Re: Brute-forcing cached Windows login password hashes

So, like I said, mathematically infeasible. Can we have a show of hands
for all those who've got a rainbow table set for the administrator
account? (Government agencies and those with silent black helicopters
need not apply)

Mathieu CHATEAU wrote:
> this works if you have the mscache rainbow table that match the login
> you want to break...
>
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
>
> ----- Original Message ----- From: "Carl Livitt" <carllivitt@yahoo.com>
> To: "Ben Greenberg" <Ben.Greenberg@senet-int.com>;
> <pen-test@securityfocus.com>
> Sent: Thursday, July 26, 2007 4:39 PM
> Subject: Re: Brute-forcing cached Windows login password hashes
>
>
> > The hash algorithm is a salted MD4. It's impossible (ok, to be pedantic
> > it's mathematically infeasible) to use rainbow tables because of the
> > salting, so that leaves you with dictionary and brute-force.
> >
> > The latest version of John and the MS Cache Hash patches are all
> > available from http://openwall.com/john/. I believe v1.7.2 is the latest
> > version.
> >
> > Regards,
> > Carl
> >
> >
> > Ben Greenberg wrote:
> > > Greetings all,
> > >
> > > My question is regarding the encrypted password hashes that Windows
> > > stores in
> > > the registry of the last 10 logins to a workstation.
> > >
> > > I read the original white paper written by Arnaud Pilon and I've
> > > used his
> > > cachedump tool to extract the password hashes from the registry.
> > > What I'm
> > > wondering is what type of hash those passwords use. Is it straight
> > > MD4? I
> > > know that each hash is salted with a machine-specific unique string.
> > > What I
> > > am unclear on is what exactly the password hash is and how it can be
> > > brute-forced. I know that there is a patch for John the Ripper, but
> > > every
> > > mention I can find refers to a two year old version of John. Does
> > > anyone know
> > > if the most recent version has this patch in it already? Also, is
> > > anyone
> > > familiar with any rainbow tables for cracking these passwords? Are
> > > rainbow
> > > tables possible for these hashes because of the salting?
> > >
> > > Thanks all.
> > >
> > > ------------------------------------------------------------------------
> > >
> > > This list is sponsored by: Cenzic
> > >
> > > Need to secure your web apps NOW?
> > > Cenzic finds more, "real" vulnerabilities fast.
> > > Click to try it, buy it or download a solution FREE today!
> > >
> > > http://www.cenzic.com/downloads
> > > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------