G1234! - Anatomy of NTLMv1/NTLMv1-SSP - Evil Mog

dustings gonna present for us so welcome to him unless let's watch the Dalton alrighty so hello everybody today we're gonna do a riveting anatomy of ntlm version 1 and ntlm version 1 SSP and how this talk came about first of all through the standard disclaimers um so I'm evil MOG I'm ashy nannygate err I'm at church Wi-Fi bishop I'm a doer of stuff and I pretend to be on team hash cat once in a while so disclaimers big blue sort of has knowledge of this talk they neither endorse nor condone it opinions expressed or mine and mine alone nor warranty express or implied I'm not responsible for burn down your house because of your hash cat cluster

the code is not guaranteed to work and I like to steal from Stack Exchange my walkthroughs are sketchy at best please consult the fall head professional before attempting this on your own this is not Python version 3 compatible do not send me a pull request to make it Python 3 compatible because I don't care my code is terrible I steal from Stack Exchange and all the hard work was done by others I just packaged it somewhat prettily so first of all who here knows what an ntlm version 1 challenge is very few of it ok so a lot of us use responder on the network once in a while and nor to break into a networked

responder tends to go extract hashes ntlm version 1 was a challenge response format that would have been used a lot on Windows 2000 Windows XP and occasionally we see it on networks they'll see it shows up as ntlm version 1 responder because it says ntlm version 1 now how this talk came about was I gave a talk at Derby con two years ago on this exact same subject only it was missing a lot of critical information in fact Fisher Mini asked a couple of questions asking how I made this thing actually work so the gist of this is you can take an ntlm version 1 challenge and you can reverse it to ntlm without actually cracking the password no matter

the password length now I got a little bit lazy and I decided to code a tool so we can automate the heck out of this and then give some real information as to how to actually do this in the real world so in this example we're running responder using Python responded up he why give an interface name we use the tactic LM field you know - FW RP and it comes back with this nice shiny little ntlm challenge now if you don't use the - - LM it manuals the challenge and puts a whole whack load of zeros which can't be used to pass directly in - gets so what we're gonna go through is what we're

actually looking at when we talk about these challenges so yeah okay so the anatomy of ntlm version 1 and version 1 SSP is the actual ntlm pack you get back version 1 it's separate in a number of fields field number 1 is gonna be your username in this case it's hash cat which is right if I had a point I make this easier but our top line there you'll see hash cat you'll see Dustin - whatever you'll see the ntlm or the land man response and you will see the NT response along with a client challenge so I got really really lazy and I decided to make a multi-tool to automate your use of pennant or automate things

with your pen testing so basically what we've got here is an ntlm multi-tool that will take and ntlm version 1 hash and output your challenge files that you need to pass the hash cat for use about 14,000 and return the DES keys that can be convertible into an ntlm hash we also wrote a tool to convert deal of SSP so when you don't use the - - LM + e slowly to reverse things it calculates your server challenges for you correctly and then because I'm really lazy and I did to verify my code actually worked I kind of wrote a ntlm Tedeschi calculator on the plane was drunk cos realized on my code works so give a medic to steak so I

made the tool to go validate my stuff was actually functioning so in this case we're gonna walk through how this tool actually works so we've extracted an ntlm without SSP hash and that's this hash cat Dustin 5/8 it right at the top you feed it into my tool using Python ntlm version 1 use tack - no SSP any paste in the hash what it does is it'll split up the hash into various fields for you it'll tell you the username of the name username the challenge land man responds and tell'em the NP response CT 1 CT CT 3 you can ignore all that stuff the important part is it will spit out or was it here there we go

bear with me I did read on my slides so it goes further into telling you how to calculate the last four characters of an Intel M hash now for those of you who haven't read Moxie Marlinspike some paper with a lot of the stuff is derived from an ntlm version one challenge is effectively three des keys those three does keys are made up of your ntlm hash now because of a bunch of padding the final four characters of ntlm hash can be calculated in real time without brute forcing using tool to add in rope called ct3 to ntl end up in now a lot of people have been saying well how does this work because we see SSP so

