Hacking Windows: Eavesdropping on Network Password Exchange

McGraw-Hill/Osborne | Windows, book, hacking

Password guessing is hard work. Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access? If an attacker is able to eavesdrop on Windows login exchanges, this approach can spare a lot of random guesswork. There are three flavors of eavesdropping attacks against Windows: LM, NTLM, and Kerberos.

Attacks against the legacy LanManager (LM) authentication protocol exploit a weakness in the Windows challenge/response implementation that makes it easy to exhaustively guess the original LM hash credential (which is equivalent to the password itself: it can either be replayed raw or cracked to reveal the plaintext password). Microsoft addressed this weakness in Windows 2000, and tools that automate this attack will only work if at least one side of the authentication exchange is NT 4 or earlier. Tools for attacking LM authentication include Cain by Massimiliano Montoro (http://www.oxid.it), LCP (available from http://www.lcpsoft.com), and L0phtcrack with SMB Packet Capture (which is no longer maintained). Although password sniffing is built into L0phtcrack and Cain via the WinPcap packet driver, you have to manually import sniffer files into LCP in order to exploit the LM response weakness.

The most capable of these programs is Cain, which seamlessly integrates password sniffing and cracking of all available Windows dialects (including LM, NTLM, and Kerberos) via brute force, dictionary, and Rainbow cracking techniques (you will need a valid paid account to use Rainbow cracking). Figure 4-2 shows Cain’s packet sniffer at work sniffing NTLM session logons. These are easily imported into the integrated cracker by right-clicking the list of sniffed passwords and selecting Send All to Cracker.
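The LM and NTLMv1 weaknesses above only matter where those dialects are still being negotiated, so a defender's first check is finding the hosts and accounts that still produce them. This added example (not code from the book or from Cain) scans Windows Security event 4624 records, whose LmPackageName field Windows fills in as "LM", "NTLM V1" or "NTLM V2" for NTLM-package logons; the records are constructed samples.

```python
"""Flag legacy LM / NTLMv1 logons in Windows Security event 4624 records."""
from collections import defaultdict

# Constructed sample events; field names follow the 4624 event schema.
SAMPLE_4624_EVENTS = [
    {"TargetUserName": "alice", "WorkstationName": "WS-OLD-01", "IpAddress": "10.0.1.15",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "LM"},
    {"TargetUserName": "bob", "WorkstationName": "WS-02", "IpAddress": "10.0.1.22",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"TargetUserName": "carol", "WorkstationName": "WS-03", "IpAddress": "10.0.1.30",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    {"TargetUserName": "dave", "WorkstationName": "WS-04", "IpAddress": "10.0.1.41",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},
    {"TargetUserName": "alice", "WorkstationName": "WS-OLD-01", "IpAddress": "10.0.1.15",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "LM"},
]

# Risk labels tied to the excerpt: an LM response is cheaply exhaustible,
# an NTLMv1 response is still a sniff-and-crack target; NTLMv2 is not flagged.
LEGACY_LEVELS = {
    "LM": "LM challenge/response (exhaustively guessable)",
    "NTLM V1": "NTLMv1 challenge/response (sniffable, crackable)",
}


def classify(event):
    """Return a risk label for a 4624 event, or None if it is not legacy NTLM."""
    if event.get("AuthenticationPackageName") != "NTLM":
        return None  # Kerberos and other packages are out of scope here
    return LEGACY_LEVELS.get(event.get("LmPackageName", "").upper())


def legacy_logon_report(events):
    """Group legacy logons by (workstation, ip) -> {risk label: sorted accounts}."""
    report = defaultdict(lambda: defaultdict(set))
    for ev in events:
        label = classify(ev)
        if label:
            report[(ev["WorkstationName"], ev["IpAddress"])][label].add(ev["TargetUserName"])
    return {key: {lvl: sorted(accts) for lvl, accts in levels.items()}
            for key, levels in report.items()}


if __name__ == "__main__":
    for (host, ip), levels in legacy_logon_report(SAMPLE_4624_EVENTS).items():
        for level, accounts in levels.items():
            print(f"{host} ({ip}): {level}: {', '.join(accounts)}")
```

On a real domain the same function can be fed events exported from the domain controllers' Security logs; every host that appears in the report is one where the sniffing attack described above still applies.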

Oh, and in case you think a switched network architecture will eliminate the ability to sniff passwords, don’t be too sure. Attackers can perform a variety of ARP spoofing techniques to redirect all your traffic through the attacker’s machine, thereby sniffing all of it. (Cain also has a built-in ARP poisoning feature; see Chapter 7 for more details on ARP spoofing.) Alternatively, an attacker could “attract” Windows authentication attempts by sending out an e-mail with a URL in the form of file://attackerscomputer/sharename/message.html. By default, clicking on the URL attempts Windows authentication to the rogue server (“attackerscomputer” in this example).
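The file:// lure works because Windows authenticates to whatever host a UNC path names, so mail filters and proxy logs are a natural place to catch it. This added example (not from the book) scans a message body for file:// URLs and \\host\share paths and reports hosts outside the organization; the internal DNS suffix, address range and sample message are assumptions constructed for the demonstration.

```python
"""Report UNC / file:// links in a message that point at hosts outside the org."""
import ipaddress
import re

INTERNAL_SUFFIX = ".corp.example"                       # assumed internal DNS suffix
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed internal address range

# Matches file://host/..., file:////host/... and bare \\host\... forms.
UNC_RE = re.compile(r"(?:file:/{2,4}|\\\\)([A-Za-z0-9.\-\[\]:]+)[\\/]", re.I)


def is_internal(host):
    """True for addresses in INTERNAL_NETS or names under INTERNAL_SUFFIX.

    Single-label names (like "attackerscomputer" in the text) are deliberately
    not trusted: they resolve via NetBIOS/LLMNR, which cannot be verified here.
    """
    host = host.strip("[]")
    try:
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in INTERNAL_NETS)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIX)


def external_unc_hosts(body):
    """Sorted hosts referenced by UNC/file:// links that are not internal."""
    hosts = set()
    for match in UNC_RE.finditer(body):
        host = match.group(1)
        if re.fullmatch(r"[A-Za-z]:", host):
            continue  # file:///C:/... is a local drive path, not a remote host
        hosts.add(host)
    return sorted(h for h in hosts if not is_internal(h))


# Constructed sample message mixing legitimate internal links with two lures.
SAMPLE_BODY = (
    "Quarterly numbers: file://fileserver.corp.example/finance/q3.xlsx\n"
    "Also see \\\\10.0.5.20\\public\\notes.txt and the overview at "
    "file://attackerscomputer.example.net/sharename/message.html\n"
    "Raw share: \\\\203.0.113.7\\drop\\readme.html"
)

if __name__ == "__main__":
    for host in external_unc_hosts(SAMPLE_BODY):
        print("would trigger outbound Windows authentication to:", host)
```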

The more robust Kerberos authentication protocol has been available since Windows 2000 but also fell prey to sniffing attacks. The basis for this attack is explained in a 2002 paper by Frank O’Dwyer. Essentially, the Windows Kerberos implementation sends a preauthentication packet that contains a known plaintext (a timestamp) encrypted with a key derived from the user’s password. Thus, a brute force or dictionary attack that decrypts the preauthentication packet and reveals a structure similar to a standard timestamp unveils the user’s password. This has been a known issue with Kerberos 5 for some time. As we’ve seen, Cain has a built-in MSKerb5-PreAuth packet sniffer. Other Windows Kerberos authentication sniffing and cracking tools include KerbSniff and KerbCrack by Arne Vidstrom (www.ntsecurity.nu/toolbox/kerbcrack/).

Hacking Exposed

This is an excerpt from Hacking Exposed, 6th Ed. -- The tenth anniversary edition of the world's bestselling computer security book! -- by Stuart McClure, Joel Scambray, George Kurtz, published by McGraw-Hill/Osborne.

For more Windows hacks and countermeasures, download chapter 4 Hacking Windows.