1
00:00:03,050 --> 00:00:08,870
The NTLM authentication protocols include LAN Manager (LM), NTLM version one and

2
00:00:08,870 --> 00:00:09,260
two.

3
00:00:10,100 --> 00:00:15,200
These protocols are used to authenticate users and computers based on a challenge-response mechanism

4
00:00:15,200 --> 00:00:20,210
that proves to a server or domain controller that the user knows the password associated with an account.

5
00:00:21,110 --> 00:00:24,650
Let's look at the different protocols, and we will begin with the LM hash.

6
00:00:25,520 --> 00:00:29,150
The LM hash is the oldest password storage format used by Windows.

7
00:00:30,080 --> 00:00:36,770
This dates back to OS/2 in the 1980s, but due to the limited character set, it ultimately was fairly

8
00:00:36,770 --> 00:00:37,640
easy to crack.

9
00:00:38,510 --> 00:00:43,940
If LM hashes are still used in an environment, you can easily obtain the hashes from the SAM database

10
00:00:43,940 --> 00:00:47,660
on Windows systems or the NTDS database on a domain controller.

11
00:00:48,530 --> 00:00:55,430
When Windows Vista and Server 2008 were introduced, LM hashes were disabled, but of course they still

12
00:00:55,430 --> 00:00:56,540
linger in the network.

13
00:00:57,410 --> 00:00:59,840
If there are older systems, they still use it.

14
00:01:00,710 --> 00:01:02,810
The next one we have is NTLM.

15
00:01:03,680 --> 00:01:07,400
NTLM is the way passwords are stored in modern Windows systems.

16
00:01:08,300 --> 00:01:13,340
They can also be obtained by dumping the SAM database or using a hacking tool such as Mimikatz.

17
00:01:14,210 --> 00:01:18,230
These hashes are also stored on domain controllers in the NTDS file.

18
00:01:19,070 --> 00:01:25,490
There is a well-known attack which is called pass-the-hash. NTLM is usually used with pass-the-hash

19
00:01:25,490 --> 00:01:25,970
attacks.

20
00:01:26,870 --> 00:01:28,850
Then we have NTLM version one.

21
00:01:29,690 --> 00:01:34,670
This protocol uses the NT hash in a challenge-response between the server and the client.

22
00:01:35,570 --> 00:01:41,060
Version one of this protocol uses both the NT and LM hash, depending on configuration and what

23
00:01:41,060 --> 00:01:47,090
is available, but NTLM version two, which is the supposed new and improved version of NTLM,

24
00:01:47,180 --> 00:01:48,980
makes it a little bit harder to crack.

25
00:01:49,010 --> 00:01:50,900
Although it is still possible to crack it.

26
00:01:51,770 --> 00:01:55,250
The concept of NTLM version two is the same as version one.

27
00:01:56,090 --> 00:01:59,870
The only difference is the algorithm and the response that is sent to the server.

28
00:02:00,740 --> 00:02:03,860
LM and NT hashes are ways Windows stores passwords.

29
00:02:04,730 --> 00:02:09,440
Both of these can be cracked to obtain the password, or they can be used for pass-the-hash attacks.

30
00:02:10,340 --> 00:02:15,590
Then, NTLM version one and two are challenge-response protocols used for authentication in Windows

31
00:02:15,590 --> 00:02:16,280
environments.

32
00:02:16,460 --> 00:02:22,220
They can be used to recover the password by using a good brute-force or dictionary attack, and they can

33
00:02:22,220 --> 00:02:23,750
be used in relay attacks.

34
00:02:24,680 --> 00:02:26,120
So what is the way forward?

35
00:02:26,990 --> 00:02:32,300
Most of the network authentication in modern operating systems makes use of Kerberos as opposed to

36
00:02:32,300 --> 00:02:33,470
NTLM version two.

37
00:02:34,310 --> 00:02:36,440
Kerberos offers many advantages.

38
00:02:37,310 --> 00:02:39,230
Keep in mind that it is not perfect.

39
00:02:40,160 --> 00:02:45,260
However, it is still very difficult to disable NTLM version two entirely on the network.

40
00:02:46,130 --> 00:02:50,270
And the reason for this is because Kerberos relies on service principal names.

41
00:02:51,200 --> 00:02:56,720
For example, if you had to reference a server using its IP address instead of the DNS name, Kerberos

42
00:02:56,720 --> 00:03:00,260
won't work and authentication will fall back to NTLM version two.

43
00:03:01,070 --> 00:03:06,410
And of course in network environments you would have all the devices such as printers, and these generally

44
00:03:06,410 --> 00:03:11,120
do not support Kerberos and rely on NTLM version two or older variants of NTLM.