'Utility tool' can crack user passwords
'Hack' punches hole in NT nets' security
Larry Lange
EE Times
March 31, 1997
San Francisco - A major security flaw has been uncovered in the Microsoft Corp. NT network operating system that could enable a remote user to unscramble encrypted information - including the entire registry of user passwords - and display it as plain text.
A pair of professional security technologists wrote the code for the "hack" that found the flaw. The code has been verified by several experts and is making the rounds on the Internet via an electronic mailing list frequented by skilled hackers with an interest in NT-security issues.
The potentially password-cracking code is the third major hack of NT in as many months and follows recent revelations of security holes in Microsoft's Internet Explorer Web browser. Certainly, the software giant's security technology has come under closer scrutiny by the hacking community as NT and Internet Explorer have found broader market acceptance.
Mike Nash, Microsoft's director of marketing for NT Server, acknowledged the security flaw without elaborating on a possible fix. "It's good that people are testing our products, and the best thing we can do is increase the awareness about security to our customers," he said.
Though presented in the mailing list as a "utility tool" for NT systems administrators, the latest hack is capable of much more.
"It's a double-edged sword," Jeremy Allison, principal author of the hack's code, told EE Times. "This is a useful utility for migrating users to Unix systems from Windows NT, but it can also enable people to see all the actual passwords, which until now wasn't possible.
"If you are inside an NT system, this could be used for hacker purposes."
"All that's missing is intent," noted Yobie Benjamin, senior consulting architect for emerging technologies at Cambridge Technology Partners (Cambridge, Mass.) and co-author of the code. "If somebody wanted to crack an NT server today, for malicious purposes or financial gain, the pieces of the puzzle are now all there."
Microsoft's Nash admitted to some of that. "In this case, it is possible to break into the system and decrypt passwords," he said. "But it requires that you have administrative privilege."
Not so, said Yobie Benjamin, who noted that bypassing administrative privilege to glean these passwords is possible in other ways. In fact, Benjamin said, even a "reasonably skilled kid" with an inexpensive 386 PC and a 28.8-kbit/second modem could access an NT network, though not through a direct dial-in and log-on attack. Rather, access could be obtained via a "Trojan horse" - a series of small programs embedded in a file that are sent to a user via e-mail over a network.
"All one of these NT users has to do is double-click on one of these programs to execute it, and the program does what it's supposed to do" - that is, retrieve plain-text files of passwords - "and at some point e-mails back the results. You wouldn't even know what hit you," he said.
Chris Goggans, senior networking security engineer at Wheelgroup Inc. (San Antonio, Texas), concurred that the hack code "makes NT or anything using Microsoft networking vulnerable to attacks." Now that NT "is being accepted into all kinds of environments, you're going to see all kinds of bugs come out," he said.
But that shouldn't be surprising; after all, Goggans noted, "we're still seeing bugs coming out of 20-year-old Unix, and NT is a baby in comparison."
Wake-up call
Allison, a programmer at Cygnus Solutions (Sunnyvale, Calif.), which provides Unix and NT desktop and cross-platform development tools, said he put in only three months of part-time work on the hack. "Microsoft's marketing has positioned NT as being much more secure than Unix; they're playing on people's fears," he told EE Times. But "their password-encryption mechanism obviously has some flaws in it; it's not as good as Unix's.
"They know that - but I guess they'll really know it now."
The hack is particularly perturbing for Microsoft since it goes directly for the heart of the NT security system: the Security Accounts Manager (SAM), where the passwords reside. The now-public code effectively exploits that area by "breaking" the hashing algorithm via a reverse-engineering technique.
"If someone can break into NT security," said Allison, "this allows them to dump out the password database and run a 'dictionary attack.' It's very easy because NT doesn't use 'salt' [random per-user data that keeps identical passwords from producing identical hashes]. Salt adds another level of complexity to the password-hashing algorithm. Instead, NT uses a very simple password-hashing algorithm."
Higher purpose
Yet the hack is not without its nobler functions for NT. Benjamin explained that NT systems administrators, unlike their Unix counterparts, have no way to view the passwords of their users; once an NT user establishes a password, only that person alone can see it. That has been a point of contention among NT sysads.
Many Unix sysads use a program called Crack that attacks in-house passwords to reveal vulnerabilities-such as commonly used (and easily guessed) passwords. Benjamin's and Allison's code, with a bit more development, will allow such a program to be constructed for NT.
"This is a springboard to that," said Goggans. "I expect, within the next week, someone out there's going to write such a program for NT."
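To make concrete the salt point Allison raises above and the Crack-style password audit Benjamin and Goggans describe, here is an added Python example that is not from the article or from any tool it mentions; it uses a toy SHA-256 scheme with constructed sample accounts (assumed names and passwords, not the real NT SAM hash) to show why an unsalted store both exposes shared passwords at a glance and lets one pass over a wordlist cover every account, while a salted store forces the work to be repeated per user.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample accounts (not real data): two users chose the same
# weak password. Hashes are toy SHA-256 values, NOT the NT SAM format.
USERS = {"alice": "dog", "bob": "cat", "carol": "dog"}
WORDLIST = ["password", "dog", "cat", "letmein"]  # constructed dictionary

def unsalted_hash(password):
    """No salt: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt):
    """A per-user random salt is mixed in, so equal passwords hash differently."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def make_unsalted_db():
    return {user: unsalted_hash(pw) for user, pw in USERS.items()}

def make_salted_db():
    db = {}
    for user, pw in USERS.items():
        salt = os.urandom(16)
        db[user] = (salt, salted_hash(pw, salt))
    return db

def shared_passwords(db):
    """Unsalted store: users sharing a password are visible before any guessing."""
    groups = defaultdict(list)
    for user, digest in db.items():
        groups[digest].append(user)
    return sorted(sorted(u) for u in groups.values() if len(u) > 1)

def audit_unsalted(db, wordlist):
    """Crack-style audit: hash each word once, then match every account at once."""
    lookup = {unsalted_hash(w): w for w in wordlist}
    weak = {user: lookup[d] for user, d in db.items() if d in lookup}
    return weak, len(wordlist)  # second value: hash computations needed

def audit_salted(db, wordlist):
    """Same audit with salt: every word must be rehashed for every user."""
    weak, work = {}, 0
    for user, (salt, digest) in db.items():
        for w in wordlist:
            work += 1
            if salted_hash(w, salt) == digest:
                weak[user] = w
    return weak, work
```

With three accounts and four words, the unsalted audit needs four hash computations and also reports alice and carol as sharing a password without guessing anything; the salted audit needs twelve and reveals no sharing.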
Another benefit for both Unix and NT administrators is built into the hack's source code: The hack could prove a useful utility for migrating users to Unix systems from Windows NT. "A lot of users have both a Windows NT box and a Unix machine, and they don't want to have separate passwords for both, and it's a massive pain for administrators to [maintain] two separate password databases," Allison noted. "What this allows an administrator to do is to take an NT machine and replicate the password database onto the Unix machine."
Yet Wheelgroup's Goggans maintained that immediate harm could result from the code's being let loose over the Net. If someone has broken into any of the NT machines, or an employee is angry, Goggans said, "he or she can simply run a 'sniffer' program to pull the encrypted passwords and then run that program with a common 'dictionary' program to get the plain-text passwords."
That, in effect, would turn a mere user into a full-blown system administrator - or system saboteur.
"NT is not as safe as it had been, because of this hack," Goggans said.
Frank Ramos, president of Somarsoft Inc. (San Francisco), a security-auditing-program developer for NT, said the hack appears to have nullified Microsoft's marketing claims that NT administrators are denied user-password access in the interest of secure networking.
"With this, a user still has to have access to the network and the SAM" to pull off the hack, "but it's questionable just how difficult it is to get that [access]," Ramos said.
Indeed, he said, test code resides on his company's posted Web site that shows just how easy it may be.
"Below is an example of the sort of source code that could be used over the Internet to attempt logging in as an administrator [by] using a database of passwords or a password-generator algorithm until a password is found that works," the Somarsoft page reads. "Once the administrator password is found, the hacker has complete access to the machine."
Predicted Benjamin: "I bet that once this SAM-hash crack gets out there, the next iteration will be an attack through the Net."
Not surprisingly, NT is coming under scrutiny just as it is making significant inroads into both the workstation and server markets. Hackers are notorious for targeting high-profile products; consider the assault on Netscape's encryption technology last year and on Microsoft's IE browser more recently.
According to market figures published by International Data Corp. (Framingham, Mass.), new unit sales of the Windows NT Server grew by 85 percent in 1996, more than double the new-unit performance of NetWare 4.x. Also, for the first time, NT-based "personal workstations" became a viable alternative last year to traditional workstations for users in commercial environments, in organizations upgrading from PCs, and in entry-level CAD and animation arenas. Sales of Windows NT workstations totaled $2.9 million; unit volumes reached 716,000, according to the research firm.
Benjamin appears to be no stranger to Microsoft's security staff. He was actively involved in uncovering at least two other security flaws, in collaboration with a respected TCP/IP hacker known as Hobbit. The two hackers exposed holes in NT security that resulted from vulnerabilities in Microsoft's Common Internet File System (CIFS), an Internet version of the Server Message Block (SMB) protocol used in Microsoft networking to provide access to files, printers and other shared resources.
Microsoft has addressed those issues, primarily by posting advice for administrators on its Web site and by adding fixes to upgrades in "service packs."
"In the face of NT's growing popularity, more people such as myself and many others will push both its capabilities and weaknesses to its breaking point - and, in my opinion, rightfully so," Benjamin said. "It is part of the 'operating-system imperative' - constant evolution, through real-world testing, to meet higher security demands."
Microsoft's Nash said that NT customers can do two things to help themselves in NT security matters. "First, don't give the security privilege out to people you don't trust," he said, adding, "don't use words like 'dog' and 'cat' as passwords; rather, use 'strong' passwords, words with a combination of upper- and lowercase characters, numbers and punctuation marks."
Microsoft can be expected to pursue a short-term solution to the potential password breach by offering a fix or a patch, but Benjamin noted that "it is not a trivial task to change the NT SAM." He suggests that the company release NT version 5.0 - with an improved security architecture - as quickly as possible. Microsoft's current schedule for NT 5.0 targets a first-quarter '98 release date, and beta by the end of this year.
Short- and long-term fixes notwithstanding, Benjamin notes a fundamental issue with NT: It is rooted in "old-school LAN-manager technology. It was never meant to be for a large enterprise."
Given that fact, he said, nothing but "continual vigilance" will suffice. System administrators and users, Benjamin said, should be "careful about what they are downloading; stay up to date with all the patches; and get on the relevant mailing lists, such as ntbugtraq."
Goggans of Wheelgroup had this caustic warning for the software monolith: "Microsoft should spend less money on getting the Rolling Stones' Start Me Up on their operating systems and more on [recruiting] experts in security and networking.
"Until that happens, the consumer will continue to be the final beta tester."
- Additional reporting by Margaret Ryan.
Copyright © 1997 CMP Media Inc.