Windows XP Login Vulnerabilities
A Case Study Using Ophcrack
Yoan Hermida
12/1/2008

Abstract

This paper aims to demonstrate that the login process for Windows XP is inherently insecure. It shows, through a case study, how the password cracking utility Ophcrack can easily crack simple alphanumeric passwords. The weakest point of the login process is that Windows XP uses the LM (LAN Manager) hash to store user passwords. Using rainbow tables, cracking utilities such as Ophcrack can cycle through partially pre-computed hash chains until a match is established.

Outline

This paper begins with an introduction stating the nature of the problem and why I believe it is interesting. It then explains out-of-the-box weaknesses in the BIOS configuration of almost all PCs, which allow cracking programs and other malicious code to be executed. This is followed by an explanation of the Windows XP boot process, paying particular attention to the use of the LM hash in storing user passwords. We then move on to the method of attack I chose to study, paying particular attention to rainbow tables and how they are used to defeat Windows XP passwords of 14 characters or fewer. Results from my experiment with Ophcrack, as well as screenshots, are presented. Lastly, I explain how to secure a Windows XP system against this particular method of attack.

Introduction

The problem I am describing involves the use of Live CDs/DVDs that contain pre-computed data known as rainbow tables, which can be used to defeat most simple alphanumeric passwords created by users of a Windows XP system. The vulnerability lies in Microsoft's decision to retain a legacy method of storing user passwords that is now deprecated in the industry: the LM (LAN Manager) hash.
The LM hash has been retained as a password storage method because backward compatibility must be maintained with systems still running DOS or other Microsoft legacy operating systems. I believe this is an interesting problem because most computers in the world run Microsoft Windows, and of those most run Windows XP. This is true despite the fact that the latest Microsoft operating system, Windows Vista, is widely perceived in the industry as a total disaster. Moreover, many IT departments are bypassing Vista altogether and retaining their Windows XP systems until the next version of Windows, Windows 7, is released. This means that a majority of the world's computers have two disastrous login vulnerabilities:

1. Live CDs can be booted in place of the installed operating system;
2. Simple alphanumeric passwords are stored as LM hashes and can be cracked using programs that run from Live CDs.

Even if the optical drive is disabled as a boot device by default in the BIOS, a potential attacker with physical access to the system can simply enter an unprotected BIOS and enable the optical drive as a bootable device. The attacker can then insert a Live CD containing a cracking program such as Ophcrack and obtain all user passwords (including the Administrator's) in a matter of minutes. The attacker then simply makes a note of the password, kills the program, removes the optical media, reboots the machine and allows the operating system to load. Once the login screen is visible, he or she can log into the account of any user of that system.

Some essential steps that users of Windows XP need to take are to password-protect their BIOS and to choose strong passwords that are either longer than 14 characters (so that no LM hash is stored at all) and/or contain non-alphanumeric characters. These two steps are the secret to defeating an Ophcrack attack, and yet many people have no knowledge of either these vulnerabilities or the ease with which they can be exploited.

BIOS Vulnerabilities

Before delving into the details of the login vulnerabilities in Windows XP, we shall explore a security gap in the BIOS configuration of most PCs which allows the method of attack discussed in this paper to be executed: the lack of BIOS passwords on most PC systems. The simplicity of the solution is as stunning as the size of the hole that an unprotected BIOS constitutes. One merely needs to enter the BIOS setup by pressing F2 (or whichever key the manufacturer uses, such as Del) during POST, find the correct setting and set an administrator password for the BIOS. The fix seems simple enough, and yet millions of systems lie unsecured, waiting for an attacker to insert a Live CD and exploit the LM hash weakness.

While the simple measure described above goes a long way toward preventing the type of attack described in this paper, it is useless without modifying another BIOS setting: the boot order, and whether anything but the hard drive should even be scanned for bootable media. Again, plugging the hole simply involves going into the BIOS and specifying that only the C drive (or whatever hard drive contains the operating system) should be a boot device. Coupled with the BIOS password, this denies a would-be attacker the opportunity to boot a program such as Ophcrack. One caveat applies: a BIOS password only guards the setup menu and boot order. An attacker who can open the case can usually clear it by resetting the CMOS, or can simply remove the hard drive and read the SAM on another machine, so these settings raise the bar for casual attacks rather than defeating a determined one.

While the BIOS goes by a different name in the Mac world, Apple machines are no less vulnerable to a very simple firmware (the term used in Mac land) attack. Armed with a Mac OS X install disc, the attacker holds down the C key at startup to boot from the disc and, upon entering the installation environment, can reset the password of root, or of any local user, to whatever he desires. This is because, by default, Mac client systems do not password-protect the firmware. Password-protecting the firmware would prevent this type of attack. Apple servers do have firmware password protection enabled by default, but the password is typically several characters of the serial number.

Overview of the Windows XP Boot Process

As with most modern computer systems, once the power button is pressed the computer undergoes a POST (Power-On Self-Test), which is run by the BIOS (Basic Input/Output System). Once the BIOS determines that memory and other subsystems are in working order, it reads the Master Boot Record (MBR), the first sector of the first hard drive. From this point the operating system begins to take control of the system and to be loaded into memory. The MBR code locates the active partition and loads its boot sector, which passes the job of loading the operating system to NTLDR, Windows XP's boot loader. The boot loader enables memory addressing beyond real mode, starts the appropriate file system code, reads boot.ini and displays the boot menu. Once XP is selected from the boot menu (if it is not the default, on multi-OS systems), NTLDR runs NTDETECT.COM to gather basic hardware information; BOOTSECT.DOS is used only when a legacy operating system entry is selected. Initially the system runs in 16-bit real mode and then switches to 32-bit protected mode. NTLDR then loads NTOSKRNL.EXE (the kernel) and HAL.DLL (the hardware abstraction layer), which together form the core of Windows XP, reads the SYSTEM registry hive and loads the boot-start drivers. NTOSKRNL.EXE takes over and, through the Session Manager (SMSS.EXE), starts WINLOGON.EXE, which in turn starts LSASS.EXE. [1]

WINLOGON.EXE does not itself verify credentials; it delegates that to LSASS and handles mostly interface functions. Such functions include creating and protecting the window station and desktops, ensuring that only the local system and the logged-on user have access to these objects. The process also handles SAS (Secure Attention Sequence) recognition: an event such as Ctrl+Alt+Del that tells the operating system that the user is ready to log in or wants to lock the workstation. User profiles are loaded by WINLOGON.EXE. The process also assigns security to the user shell and monitors keyboard and mouse events in order to determine when to activate the screen saver. Lastly, Winlogon provides support for multiple network providers.
[2]

LSASS.EXE, the Local Security Authority Subsystem Service, is the process responsible for enforcing the security policy on the system. The process verifies users who are logging on, handles password changes, writes to the security log and creates access tokens. An access token contains the relevant security information for a logon session and identifies the user, the user's groups and privileges. The infamous Sasser worm exploited a buffer overflow in the LSASS process; the resulting crash of LSASS caused Windows to display a shutdown timer and force a reboot. [3]

Overview of How Windows XP Saves User Authentication Information

When a user creates a password in Windows XP that is fewer than 15 characters long, rather than storing the password in clear text the system stores it in the Security Accounts Manager (SAM) as two different hashes. A hash is produced when a hash function is applied to the clear text. One of the hashes produced by Windows XP is the LM (LAN Manager) hash, a legacy hash that has its origins in the LAN Manager network operating system. Windows Me was the last commercial version of Windows that saved user passwords using only the LM hash. In Windows XP the LM hash was kept for backward compatibility with legacy systems and is enabled by default, although its creation can be disabled manually.

LM hashes are created as follows. The user's password, as an OEM (code page) string, is converted to uppercase. It is then brought to exactly 14 bytes by truncating it or padding it with null bytes, and split into two 7-byte halves. Each half is turned into a DES key by converting its 7 bytes into a bit stream and inserting one extra bit (a 0, in the description cited here) after every 7 bits, producing the 64 bits a DES key needs; DES ignores these parity positions, so their value does not affect the result. Each key is then used to DES-encrypt the constant string "KGS!@#$%", producing two 8-byte ciphertexts, which are concatenated into the 16-byte LM hash.
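The preprocessing steps above, worked through in Python as an added example (this is not code from the paper or from Ophcrack, and all function names are my own). Python's standard library has no DES, so the block stops short of the final encryption and instead treats the well-known DES output for an all-null half, AAD3B435B51404EE, as an assumed constant. That constant is what makes the second part of the block useful: given LM hashes from a pwdump-style dump, it tells you before any cracking whether each password is empty or absent, 7 characters or fewer, or 8 to 14 characters. The sample dump lines and their non-constant hash values are constructed for the example; the block assumes ASCII passwords and the cp437 OEM code page.

```python
"""LM hash preprocessing and SAM-dump triage.

Added example; not code from the paper or from Ophcrack. Assumes ASCII
passwords and the cp437 OEM code page. The standard library has no DES, so
the final encryption step is not performed here.
"""
from typing import Dict, Optional, Tuple

LM_MAGIC = b"KGS!@#$%"
# DES-encrypting LM_MAGIC under the key derived from seven null bytes yields this
# well-known constant. It is assumed here, not computed: with no DES available we
# rely on the published value.
EMPTY_HALF = "AAD3B435B51404EE"


def lm_halves(password: str) -> Optional[Tuple[bytes, bytes]]:
    """Steps 1-3 of the LM construction: uppercase, fit to 14 bytes, split in two.

    Returns None for passwords longer than 14 characters: Windows XP then keeps
    only the NT hash and writes the empty-password constant into the LM field.
    """
    if len(password) > 14:
        return None
    oem = password.upper().encode("cp437", "replace")  # OEM string, case folded
    oem = oem.ljust(14, b"\x00")[:14]                   # pad with nulls / truncate
    return oem[:7], oem[7:]


def des_key(half: bytes) -> bytes:
    """Step 4: stretch a 7-byte half to the 8 bytes DES wants.

    One bit is inserted after every 7 bits of the input. DES ignores these
    (parity) bits, so inserting 0, as the paper's source describes, gives the
    same ciphertext as setting odd parity.
    """
    if len(half) != 7:
        raise ValueError("LM halves are exactly 7 bytes")
    bits = "".join(f"{b:08b}" for b in half)           # 56 bits
    return bytes(int(bits[i:i + 7] + "0", 2) for i in range(0, 56, 7))


def triage_lm_hash(lm_hex: str) -> str:
    """Classify a 32-hex-digit LM hash from a dump before spending table time on it."""
    h = lm_hex.strip().upper()
    if len(h) != 32 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError("an LM hash is 32 hex digits")
    first, second = h[:16], h[16:]
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return "no-lm-hash"            # empty password, NoLMHash set, or > 14 characters
    if second == EMPTY_HALF:
        return "1-7-chars"             # second half is the null-padding constant
    return "8-14-chars"                # two independent 7-character searches


def parse_pwdump_line(line: str) -> Dict[str, str]:
    """Split a pwdump-style line 'user:rid:lmhash:nthash:::' into its fields."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("expected user:rid:lmhash:nthash:::")
    return {"user": parts[0], "rid": parts[1], "lm": parts[2], "nt": parts[3]}


# Constructed sample dump: the Administrator line uses the empty-password
# constants, the other hash values are made up for the example.
SAMPLE_DUMP = """\
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
computer:1005:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
backup:1006:00112233445566778899AABBCCDDEEFF:0F1E2D3C4B5A69788796A5B4C3D2E1F0:::
"""


def triage_dump(dump: str) -> Dict[str, str]:
    """Map each account in a dump to the LM hash class an attacker would see."""
    return {
        rec["user"]: triage_lm_hash(rec["lm"])
        for rec in (parse_pwdump_line(l) for l in dump.splitlines() if l.strip())
    }


if __name__ == "__main__":
    halves = lm_halves("security")
    print("halves of 'security':", halves)      # (b'SECURIT', b'Y\x00\x00\x00\x00\x00\x00')
    print("DES keys:", [des_key(h).hex() for h in halves])
    print("21-char password has LM halves:", lm_halves("correct horse battery"))
    for user, verdict in triage_dump(SAMPLE_DUMP).items():
        print(f"{user:14s} {verdict}")
```

Running the block shows why the experiment later in this paper recovers 'SECURIT' first: the two halves are independent DES operations, and the second half of 'security' is the single character 'Y' followed by six nulls. The triage function is the check a tester runs on a fresh dump: anything classed as "1-7-chars" needs only one half cracked, and an all-constant LM field means the table attack has nothing to work on.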
(http://wapedia.mobi/en/LM_hash) The two ciphertexts, concatenated, are the 16-byte LM hash, and the construction gives away a great deal: uppercasing discards case information, and because the two 7-byte halves are encrypted independently, an attacker can crack each half separately (two 7-character searches rather than one 14-character search). A password of 7 characters or fewer leaves the second half as the encryption of seven null bytes, a constant that immediately reveals the password's length.

The other hash that Windows XP uses is the NT hash, commonly called the NTLM hash. It is part of NTLM (NT LAN Manager), an authentication protocol used in conjunction with the SMB protocol. There are two versions of the protocol, NTLMv1 and NTLMv2; version 1 was intended as a replacement for the less secure LM protocol discussed above. The NT hash is the MD4 digest of the user's password encoded as UTF-16 (little-endian), so it preserves case and is not split into halves. While the NT hash is harder to crack than the LM hash, it is unsalted and therefore still vulnerable to brute-force and precomputation attacks. [4]

Both the LM and NT hashes are stored in the SAM (Security Accounts Manager) database. Beginning with Windows NT, the SAM has been stored as a registry hive file (%SystemRoot%\system32\config\SAM). The database is partially encrypted with a 128-bit key when the SYSKEY function is enabled, as it is by default on Windows XP, so a tool that reads the SAM offline also needs the SYSTEM hive to recover that key. Furthermore, the SAM file cannot be opened while Windows XP is running, since the kernel keeps an exclusive lock on it that is not released until the operating system shuts down or crashes with a Blue Screen of Death. There are various techniques, however, for dumping the contents of the SAM and performing a brute-force attack. One such technique is to run Ophcrack from a Live CD before the operating system loads and use rainbow tables against the LM hashes. This case study uses that technique to crack a Windows XP password. [5]

Rainbow Tables and Ophcrack

A rainbow table is a collection of pre-computed values used to recover the plaintext from a password hash. Rainbow tables offer what is known as a time-memory tradeoff when performing brute-force attacks: memory requirements can be reduced at the expense of longer execution time, or execution time reduced at the expense of more memory.
Because rainbow tables are a set of pre-computed values, a complete set of tables requires considerable storage space (an entire DVD, for example), but execution is rapid because most of the work has been done already.

Rainbow tables are built from chains. A chain starts with a plaintext, which is passed through the hash function (such as the LM hash function explained above). The resulting hash is passed through a reduction function, which maps it back into the password space to produce another candidate plaintext. The reduction function is deterministic, not random: it does not invert the hash, it merely turns a hash into some plaintext of the right form. That plaintext is hashed, the hash is reduced to yet another plaintext, and so on for a fixed chain length. Only the first and last plaintext of each chain are stored; the intermediate values are regenerated on demand. A rainbow table uses a different reduction function at each position in the chain, which greatly reduces the number of chains that merge and waste space. The collection of stored chains is the rainbow table.

To obtain a plaintext from a hash value, the attacker has to search the rainbow tables. This is where Ophcrack and programs like it come in. Ophcrack is open source and can be downloaded as a Live CD ISO for free. The Live CD version loads a minimal Linux system with a graphical user interface that allows the attacker to retrieve and crack Windows passwords in a fairly automatic manner. Rainbow tables for the LM hashes of alphanumeric passwords of up to 14 characters are provided free of charge by the developers of the program.

First, the program obtains hash values by importing them directly from sources such as the SAM files discussed previously. For each hash, it assumes the hash occurred at the last position of some chain, applies the corresponding reduction function and checks whether the result is a stored chain endpoint. If not, it assumes the hash occurred one position earlier, reduces and hashes forward to the end of the chain, and checks again, and so on back to the first position, and across each table in turn, until an endpoint matches. When an endpoint matches, the chain is regenerated from its stored starting point, and the hash values generated as the chain iterates are compared against the original hash value; the plaintext whose hash matches is the password.
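The chain construction and the lookup procedure just described, as an added example in Python (not code from the paper or from Ophcrack; the function names are mine). The hash function is a truncated SHA-256 standing in for the LM hash, and the password space is four lowercase letters so the whole thing runs in seconds; the chain, reduction and search logic is the actual algorithm. Unlike a real table, which keeps one start point per endpoint and discards merged duplicates, this version keeps every start point for an endpoint so that merges never cause a covered password to be missed, and the lookup verifies each candidate chain to handle the false alarms that merges produce.

```python
"""Toy rainbow table: building chains and searching them.

Added example, not code from the paper or from Ophcrack. The hash function is a
truncated SHA-256 standing in for the LM hash; the password space is four lowercase
letters so the whole thing runs in seconds. The chain, reduction and lookup logic is
the actual algorithm.
"""
import hashlib
from typing import Dict, List, Optional

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 4
SPACE = len(ALPHABET) ** LENGTH   # 456,976 candidate passwords
CHAIN_LEN = 100                   # hashes per chain; only the two end plaintexts are stored
STRIDE = 7919                     # prime, coprime with SPACE, so start points never repeat


def index_to_plaintext(n: int) -> str:
    """Map an integer in [0, SPACE) to a candidate password."""
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(reversed(chars))


def H(plaintext: str) -> bytes:
    """Stand-in for the LM hash function (SHA-256 truncated to 8 bytes)."""
    return hashlib.sha256(plaintext.encode()).digest()[:8]


def R(column: int, digest: bytes) -> str:
    """Reduction function for a given chain column.

    Deterministic, not random: it turns a hash into *some* password of the right
    shape without inverting anything. Mixing in the column index is what makes this
    a rainbow table rather than a classic Hellman table and limits chain merges.
    """
    return index_to_plaintext((int.from_bytes(digest, "big") + column) % SPACE)


def chain_plaintext(start: str, position: int) -> str:
    """Plaintext at `position` of the chain that begins at `start` (position 0 = start)."""
    p = start
    for col in range(position):
        p = R(col, H(p))
    return p


def build_table(num_chains: int) -> Dict[str, List[str]]:
    """Precompute the table: {endpoint: [start points]}.

    Costs num_chains * CHAIN_LEN hash evaluations once, up front; that is the
    'memory' side of the time-memory tradeoff. Real tables keep one start per
    endpoint and drop merged duplicates; keeping a list here makes the lookup
    deterministic for the demonstration.
    """
    table: Dict[str, List[str]] = {}
    for i in range(num_chains):
        start = index_to_plaintext((i * STRIDE) % SPACE)
        table.setdefault(chain_plaintext(start, CHAIN_LEN), []).append(start)
    return table


def lookup(table: Dict[str, List[str]], target: bytes) -> Optional[str]:
    """Recover the plaintext for `target`, or None if no stored chain covers it."""
    for j in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target hash sat at column j; run the rest of the chain forward.
        x = R(j, target)
        for col in range(j + 1, CHAIN_LEN):
            x = R(col, H(x))
        # x is now a candidate endpoint. A match is not yet proof: merged chains can
        # produce a false alarm, so regenerate each matching chain and verify.
        for start in table.get(x, []):
            p = start
            for col in range(CHAIN_LEN):
                if H(p) == target:
                    return p
                p = R(col, H(p))
    return None


if __name__ == "__main__":
    table = build_table(2000)                     # 200,000 hashes computed up front
    secret = chain_plaintext(index_to_plaintext(5 * STRIDE % SPACE), 37)
    stored = sum(len(v) for v in table.values())
    print(f"{stored} chains stored as {len(table)} endpoints over a {SPACE}-password space")
    print("recovered:", lookup(table, H(secret)), "expected:", secret)
```

The cost structure is visible in the code: building the table hashes every chain in full once, while a lookup costs at most about CHAIN_LEN squared over two hash evaluations plus one chain walk per endpoint hit, regardless of how many chains the table holds. Making CHAIN_LEN longer shrinks the stored table and slows each lookup, which is exactly the tradeoff the text describes.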
If a match is found, we know the plaintext at that point of the chain does indeed correspond to the hash value and the attack has been successful. (An endpoint match alone is not proof: chains can merge, so the regenerated chain may not contain the target hash at all, a "false alarm" that costs time but never yields a wrong answer.) [6]

Experiment

In order to demonstrate the practical application of Ophcrack, I conducted a small experiment on my own Windows XP system. I created a new user account with the username 'computer' and the password 'security'. I then went to the Ophcrack website at http://ophcrack.sourceforge.net, downloaded the Ophcrack Live CD for Windows XP, and burnt the ISO onto a CD. I restarted my system and booted from the Live CD. The program indicated it had found an active Windows partition. It then proceeded to crack the password for user 'computer' with password 'security'. [7]

Results

The entire operation, from the time I booted from the Ophcrack Live CD until the password was found, took a total of 2 minutes 24 seconds. The first minute and 54 seconds consisted of Ophcrack booting up and loading the rainbow tables. Once all tables were loaded, the password 'security' was cracked in 30.6 seconds, with the first 7 characters being revealed in half that time. This is exactly what the LM construction predicts: the hash of the first half, 'SECURIT', and the hash of the second half, 'Y' padded with nulls, are cracked independently. In other words, an attacker would only need access to a Windows XP system for about 2.5 minutes in order to crack a password with similar characteristics to the one used for this test. This illustrates the absolute necessity of hardening systems running Windows XP.

Guarding Against an Ophcrack Attack

No system is ever 100% secure and no password is ever crack-proof. There are, however, bad and good practices. Users should be aware that the simple act of disabling bootable optical drives and setting an administrator password in the BIOS virtually eliminates the possibility of an Ophcrack-type attack, or any other attack that is run from a Live CD, as long as the attacker cannot open the case to reset the BIOS or remove the disk.

A second effective measure against an attack using LM hash rainbow tables is to stop Windows from storing the LM hash at all. While the LM hash is enabled by default in Windows XP, a user can disable it by editing the Registry: set the DWORD value NoLMHash to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa (the same setting is exposed in Local Security Policy as "Network security: Do not store LAN Manager hash value on next password change"). Note that the setting takes effect only when a password is next changed; every account's password must be changed afterwards, or the old LM hashes remain in the SAM.
A simple Google search will produce dozens of tutorials on how to accomplish this. Unfortunately, while doing research for this project I discovered that there are now several utilities (including Ophcrack) that include rainbow tables for the more secure NTLM hash. Had this not been the case, another suggestion might have been to select passwords longer than 14 characters, since such passwords are automatically stored using only the NT hash. Nonetheless, users should try to include in their passwords as many non-alphanumeric characters as possible. As of this writing, rainbow tables with stored values for passwords containing non-alphanumeric characters are either not freely available (Ophcrack) or too complex for your average Joe H4x0r to configure.

Conclusion

This paper explored the theoretical foundations of an attack using the Ophcrack utility and conducted an experiment which demonstrated that a simple alphanumeric password could be cracked in about 30 seconds using said utility. I discussed why lack of security at the BIOS level is the catalyst for this type of attack. I went on to describe the Windows XP boot process and the subsystems that handle user authentication. Afterward, I described how Windows XP saves authentication information in the Security Accounts Manager (SAM) database. This was followed by an explanation of rainbow tables and how Ophcrack uses them to perform a brute-force attack on the LM hashes obtained from the SAM. A demonstration of the utility and the results of this experiment on my Windows XP system were also detailed. Lastly, I offered some tips on how to guard against an Ophcrack-type attack.

Works Cited

[1] Simpson, Michael. "Windows XP Boot Sequence." Suite 101, 07 Oct 2006. Accessed 15 Nov 2008. <http://pcs.suite101.com/article.cfm/windows_xp_boot_sequence>
[2] "Winlogon." Wikipedia. Accessed 15 Oct 2008. <http://en.wikipedia.org/wiki/Winlogon>
[3] "Local Security Authority Subsystem Service." Wikipedia. Accessed 15 Oct 2008. <http://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service>
[4] "NTLM." Wikipedia. Accessed 15 Oct 2008. <http://en.wikipedia.org/wiki/NTLM>
[5] "Security Accounts Manager." Wikipedia. Accessed 15 Oct 2008. <http://en.wikipedia.org/wiki/Security_Accounts_Manager>
[6] "Rainbow table." Wikipedia. Accessed 15 Oct 2008. <http://en.wikipedia.org/wiki/Rainbow_table>
[7] "Ophcrack Password Recovery." About.com. Accessed 15 Oct 2008. <http://pcsupport.about.com/od/toolsofthetrade/ss/ophcracksbs.htm>