Windows XP Login Vulnerabilities




A Case Study Using Ophcrack
Yoan Hermida
12/1/2008

Abstract

This paper aims to demonstrate that the login process for Windows XP is inherently insecure. It demonstrates through a case study how a password cracking utility known as Ophcrack can easily crack simple alphanumeric passwords. The weakest point of the login process is that Windows XP uses the LM or LAN Manager hash to store user passwords. Through the use of rainbow tables, cracking utilities such as Ophcrack can quickly cycle through partially pre-computed hash values until a match is established.

Outline

This paper will begin with an introduction stating the nature of the problem and why I believe it is interesting. It will then explain out-of-the-box vulnerabilities present in the BIOS of almost all PCs, which allow cracking programs and other malicious code to be executed. This will be followed by an explanation of the Windows XP boot process, paying particular attention to the use of the LM hash in storing user passwords. We will then move on to the method of attack I chose to study, paying particular attention to rainbow tables and how they are used to defeat Windows XP passwords of 14 characters or less. Results from my experiment with Ophcrack, as well as screenshots, will be presented. Lastly, I will go into how to secure a Windows XP system from this particular method of attack.

Introduction

The problem I am describing involves the use of Live CDs/DVDs that contain pre-stored data known as rainbow tables, which can be used to defeat most simple alphanumeric passwords created by users on a Windows XP system. The vulnerability lies in Microsoft's decision to retain a legacy method of storing user passwords that is now deprecated in the industry: the LM or LAN Manager hash. The LM hash has been retained as a password storage method because backward compatibility must be maintained with systems that are still running DOS or other Microsoft legacy operating systems. I believe this is an interesting problem because most computers in the world run Microsoft Windows, and of those most run Windows XP. This is true despite the fact that the latest Microsoft operating system, Windows Vista, is widely perceived in the industry as a total disaster. Moreover, many IT departments are bypassing Vista altogether and retaining their Windows XP systems until the next version of Windows, Windows 7, is released. This means that a majority of the world's computers have two disastrous login vulnerabilities:

1. Live CDs can be run before the bootstrap;
2. Simple alphanumeric passwords are stored using LM hashes and can be cracked using programs that run off of live CDs.

Even if the optical drive is disabled by default in the BIOS, a potential attacker who has physical access to the system can simply enter an unprotected BIOS and enable the optical drive as a bootable device. The attacker can then insert a live CD containing a cracking program such as Ophcrack and obtain all user passwords (including the Administrator's) in a matter of minutes. The attacker then simply makes a note of the password, kills the program, removes the optical media, reboots the machine and allows the operating system to load. Once the login screen is visible, he or she can log into the account of any user of that system. Some essential steps that users of the Windows XP operating system need to take are to password-protect their BIOS and to choose strong passwords that are either longer than 8 characters and/or contain non-alphanumeric characters. These two steps are the secret to defeating an Ophcrack attack, and yet many people have no knowledge of either these vulnerabilities or the ease with which they can be exploited.

BIOS Vulnerabilities

Before delving into the details of the login vulnerabilities in Windows XP, we shall explore a security gap in the BIOS of most PCs which allows the method of attack discussed in this paper to be executed: the lack of BIOS passwords on most PC systems. The simplicity of the solution is as stunning as the major hole that not having a password set on the BIOS constitutes. One merely needs to enter the BIOS by pressing F2 or another simple keyboard key, find the correct setting, and set an administrator password for the BIOS. The fix seems simple enough, and yet millions of systems lie insecure, waiting for an attacker to insert a live CD and exploit the LM hash vulnerability.

While the simple measure described above goes a long way toward preventing the type of attack described in this paper, it is useless without modifying another BIOS setting: the boot order, and whether anything but the hard drive should even be scanned for bootable media. Again, plugging the hole simply involves going into the BIOS and specifying that only the C drive (or whatever hard drive contains the operating system) should be active during boot. Coupled with the BIOS password, this denies a would-be attacker the opportunity to insert a program such as Ophcrack.

While the BIOS concept is called something else in the Mac world, Apple machines are no less vulnerable to a very simple firmware (the term used in Mac land) attack. Armed with a Mac OS X install disc, the attacker needs to hold down the Command and C keys and, upon entering the installation environment, would then be able to change root's password to whatever he desires. This is because, by default, Mac client systems do not password-protect firmware. Password-protecting the firmware would prevent this type of attack. Apple servers do have firmware password protection enabled by default, but the password is typically several characters of the serial number.

Overview of the Windows XP Boot Process

As with most modern computer systems, once the power button is pressed the computer undergoes a POST, or Power On Self-Test, which is run by the BIOS or Basic Input Output System. Once the BIOS determines that memory and other subsystems are in working order, it attempts to read the Master Boot Record, which is the first sector of the first hard drive. Once this has taken place, the operating system begins to take control of the system and begins to be loaded into memory. The MBR analyzes the boot sector and passes the job of loading the operating system to NTLDR, which is Windows XP's boot loader. The boot loader sets up memory addressing, initiates the file system, reads boot.ini and loads the boot menu. Once XP is selected from the boot menu, if it is not the default (in multi-OS systems), NTDETECT.COM, BOOT.INI, and BOOTSECT.DOS take over and finish loading the operating system. Initially the system starts in 16-bit real mode and then changes to 32-bit protected mode. NTLDR then loads NTOSKRNL.EXE and HAL.DLL, which effectively make up Windows XP. NTLDR reads the registry and loads the proper drivers. NTOSKRNL.EXE takes over and starts WINLOGON.EXE, which then starts LSASS.EXE. [1]

WINLOGON.EXE is actually independent of authentication and handles mostly interface functions. Such functions include window station and access protection, ensuring that the local system will have access to these objects. The process also handles SAS recognition, which is an event such as Ctrl + Alt + Del that tells the operating system that the user is ready to log in or wants to lock the workstation. User profiles are loaded by WINLOGON.EXE. The process also assigns security to the user shell and monitors keyboard and mouse events in order to determine when to activate the screen saver. Lastly, Winlogon provides multiple network support. [2]

LSASS.EXE, or Local Security Authority Subsystem Service, is a process that is responsible for enforcing the security policy on the system. The process verifies users that are logging on, handles password changes, writes to the security log, and creates access tokens. Access tokens contain the relevant security information for a login session and identify the user, group, and privileges. The infamous Sasser worm exploited a buffer overflow in the LSASS process that would show a timer on the screen and prompt the user to log off and shut down. [3]

Overview of How Windows XP Saves User Authentication Information

When a user creates a password in Windows XP that is less than 15 characters long, rather than storing the password in clear text, the system stores the password in the Security Accounts Manager in the form of two hashes. A hash is produced when a hash function is applied to clear text. One of the hashes produced by Windows XP is the LM or LAN Manager hash, a legacy hash that has its origins in the Windows LAN Manager operating system. Windows Me was the last commercial version of Windows that exclusively saved user passwords using the LM hash function. With the introduction of Windows XP, the LM hash was kept for the purpose of backward compatibility with legacy systems and is enabled by default, with the possibility of manually disabling the creation of LM hash passwords.

LM hashes are created as follows. The user's password, as an OEM string, is converted to uppercase. The password is then changed to 14 bytes by truncating it or padding it with null values. The password is then split into two 7-byte halves. These two values are used to create two DES keys by converting the seven bytes into a bit stream and inserting a 0 after every seven bits. The purpose of this is to generate the 64 bits necessary for a DES key. The two keys are then used to DES-encrypt the constant string KGS!@#$%, which creates two 8-byte ciphertexts. These two values are then concatenated into a 16-byte value, the LM hash. (http://wapedia.mobi/en/lm_hash)

The other hash that Windows XP utilizes is the NTLM hash. The NT LAN Manager hash is part of NTLM, which is an authentication protocol used in conjunction with the SMB protocol. There are two versions of NTLM, NTLMv1 and NTLMv2. Version 1 was intended as a replacement for the less secure LM protocol discussed before. The NT hash uses the MD4 algorithm to compute a hash value of the user's password. While the NT hash is harder to crack than the LM hash, it is also vulnerable to brute force attack. [4]

Both the LM and NTLM hashes are stored in the SAM or Security Accounts Manager database. Beginning with Windows NT, the SAM has been stored as a file in the Registry. The database can be partially encrypted using a 128-bit key when the SYSKEY function is enabled. Furthermore, the SAM cannot be accessed while Windows XP is running, since the kernel keeps an exclusive lock on the file, which is not released until the operating system shuts down or the Blue Screen of Death occurs. There are various techniques, however, to dump the contents of the SAM and perform a brute force attack. One such technique is running Ophcrack from a live CD before the operating system loads and using rainbow tables on the LM hashes. This case study will utilize this technique to crack a Windows XP password. [5]
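The LM hash construction just described, written out as an added Go example that is not part of the paper (Go is used because its standard library includes DES; the names expandKey, LMHash, LMHashHex and SecondHalfEmpty are this example's own, and the password is assumed to be plain ASCII). It also shows the structural weakness that lets each half be attacked on its own: a password of 7 or fewer characters leaves the second half equal to the fixed ciphertext of an all-null half.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// expandKey turns 7 password bytes into an 8-byte DES key by inserting a zero
// parity bit after every seven bits of the input, as the paper describes.
func expandKey(h []byte) []byte {
	k := []byte{
		h[0] >> 1, h[0]<<6 | h[1]>>2, h[1]<<5 | h[2]>>3, h[2]<<4 | h[3]>>4,
		h[3]<<3 | h[4]>>5, h[4]<<2 | h[5]>>6, h[5]<<1 | h[6]>>7, h[6],
	}
	for i := range k {
		k[i] = (k[i] & 0x7f) << 1 // keep 7 bits; the low bit is the (ignored) parity bit
	}
	return k
}

// LMHash computes the LM hash as described above. Assumption: the password is
// plain ASCII, so uppercasing it matches the OEM-string conversion.
func LMHash(password string) []byte {
	pw := make([]byte, 14)
	copy(pw, strings.ToUpper(password)) // null-padded, or truncated, to 14 bytes
	out := make([]byte, 0, 16)
	for _, half := range [][]byte{pw[:7], pw[7:]} {
		block, err := des.NewCipher(expandKey(half))
		if err != nil {
			panic(err) // unreachable: the key is always 8 bytes
		}
		ct := make([]byte, 8)
		block.Encrypt(ct, []byte("KGS!@#$%"))
		out = append(out, ct...) // the two 8-byte ciphertexts, concatenated
	}
	return out
}

// LMHashHex renders the hash as the 32 uppercase hex digits seen in SAM dumps.
func LMHashHex(password string) string {
	return strings.ToUpper(hex.EncodeToString(LMHash(password)))
}

// EmptyHalf is the ciphertext produced by an all-null half. A second half equal
// to it tells anyone reading the SAM that the password has at most 7 characters,
// which is why the two halves can be cracked independently.
const EmptyHalf = "AAD3B435B51404EE"

// SecondHalfEmpty reports whether the password's LM hash reveals a length <= 7.
func SecondHalfEmpty(password string) bool {
	return LMHashHex(password)[16:] == EmptyHalf
}

func main() {
	for _, p := range []string{"", "security", "abcdefg", "password"} { // constructed samples
		fmt.Printf("%-10q %s  second half empty: %v\n", p, LMHashHex(p), SecondHalfEmpty(p))
	}
}
```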

Rainbow Tables and Ophcrack

A rainbow table is a collection of pre-computed values used in recovering the plaintext from a password hash created by a hash function. Rainbow tables offer what is known as a time-memory tradeoff when performing brute force attacks. A time-memory tradeoff is when memory requirements decrease at the expense of longer program execution, or when memory requirements increase but program execution happens rapidly. Because rainbow tables are a set of pre-computed values, entire tables require more storage space (an entire DVD, for example), but program execution happens rapidly because the values have already been computed.

Rainbow tables are created by taking plaintext and putting it through a hash function such as the LM hash function explained before. The hash is then put through a reduction function. The reduction function comes up with a string of random plaintext, which is then hashed. The hash is reduced, obtaining another random string of plaintext, which is then hashed. This general pattern produces rainbow chains and continues for as many strings as it is feasible to store. The chains that this process creates are stored in tables, creating rainbow tables. In order to obtain a plaintext value from a hash value, the attacker needs to cycle through the rainbow tables. This is where Ophcrack and programs like it come in.

Ophcrack is open source and can be downloaded as a Live CD ISO for free. The Live CD version loads a minimal Linux kernel with a graphical user interface that then allows the attacker to retrieve, decrypt, and crack Windows passwords in a fairly automatic manner. Rainbow tables for LM hashes of alphanumeric passwords up to 14 characters are provided free of charge by the developers of the program. First, the program obtains hash values by importing them directly from various sources such as the SAM files discussed previously. A hash value is reduced and checked against the last value that appears in the rainbow table. If the reduction fails to find a match, the program then moves on to the second, third, etc. tables until a match is found. If a match is found, the password that started the matching chain is obtained and a chain is generated again using that password. The hash values generated as the chain iterates are compared against the original hash value. If a match is found, we know the password does indeed correspond to that hash value and the attack has been successful. [6]

Experiment

In order to demonstrate the practical applications of Ophcrack, I conducted a small experiment on my own Windows XP system. I created a new user account with the username "computer" and the password "security".
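The chain construction and lookup described in the Rainbow Tables section above, as an added Go example that is not from the paper or from Ophcrack. It works on a toy space of 3-letter passwords and uses a truncated SHA-256 in place of the LM hash (an assumption made only so the block needs no DES code); the names hashPw, reduce, Build and Lookup are its own.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Toy parameters: 3-letter lowercase passwords (26^3 = 17,576) and 40-step chains.
const alphabet = "abcdefghijklmnopqrstuvwxyz"
const pwLen, chainLen = 3, 40

// hashPw stands in for the LM hash function (assumption: SHA-256 truncated to
// 64 bits, chosen only so this block needs no DES code).
func hashPw(pw string) uint64 {
	sum := sha256.Sum256([]byte(pw))
	return binary.BigEndian.Uint64(sum[:8])
}

// reduce maps a hash back into the password space; mixing in the column index
// gives each column its own reduction function, which is what makes the chains "rainbow" chains.
func reduce(h uint64, column int) string {
	h ^= uint64(column) * 0x9E3779B97F4A7C15
	out := make([]byte, pwLen)
	for i := range out {
		out[i], h = alphabet[h%26], h/26 // 26 = len(alphabet)
	}
	return string(out)
}

// Table keeps only the two ends of each chain: final hash -> starting plaintext.
type Table map[uint64]string

// Build walks one chain per starting password and stores its endpoint.
func Build(starts []string) Table {
	t := Table{}
	for _, s := range starts {
		p := s
		for col := 0; col < chainLen-1; col++ {
			p = reduce(hashPw(p), col)
		}
		t[hashPw(p)] = s
	}
	return t
}

// Lookup follows the procedure in the text: assume the target hash sits in column j,
// reduce and hash forward to a chain end, look that end up among the stored endpoints,
// and on a hit regenerate the chain from its start to verify the candidate.
func (t Table) Lookup(target uint64) (string, bool) {
	for j := chainLen - 1; j >= 0; j-- {
		x := target
		for col := j; col < chainLen-1; col++ {
			x = hashPw(reduce(x, col))
		}
		if start, ok := t[x]; ok {
			p := start
			for col := 0; col < chainLen; col++ {
				if hashPw(p) == target {
					return p, true // verified: this plaintext really hashes to target
				}
				p = reduce(hashPw(p), col)
			}
		} // endpoint matched but the chain never produced target (a merge): keep searching
	}
	return "", false
}

func main() {
	var starts []string
	for i := 0; i < 400; i++ {
		starts = append(starts, reduce(uint64(i), 0)) // arbitrary distinct starting points
	}
	tbl := Build(starts)
	hits := 0
	for i := 0; i < 500; i++ { // constructed sample passwords to look up
		pw := reduce(uint64(i)*7919, 3)
		if got, ok := tbl.Lookup(hashPw(pw)); ok && got == pw {
			hits++
		}
	}
	fmt.Printf("%d endpoints stored; recovered %d of 500 sample passwords\n", len(tbl), hits)
}
```

The misses reported at the end are the coverage gaps and chain merges that force real LM tables to be so large; 400 chains of 40 steps cost 16,000 hash operations to build but only 400 stored entries.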

I then went to the Ophcrack website at http://ophcrack.sourceforge.net, downloaded the Ophcrack Live CD for Windows XP, and burnt the ISO onto a CD. I restarted my system and booted off the Live CD. The program indicated it had found an active Windows partition. It then proceeded to crack the password for the user "computer" with the password "security".

[7]

Results

The entire operation, from the time I booted off the Ophcrack Live CD until the password was found, took a total of 2 minutes 24 seconds. The first minute and 54 seconds consisted of Ophcrack booting up and loading the rainbow tables. Once all tables were loaded, the password "security" was cracked in 30.6 seconds, with the first 7 characters being revealed in half that time. In other words, an attacker would only need access to a Windows XP system for about 2.5 minutes in order to crack a password with characteristics similar to the one used for this test. This illustrates the absolute necessity of hardening systems running Windows XP.

Guarding Against an Ophcrack Attack

No system is ever 100% secure and no password is ever crack-proof. There are, however, bad and good practices. Users should be aware that the simple act of disabling bootable optical drives and setting an administrator password in the BIOS virtually eliminates the possibility of an Ophcrack-type attack or any attack that is run from a Live CD. A second effective measure to guard against an attack using LM hash rainbow tables is to disable the use of the LM hash. While the LM hash is enabled by default in Windows XP, a user can disable it by editing the Registry. A simple Google search will produce dozens of tutorials on how to accomplish this. Unfortunately, while doing research for this project I discovered that there are now several utilities (including Ophcrack) that include rainbow tables for the more secure NTLM hash. Had this not been the case, another suggestion might have been to select passwords longer than 14 characters; these types of passwords are automatically stored using the NTLM hash. Nonetheless, users should include in their passwords as many non-alphanumeric characters as possible. As of this writing, rainbow tables with stored values for passwords containing non-alphanumeric characters are either not freely available (Ophcrack) or too complex for your average Joe H4x0r to configure.

Conclusion

This paper explored the theoretical foundations of an attack using the Ophcrack utility and conducted an experiment which demonstrated that a simple alphanumeric password could be cracked in 30 seconds using said utility. I discussed why lack of security at the BIOS level is the catalyst for this type of attack. I went on to talk about the Windows XP boot process and the subsystems that handle user authentication. Afterward, I described how Windows XP saves authentication information in the Security Accounts Manager or SAM database. This was followed by an explanation of rainbow tables and how Ophcrack utilizes these to perform a brute force attack on the LM hash obtained from the SAM. A demonstration of the utility and the results of this experiment on my Windows XP system were also detailed. Lastly, I offered some tips on how to guard against an Ophcrack-type attack.

Works Cited

[1] Simpson, Michael. "Windows XP Boot Sequence." Suite 101. 07 Oct 2006. 15 Nov 2008 <http://pcs.suite101.com/article.cfm/windows_xp_boot_sequence>.
[2] "Winlogon." Wikipedia. 15 Oct 2008 <http://en.wikipedia.org/wiki/winlogon>.
[3] "Local Security Authority Subsystem Service." Wikipedia. 15 Oct 2008 <http://en.wikipedia.org/wiki/local_security_authority_subsystem_service>.
[4] "NTLM." Wikipedia. 15 Oct 2008 <http://en.wikipedia.org/wiki/ntlm>.
[5] "Security Accounts Manager." Wikipedia. 15 Oct 2008 <http://en.wikipedia.org/wiki/security_accounts_manager>.
[6] "Rainbow table." Wikipedia. 15 Oct 2008 <http://en.wikipedia.org/wiki/rainbow_table>.
[7] "Ophcrack Password Recovery." About.com. 15 Oct 2008 <http://pcsupport.about.com/od/toolsofthetrade/ss/ophcracksbs.htm>.