I wrote some tooling that basically just gives you the commands to run in your from your Calley box since that's what this tools output is it's showing to calculate Philosopher's characters you type this command so for example you want to go crack these ntlm keys part of the tools output is make it - cat challenge file so if the first half of your CT won your challenge and then the it outputs the hash cat command you want to go execute now this on a regular rig would take about seven days to return at the most in most case of both three I'm saying a GPU rig but you have things like skip and limit to split up across

multiple nodes so this is all the stuff from my previous talk that actually largely worked without any actual bugs where things came into problems was when you apply SSP because the land man response starts getting overwritten with a whole bunch of zeros and you have to go manually recalculate so for example now we're going to crack our hash so I'm gonna rewind this a little bit to give back some theory what you can do with this hash cat file is there's a DES mode 14000 which is basically generic DES cracker what this cracker is is basically you have the plaintext and you have the cipher text so it's a known ciphertext attack it derives the DES

keys which basically make up the ntlm challenge so you can effectively grab into LM version 1 and cracked with your GPUs or past a cracked-out SH grab the hash out and pass around the network without ever knowing what the password was so that's all this is effectively doing so it automates a number of components so tells us hey like we've managed to crack these hashes now once you've got these two challenges or this hash cracked the DES Keys it outputs in hash cat are not directly usable at all period what you need to do is you need to convert those into an ntlm key thankfully Adam wrote a tool and Perl that I still to this day have no idea

how it works PZ looks like it's you know C like Perl and Jeremy because we crap all the time because I I'm a Python weenie instead of a pearl weenie but you know friendly ribbing so you crack this hash the two des keys out you know looks like 89 23 BD this ugly hex format you run it through the Perl tool gives you a you know 88 46 47 if you first half your second half you'd have your old put from ct3 to ntlm DUP in using the final part you have password fairly straightforward ntlm version will respond or returns that we've been doing for the last two years this stuff is all known the problem is

when you have SSP involved so during my testing like I said I couldn't get any of my code to work and I was on an airplane because things like SSP weren't operating I didn't have access to my cluster at the time so I had to go read up how it converts ntlm keys to DES so I wrote a Python tool for that as well so you can take an arbitrary ntlm hash spit it through the tool it'll put the expected output from hash cat so you can verify your tool chains working when you're reversing ntlm version 110 TLM SSP so makes things little easy now SSP here's the part that we all actually care about SSP l happen in most modern

environments when you haven't used the - - LM in responder and quite often when you're trying to reverse ntlm version one - ntlm and you'll paste your NT hash into crack that sh for example and it comes back with an uncrackable hash the reason for this is the client challenge gets overwritten in SSP or modified rather with the combination of I'll go into the code here in a second action my next slide but basically it gets modified so you can't use this technique anymore so if you use the 1 1 two 2 three 3 four 4 five 5 six 6 seven 7 eight 8 client challenge none of your stuff will reverse on the FPGAs and you're kind of

crap out of luck so let's get into the actual code of this if you look at an SSP hash the first field on this is obviously the host name second field is gonna be our username or gonna be blank third fields our username the fourth is this NT or is this land man response with all these zeros so what we're effectively doing is we are taking the client challenge and the first 16 characters of the land man response combining them together running those through md5 to recalculate your server challenge and spit you out the actual values you need to feed into hash cat and this does it all automatically now for you so you don't need to calculate

the stuff in your head or pull it some other dodgy scripts searching around for tooling to do this and I couldn't find out as even doing tooling we haven't published how this actually worked till I found some random website from 2003 or for those writing about it and I had to go figure out how this code worked so what you do is you take your Python run it through you run run my script ntlm version 1 s SP use tak-tek s SP paste you ntlm version 1 response and it'll spit out your land man response your NT response your client challenge and your modified server challenge it'll tell you how to crack the final 4 characters of the ntlm

hash using CT 3 to ntlm you know in this case so it puts the end 58 6 C it spits out your hash cat challenge files for you so you just make a file called hashes txt crack with hash cat using hash kam 14,000 attack mode three character sets des full character set the - - hex character set hashes dot txt and then your question 1 in attack bath format it tells you what happens use copy and paste this into your terminal wait seven days or three days or a day in my case with how much you were throwing at it gives you back your response in dollar Tex run it through your perl component to

convert your des key to ntlm and voila we have ourselves an ntlm hash because part one is the 88 part two is that 17 ad final apart there is 58 6c and we are good to go so in summary until M version 1 is broken you should never ever use it and if you do you should feel bad number 2 ntlm version 1 can be reversed to ntlm hashes and now we have tooling so used copy and paste and hit a couple of buttons as opposed to manually reading all my white papers and how to do this and not understand my terrible blog posts the other important part though that people should care about is ntlmssp

will stop you from using the cracked up Sh rainbow tables you know you have to pay your twenty bucks if you see SSP in play so whenever possible use - - LM instead of static challenge of one 1 two 2 three 3 four 4 five 5 six 6 seven 7 eight 8 when you're a pen tester the problem with this and is what kills everybody is semantically number the Avs out there start picking up static client challenges so you start getting popped left right and center so the car cloud Sh rainbow tables aren't exactly working effectively so that's why I wrote this tool it's I got tired of dealing with this manual AIDS to make life easy now my code is

