Notes on my research from topics involving Linux, Network Security, Pentesting, Network/Computer Forensics and more. My intention is to use the knowledge for good and to raise awareness with regards to cyber security threats and other vulnerabilities. Therefore, as I learn, you can learn too.
Monday, August 16, 2010
Cracking challenge and response lm/ntlm hashes
The Challenge and response hashes that i'll be cracking occur over protocols such as SMB/CIFS on Windows systems. When a user tries to access a remote share, he must first try to authenticate with that remote system. The client says "hello, i would like to communicate with you"; the server responds with a challenge which composes of random data; the client then takes this challenge and uses it to encode its user's lm/ntlm hash then sends the results back to the server; The server then uses the same random challenge and the response sent back by the client to derive the lm/ntlm hash of the user then compares this to its SAM database to see if this user is a valid user on the server.
The server portion of such a system can be modified to respond with a static challenge instead of issuing a random challenge for every client request. By doing so, cracking via rainbow tables becomes favorable and wordlist/bruteforce attacks become viable as well. Because of the use of random challenges per client request to the server, cracking became very difficult as the challenge had to be known and then be incorperated into the cracking program. Having a static challenge thus solves this difficulty.