????????????????
  • ???????????????????
  • ??????????????
  • Me, XP, 2003????????
  • Microsoft KB256248, KB276322, KB320138

48
?????????2
  • Windows XP SP2????
  • Windows ????????????
  • ?????????????????
  • ?????????????????

49
??????????????
  • 7?????????????
  • ????????????
  • SMB??????????????
  • <img src="file://\\www.xxx.yyy\zzz">
  • ????????????
  • NT?????????LM?????

50
?????
  • ??????????????????????
  • WebClient service in Windows XP
  • ????????????????????
  • IIS.doc
  • 2004.9.3 ??
  • 2004.9.6 ??????????
  • ??????????????????????
  • 2004.9.27 NTBugTraq???

51
? ? ?
  • ??????????!
  • ??????????????????
  • LM ???????
  • ?????????????
  • ????6???????
  • 13???????????(?)

52
???
  • ?????????????
  • LM?????LM?????!
  • NTLM?????NTLM??????!
  • ???
  • ??????????????????