Microsoft Opens Dialogue With NT Hackers
LAS VEGAS -- As Microsoft, in a reversal of policy, sent representatives recently to a technical conference called the Black Hat Briefings, in Las Vegas, to open a dialogue with the hacking community, a new version of a password-cracking hack of Microsoft's Windows NT operating system was making the rounds on the Internet. L0phtcrack version 1.5 bypasses a Microsoft fix for an earlier version of the program, which decrypts NT user passwords and delivers them in plain text.
The program is one of several recent NT hacks that have the company hustling to shore up the operating system's network-security safeguards. That goal has pushed it into an uneasy alliance with the hackers taking potshots at NT, who say the intent of their assault is improved security for all network users.
Microsoft made a public overture to its tormentors in sending several high-level NT experts to the Black Hat Briefing, which gathered security experts from government, industry and the hacking community to discuss network-security holes and potential patches. "We came here to look at the hackers' perspective -- to understand what they're thinking and what their concerns are," said NT marketing director Carl Karanan. "It's good to look at things in perspective; this conference does that.
"We've opened up a dialogue. The hackers do a service. We're listening and we're learning," Karanan said.
The hackers themselves would agree. "What we're trying to do as a community is point out some very serious problems with an operating system that is in use in corporate America and in governments worldwide, and we're pointing it out in a legitimate fashion by saying, 'Fix this,' " said Yobie Benjamin, chief knowledge officer at Cambridge Technology Partners (Cambridge, Mass.) and an experienced NT hacker.
The Black Hat Briefings included a number of NT-security presentations, all well-attended by representatives from such diverse entities as Cisco, ESPN, Toyota, Price-Waterhouse, the Defense Department and the National Security Agency. "Mudge," a key member of the sophisticated, Boston-based hacker group that calls itself the L0pht, gave a presentation that described the group's latest revision of its NT-password-cracking program. L0phtcrack version 1.5 bypasses the fix that Microsoft had posted to negate the first L0phtcrack release, which surfaced in April.
The first L0phtcrack combined a number of hacking programs that enabled a user on a local NT machine to gain access to the encrypted user-password registry and accomplish a brute-force attack with a "dictionary" program that would systematically descramble the passwords and reveal them in plain text. The catch was that the users needed to be logged on as a system administrator. Microsoft addressed that hurdle in its Service Pack 3 (SP3) fix, which disabled Pwdump, the program that grabbed the encrypted passwords from the registry.
But SP3, Mudge said, took away legitimate system administrators' ability to ensure that users weren't choosing easily crackable passwords. Meanwhile, he said, the L0phtcrack revision lets anyone log on from a local machine without logging on as an administrator, and the hack does its work faster than its predecessor.
Mudge noted that when he wrote version 1.5, he was able to bypass the SP3 fix by exploiting a fundamental problem that Microsoft faces: the need to maintain backward compatibility to legacy NT systems.
That has meant that Microsoft must support the password structure of the outdated Lanman protocol, which breaks a chosen password into two seven-character pieces.
What's more, L0phtcrack version 1.5 can also crack the newer NT password methodology, which technically enables 128-character passwords but effectively allows only 14 characters because of GUI and other restrictions.
Mudge said L0phtcrack concentrates on cracking the first half of the 14-character password. Once that's done, he said, it's a relatively simple matter to defeat the second half's encryption as well.
He said he time-tested L0phtcrack 1.5 and found that the 7-byte brute-force attack, launched from a Unix or Pentium Pro 200-MHz machine on a corporation of 40,000 users that managed all user names and Lanman/NT passwords from one primary domain controller, would take a mere 40 hours to decrypt all 40,000 passwords and deliver them in plain text.
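The structural weakness Mudge describes (two seven-character halves hashed independently, with case folding and an effective 14-character limit) can be modelled in a few lines. The example below is an added illustration and is not code from the article, from Microsoft, or from the L0pht. It assumes a stand-in one-way function: the real LanMan hash turns each half into a DES key and encrypts a fixed constant, whereas here a truncated SHA-256 over the half plays that role so the script runs with the Python standard library alone. Everything else follows the structure the article gives, and the audit and work-factor functions show why a defender should treat a 14-character LanMan password as two 7-character secrets rather than one long one.

```python
"""Model of the LanMan-style password hash structure described in the article.

Constructed example: the per-half one-way function is a stand-in (truncated
SHA-256) for the DES step used by the real LanMan hash; the padding, case
folding, splitting and per-half independence are modelled as described.
"""
import hashlib
from string import ascii_letters, digits

HALF_LEN = 7             # each LanMan half is 7 characters
MAX_LEN = 2 * HALF_LEN   # 14 characters, the effective limit in the article


def _hash_half(half: bytes) -> bytes:
    """Stand-in one-way function applied to one 7-byte half (assumption:
    real LanMan uses the half as a DES key over a fixed constant)."""
    assert len(half) == HALF_LEN
    return hashlib.sha256(b"lm-half:" + half).digest()[:8]


def lm_style_hash(password: str) -> bytes:
    """Uppercase, pad to 14 bytes, split in two, hash each half on its own."""
    if len(password) > MAX_LEN:
        raise ValueError("LanMan-style hashes cover at most 14 characters")
    padded = password.upper().encode("ascii").ljust(MAX_LEN, b"\x00")
    return _hash_half(padded[:HALF_LEN]) + _hash_half(padded[HALF_LEN:])


# Every password of 7 characters or fewer has an all-padding second half,
# so its stored hash ends in this constant regardless of the first half.
EMPTY_SECOND_HALF = _hash_half(b"\x00" * HALF_LEN)


def audit_hash(digest: bytes) -> dict:
    """Defender-side check on a stored 16-byte LanMan-style hash: flags
    passwords of 7 characters or fewer, and halves that repeat each other."""
    if len(digest) != 16:
        raise ValueError("expected a 16-byte LanMan-style hash")
    first, second = digest[:8], digest[8:]
    return {
        "short_password": second == EMPTY_SECOND_HALF,
        "halves_identical": first == second,
    }


def halves_are_independent(password: str) -> bool:
    """True when the first 8 hash bytes depend only on the first 7 characters,
    which is what lets the halves be attacked separately."""
    return lm_style_hash(password)[:8] == lm_style_hash(password[:HALF_LEN])[:8]


def effective_alphabet_size(charset: str) -> int:
    """Case folding means mixed-case letters add nothing to the keyspace."""
    return len({c.upper() for c in charset})


def brute_force_work(alphabet_size: int, length: int, split: bool) -> int:
    """Upper bound on hash evaluations to exhaust passwords of this length.

    With split=True the two halves are searched separately, so the cost is
    the sum of two small spaces rather than one 14-character space.
    """
    if not split or length <= HALF_LEN:
        return alphabet_size ** length
    return alphabet_size ** HALF_LEN + alphabet_size ** (length - HALF_LEN)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("short", "CorrectHorse1", "abcdefgabcdefg"):
        print(pw, lm_style_hash(pw).hex(), audit_hash(lm_style_hash(pw)))
    n = effective_alphabet_size(ascii_letters + digits)
    print("alphabet after case folding:", n)
    print("work, 14 chars, split:", brute_force_work(n, 14, split=True))
    print("work, 14 chars, unsplit:", brute_force_work(n, 14, split=False))
```

Run stand-alone, the script prints the audit result for each sample and the two work factors; with letters and digits the split attack needs 2 * 36^7 evaluations instead of 36^14, which is the gap the article's 40-hour figure rests on. The `audit_hash` check is the kind of password-quality test Mudge says administrators lost when SP3 disabled the registry dump.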
Dominique Brezinski, an Issaquah, Washington-based NT-security consultant and former Microsoft programmer, highlighted the recent "GetAdmin" hack in a Black Hat Briefing on "Auditing and Risk Analysis of Windows NT." The program, which affects NT Server 4.0, lets the hacker add unauthorized users to the administrators group.
"Anybody can gain administrative access if you run it on a local machine," Brezinski told EE Times. The program can also be run through an Internet Telnet session, indicating remote capabilities.
Microsoft has provided a fix for the hack on its Website, but Brezinski and other hackers questioned the thoroughness of the fix. GetAdmin gains privilege to attach to another process through a "broken kernel" application programming interface or a "broken call" -- programming slang for incorrectly written code.
"It's not an easy thing to fix," said Brezinski. "Microsoft could just go in and fix the one broken call, but how many other system calls might have the same problem? There are up to 300 system calls. Are they going to go through all of them?"
Programs such as GetAdmin and L0phtcrack 1.5 look poised to plague Microsoft for some time. Cambridge Technology Partners' Benjamin acknowledged that Microsoft has a responsibility to its customers to remain backward-compatible but added that "as long as Microsoft is saddled with the issue of backward compatibility, they will continue to have these problems."
Mudge was characteristically more caustic, saying, "Windows NT's backward compatibility always bites 'em on the ass."
And both Mudge and Benjamin said that the GetAdmin source code has been downloaded and enhanced by the hacking community and that the hack may even be featured in the next release of L0phtcrack.
Microsoft's Karanan noted that Microsoft does not stand alone as a target of network-security-busting hacks. "If you look at the Computer Emergency Response Team [CERT] advisories, you can see this has been going on with Unix for years. People are targeting NT now because we have the volume.
"I think that our response is going to get better, and customers will get more protective also," Karanan said. "If it's a top national secret that you want to secure, you may not even use a password [methodology]; you may want to use a secure ID token card or a one-time password" system.
Nonetheless, if Microsoft is serious about constructive interaction with the hacking community, it should expect to take its lumps for the foreseeable future -- just as Unix has done during the course of its long, relentlessly scrutinized existence.