terrible I do accept pull requests just please don't run an automatic Python 3 eff fires on my code because it messes with the bitwise math I see one more pull request I will track you down and initiate you into the Church of Wi-Fi and that is effectively this rapid whirlwind talk I apologize it was ultra quick and there will be tons of questions because I flew through this so fast so I'm going to open up to the floor

yeah absolutely so the question was can I give a technical description of what the - - LM flag does so in the original ntlm version one without SSP there's a land man response portion and an ntlm response portion with the client - so your um your response is gonna look like where am I here that's nice and good know SSP but let's get back to here so your response is gonna look like this again you have your first field and this is your hash cat so it requests the ntlm response format using - - LM in responder so it gets you a complete hash and it manages to not activate SSP when you omit D - - LM it changes your

response format to look like there's one with SSP I redid my slides I brought the wrong slide deck so I apologize it looks like this so you admit the - LM it basically zeroes out anything past the first 16 characters of your land man responds so you may just have to calculate out that missing data using the calculate a server challenge owed and that's what this basically does this figured out how the server challenge is working effectively unfortunately I see it about once a month and I do not want some of it once a quarter typically it's in environments that haven't turned off like these for the XP environment or Windows 2000 environment and they

haven't turned off the gpo flag so I've seen the Windows Server 2008 or 2012 r2 environment Windows 7 still running ntlm version 1 quite often though when they're running ntlm version 1 you really shouldn't be needing to go reverse to an ntlm because quite often they'll have things like SMB relay enabled or other bigger problems but I've had times when having to reverse an ntlm one back to ntlm actually works in production and the other random questions to go Haeckel cuz I know this is ultra quick and I apologize and there else Bueller Bueller everyone like - shiny little tool yes you know yes so there's a little bit misconception about ntlm and I'm gonna clarify it for this

because it's handy with ntlm you have ntlm the password storage algorithm then you have two versions of a challenge response mechanism to go authenticate along with Kerberos so when people say ntlm version 1 or ntlm version 2 they're really talking about hey I'm a client I'm talking to a server and it's a way of exchanging the ntlm hashed without actually exchanging the hash so until in version 2 for example is just part of the hash response component to it a lot of people places are going to curve row these days for example just to make things harder but the actual storage algorithm is ntlm and all ntlm is is a utf-16 encoded string run through md4

and no matter what were they using Kerberos or anything else windows will always store the ntlm password hash which is broken back in the 90s which is why it's so fast it's actually faster than md5 anybody else questions I'm sure there's got to be something I've got plenty of times anyone else sure with the previous talk blacklisting an ad and he was talking about sha-1 hashes in a day and and then so I'm confused with so ad doesn't actually use sha-1 at all period active directories will store two types of passwords stored in its database the first one it stores is land man which we've all disabled or we should have if you haven't you should

feel bad that's what you that's what the rainbow table attacks work well on then there's ntlm which is the newer one that's implemented in the 90s came wrote within or at nt4 if I remember correctly and that's MD for base that's the utf-16 encoded string so it doesn't use sha-1 in any way shape and/or form you we're all based off md for effectively then you have four challenges you have ntlm version one ntlm version two Kerberos with md5 HCA kmm v5h Mac and then Kerberos with AES keys and that's how Windows does is a fennec ation today oh and certificates so as so one follow-up question so he was talking about how you're checking against bad passwords

and you're downloading these tables and most these tables are hash with sha-1 that's why I'm confused how so the reason why is using sha-1 is a certain individual that's known and famous and I don't have no idea why ya published all those tables in sha-1 and there's a lot of garbage data in that data set I'm not slinging any mud I'm just saying a lot of garbage data in the data set and so a lot of people in their breaches will do it until I earn sha-1 I see sha-1 md5 md4 I mean these most things out there there's a variety of storage mechanisms the most popular one to be honest for years is md5 but I have

a funny feeling that the previous speaker he used his format because you could do a direct API call and do a look up against the have I been poned which uses show on one aspect of ntlm that i've encountered in environments is where the setting for the ntlm restrictions are different on domain controllers and they are on put on servers and clients yes can you I recall there being a reason for that but it's been years can you speak of that ability reasons way it works is you have there's two settings you said to control ntlm in an environment what is your complaint or your client compatibility the other one is your server compatibility so say for

