A Case Study in How Hackers Use Windows Password Vulnerabilities

By Kevin Beaver

In this case study, Dr. Philippe Oechslin, an independent information security consultant, shares his recent research findings on how hackers can exploit Windows password vulnerabilities. It is worth keeping this information in mind when choosing your own passwords.

The Situation

In 2003, Dr. Oechslin discovered a new method for cracking Windows passwords — now commonly referred to as rainbow cracking. While testing a brute-force password-cracking tool, Dr. Oechslin thought that everyone using the same tool to generate the same hashes (cryptographic representations of passwords) repeatedly was a waste of time.

He believed that generating a huge dictionary of all possible hashes would make it easier to crack Windows passwords but then quickly realized that a dictionary of the LAN Manager (LM) hashes of all possible alphanumerical passwords would require over a terabyte of storage.

During his research, Dr. Oechslin came across a technique called time-memory trade-off, in which hashes are computed in advance but only a small fraction of them are stored (approximately one in a thousand). He found that the way the precomputed hashes are organized makes it possible to recover any password, provided you spend some time recalculating some of the hashes. This technique saves memory but takes a lot of time.

Studying this method, Dr. Oechslin found a way to make the process more efficient, making it possible to find any of the 80 billion unique hashes by using a table of 250 million entries (1GB worth of data) and performing only 4 million hash calculations. This process is much faster than a brute-force attack, which must generate 50 percent of the hashes (40 billion) on average.

This research relies on the absence of a random element (a salt) when Windows passwords are hashed. This is true for both the LM hash and the NTLM hash built into Windows: the same password produces the same hash on any Windows machine. Although it was known that Windows hashes have no random element, no one had used a technique like the one Dr. Oechslin discovered to crack Windows passwords.
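As an added illustration of the time-memory trade-off described above and of why the missing salt matters (this is not code from the article or from Dr. Oechslin's tool): a toy rainbow-table build and lookup in Python over a three-letter lowercase key space, with MD5 standing in for the unsalted LM/NTLM hash. The chain length, the number of chains, the reduction function and the hash-call counter are my own choices; the table stores only the two ends of each chain, a lookup recomputes a few hundred hashes instead of the brute-force average of half the key space, and a per-user salt makes the precomputed table useless.

```python
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3                          # toy key space: 26**3 = 17,576 passwords
SPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 20                      # hashes per chain; only each chain's two ends are stored
HASH_CALLS = [0]                    # counter (a list so functions can update it) of hash computations

def H(pw: str) -> bytes:
    """Unsalted hash standing in for LM/NTLM: the same password gives the same digest everywhere."""
    HASH_CALLS[0] += 1
    return hashlib.md5(pw.encode()).digest()

def idx_to_pw(n: int) -> str:
    """Enumerate the key space: integer in [0, SPACE) -> LENGTH lowercase letters."""
    return "".join(ALPHABET[(n // len(ALPHABET) ** i) % len(ALPHABET)] for i in range(LENGTH))

def reduce_(digest: bytes, col: int) -> str:
    """Reduction function: maps a digest back into the key space; varies per column (rainbow style)."""
    return idx_to_pw((int.from_bytes(digest[:8], "big") + col) % SPACE)

def build_table(n_chains: int) -> dict:
    """Precompute n_chains chains of CHAIN_LEN hashes, keeping only end point -> start point."""
    table = {}
    for i in range(n_chains):
        start = idx_to_pw((i * 7919) % SPACE)    # spread chain starts across the key space
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_(H(pw), col)
        table.setdefault(pw, start)               # first chain to reach an end point keeps it
    return table

def lookup(table: dict, target: bytes):
    """Return (password, hashes recomputed) for `target`, or (None, hashes) if not covered."""
    HASH_CALLS[0] = 0
    for col in range(CHAIN_LEN - 1, -1, -1):     # guess the column where `target` sits in a chain
        pw = reduce_(target, col)
        for c in range(col + 1, CHAIN_LEN):      # walk the rest of that chain to its end point
            pw = reduce_(H(pw), c)
        if pw in table:                          # known end point: rebuild the chain from its start
            cand = table[pw]
            for c in range(CHAIN_LEN):
                h = H(cand)
                if h == target:
                    return cand, HASH_CALLS[0]
                cand = reduce_(h, c)             # no hit: false alarm from a merged chain, keep going
    return None, HASH_CALLS[0]

def salted(salt: str, pw: str) -> bytes:   # what the table cannot cover: a per-user salt
    return hashlib.md5((salt + pw).encode()).digest()
```

With 3,000 chains the table holds at most 3,000 entries for a 17,576-password space, and looking up the unsalted hash of a chain start succeeds after far fewer hash computations than the 8,788 a brute-force search needs on average.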

Dr. Oechslin and his team originally placed an interactive tool on their website that enabled visitors to submit hashes and have them cracked. Over a six-day period, the tool cracked 1,845 passwords in an average of 7.7 seconds! You can try out the demo for yourself.

The Outcome

So what’s the big deal, you say? This password-cracking method can crack practically any alphanumeric password in a few seconds, whereas current brute-force tools can take several hours. Dr. Oechslin and his research team have generated a table with which they can crack any password made of letters, numbers, and 16 other characters in less than a minute, demonstrating that passwords made up of letters and numbers aren’t good enough.

Dr. Oechslin also stated that this method is useful for ethical hackers who have only limited time to perform their testing. Unfortunately, malicious hackers have the same benefit and can perform their attacks before anyone detects them!

Philippe Oechslin, PhD, CISSP, is a lecturer and senior research assistant at the Swiss Federal Institute of Technology in Lausanne and is founder and CEO of Objectif Sécurité.