Network Authentication

Posted by The Beyand | 10:06 AM | 0 comments »

Local authentication to Windows via the CTRL-ALT-DEL attention signal is straightforward,
as we have described. However, logging on to Windows via the network, the primary
goal of the malicious hacker, involves exploiting network authentication. We will discuss
this briefly here to inform discussions in later chapters on several weaknesses associated
with some components of Windows network authentication protocols.

The NT family primarily utilizes challenge/response authentication, wherein the server
issues a random value (the challenge) to the client, which then performs a cryptographic
hashing function on it using the hash of the user's password and sends this newly hashed
value (the response) back to the server. The server then takes its copy of the user's hash
from the local Security Accounts Manager (SAM) or Active Directory (AD), hashes the
challenge it just sent, and compares it to the client's response. Thus, no passwords ever
traverse the wire during NT family authentication, even in encrypted form. The challenge/
response mechanism is illustrated in Figure 2-3 and is described more fully in Knowledge
Base (KB) article Q102716.
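The exchange just described, as an added example that is not part of the original post: a server that stores only the password hash issues an 8-byte random challenge, the client answers with a keyed hash of it, and the server checks the answer against its own copy. The real NT family uses MD4 for the hash and DES or HMAC-MD5 for the response; this model substitutes SHA-256 and HMAC-SHA256 (an assumption, so it runs on the standard library alone) and the account data is constructed.

```python
import hashlib
import hmac
import os

# Simplified model of the NT family challenge/response flow.
# ASSUMPTION: SHA-256 / HMAC-SHA256 stand in for MD4 and DES/HMAC-MD5.


def password_hash(password: str) -> bytes:
    """Stand-in for the stored hash in SAM/AD: the server never keeps the password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Client side (step 3): keyed hash of the challenge using the password hash."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, accounts: dict):
        self.accounts = accounts      # username -> stored password hash
        self.pending = {}             # username -> outstanding challenge

    def issue_challenge(self, username: str) -> bytes:
        challenge = os.urandom(8)     # 8-byte random challenge, as in the text
        self.pending[username] = challenge
        return challenge

    def verify(self, username: str, response: bytes) -> bool:
        """Recompute the response from the stored hash and compare in constant time."""
        challenge = self.pending.pop(username, None)
        stored = self.accounts.get(username)
        if challenge is None or stored is None:
            return False
        return hmac.compare_digest(compute_response(stored, challenge), response)


def run_exchange(server: Server, username: str, password: str) -> bool:
    """Only the challenge and the response cross the wire; the password stays on the client."""
    challenge = server.issue_challenge(username)
    response = compute_response(password_hash(password), challenge)
    return server.verify(username, response)


def replay_is_rejected(server: Server, username: str, password: str) -> bool:
    """A response observed for one challenge is useless against a fresh challenge."""
    captured = compute_response(password_hash(password), server.issue_challenge(username))
    server.verify(username, captured)     # the genuine logon succeeds
    server.issue_challenge(username)      # next session: new random challenge
    return not server.verify(username, captured)
```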
Step 3 of this diagram is the most critical. The NT family can use one of three different
hashing algorithms to scramble the 8-byte challenge:

- LANMan (LM) hash
- NTLM hash
- NTLM version 2 (NTLMv2)

In Chapter 5, we discuss a weakness with the LM hash that allows an attacker with
the ability to eavesdrop on the network to guess the password hash itself relatively
easily; the hacker can then use it to attempt to guess the actual password offline, even
though the password hash never traverses the network!

To combat this, Microsoft released an improved NT-only algorithm, NTLM, with NT
4 Service Pack 3 and a further secured version in NT 4 SP4 called NTLM v2. Windows
95/98 clients do not natively implement NTLM, so the security offered by NTLM and
NTLMv2 was not typically deployed on mixed networks in the past. (The DSClient
utility that comes on the Windows 2000 CD-ROM upgrades Windows 9x clients so that
they can perform NTLM and NTLMv2 authentication.)

Homogeneous Windows 2000 and later environments can use the built-in Kerberos
v5 protocol that was introduced in Windows 2000. However, Windows Server 2003 is
completely backward-compatible with LM, NTLM, and NTLMv2 and will downgrade
to the appropriate authentication protocol if Kerberos cannot be negotiated. Kerberos
will be used only if both client and server support it, both machines are referenced by
their DNS or machine name (not IP address), and both the client and server belong to the
same forest (unless a third-party Kerberos implementation is used).
As we discuss in Chapter 5, Kerberos is susceptible to eavesdropping attacks.

Table 2-6 presents a quick summary of Windows NT family network authentication
mechanisms.

For simplicity's sake, we have purposely left out of this discussion consideration of
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), which is used for
remote access; web-based authentication protocols like HTTP Basic and Digest; Remote
Authentication Dial-In User Service (RADIUS); and a few others. Although these protocols
are slightly different from what we have described so far, they still depend on the four core
protocols described in Table 2-6, which are used in some form or another to authenticate all
network access.
