  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5202

ettercap, ethereal and cain...oh my

In an attempt to heighten my network security awareness I attended some security seminars and have been taking some Security+ courses (hey it's a start, right?).

Some of the tools out there are really amazing, and I plan on learning more in the future. For instance, in one of the seminars I learned how to use cain and/or ettercap to actually use ARP spoofing to sniff a switched network...amazing! (to me anyway...lol) I'm having fun with it on our local LAN (I'm one of the admins, so it's no big deal).

I have been able to pull all kinds of interesting data using some of these programs...especially passwords. I would like some clarification on *some* things however...

All the passwords I have captured have been in plaintext...like logins to websites and ftp sites...which is all fine and good, but someone really trying to hack the network would try to steal domain passwords....how is that accomplished? either linux or win32 tools are fine....

I've heard words like LM (LAN Manager) and MD5 tossed around when talking about passwords....on a windows 2000 domain, are passwords LM packets? I don't know...this is where I'd like some clarification...

So my question is, how are these tools used to get admin privileges (like sniffing admin domain passwords)?
0
Asked: DVation191
1 Solution
 
Chris Dent (PowerShell Developer) Commented:
Windows 2000+ Domains use Kerberos Authentication.

It's a complex one, but basically it doesn't send passwords (encrypted or otherwise) over the network and instead issues tickets for access to services, including a Ticket to Get Tickets (TGT).

You won't be sniffing any network passwords against Kerberos. But it's better that you read up on it to understand why than any attempt at an explanation I could give (which would probably include many errors and omissions).

Here's some information on it:

http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/microsoft_kerberos.asp
http://web.mit.edu/kerberos/www/
http://www.mcmcse.com/win2k/guides/kerberos.shtml

NTLM on the other hand (Windows NT Authentication, NT Lan Manager) was much much easier to break. The password hash (encrypted version of the password) was always transmitted across the network, and it had several security problems, and for that one you can find more information here:

<removed by modulo>

In addition to the increased overall security of Kerberos Authentication the now common use of Switched networks makes breaking passwords much more difficult since for the most part no single computer will see all network traffic and consequently the password hashes or tickets or even the encrypted traffic.
0
 
tmorrison3 Commented:
One way to find Admin passwords - once you're into the network - is Admin accounts have a RID value of 500. So changing the name of the administrator account really does nothing security wise because the RID is the same = 500. That is why it is best to give a user account Admin privileges because the RID value is above 1000 (I think) like all other users. So it's harder for hackers to find accounts simply off the RID value. Then take Admin privileges from the default account or just delete it in W2K3.

LM Hash for passwords is stored in "chunks" of 7. So a password with 8 characters might actually be easier to crack than one with 7 characters - reason being if you can crack the single character in the second LM Hash of the 8 character password you can then crack the other seven - whereas with a seven character password you have to hack all 7.
0
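To make the 7-character chunking in the post above concrete, here is an added example (not code from the thread): an LM hash computed in Go from the published algorithm (uppercase, NUL-pad to 14 bytes, DES-encrypt the constant "KGS!@#$%" under each 7-byte half using the standard library's crypto/des), plus an audit helper that reads the length information a stored hash leaks before any cracking. LMHash and LengthHint are names chosen here, and only ASCII passwords are handled.

```go
package main

import (
	"crypto/des"
	"fmt"
	"strings"
)

// halfKey spreads 7 password bytes over 8 DES key bytes, 7 bits per byte; the
// low bit of each key byte is DES's parity bit, which Go's des ignores.
func halfKey(s []byte) []byte {
	k := make([]byte, 8)
	k[0] = s[0]
	for i := 1; i < 7; i++ {
		k[i] = s[i-1]<<uint(8-i) | s[i]>>uint(i)
	}
	k[7] = s[6] << 1
	return k
}

// lmHalf encrypts the fixed LM magic constant under one 7-byte half.
func lmHalf(half []byte) []byte {
	c, _ := des.NewCipher(halfKey(half)) // key is always 8 bytes, cannot fail
	out := make([]byte, 8)
	c.Encrypt(out, []byte("KGS!@#$%"))
	return out
}

// LMHash (ASCII only): uppercase, NUL-pad to 14 bytes, hash the two 7-byte halves independently.
func LMHash(password string) string {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password))
	return fmt.Sprintf("%X", append(lmHalf(buf[:7]), lmHalf(buf[7:])...))
}

// LengthHint reads a stored LM hash: a second half equal to the all-NUL half's hash means at most 7 chars.
func LengthHint(lmHash string) string {
	if len(lmHash) != 32 {
		return "not an LM hash"
	}
	if strings.EqualFold(lmHash[16:], "AAD3B435B51404EE") {
		return "1-7 characters: one half to recover"
	}
	return "8-14 characters: second half covers only chars 8-14"
}

func main() {
	// Second half of "PASSWORD" equals first half of "D": the halves are independent.
	fmt.Println(LMHash("PASSWORD"), LMHash("D"), LengthHint(LMHash("PASSWORD")))
}
```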
 
Chris Dent (PowerShell Developer) Commented:
Many apologies - is it possible to remove my second post and perhaps the <removed by modulo> link in the first post?

It doesn't specifically describe the process of hacking - but does include a few of the flaws in NTLM as part of the description of how NTLM works.

The Kerberos links don't contain anything that could help break it.
0
 
DVation191 (Author) Commented:
modulo, for what it's worth...I'm not hacking anything...Like I said before, I am the admin on this network and am doing nothing more than trying to learn about how it's done...without understanding it, I can't take steps to stop it.

getting the passwords is not my goal here...what do I care? I have admin privileges and can get into anything I want to anyway...

Like I said, I don't know if it's worth even mentioning the above, but I want everyone to understand there is no malicious intent here....

Chris-Dent, perhaps you could private message me links or information that maybe is borderline, just to avoid any trouble with EE rules?
0
 
DVation191 (Author) Commented:
Chris-Dent, on another note...before I started working here there were pre-2000 clients on the network and so the server wasn't running in native mode, but mixed mode. Doesn't this affect whether or not Kerberos Authentication is used? If it isn't used, what is? I'm pretty sure from a security standpoint that it is better to be in native mode...but I don't know why.
0
 
Chris Dent (PowerShell Developer) Commented:

Unfortunately there's a very fine line between using detailed information on authentication for enforcing security and defeating security. And since this site pops up very quickly on google searches it's something we want to avoid having details on (and I like my membership and don't want to lose it).

So if it's okay with you and everyone else, I'll approach this from more of a high-level perspective, and (hopefully) ignore details that might be used against us. I've tried not to include anything dubious.

The main difference between Kerberos and NTLM is how they approach authentication.

NTLM always assumed the network you were passing authentication tokens over was secure - and because of that it wasn't as strong as it might have been.

Kerberos on the other hand starts out with the belief that the network you're authenticating across isn't secure at all and it goes to great lengths to avoid any of its encrypted traffic being of any use to a potential attacker. Even catching a ticket (which provides access to a service) won't achieve much if the attacker managed to decrypt it, they're valid for 5 minutes only and the KDC (I think) holds a history of tickets to prevent duplication etc.

You mention Windows 2000 mixed mode above - that does use Kerberos as its default protocol, but also has NTLM as a backup. When you switch to Native Mode NTLM is disabled completely for inter-domain authentication but still used for standalone machines authenticating onto the domain. I never managed to establish whether pre-2000 clients on the network use NTLM or Kerberos to authenticate in mixed mode.
 
Still, network security doesn't stop with the authentication protocols in use - they are only a small part of it.

The underlying structure of the network should be considered. Switches reduce any potential attacker's ability to snoop on traffic because they perform layer 2 routing (via MAC Address), this is a vast improvement over hubs which just throw traffic back out of every single port.

Physical access to your network hardware is important - you don't want someone wandering up and plugging a laptop in because a wiring cabinet was unlocked, or a server room open.

Wireless networking devices should be deployed only with very great care - there are already far too many of these devices in use without adequate consideration given to security.

In addition to this you have password policies including complexity requirements which can be used to vastly increase the character set used for a password (from 26 / 52 to somewhere near 100).

But for all the controlled web access, locked down machines, firewalls, complex passwords, antivirus... the list goes on, we still face one problem:

Social Engineering

Type "passwords for chocolate" into google and the very first link is a prime example of this technique.

For this method of intrusion to be ineffective every user on the network (including the administrators) must agree that access to the network is privileged and not something to just give away. And for that one I can provide no answers.
0
 
DVation191 (Author) Commented:
>> I never managed to establish whether pre-2000 clients on the network use NTLM or Kerberos to authenticate in mixed mode.
++ I suppose at this point it really wouldn't matter since there are no pre-2000 clients on our network anymore.

>> The underlying structure of the network should be considered. Switches reduce any potential attacker's ability to snoop on traffic because they perform layer 2 routing (via MAC Address), this is a vast improvement over hubs which just throw traffic back out of every single port.
++ And yet, while being slightly more difficult, it is actually quite easy to use ARP spoofs to redirect traffic to your own machine, setting yourself up for a potential "man in the middle" attack. Short of using the switch port security features, this doesn't seem to help the vulnerability much.

>> Physical access to your network hardware is important - you don't want someone wandering up and plugging a laptop in because a wiring cabinet was unlocked, or a server room open.
++ Agreed, and that's not a problem as only the two admins and the owners of the company have keys to the LAN room.

>> In addition to this you have password policies including complexity requirements which can be used to vastly increase the character set used for a password (from 26 / 52 to somewhere near 100).
++ In group policy we have password complexity enforced and an 8 character minimum...I believe that to be sufficient for all but the most powerful brute-force password cracking tools (Though from what I understand about everything you've said so far, it doesn't appear that sniffing kerberos traffic is even possible...)

>> Wireless networking devices should be deployed only with very great care - there are already far too many of these devices in use without adequate consideration given to security.
++ We do have a WLAN set up with 128-bit WEP (not that 128-bit WEP is all that secure anyway...), but it is not part of the domain and is set up only for internet access, not domain or LAN access.

>> Social Engineering
++ The most powerful hacking tool available!

Good info Chris-Dent...thanks. This explains why I couldn't sniff any LM packets on the network...
I am left with some more questions...I'll try to ask them in a way that doesn't require a detailed answer.

1. Are there tools that can sniff a password from kerberos packets? (Even if it's just the hash)
2. Are Kerberos passwords vulnerable to pre-computed hash tables (rainbow tables)?
0
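The ARP-spoofing concern raised in the reply above is usually met on the detection side by watching for IP-to-MAC bindings that change (the approach arpwatch-style tools take). The following is an added example, not code from the thread: it replays constructed ARP observations, alerts when an address already bound to one MAC is claimed by another, and counts how many addresses each MAC answers for. Reply, Alert, DetectFlips and ClaimCounts are names chosen here, and the sample data is constructed.

```go
package main

import "fmt"

// Reply is one observed ARP reply: at Time, MAC claimed to own IP (MACs pre-normalised).
type Reply struct{ Time, IP, MAC string }

// Alert records an IP whose bound MAC changed, the classic ARP spoofing symptom.
type Alert struct{ Time, IP, OldMAC, NewMAC string }

// DetectFlips replays replies in order, alerting when an IP already bound to one MAC is claimed by another.
func DetectFlips(replies []Reply) []Alert {
	bound := map[string]string{}
	var alerts []Alert
	for _, r := range replies {
		if old, ok := bound[r.IP]; ok && old != r.MAC {
			alerts = append(alerts, Alert{r.Time, r.IP, old, r.MAC})
		}
		bound[r.IP] = r.MAC // repeats of the new MAC stay quiet; a flip back alerts again
	}
	return alerts
}

// ClaimCounts counts distinct IPs per MAC; one host answering for itself and the gateway is what a MITM looks like.
func ClaimCounts(replies []Reply) map[string]int {
	seen := map[[2]string]bool{}
	counts := map[string]int{}
	for _, r := range replies {
		pair := [2]string{r.IP, r.MAC}
		if !seen[pair] {
			seen[pair] = true
			counts[r.MAC]++
		}
	}
	return counts
}

// sample is constructed: gateway .1 is seen at its real MAC, then host .50 starts answering for .1 as well.
var sample = []Reply{
	{"09:00:01", "192.168.1.1", "aa:bb:cc:dd:ee:01"},
	{"09:00:02", "192.168.1.50", "00:11:22:33:44:99"},
	{"09:00:03", "192.168.1.1", "00:11:22:33:44:99"},
	{"09:00:04", "192.168.1.1", "00:11:22:33:44:99"},
}

func main() {
	for _, a := range DetectFlips(sample) {
		fmt.Printf("%s %s moved from %s to %s\n", a.Time, a.IP, a.OldMAC, a.NewMAC)
	}
}
```

In the sample, only the third reply raises an alert, while ClaimCounts shows the .50 host answering for two addresses.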
 
DVation191 (Author) Commented:
3. What *if* somebody was able to walk into the LAN room and had access to the KDC...passwords are stored in the db I'd assume...is this any less a vulnerability than sniffing the traffic remotely?
4. What algorithms does Kerberos use? I've seen MD5 mentioned...
0
 
Chris Dent (PowerShell Developer) Commented:

Kerberos authentication is more than just password handling, and the passwords are only a minor part of the process really.

In short, passwords are not transmitted, service tickets are used and those don't contain the password. So you could sniff the traffic, but it's designed so the traffic itself is as little use as possible.

But in the end I only have a basic understanding of Kerberos, reading the documentation on it would help you understand how it attempts to avoid the kind of attacks rather than any flawed explanation I could provide.

This (rather odd) article might help explain the origins and concepts of Kerberos a little more:

http://web.mit.edu/kerberos/www/dialogue.html
0
 
Chris Dent (PowerShell Developer) Commented:

The KDC doesn't store passwords at all, only the password hash generated when the password was created by non-reversible encryption.
0
 
DVation191 (Author) Commented:
Chris-Dent, before your reply I did some looking around on the net. I found this security site... {link removed}
It has some nice tools that could be used for a variety of purposes. Look at the one involving Kerberos...any idea how that might work if all that is ever transmitted over the network are service tickets?
0
 
Chris Dent (PowerShell Developer) Commented:

No idea I'm afraid, I can't view the site from here - internet restrictions.

Kerberos makes it as hard as possible to gain unauthorised access though, but I doubt it is completely foolproof.

You shouldn't really post links like that on here though.
0
 
DVation191 (Author) Commented:
Eh, sorry. Can an admin refer me to the specifics of what's allowed and what's not? I thought I was safe with my post...sorry =/
0
 
DVation191 (Author) Commented:
I looked over both and could only find information that illegal activities (like hacking) are a member agreement violation. As far as I can tell, I am not doing anything illegal as the owner of the network (my boss) is aware of my activities.

That being said, I'd rather end the subject now before I push my luck...I value my EE membership too much =)

Thanks for all the info Chris-Dent
0
 
DVation191 (Author) Commented:
Understood. Thanks for the clarification, ee_ai_construct. Have a good one guys.
0
