Are these that much of a security risk that I should go to the trouble of disabling them?
The effect of LM hashes is to make cracking your SAM (or Active Directory? Does AD even have them?) much easier.
Fortunately, the SAM can only be attacked if a user can get physical access to the machine or gain administrator or localsystem privileges remotely somehow. This you should hope doesn't happen, as your security would then be compromised anyway.
Another possible effect is to make password brute-forcing over the network easier. But not much easier, because with sensible (perhaps default) timing settings, it should still take a long time to guess a decent password.
I don't think it could hurt, as the LM hashes are only there to support exceptionally elderly clients. Check, though, if you're using something like Microsoft Client for DOS, that it supports NT hashes; otherwise you might end up locking out your DOS clients (I have seen some companies that use DOS boot discs to image machines over the network, for example).
You should definitely test what effect it would have before disabling them network-wide, as it has a (small) chance of locking some people out. I don't know whether you can re-enable them once they're disabled. Certainly if these LM hashes were disabled and then re-enabled, users who want to use them would have to be issued with new passwords.
Slarty
The LMHash is a hash of the user's password stored in LM (crap) form. It would be quite easy to place an LM sniffer to collect the hashes, then run a dictionary through an lmhash program (I believe Samba comes with one; if not, I've seen perl scripts to do it), then compare your hashed dictionary to the sniffed hashes. LM makes this a much more dangerous attack by sucking so bad. (Each password is really two separate 7-byte hashes which are first turned into uppercase and then padded with 0's; oh yeah, and no salt.) If you do not need the backwards compatibility feature of LM (i.e. no Win 3.1, 95, 98) then I would disable it, as LM hashes present one of the larger holes in MS security. Be advised however that disabling LM auth in your SecPolicy will not prevent an LM hash from being stored in the SAM (not on 2000 anyway), so as slarty mentioned, anyone able to retrieve the SAM will have a much easier time of cracking the password by working on the LM hashes.
-Maestr0
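The LM construction Maestr0 describes (uppercase, two independent 7-byte halves, zero padding, no salt), as an added Go example that is not code from this thread or from any tool named in it. The names lmMagic, EmptyHalf, expandKey, LMHash and SecondHalfEmpty are chosen here; SecondHalfEmpty is an audit check for spotting, from a stored hash, accounts whose password is at most 7 characters and so only half the work to crack.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"strings"
)

const lmMagic = "KGS!@#$%"          // fixed plaintext LM encrypts under each half
const EmptyHalf = "AAD3B435B51404EE" // DES(lmMagic) under an all-zero 7-byte half

// expandKey spreads 7 password bytes over 8 key bytes; DES ignores each byte's low (parity) bit.
func expandKey(h []byte) []byte {
	k := []byte{
		h[0] >> 1,
		(h[0]&0x01)<<6 | h[1]>>2,
		(h[1]&0x03)<<5 | h[2]>>3,
		(h[2]&0x07)<<4 | h[3]>>4,
		(h[3]&0x0F)<<3 | h[4]>>5,
		(h[4]&0x1F)<<2 | h[5]>>6,
		(h[5]&0x3F)<<1 | h[6]>>7,
		h[6] & 0x7F,
	}
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// LMHash: uppercase, truncate/zero-pad to 14 bytes, split into two independent 7-byte halves, DES-encrypt lmMagic under each, concatenate as hex.
func LMHash(password string) string {
	buf := make([]byte, 14)              // zero padding lives here
	copy(buf, strings.ToUpper(password)) // copy also truncates at 14 bytes
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, err := des.NewCipher(expandKey(buf[i*7 : i*7+7]))
		if err != nil {
			panic(err) // unreachable: key is always 8 bytes
		}
		block.Encrypt(out[i*8:i*8+8], []byte(lmMagic))
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// SecondHalfEmpty is the audit check: a stored LM hash whose second half equals
// EmptyHalf belongs to a password of at most 7 characters (half the work to crack).
func SecondHalfEmpty(lm string) bool {
	return len(lm) == 32 && strings.EqualFold(lm[16:], EmptyHalf)
}
```

Because the two halves never mix, LMHash("secret") and LMHash("SeCrEt") are identical and both end in EmptyHalf, which is exactly what a cracker exploits and what an administrator can grep for in a dump of their own domain.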
Thank you for the input. So setting nolmhash in the registry to a value of 1 should fix the problem and I should not have to worry about this type of intrusion attempt on my computer?
(I am not worried about any compatibility issues as this is just my home desktop computer)
Bear in mind that disabling the LM hashes only makes it harder to crack the hashes, not impossible.
In fact dictionary attacks are still quite easy if the users use an easy to guess password.
You should use a fairly complex password and have failed logon auditing enabled, and limit the speed that guesses can be made (I think that NT may do this by default).
Slarty
I agree with slarty. And really, no matter how tough the password, running on a P4 w/ LC4 will crack any password in a matter of days. The main goal for any administrator should be to prevent an attacker from getting the SAM, period (which is hard, I know), because once they get it there is no stopping them, at least with today's encryption standards.
For instance a relatively hard password: "toc1uruk" took only about 2 hours to crack.
I don't think cracking passwords is quite as fast as you imagine. LC4 can crack any LM hash in a short time (because LM sucks; blame IBM, that's what MS did), but if you want an NTLMv2 password back, well, I saw a 16 node beowulf cluster in Japan that said they could have it in 21 months or so for an 8 character alpha/numeric password (NO special characters). Wonder how much that'd cost?
-Maestr0
Quote:
> and have failed logon auditing enabled, and limit the speed that guesses can be made
How might I go about doing this?
This can be done in (2k/XP) from the Control Panel > Administrative Tools > Local Security Settings > Local Policies > Audit Policy.
-Maestr0
And to limit the amount of tries someone can do you can adjust the password policy to lockout the account after 3-5 tries and leave it locked out for 15-60 minutes.
Thank you for the quick reply. Appreciate it.
Hi, kind of new around here.
A while ago I ran into
smbproxy
The link was down right now but I'm sure you can find it somewhere.
It allows you to mount smb shares with the hash from the sam file, without spending time cracking it.
And nobody mentions that the only way to access your SAM file is through another OS (or by using something like LC4 which was mentioned) like knoppix std, or perhaps you could use minuteOS, but from what I read you can't access the SAM file of the OS you are running at the time. I tried and kept getting told that it was inaccessible, on a win2000pro box. I haven't tried on my XPpro machine at my house.
Oh yeah, the password Moemoemoe1 (upper and lowercase letters, and a number, and something that wouldn't get found in a dictionary attack) took almost 5 hours to crack with LC4, with an Athlon XP 2600+ w/256MB PC2700 DDR RAM, while not running anything else (other than Trillian, and the regular OS stuff).
Btw, that was just a random (well, not totally random) password that I threw in my admin account for the test.
If you really want to make the password cracker's job difficult, throw in the old <ALT>NNN keypad character somewhere in the password. I have yet to come across password crackers that go that far. L0pht etc. go as far as all printable characters, and doing that the time to brute force a password > 8 characters is in the "months" timeframe. Adding the additional 127(?) non-printable characters would make the job nearly impossible for someone without practically unlimited resources.
Put 2 or 3 of them in a 10+ length password including all printable characters and you could almost email your favorite hacker the SAM and sit back and giggle..... ;)
Quote:
> and nobody mentions that the only way to access your SAM file is through another OS (or by using something like LC4 which was mentioned) like knoppix std, or perhaps you could use minuteOS, but from what I read you cant access the SAM file of the OS you are running at the time
A copy of the SAM can be created easily in Windows NT using rdisk, and in Windows 2000/XP access to the hashes can be gained by accounts with debug rights using lsadump or pwdump3.
-Maestr0
Another very simple thing to do is use "?" or "*" characters. A lot of password crackers use these to show the characters of the password that are not yet found. The programme will still find the password but it might confuse a script kiddie a bit.
If you have to go with an lmhash because of backward compatibility, I would suggest that the first and eighth character, at least, should be either special characters of the type "@" "&" or nonprintable, as was suggested above.
For the best passwords go with the unprintable characters.
Quote:
> it might confuse a script kiddie a bit.
ROFLMAO..... I just had this picture of the skeleton of this skiddie sat in front of his computer staring at a screen that says "Password so far: mary?"