Soulskill

NTLM 100% Broken Using Hashes Derived From Captures

This was reposted from http://rss.slashdot.org/~r/Slashdot/slashdot/~3/-x3fWaDw3LA/story01.htm written by Soulskill. They get all the credit for this, not me.

New submitter uCallHimDrJ0NES writes “Security researcher Mark Gamache has used Moxie Marlinspike’s Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It’s been going on for a long time, probably, but this is the first time a ‘white hat’ has researched and exposed the how-to details for us all to enjoy. ‘You might think that with all the papers and presentations, no one would be using NTLM…or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!’ Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!”

Additional reading can be found at the original author’s post.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.