Thorough understanding of Windows authentication

1、 Windows local authentication

1. Where is my password?

Path: C:\Windows\System32\config\SAM

When we log in, the system reads the stored “password” from the SAM file and compares it with the “password” we entered. If the two match, authentication succeeds.

2. NTLM (NT LAN Manager) hash

The NTLM hash is a key component both of the Net-NTLM authentication protocol and of local authentication. It is 32 characters long (hexadecimal digits, so it is composed of numbers and letters).

Windows does not store the user’s plaintext password; it runs the plaintext password through a hash algorithm and stores the result in the SAM database.

When the user logs in, the plaintext password the user types is hashed into an NTLM hash in the same way and compared with the NTLM hash held in the SAM database. The predecessor of the NTLM hash is the LM hash, which has essentially been retired but still exists on Windows XP / 2003.

3. Generation of the NTLM hash


The original article illustrates this with a screenshot of the computation done with a Python library; the steps are:

admin → hex (hexadecimal encoding) = 61646d696e

61646d696e → Unicode (UTF-16LE) = 610064006d0069006e00

610064006d0069006e00 → MD4 = 209c6174da490caeb422f3fa5a7ae634

admin → 209c6174da490caeb422f3fa5a7ae634
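As an added example (not code from the original article), the following Python carries out the three conversions above and the comparison a local logon performs. It uses a pure-Python MD4 because hashlib.new('md4') is unavailable on many OpenSSL 3 builds; the function names ntlm_steps, ntlm_hash and local_logon_check are my own.

```python
import hmac
import struct

MASK = 0xFFFFFFFF
# Message-word order, rotation amounts and additive constants per MD4 round (RFC 1320)
_ORDER = (tuple(range(16)),
          (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
          (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15))
_SHIFT = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
_CONST = (0, 0x5A827999, 0x6ED9EBA1)
_FUNC = (lambda x, y, z: (x & y) | (~x & z),
         lambda x, y, z: (x & y) | (x & z) | (y & z),
         lambda x, y, z: x ^ y ^ z)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4; hashlib.new('md4') is missing on many OpenSSL 3 builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"                              # padding: a 1 bit, then zeros ...
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))           # ... then the bit length, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for rnd in range(3):
            for i in range(16):
                t = a + _FUNC[rnd](b, c, d) + x[_ORDER[rnd][i]] + _CONST[rnd]
                a, b, c, d = d, _rotl(t & MASK, _SHIFT[rnd][i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def ntlm_steps(password: str) -> dict:
    """The three conversions the article shows for 'admin': bytes -> UTF-16LE -> MD4."""
    utf16 = password.encode("utf-16le")               # every character becomes 2 bytes, low byte first
    return {"hex": password.encode().hex(), "unicode": utf16.hex(), "ntlm": md4(utf16).hex()}

def ntlm_hash(password: str) -> str:
    return ntlm_steps(password)["ntlm"]

def local_logon_check(stored_ntlm_hex: str, entered_password: str) -> bool:
    """The local logon comparison: hash what was typed and compare it with the SAM value,
    in constant time so that a mismatch does not leak through timing."""
    return hmac.compare_digest(stored_ntlm_hex, ntlm_hash(entered_password))
```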

4. Local authentication process


The Windows logon process (winlogon.exe) is the Windows NT user logon program; it manages user logon and logoff.

LSASS (the Local Security Authority Subsystem Service) implements the security mechanism of Microsoft Windows; it is responsible for local security and logon policies.

5. LM hash

Encryption process:

The first step is to convert the plaintext password to uppercase;

The second step is to convert the uppercased string into its hexadecimal encoding;

The third step is to pad the password with 0 if it is shorter than 14 bytes;

The fourth step is to split the encoded value into two groups of 7 bytes (56 bits = 14 * 4);

The fifth step is to convert each 7-byte group to binary, append a 0 bit after every 7 bits, and convert back to hexadecimal, giving two 8-byte values;

The sixth step is to use each of the two 8-byte values as a DES key to encrypt the magic string “KGS!@#$%”;

The seventh step is to concatenate the two DES results.

2、 Windows network authentication

During intranet penetration testing we often encounter the workgroup environment. A workgroup is a logical network environment (a workspace) in which the member machines cannot establish a full trust relationship with one another and can only interact as peers. It is a relatively primitive authentication model, with no trusted authority.

Suppose host A and host B belong to the same workgroup. If host A wants to access data on host B, it must send host B an account credential that exists on host B; only after that credential is authenticated can it access host B’s resources.

The most common service: SMB, on port 445.

1. NTLM protocol

The early SMB (file sharing) protocol transmitted passwords in plaintext over the network. Later the LAN Manager challenge/response mechanism, LM for short, appeared; it is so simple that it can be cracked easily.

Microsoft then introduced the Windows NT challenge/response mechanism, called NTLM. Today it has been superseded by NTLMv2 and the Kerberos authentication system.

2. Challenge / response

Flow:
The first step is negotiation

In this step the client mainly confirms the protocol version (v1 or v2) and other parameters with the server.

The second step is the challenge

The client sends the user name to the server.

  • The server receives the request and generates a random 16-character value called the “challenge”. It encrypts the challenge with the NTLM hash of the user name being logged in, producing challenge1; at the same time it sends the challenge (the random value) to the client. // Net-NTLM hash = NTLM hash(challenge).
  • After receiving the challenge, the client encrypts it with the NTLM hash of the account it is logging in with, producing a response, and sends the response to the server.

The third step is verification

After receiving the client’s response, the server compares challenge1 with the response. If they match, authentication passes.