example I'm upgrading to mandate and TLM or Kerberos across the board more specifically domain controller Z is there any legitimate reason you would have that setting differently on domain controller it depends if you have old legacy clients that you can't quite get away from so if say for example you're an old terrible bank running Windows XP on your ATMs or Windows CE and they may or may not be able to control how things are operating then your domain controllers you'd set for a better compatibility setting but if across the board you're migrating everything off then you the change now obviously you have to watch out for things like printers etc because once you change it

to require say and/or ntlm version 2 only and above you have to make sure everything is compatible so people will set their domain controllers to be the most compatible setting and now do you see any risks in that in the real world I mean I'll be honest you should be using ntlm version 2 in the environment anymore just with the amount of GPU power when you throw at things but in putting a pure Kerberos implementation with only AES key is rather difficult and breaks a lot of clients so the best compatible setting I've seen in enterprise is still ntlm version 2 and above version 1 should not be enabled and if you still have stuff that runs that you should be

yelling at your suppliers thank you anybody else yeah mingi here comes the roast a serious question and I have a heckle ok serious question first the DES Keys have you ever done a like large-scale analysis of the randomness to see if there's any I mean are they pure do they appear to be random do they is there any sort of obviously not a pattern to the DES but have you ever done anything like that that does keys we've noticed are purely correlated to the ntlm key all it is is that you take the ntlm key and it basically the ntlm mode is effectively a 56 bit key they have to pad out to 64 bit tech do your parity calculations so

that's what it does until them - des parity calculator is so finally the patterns on the ntlm then you can find the pattern that does good answer so now from my heckle were you implying that the old the big giant old ghetto bank that you used to work at uses into lmp1 on their domain controllers we may have at one point we changed it before I left you know you're on camera right yeah I know okay just making sure yeah we changed that about three or four years ago before I left and that Bank wasn't that get it wasn't a real Bank it was a financial institution anybody else I haven't seen directly from your cohort to your right there or

see your left to see what I had called too I've heard that when pen testers encounter like s crypt or bcrypt they just give up they say attack a different way can you force Windows to use those methods I don't really know man but fortunately not um the reason for this is because the way kerberos operates they need some kind of static key to initialize everything and if you have assaulted password you're not gonna be have your Kerberos actually function especially like their Microsoft version of MIT Kerberos the best I could see them doing and this is my humble opinion so I could be completely ass wrong is they could do something like a sha-512

unsalted for the backend but there's so much the windows core that's built around ntlm that they'd be changing this stuff for years and you know that time they did their changes would be 20 years from now and still dealings compatibility issues it took us 10 years to get it up at land man not even remotely not even remotely that's why they used challenge-response like that's why land man or ntlm version one came out in version two came out so you do an exchange with modified client challenges so when you monitor the client challenge on the server challenges its what kind of masks that gives like a one-time component to the exchange did not directly communicating the ntlm key

because once you get that key it's game over that's why pass the hash is so effective because you can go generate if you have an ntlm hash you can go generate an aes Kerberos ticket and just walk around the network using the existing cooler you just create the key that's everything is based on the Intel M hash you have that you own it there's oddly enough why we recommend people change their Kerberos ticket hash twice a year because if you don't you can forge tickets all day long after every time your system ends leave so those des keys that you discover those ever are the number one are they domain specific server specific and there is the

that hash would work across every environment so basically the des keys that are in there for if you want to go more detail into the research the guidance of the original research was Moxie Marlinspike it's all based off his paper the DES keys are effectively generated off the ntlm hash they take your ntlm hash you split it into three different chunks you run des across it and that's it so it's purely based it same cross a freedom and so their user specifically these are specific right down to the password now if you have two users with the same ntlm hash then their keys we say somehow that the same ntlm challenge those will be the same but if

the client challenge changes or SSP is involved and they won't look the same that's why you can't do address lookup but if the client challenge is the same you're using - - LM will show up the exact same every time anybody else dealer sure I know this is absolutely nothing to do with it what is your recommended blurring path for for Kerberos I all the reference materials I've seen stopped off in like 2004 you know and that's all the reference materials I've seen as well thing is Kerberos was built 20 years ago ish and they might have modified their their variant of it because it's a standard that you can't really mess with too much because everything speaks it

now you don't really have much optioned harden it I mean this Kerberos arming armor now that came out in Server 2016 there are the use of AES key instead of a md5 H Mac Keys now that I make things a lot better so it's really there's a good heavy hardening guide that's the best I can tell you it's it's it's an arms race no matter what you try we're always gonna get in it's just how long you keep us out I know it sounds like I paid on Microsoft a lot because I actually do like Microsoft it's just some things are more annoying than others anybody else Bueller Bueller cool god help me when this camera feed comes out

and a certain person comes to go yell at me but that's all right it should be fun thank you everybody