Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Brute-forcing cached Windows login password hashes

from [Jerome Athias] Network Security [Permanent Link]
Subject: Re: Brute-forcing cached Windows login password hashes
Date: Thu, 26 Jul 2007 07:34:36 +0200 
Hi Ben,

Ben Greenberg a écrit :
Greetings all,
My question is regarding the encrypted password hashes that Windows stores in
the registry of the last 10 logins to a workstation.

I read the original white paper written by Arnaud Pilon and I've used his
cachedump tool to extract the password hashes from the registry. What I'm
wondering is what type of hash those passwords use. Is it straight MD4?

Some references:
http://support.microsoft.com/kb/913485 (global view)

http://www.microsoft.com/technet/community/columns/secmgmt/sm1005.mspx
Quote:
"Windows also stores a password verifier on domain members when a domain user logs on to that domain member. This verifier can be used to authenticate a domain user if the computer is not able to access the domain controller. In Windows XP the password verifier is also used to speed up domain logon when the computer is cold-booted. The password verifier is also commonly called a cached credential. It is computed by taking the NT hash, concatenating the user name to it, and then hashing the result using the MD4 hash function.

Internally, Windows represents passwords in 256-character UNICODE strings. The logon dialog is limited to 127 characters, however. Therefore, the longest password that can be used to log on interactively to a computer running Windows is 127 characters. Theoretically, programs such as services can use longer passwords, but they must be set programmatically because the password change dialog will not allow a password longer than 127 characters."


I know that each hash is salted with a machine-specific unique string. What I
am unclear on is what exactly the password hash is and how it can be
brute-forced.


I know that there is a patch for John the Ripper, but every
mention I can find refers to a two year old version of John. Does anyone know
if the most recent version has this patch in it already?
Probably. Make sure to check Cain & Abel (oxid.it) also...
Also, is anyone familiar with any rainbow tables for cracking these passwords? Are rainbow
tables possible for these hashes because of the salting?
Well, it is possible: http://www.freerainbowtables.com/index-rainbowtables-tables-mscache.html
(link #2 is 404 i know but #1 should work) Note: these tables were precomputed salted with the login "Administrator"
But with one set of tables for each salt, it should not be so useful or usable (unless you have a big cluster to precompute thetables in less than an hour :p anf if so, please let me know! ;))...
Thanks all. 
Good luck
/JA

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Brute-forcing cached Windows login password hashes, Ben Greenberg
Next by Date:  Re: Pentest automated tool, eladexposed
Previous by Thread:  Brute-forcing cached Windows login password hashes, Ben Greenberg
Next by Thread:  RE: Brute-forcing cached Windows login password hashes, Ben Greenberg
Indexes:  [Date] [Thread] [Top] [All Lists]