8

I have a question regarding NTLMv2 resistance to password bruteforcing.

I know that some modern graphic processors (like Radeon 6990) are able to calculate billions hashes per second and crack NTLM hashes within minutes and hours.

I would like to evaluate how NTLMv2 hashes are more resistant to password bruteforcing comparing to NTLM.

Given that roughly:

NTLM hash = MD4(password)

and

NTLMv2 hash = MD5(MD5(MD4(password) + X) + Y)

Is it correct to say that attacking NTLMv2 hashes via password bruteforcing is just 3 times longer than attacking NTLM hashes?

w2323
  • 81
  • 1
  • 3

3 Answers3

4

Actually it is closer to 4 or 5 times, because MD5 is somewhat more expensive than MD4. It won't make it strong, though; the "benefit" of switching from NTLM to NTLMv2 is canceled by waiting one year and then buying a bigger GPU.

Windows systems stick to NTLM variants because of backward compatibility, but they are rather poor password hashing methods. See this answer on how passwords ought to be hashed.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
2

Yes, that's a pretty good approximation. The difference between the two is modest; in both cases, if users' password hashes are compromised, it is likely that an attacker will be able to recover many of their passwords.

Today, the accepted way to hash passwords is to use a slow hash (e.g., thousands of iterations of a cryptographic hash function), to slow down bruteforcing. Neither NTLM nor NTLMv2 incorporate this defense, hence they are both vulnerable to password bruteforcing (NTLM slightly more so, but the difference is modest).

D.W.
  • 98,420
  • 30
  • 267
  • 572
2

Note that you are assuming that the attacker has RAW hashes (MD4 of Unicode password). This does not consider the challenge used in an actual authentication and raw hashes cannot be obtained from sniffing network traffic of authentications. Those "hashes" are computed using the raw hash, the challenge and "target info" about the client and server involved. Cracking someone's password based on NTLMv2 hashes of network communication is considerably more difficult that what you are describing here. The compromise you describe would require first breaking into a domain controller and recovering the keystore. And note that that says very little about the security of using NTLMv2 since even a DC that doesn't use NTLMv2 would still have NTLMv2 hashes in it's keystore.

squarewav
  • 179
  • 1
  • 5