Windows password cryptanalysis
From SergiTurWiki
| Course: | SambasobreLDAP, SeguretatXarxesInformàtiques |
| Files: | SeminariSeguretatXarxes.pdf |
| SVN repository: | https://anonymous@svn.projectes.lafarga.cat/svn/iceupc/SeguretatXarxesInform%C3%A0tiques/ |
| User: | anonymous |
| Password: | no password |
| Authors: | Sergi Tur Badenas |
SAM database
SAM stands for Security Accounts Manager.
The user database is normally found in the folder:
C:\WINDOWS\system32\config\
See also the article on Samba for more information about SAM.
Resources:
syskey
Syskey is a feature that adds an additional layer of encryption to the password hashes stored in the SAM database. Its main goal is to make offline attacks harder, that is, attacks in which the attacker has physical access to the database while the XP operating system is powered off (for example from a live CD, or from another operating system on a dual-boot machine).
The key Syskey uses to encrypt the passwords is called the bootkey or system key. This key can be generated in 3 different ways; the method is chosen when running syskey.exe.
Syskey was introduced in Service Pack 3 (SP3) of NT 4, and every later version of Windows has included it.
An attacker can obtain the bootkey with tools such as bkhive.
Syskey encrypts the Windows passwords with the RC4 algorithm, using a key derived from the syskey (via MD5).
NOTE: Bear in mind that the passwords are encrypted twice! One layer is the encryption of the database itself and the other is the password itself (which is also stored in encrypted form).
Resources:
- http://forum.s-t-d.org/viewtopic.php?id=2025
- http://studenti.unina.it/~ncuomo/syskey/ (both located here)
Windows 2k/NT/XP's syskey encryption
TODO:
$ cat README | more
Windows 2k/NT/XP's syskey encryption
Syskey is a Windows feature that adds an additional encryption layer to the password hashes stored in the SAM database. The main purpose of this feature is to deter 'offline' attacks. In fact one of the most common ways to gather passwords is to copy the system SAM database and then use one of the many good password crackers[1] to "recover" the passwords; of course physical access is almost always required.
So with syskey the attacker needs to remove the additional encryption layer to get the password hashes (this is not entirely true as some tools can crack even syskeyed hashes while losing some performance).
The key used by Syskey to encrypt the password hashes (called bootkey or system key) can be generated and stored in three ways. The method to use is selected when running syskey.exe on the host.
1) Using a user supplied passphrase (actually the MD5 hash of it). The system will prompt for the passphrase during startup.
2) Using a system generated key stored on a floppy. The system will ask for the boot floppy during startup.
3) Using a system generated key stored on "the local system using a complex obfuscation algorithm" (citing Microsoft site[2]). This is the default method used.
In the first two cases generally nothing can be done. If you cannot get the passphrase or the boot floppy you are compelled to crack the syskeyed hashes.
The last case is different.
This document describes the "complex obfuscation algorithm" and the steps required to restore the password hashes from their syskeyed equivalent. Some tools are also presented to automate the process.
From now on we will talk about the case when the bootkey is stored on the system.
During the Windows boot phase, before users are allowed to logon to the system, the main thread of Smss (Session Manager) starts the Winlogon process. Winlogon is the process required to load the Local Security Subsystem (Lsass) which in turn loads the Security Accounts Manager (SAM) service (the interface to the SAM database).
The registry is accessed by the above-mentioned processes. In particular the following keys are accessed:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\JD
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Skew1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Data
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\GBG
The same keys are also accessed during the bootkey generation phase by the Syskey.exe tool.
A more in depth analysis of the code accessing these keys uncovers that the "complex obfuscation algorithm" is no more than a permutation of the class name of the above-mentioned keys.
It is almost trivial to develop a tool to recover the syskey obfuscated bootkey from the registry.
To make things simpler, on pre SP4 systems the ACL on the above keys allows 'Users' read access, so a "normal" user can retrieve the registry stored bootkey.
The tool developed to make this operation is called Bkreg.
On SP4+ systems it is still possible to recover the syskey bootkey. The ACLs on the keys only allow Administrator access, so Bkreg can recover the bootkey on SP4 systems only if executed by the Administrator.
But there is another way to access the registry keys.
An attacker can steal (maybe at the same time of the SAM database) the system hive and access from there the above mentioned keys to recover the syskey bootkey.
The tool developed to make this operation is called Bkhive.
Now we have the bootkey, conveniently stored in a file, and the SAM hive; we need to know how to remove the syskey encryption.
The process that decrypts the password hashes (using the bootkey) is Samss.
The steps required to do so are:
1) The value 'F' of the registry key SAM\SAM\Domains\Account is accessed. The contents of that value are of binary type. 16 bytes (starting at offset 0x70) from the F value are hashed (MD5) with the bootkey and some constant. The result is used as the key to decrypt (RC4) the 32 bytes of the F value (starting from 0x80). The first 16 bytes of the result are used later in the algorithm. I call them hbootkey.
2) For each rid subkey in SAM\SAM\Domains\Account\Users, the value 'V' of the key is accessed. The content of that value is of binary type and contains the syskey encrypted password hashes. The hbootkey (computed in step 1), the user rid and a constant string (different if decoding NT or lanman password) are hashed (MD5). The result is used as the key to decrypt (RC4) the syskeyed password hashes.
So syskey encrypts the password hashes with the RC4 algorithm using as key "something" derived (through MD5) from the syskey bootkey.
I've developed a tool to automate the above steps and include the features of SAMDUMP. The tool is called SAMDUMP2; SAMDUMP2 can, when given a SAM hive and a bootkey file (generated by Bkreg or Bkhive), output the password hashes in SAMDUMP/PWDUMP format.
So an attacker with physical access can:
0) Boot using another OS (maybe Linux or DOS)
1) Steal the SAM and SYSTEM hive (from %WINDIR%\System32\config)
2) Recover the syskey bootkey from the SYSTEM hive using Bkhive (or Bkreg on pre SP4 systems)
3) Dump the password hashes using SAMDUMP2
4) Crack them offline using his favorite cracking tool
References
[1] http://www.atstake.com/products/lc/
    http://www.oxid.it/cain.html
    http://www.openwall.com/john/
    http://www.openwall.com/passwords/nt.shtml
[2] http://support.microsoft.com/support/kb/articles/q143/4/75.asp
Nicola Cuomo ncuomo(at)studenti.unina.it
Many thanks to Jason R. DePriest for 'patching' my english ^_^
Installation
Debian/Ubuntu repositories
Compiling
On Debian Etch the tool is not in the repository. Download the source code:
$ wget -O ophcrack-3.3.1.tar.bz2 'http://downloads.sourceforge.net/project/ophcrack/ophcrack/3.3.1/ophcrack-3.3.1.tar.bz2?use_mirror=netcologne'
$ tar jvxf ophcrack-3.3.1.tar.bz2
$ cd ophcrack-3.3.1
$ sudo apt-get install build-essential libssl-dev libqt4-dev
$ ./configure
It does not work on Etch --> it needs qmake 4.3...
It can be installed without the GUI:
$ ./configure --disable-gui
$ make
$ make install
Tools
bkhive
According to the package description:
$ dpkg -l bkhive
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Nom                     Versió                  Descripció
+++-=======================-=======================-==============================================================
ii  bkhive                  1.1.1-1                 Dump the syskey bootkey from a Windows NT/2K/XP system hive
$ apt-cache show bkhive
Package: bkhive
Priority: optional
Section: universe/admin
Installed-Size: 64
Maintainer: Ubuntu MOTU Developers <ubuntu-motu@lists.ubuntu.com>
Original-Maintainer: Adam Cécile (Le_Vert) <gandalf@le-vert.net>
Architecture: i386
Version: 1.1.1-1
Depends: libc6 (>= 2.6.1-1)
Recommends: samdump2
Suggests: ophcrack
Filename: pool/universe/b/bkhive/bkhive_1.1.1-1_i386.deb
Size: 10398
MD5sum: 4ff13206d1a0c90b01474c793ee0ca97
SHA1: f01ca072c5cadc22bb73c0debcc0048d2269ac44
SHA256: d9ab0d15475eb0f3ed74baa90881d12f55d8c53f8ab8256e491a9bcd3ea8089a
Description: Dump the syskey bootkey from a Windows NT/2K/XP system hive
 This tool is designed to recover the syskey bootkey from a Windows NT/2K/XP
 system hive. Then we can decrypt the SAM file with the syskey and dump
 password hashes.
 .
 Syskey is a Windows feature that adds an additional encryption layer to the
 password hashes stored in the SAM database.
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Installation
$ sudo apt-get install bkhive
...
S'instal·laran els següents paquets extres:
  samdump2
S'instal·laran els paquets NOUS següents:
  bkhive samdump2
...
The installed files are:
$ dpkg -L bkhive
/.
/usr
/usr/bin
/usr/bin/bkhive
/usr/share
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/bkhive.1.gz
/usr/share/doc
/usr/share/doc/bkhive
/usr/share/doc/bkhive/changelog.gz
/usr/share/doc/bkhive/README.gz
/usr/share/doc/bkhive/copyright
/usr/share/doc/bkhive/changelog.Debian.
You can get information about the command with
$ man bkhive
The syntax is:
$ bkhive
bkhive 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it
Usage:
bkhive systemhive keyfile
For example, assuming you have a Windows partition at /dev/sda1:
$ sudo mkdir -p /mnt/ntfs
$ sudo mount /dev/sda1 /mnt/ntfs
Now all that is needed is:
$ bkhive /mnt/ntfs/WINDOWS/system32/config/system out
samdump2
$ sudo apt-get install samdump2
NOTE: You can also get the source code from:
$ wget -O samdump2-2.0.1.tar.bz2 http://sourceforge.net/projects/ophcrack/files/samdump2/2.0.1/samdump2-2.0.1.tar.bz2/download
$ tar xvjf samdump2-2.0.1.tar.bz2
$ cd samdump2-2.0.1
$ make
According to the package description:
$ dpkg -l samdump2
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Nom                     Versió                  Descripció
+++-=======================-=======================-==============================================================
ii  samdump2                1.1.1-1                 Dump Windows 2k/NT/XP password hashes
$ apt-cache show samdump2
Package: samdump2
Priority: optional
Section: universe/admin
Installed-Size: 72
Maintainer: Ubuntu MOTU Developers <ubuntu-motu@lists.ubuntu.com>
Original-Maintainer: Adam Cécile (Le_Vert) <gandalf@le-vert.net>
Architecture: i386
Version: 1.1.1-1
Depends: libc6 (>= 2.6.1-1), libssl0.9.8 (>= 0.9.8e-1)
Recommends: bkhive
Suggests: ophcrack
Filename: pool/universe/s/samdump2/samdump2_1.1.1-1_i386.deb
Size: 14424
MD5sum: 9aa3ae8fdd01b233772de03d9344fae1
SHA1: 70ae98ac1d27f73164865747bb5b8b3da8bbff9d
SHA256: 1d980fa99a6262ad4274e72c19aa7bf537bc13dab6f9d6c1dac830203132acde
Description: Dump Windows 2k/NT/XP password hashes
 This tool is designed to dump Windows 2k/NT/XP password hashes from a SAM
 file. It requires the syskey key which can be found with tools like bkhive.
 .
 Syskey is a Windows feature that adds an additional encryption layer to the
 password hashes stored in the SAM database.
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
So it is a tool that lets you obtain the encrypted passwords (hashes) of Windows systems. The database that holds the passwords (SAM) is usually encrypted with a key called the syskey. You can use bkhive to obtain that key.
According to the manual:
$ man samdump2
The syntax is:
$ samdump2 <sam hive> <key file>
For example, assuming you have a Windows partition at /dev/sda1 and the bootkey saved by bkhive to the file out, as above:
$ sudo mkdir -p /mnt/ntfs
$ sudo mount /dev/sda1 /mnt/ntfs
$ sudo samdump2 /mnt/ntfs/WINDOWS/system32/config/sam out
chntpw
See chntpw.
ophcrack
See the presentation:
If prompted, the username is anonymous and any password works. It is an svn repository:
https://svn.projectes.lafarga.cat/svn/iceupc/Altres/SeminariSeguretatXarxes/SeminariSeguretatXarxes.pdf
And see the network security course:
http://www.iescopernic.com/moodle/course/view.php?id=154
- http://ophcrack.sourceforge.net/
- http://ophcrack.sourceforge.net/tables.php
- http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/
To install it:
$ sudo apt-get install ophcrack
And you can run it with:
$ ophcrack
You can find the Windows password database at:
c:/Windows/System32/config
You will have direct access to it if you mount (see the mount command) the partition where Windows is installed. Operating systems such as Ubuntu mount Windows drives automatically.
Installing ophcrack from source
$ cd
$ mkdir ophcrack
$ cd ophcrack
$ wget http://downloads.sourceforge.net/ophcrack/ophcrack-3.3.1.tar.bz2
$ tar xvjf ophcrack-3.3.1.tar.bz2
$ cd ophcrack-3.3.1
$ sudo apt-get install build-essential
$ sudo apt-get install libssl-dev
$ ./configure --disable-gui
$ make
$ sudo make install
ophcrack-cli
The ophcrack-cli package gives you the functionality of ophcrack without needing a graphical environment (cli stands for command line interface).
The first thing you will need is the rainbow tables; you can get them at:
http://ophcrack.sourceforge.net/tables.php
There are free and paid tables, and larger and smaller ones (the larger ones usually perform faster brute-force attacks but consume more resources). You can get them with:
$ cd
$ mkdir 5000
$ cd 5000
$ sudo wget http://downloads.sourceforge.net/ophcrack/tables_xp_free_fast.zip
$ md5sum tables_xp_free_fast.zip
It should return the value shown on the website:
md5sum: f6f5536975b57c891ed5f2de702a02bd
$ unzip tables_xp_free_fast.zip
# unzip tables_xp_free_fast.zip
Archive:  tables_xp_free_fast.zip
  inflating: README-5k.TXT
  inflating: table0.bin
  inflating: table0.index
  inflating: table0.start
  inflating: table1.bin
  inflating: table1.index
  inflating: table1.start
  inflating: table2.bin
  inflating: table2.index
  inflating: table2.start
  inflating: table3.bin
  inflating: table3.index
  inflating: table3.start
  inflating: xp_free_fast.md5
  inflating: xp_free_fast.sfv
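Checking the published md5sum by hand is easy to skip when several table sets are downloaded, and a corrupted or tampered table silently lowers the crack rate. The script below is an added example (it is not code from this wiki page or from the ophcrack project): it streams a downloaded archive through MD5 and compares it with the digest published on the tables page, and it verifies every unpacked table file against an md5sum-style manifest such as the xp_free_fast.md5 file listed in the unzip output above. That the manifest uses the `<hex>  <name>` / `<hex> *<name>` layout of md5sum(1) is an assumption. The table directory it checks is constructed in a temporary folder (one good file, one tampered, one missing), so it runs offline.

```python
"""Verify downloaded rainbow tables against published MD5 digests.

Added example for this page; it is not part of the ophcrack project.
"""
import hashlib
import os
import tempfile

# Published digest for tables_xp_free_fast.zip, as listed on the page above.
PUBLISHED_ZIP_MD5 = "f6f5536975b57c891ed5f2de702a02bd"


def file_md5(path, chunk_size=1 << 20):
    """Stream a file through MD5 so multi-hundred-MB tables are not loaded into RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_archive(path, expected_md5=PUBLISHED_ZIP_MD5):
    """True when the downloaded zip matches the digest published on the tables page."""
    return file_md5(path) == expected_md5.lower()


def parse_md5_manifest(text):
    """Parse md5sum(1)-style lines: '<hex>  <name>' or '<hex> *<name>'.

    Assumption: the .md5 file shipped inside the table zip uses this layout.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 32 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest.lower()
    return entries


def verify_directory(directory, manifest_name):
    """Return {file: True (ok) / False (mismatch) / None (missing)} per manifest entry."""
    with open(os.path.join(directory, manifest_name), encoding="ascii") as fh:
        expected = parse_md5_manifest(fh.read())
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        results[name] = file_md5(path) == digest if os.path.isfile(path) else None
    return results


def demo():
    """Build a constructed table directory: one good, one tampered, one missing file."""
    directory = tempfile.mkdtemp(prefix="tables-")
    good = b"constructed table contents"
    with open(os.path.join(directory, "table0.bin"), "wb") as fh:
        fh.write(good)
    with open(os.path.join(directory, "table0.index"), "wb") as fh:
        fh.write(b"tampered index contents")
    manifest = (
        f"{hashlib.md5(good).hexdigest()}  table0.bin\n"
        f"{hashlib.md5(b'original index contents').hexdigest()} *table0.index\n"
        f"{'0' * 32}  table0.start\n"
    )
    with open(os.path.join(directory, "xp_free_fast.md5"), "w", encoding="ascii") as fh:
        fh.write(manifest)
    return verify_directory(directory, "xp_free_fast.md5")


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'MISSING' if ok is None else 'MISMATCH'}")
```

On a real download, run verify_archive("tables_xp_free_fast.zip") before unzipping and verify_directory("5000", "xp_free_fast.md5") afterwards; a None result means the manifest names a table that was never extracted, which ophcrack would otherwise report only as a missing table at load time.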
NOTE: If you do not have a Windows system at hand you can use the following file, which contains some sample hashes:
$ wget http://acacha.org/~sergi/test-hashes.txt
Now you need to obtain the SAM database of a Windows system. Suppose you are on a dual-boot machine and, from the Linux operating system, you can access the Windows partition at /dev/sda1 with:
$ sudo mkdir -p /mnt/ntfs
$ sudo mount /dev/sda1 /mnt/ntfs
Now, to obtain the passwords (window$ hashes):
$ bkhive /mnt/ntfs/WINDOWS/system32/config/system saved-syskey.txt
$ samdump2 /mnt/ntfs/WINDOWS/system32/config/sam saved-syskey.txt > password-hashes.txt
Alternatively, ophcrack-cli can read the hives directly from the mounted Windows directory with -w (the path below assumes the partition is mounted at sda1/):
$ ophcrack -g -d . -t xp_free_fast,0,3 -w sda1/WINDOWS/system32/config/
Example:
$ ophcrack -d 5000/ -t 5000 -o 10000 -n 4 -f test-hashes.txt
$ ophcrack -g -d 5000/ -t 5000,0,3 -f test-hashes.txt
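Once samdump2 (or the test-hashes.txt file above) has produced a dump in pwdump format, a defender's first step is usually to audit it rather than crack it: the states that make the ophcrack XP tables effective are visible in the dump itself. The following script is an added example, not code from this wiki page nor from samdump2 or ophcrack. It parses user:rid:lmhash:nthash::: lines (the sample dump embedded in it is constructed) and flags an LM hash still being stored (the ophcrack XP tables work on LM hashes), the well-known NT hash of the empty password, and one NT hash shared by several accounts (password reuse).

```python
"""Audit a pwdump-format hash dump (as written by samdump2) for weak account states.

Added example for this page; it is not code from samdump2, ophcrack or the wiki.
"""
import sys

# Well-known hashes of the empty password: this is what an account with no LM
# hash stored (or with an empty password) looks like in a dump.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX = set("0123456789abcdef")

# Constructed sample dump, in the user:rid:lmhash:nthash::: layout samdump2 emits.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1000:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
"""


def parse_pwdump(text):
    """Parse pwdump lines into dicts; blank lines and '#' comments are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected user:rid:lmhash:nthash:::")
        user, rid, lm, nt = fields[0], fields[1], fields[2].lower(), fields[3].lower()
        for label, digest in (("LM", lm), ("NT", nt)):
            if len(digest) != 32 or not set(digest) <= HEX:
                raise ValueError(f"line {lineno}: bad {label} hash {digest!r}")
        if not rid.isdigit():
            raise ValueError(f"line {lineno}: bad RID {rid!r}")
        records.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return records


def audit(records):
    """Return {user: [finding codes]} for the states an offline cracker exploits."""
    findings = {r["user"]: [] for r in records}
    users_by_nt = {}
    for r in records:
        if r["nt"] == EMPTY_NT:
            findings[r["user"]].append("EMPTY_PASSWORD")
        if r["lm"] != EMPTY_LM:
            # An LM hash is stored: this is what the ophcrack XP tables crack.
            findings[r["user"]].append("LM_HASH_PRESENT")
        users_by_nt.setdefault(r["nt"], []).append(r["user"])
    for digest, users in users_by_nt.items():
        if digest != EMPTY_NT and len(users) > 1:
            for user in users:
                findings[user].append("NT_HASH_REUSED")
    return findings


def report(text):
    """Human-readable summary; returns the lines so callers can log or test them."""
    lines = []
    for user, codes in audit(parse_pwdump(text)).items():
        lines.append(f"{user}: {', '.join(codes) if codes else 'no findings'}")
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_DUMP
    print("\n".join(report(source)))
```

Run it as `python audit_pwdump.py password-hashes.txt` on the samdump2 output (the file name is a placeholder). The LM_HASH_PRESENT finding is the one worth acting on first: once LM hash storage is disabled and the passwords are changed, the free XP tables used in this section have nothing to work with.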
From the rainbow tables README:
$ cat README-5k.TXT | more
Table set SSTIC04-5000
----------------------
INFO:
This table set is made of 4 perfect rainbow tables with an initial number of 350'000'000 chains. At length 5000 there are about 29'500'000 perfect chains left. Each table has a success rate of 83.9%, resulting in 99.93% of success rate for the table set.
The average number of hash operations needed to recover a password is 4.8 million. The maximum number of operations is 55 million.
The total size of the tables is 719MB.
If you have only 512MB of RAM and many passwords to crack you may want to try the -n 3 option to use only 3 tables in parallel at a time.
USAGE:
Unzip the files into a directory (e.g. 5000/).
Run ophcrack with following parameters:
./ophcrack -d 5000/ -t 5000 -o 10000 -n 4 -s <hash_file>
Resources:
Test Hashes
At:
http://elliottback.com/wp/wp-content/uploads/2006/04/test-hashes.txt
NOTE: Alternatively you can find them at http://acacha.org/~sergi/test-hashes.txt
you can find a file with Windows hashes for testing. To get it:
$ sudo wget http://elliottback.com/wp/wp-content/uploads/2006/04/test-hashes.txt
Web demo
You can submit a hash and they will decrypt it for you on the website:
http://www.objectif-securite.ch/en/products.php#Demo
Videos and other tutorials
Chntpw
pwdump2
This tool is for DOS; you can get it at:
$ wget http://www.packetstormsecurity.org/Crackers/NT/pwdump2.zip
It extracts the hashes from the SAM to a text file that we can use directly with ophcrack:
pwdump2 >> pass.txt
