Software Analysis
LC4
Password Auditing and Recovery Software
@stake Software, Cambridge, MA
LC4 is a password auditing and recovery package distributed by @stake Software. It is the descendant of the famous Windows password cracker L0phtCrack. L0phtCrack was developed in the mid-1990s by a team of hackers determined to reveal to the IT community the security flaws inherent in the Windows password authentication system. The hackers formed a company called L0pht Heavy Industries and produced several versions of the software. Rights to the software were transferred to @stake, and it was re-released as LC3 and now LC4. LC4 is available for a 15-day trial period with the brute-force capability disabled. The cost of a single licensed copy of LC4 is $350.00. An upgrade to LC4 from a licensed copy of LC3 or L0phtCrack 2.x is $95.00. Twenty percent discounts are available to educational institutions, and site licenses can be negotiated.
Early Windows operating systems based on the LAN Manager networking protocols used an authentication system which consisted of transmitting a 24-byte hashed password across the network from client to server in a challenge/response format. The hashed password from the client was compared with the hash of the same password in the server's database; if both hashes matched, the client was authenticated. There were two major problems with this paradigm. The first was an innately weak password hash scheme. The LM hash is based upon a relatively weak algorithm which divides a password into seven-character segments. Each segment is hashed individually, so, no matter how long a password the user chooses, a cracker never has to break more than a seven-character string at a time. The second problem is that the password is converted to uppercase before it is hashed, so case-sensitivity cannot be used to strengthen the password. The weakness of the password hash, coupled with the transmission of the hash across the network in the challenge/response format, made LM-based systems highly susceptible to password interception and brute-force attack. The designers of LC4 estimate that even the best non-dictionary LM passwords can be broken by their software in less than a month. Such a time frame is well within a cracker's range of patience. Screenshot 1 provides an example of a successful network capture and password crack by the L0phtCrack 2.5 product.

Screenshot 1
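The two LM weaknesses described above (seven-character segments hashed independently, and uppercasing before hashing) can be seen directly by computing the hash. The following is an added example written for this review, not code from LC4 or @stake; it implements the standard LM hash with Go's crypto/des, assumes ASCII passwords, and adds a ShortPassword check an auditor can run over a hash to spot passwords of seven characters or fewer (their second half is always the same constant). It also shows why the later "ticklemeelmo" observation holds: the hash only ever sees "TICKLEM" and "EELMO".

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"strings"
)

// BlankHalf: LM half-hash of seven NUL bytes, hence the second half of every
// LM hash whose password is seven characters or shorter.
const BlankHalf = "AAD3B435B51404EE"

// lmHalf hashes one 7-byte half: spread its 56 bits over 8 DES key bytes
// (7 bits each; the low bit is DES parity, ignored), then DES-encrypt the
// constant "KGS!@#$%" under that key.
func lmHalf(half []byte) []byte {
	var bits uint64
	for _, b := range half {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte(bits&0x7f) << 1
		bits >>= 7
	}
	block, err := des.NewCipher(key)
	if err != nil {
		panic(err) // only possible with a wrong key length
	}
	out := make([]byte, 8)
	block.Encrypt(out, []byte("KGS!@#$%"))
	return out
}

// LMHash returns the upper-case hex LM hash of an ASCII password: uppercase
// it, truncate or NUL-pad to 14 bytes, hash each 7-byte half on its own, join.
func LMHash(password string) string {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		p = p[:14]
	}
	p = append(p, make([]byte, 14-len(p))...)
	h := append(lmHalf(p[:7]), lmHalf(p[7:])...)
	return strings.ToUpper(hex.EncodeToString(h))
}

// ShortPassword is true when the second half is the hash of an empty half,
// i.e. the password is seven characters or fewer (audit check, constructed).
func ShortPassword(lmHash string) bool {
	return len(lmHash) == 32 && strings.ToUpper(lmHash[16:]) == BlankHalf
}
```

LMHash("password") and LMHash("PaSsWoRd") are identical, and the second half of LMHash("ticklemeelmo") equals that of LMHash("xxxxxxxeelmo"), which is why each half can be attacked separately.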
When Microsoft introduced their NT product, they strengthened the password hash algorithm to provide a case-sensitive hash which included the whole password as one unit. These NTLM password hashes were also transmitted across the network in a challenge/response format, but they were far less susceptible to brute-force attacks. A brute-force crack on a strong NTLM password by LC4 might take years to complete, and therefore would be of little interest to a potential intruder. Unfortunately, in their commitment to maintain backward compatibility with LAN Manager-based systems, Microsoft chose to use both the LM and NTLM password hashes in their new NT product. Both hashes were sent through the network for authentication and both were stored in the password databases. Although this allowed DOS, WFW, 95 and 98 clients to use NT servers, the decision also rendered the stronger security inherent in the NTLM passwords null and void. Since both hashes are transmitted over the network, cracker software like LC4 need only capture and crack the much simpler LM password and then apply the result of that broken hash to the NTLM hash to determine any differences in case. Therefore, as with earlier Microsoft OSs, even the best NTLM passwords could be captured and cracked in a month or less.
In an attempt to address this problem, MS offered the first effective enhancement to the password authentication scheme in NT SP4. This enhancement allowed system administrators to modify or remove the LM hash from the challenge/response transmission by editing the LMCompatibilityLevel parameter in the system registry. LMCompatibilityLevel is set to a level from 0 to 5. The lower levels allow for the coexistence of both NT and downlevel systems; the higher levels completely remove backward compatibility for LM-based machines. In addition, either 56-bit or 128-bit encryption was offered as an option for both LM and NTLM challenge/response pairs. These LMv2 and NTLMv2 encrypted pairs are quite strong and, although they can be captured from the network by LC4, they are essentially immune to either its dictionary or brute-force attacks. However, NTLMv2 is not configured by default, so simply installing SP4 does not enable it. Also, Windows system administrators have reported numerous authentication problems between SP4 and downlevel systems, even when the LMCompatibilityLevel is configured at a level supposedly supporting backward compatibility.
With the advent of Windows 2000/XP, Microsoft abandoned its traditional challenge/response scheme and introduced Kerberos as its primary authentication method. Used by many current Unix and Linux systems, Kerberos sends 56- or 128-bit encrypted session keys across the network, rather than the password hashes themselves. In simple terms, the keys are hashes applied to the password hashes themselves. Session keys from a client requesting authentication are sent to the authenticating server, whereupon they are decrypted and compared to the original password hash using a sophisticated hashing algorithm. If the application of the algorithm to the original password hash matches the session key, the client is authenticated. No challenge/response pairs are sent across the network in W2k, so LC4's network SMB sniffer will capture nothing. However, in a heterogeneous network with NT and/or LM-based machines, the sniffer will capture traffic. To overcome LC4 in such a network, the aforementioned LMCompatibilityLevel values must be configured in the registry to implement the LMv2 and NTLMv2 encrypted pairs, which, although amenable to capture by the sniffer, are immune to the auditor. This author was unable to capture any packets with the LC4 sniffer on his employer's 2000/XP network. However, when a Windows 98 workstation was configured to join the domain and the domain controller was queried from that workstation, SMB challenge/response packets were captured by the sniffer. This was possible because the LMCompatibilityLevel parameter was set to 0, which allows full backward compatibility for LM-based workstations without strengthening the LM passwords with version 2 encryption.
It can be stated with some confidence that enhancements to the NT and W2k authentication scheme can be applied to render the LC4 password sniffer ineffective. As a result, much of the danger posed by LC4 as a system intrusion tool can be alleviated. However, as a password auditing tool, LC4 can be invaluable to the system administrator for recovering lost passwords or for identifying weak passwords. LC4 is empowered as an auditor by the ongoing presence of LM hashes in Windows password databases. Although both NTLMv2 and W2k Kerberos remove the LM hash from the network authentication exchange, it is still retained as part of the local password database located in the SAM file on NT/W2k machines and/or in the Active Directory on W2k domain controllers. LC4 can extract these hashes from the local registry of the machine it is installed on and subject them to a dictionary attack, a hybrid dictionary/brute-force attack, or a full brute-force attack. The dictionary attack is the fastest and can be augmented with additional word lists beyond the dictionaries supplied with LC4. Numerous word lists can be downloaded from the Internet or created from electronic documents by dictionary-maker applications. The larger the word and word-fragment selection, the more effective the dictionary attack is. LC4 goes through each entry in all the selected dictionary word/number/character lists, hashes the dictionary entry using the LM algorithm and then compares that hash to the password hash. If it finds a match, it breaks the uppercase LM password and then applies it to the NTLM password hash to delineate the case-sensitive characters. The hybrid attack first applies a dictionary attack to the LM password and then inserts from 1 to 3 characters in front of or behind the dictionary word in an attempt to break such passwords as 43Molly, Barnabas09, or 123Bob.
An added feature of the hybrid attack is the capability of replacing alpha characters with common number/special-character alternates. This attack attempts to glean such passwords as b&dd0g, int3rn3t, and !loves@lly and, although faster than a straight brute force, is still painfully slow. The final attack mounted by LC4 is a straight brute force, which simply hashes candidate character strings and compares them against the LM password hash until it finds a match. The brute force is always effective against an unencrypted LM hash, but as mentioned earlier it can take up to a month to break one. Screenshot 2, below, shows the configuration screen for the LC4 crack parameters. Notice that the user can select categories of characters to be used in the brute-force attack, including custom-specified extended ASCII characters. Of course, the more characters you include, the longer the crack will take.

Screenshot 2
Screenshot 3 illustrates the choices available for dumping password hashes into LC4. In addition to the aforementioned sniffer, methods of retrieving password hashes from NT/W2k databases include a direct dump from the local registry database and importing directly from a SAM file stored on an NT Repair Disk or from a SAM file backed up to tape. However, beginning with NT SP3, Microsoft offered system administrators the option of encrypting the password hashes stored within the registry and the SAM file. This encryption scheme, known as SYSKEY, is uncrackable by LC4. Fortunately for LC4, an accomplished hacker, Todd Sabin, developed a utility called pwdump which could extract the unencrypted password hashes from the local registry and SAM of NT/W2k machines through use of a sophisticated programming scheme known as DLL injection. In this scheme, pwdump attaches itself to the Local Security Authority Subsystem Service (LSASS) of an NT/W2k machine and instructs the authentication manager to withdraw the password hashes in the same unencrypted format as LSASS itself uses. These extracted hashes could be saved in a password file and submitted to older versions of L0phtCrack. Unfortunately, pwdump could only extract hashes from the local registry or SAM and could not access hashes stored in the Active Directory of a W2k domain controller. Pwdump2 added Active Directory functionality as well. LC4 now incorporates much of the functionality of Pwdump2 into its own application suite, enabling it to dump plaintext hashes from local NT/W2k registry and AD databases. LC4 still cannot natively extract unencrypted hashes from a local SYSKEY-encrypted SAM file, a SYSKEY SAM file stored on a backup tape, or from a SYSKEY-encrypted registry or SAM file on a remote machine. System administrators desiring this functionality must use the new Pwdump3 software, which is available as a free download from the Internet.
Pwdump3 can extract hashes from the aforementioned containers to a password file which can be easily imported into LC4. It should be emphasized that, in order to use LC4 or any of the pwdump tools to dump password hashes, you must have Administrator status on the system. Neither of these tools is designed to be a quick and easy blackhat utility. Microsoft file and service protection would be a formidable obstacle against any casual modification of the software to overcome this restriction.

Screenshot 3
Screenshot 5 shows an example of an LC4 auditing session. This session applies a dictionary and dictionary-hybrid attack against a series of passwords entered by the author and several of his students. The dictionary lists applied in this attack include an 884k-word general dictionary and about six specialized word lists, all downloaded from various sites on the Internet (see Screenshot 4).

Screenshot 4
The results shown here took about 5 minutes to achieve. The pure brute-force crack was disabled in this trial version, but the brute hybrid was not. Whereas the brute-hybrid append feature seemed to be useful, the prepend and common-letter-substitution features appeared to provide no additional facility, even after running for many hours. The positioning of multiple dictionary words within a password in relation to the 7-character LM segmentation scheme seems to determine how well LC4 can crack the hash. For example, LC4 did not even partially crack the password "ticklemeelmo", even though the words "tickle", "me", and "elmo" were all constituents of the word lists. The author surmises that, because of the 7-character scheme, LC4 was looking for "ticklem" and "eelmo" to match up, instead of the three shorter component words.

Screenshot 5
In conclusion, although LC4 is no longer effective as a sniffer in the W2k environment, it remains a formidable tool in the system administrator's kit for protecting the system against weak, easily crackable passwords. In this way, it can act as a deterrent to the casual script kiddie who has neither the skill nor the patience to subvert complex passwords. Furthermore, it can add an additional line of defense in a multi-layered security initiative designed to protect the system against the talented blackhat cracker.