NT / LANMAN Password Security Discussion
by Brian - 1/1/01
First, let me start by offering thanks and giving credit where credit is due. The guys at the L0pht were the original individuals to
identify Microsoft password security problems and are the developers of the tool L0phtCrack. This paper will attempt to highlight and
reinforce the need for security awareness in user password selection.
Second, let me state that it is imperative that the passwords users select are not easily guessable. You do not want to give an attacker
easy access to your system so they can attempt to escalate their privileges. With a non-guessable password, attackers should make
some noise in the security audit logs of the system. This noise will provide information to system administrators and enable them to
implement, or verify, alternative defenses that prevent a system compromise.
Now let's get into the details of the topic.
LANMAN authentication must be active on NT and Win2K Domains in order to have backward compatibility for Win 95 and 98 systems. I
have been informed that there are some 3rd party software products on the market that require LANMAN authentication, but I do not
have personal experience with any. So, unless you have a pure NT or 2K network, LANMAN authentication must be enabled. Microsoft
will tell you NT LANMAN passwords can be up to 14 characters in length. In reality, as the L0pht has identified, the 14 characters
are really two 7-character passwords, encrypted separately and concatenated to make the so-called 14-character password. Passwords shorter
than 14 characters are filled with spaces to complete the 14-character requirement. All of this can be verified by examining the password
hashes of several passwords that are less than 8 characters in length.
Example:

NT Password    LANMAN Equivalent
tiger          C6E4266FEBEBD6A8AAD3B435B51404EE
12345          AEBD4DE384C7EC43AAD3B435B51404EE
SECTION        5F34F69EB965B8E3AAD3B435B51404EE
SYNERGY        CE910CFA90B123F9AAD3B435B51404EE
As you can see, the password hashes have identical endings. This is the encryption of the padding spaces that complete the 14 password
characters. It also makes it easy to identify where the break in actual password length falls: as soon as a user selects a password
greater than 7 characters, the back half of the LANMAN hash changes.
Example:

NT Password    LANMAN Equivalent
Player24       DD4B68A4219ED226FF17365FAF1FFE89
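The constant second half seen above is something a defender can check for directly when auditing a hash dump, without cracking anything: a second half equal to AAD3B435B51404EE means the password is 7 characters or fewer, and a hash made of two such halves is an empty password (or an account with no LANMAN hash stored). The following audit script is an added example and is not from the original article or from the L0pht tools; the dump layout (user:rid:LM hash:NT hash:::) is the pwdump layout and is assumed, the usernames are constructed, the NT hash column is a placeholder, and the LM hashes are the ones shown in the article.

```python
"""Audit an LM hash dump for structurally weak entries (added example).

The LM hash is two independently encrypted 7-character halves.  When the
password is 7 characters or shorter, the second half encrypts padding only
and comes out as the constant AAD3B435B51404EE, which is exactly the tail
of the article's first four hashes.  Both halves equal to that constant
means an empty password or an account whose LM hash is not stored.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# LM encryption of an all-padding half (from the article's hashes).
EMPTY_HALF = "AAD3B435B51404EE"
HEX32 = re.compile(r"^[0-9A-F]{32}$")

# Constructed sample dump in pwdump layout (assumed): user:rid:LM:NT:::
# Usernames and RIDs are made up; the NT column is a 32-zero placeholder
# because the article shows no NT hashes; LM hashes are from the article.
NT_PLACEHOLDER = "0" * 32
SAMPLE_DUMP = "\n".join([
    "# user:rid:LM hash:NT hash:::",
    f"tiger_user:1001:C6E4266FEBEBD6A8AAD3B435B51404EE:{NT_PLACEHOLDER}:::",
    f"num_user:1002:AEBD4DE384C7EC43AAD3B435B51404EE:{NT_PLACEHOLDER}:::",
    f"section_user:1003:5F34F69EB965B8E3AAD3B435B51404EE:{NT_PLACEHOLDER}:::",
    f"synergy_user:1004:CE910CFA90B123F9AAD3B435B51404EE:{NT_PLACEHOLDER}:::",
    f"player_user:1005:DD4B68A4219ED226FF17365FAF1FFE89:{NT_PLACEHOLDER}:::",
    f"blank_user:1006:{EMPTY_HALF}{EMPTY_HALF}:{NT_PLACEHOLDER}:::",
])


def split_lm(lm_hex: str) -> Tuple[str, str]:
    """Return the halves covering password positions 1-7 and 8-14."""
    lm = lm_hex.strip().upper()
    if not HEX32.match(lm):
        raise ValueError(f"not a 32-hex-digit LM hash: {lm_hex!r}")
    return lm[:16], lm[16:]


def classify_lm(lm_hex: str) -> str:
    """Classify password length from the hash structure alone."""
    first, second = split_lm(lm_hex)
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return "blank or no LM hash"
    if second == EMPTY_HALF:
        # Only the first half carries password material: at most 7 chars.
        return "at most 7 chars"
    return "8 to 14 chars"


def audit_dump(dump: str) -> List[Dict[str, str]]:
    """Classify every account line in a pwdump-style dump."""
    findings = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        user, lm = fields[0], fields[2]
        try:
            verdict = classify_lm(lm)
        except ValueError as exc:
            verdict = f"malformed ({exc})"
        findings.append({"user": user, "lm": lm.upper(), "verdict": verdict})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count accounts per verdict, for a quick policy report."""
    return dict(Counter(f["verdict"] for f in findings))


if __name__ == "__main__":
    results = audit_dump(SAMPLE_DUMP)
    for f in results:
        print(f"{f['user']:<14} {f['lm']}  {f['verdict']}")
    print(summarize(results))
```

Accounts reported as "at most 7 chars" have only one 7-character half of real password material to protect them, which is the weakness the rest of the article builds on; "blank or no LM hash" entries are either empty passwords that need immediate attention or accounts where LANMAN storage is already off.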
Another problem with LANMAN encryption is that all lower case alpha characters are converted to upper case. The examples below show how
3 different forms of the same word translate into identical LANMAN passwords.
Example:

NT Password    LANMAN Equivalent
password       PASSWORD
PASSWORD       PASSWORD
To counter this problem, Microsoft developed NT Passfilt, a password filter DLL designed to force users to create strong passwords. Not a
bad idea in theory, but I believe they missed their objective by not enforcing character content within the 14 positions of the
password. NT accepts 4 types of characters for use in password selection: upper case alpha, lower case alpha, numeric, and special
characters. Passfilt requires users to use at least 3 of these 4 types when generating passwords. (Remember: Administrators can
bypass passfilt requirements from the console, and passfilt is not enforced on local workstations.) The examples below show passwords
that meet passfilt content requirements but are easily cracked.
Example:

NT Password    LANMAN Equivalent
Password1      PASSWORD1
A123123a       A123123A
The NT password has 3 character types (upper and lower case alpha and numeric), but when converted for LANMAN authentication the
password content is reduced to an alpha and numeric password. Even without a dictionary attack, these passwords can be cracked in a few
hours.
Obviously, you need special characters in the password content to make it more difficult to crack. Correct? Yes and no! Yes, you
need special characters in the password, but no, that is not the complete answer. Typically, numerous people in an organization (at
least in every SAM file I have obtained) just add numeric and special characters to the end of a dictionary word. Although this will
satisfy passfilt and make it hard to randomly guess the password, it is not safe from a quick L0phtCrack attack. The example below
is apparently from a Redskins fan who emphatically likes the player with number 30.
Example:

NT Password          LANMAN Equivalent
Redskins30!          REDSKINS30!
                     REDSKIN S30!
Character positions  1 - 7   8 - 14
So what's wrong with the password? The person used all 4 character types, so the LANMAN password contains alpha, numeric and special
characters. However, if we break the password at the 7th position, the first half of the password is a dictionary word. The second
half of the password is only 4 characters, a 1 - 10 minute brute force effort that yields the complete password.
Below is an example of someone who tried to use a misspelling of a dictionary word to create a strong password. Although no part of
this password was cracked with a dictionary attack, the password was brute forced quickly.
Example:

NT Password          LANMAN Equivalent
Advizors@1           ADVIZORS@1
                     ADVIZOR S@1
Character positions  1 - 7   8 - 14
Yes, all passwords can be cracked with a brute force attack. But we (the attackers) want to be more efficient and don't like to wait
very long for access. So, how did I crack the password above overnight?
1. Start by using the hybrid dictionary attack option in L0phtCrack. This will crack all dictionary words and all dictionary words
with 1 or 2 numeric or special characters added to the front or back of the dictionary word.
2. If that step fails to get the password you want, start a brute force attack with all of the special characters and let it run for
5 - 8 hours. At that point, you will probably have the second half of the passwords that are 1 - 5 characters (8 - 12 total password
characters) in length.
3. Check to see if the second half of the password you want, or any, has been cracked. They should be easily identifiable. Remember
L0phtCrack will put 7 "?" in the part of the password that has not cracked (ex: ???????*1 or ???????&B19 )
NOTE: From the examples in step 3, we can see the users placed numeric and special characters at the end of their passwords. So,
what are the odds that the front half is straight alpha? Probably 50-50.
4. Stop L0phtCrack.
5. Save the file and make a backup copy.
6. Change the brute force options to use only alpha characters for the brute force attack. This will speed things up. If you are
going to let L0phtCrack run over night, you may want to select the alphanumeric brute force option.
7. To really speed up the cracking process, save the file again and exit L0phtCrack. Now, edit the ".lc" file. Change the first line
of the file to "LastBruteIteration=??AAAAA" for alpha, or "LastBruteIteration=??11111" for alphanumeric. When you start cracking
again, you will start at 7 character alpha or alphanumeric instead of 1 character.
8. If you are really impatient, you can copy the ".lc" file to another machine with a licensed version of L0phtCrack (after all the
guys at the L0pht need beer money). Change the first line of the ".lc" file to "LastBruteIteration=??MMMMM" and if you selected the
alpha only option, you just cut your time in half. Wonder how long it would take if you had 10 or more systems going at the same
time starting at different parts of the brute force cycle? Hint...hint
So what is the correct answer for password content?
1. As soon as operationally possible, disable LANMAN authentication.
2. Implement passfilt. It may have flaws, but it is better than nothing and will cause numerous failed login entries in audit logs.
3. Don't let anyone get your SAM file, repair directory SAM file, or password hash.
4. Administrators, don't set up new accounts with generic, easily guessable passwords.
5. Don't use plain dictionary words in your password content.
6. Use alpha, numeric, and special characters in the first seven characters of your password.
7. Educate users to use the above recommendations.
8. Use a password cracking utility monthly to check password strength. Only use a straight dictionary attack. If you have to use the
hybrid or brute force crack options, then the user probably has a non-guessable password. Once the passwords are non-guessable, it
is up to the administrators to identify the failed login attempts and take corrective actions.
9. Administrator (both domain and local) passwords should meet stronger standards. Think about it. How often are the local
administrator passwords changed on user workstations? Probably never. So how long does this give me to crack the password?
10. Users should be required to change their passwords at least once every 90 days. Administrator passwords, including local
administrator passwords, at least once every 30 days.