
| Subject: | RE: Re: RE: ADS Password Storage Protection |
|---|---|
| Date: | Wed, 19 Jul 2006 23:08:01 -0400 |
Eric,

Can you describe the Kerberos hash injection you are doing, step-by-step, or share the tool? I'm not aware of it.

-----Original Message-----
From: Baechle, Eric [mailto:Eric.Baechle@dhs.gov]
Sent: Tuesday, July 18, 2006 1:50 PM
To: security-basics@securityfocus.com
Cc: dave kleiman
Subject: RE: Re: RE: ADS Password Storage Protection

Dave,

You misrepresented my statement by taking it out of the context that it was applied. If you read the entire thread we were talking character-for-character. So, mathematically a random password that used all 96 keys on a US keyboard would be stronger entropically than a passphrase of the same length. When you went and changed the parameters of our test case to say, "my 1-million character passphrase beats your 8 character keyboard-pounding", well all I can say is, "Of course."

Compound dictionary words have known spaces between. In a dictionary attack, substitute compounding words with spaces in between. "dogcat" and "dog cat" are one test away.

I believe you didn't read the entire thread, which is why you're so lost. You'll notice in the title for this topic that these messages were all in-reply.

My opinions are based upon observational use of modified SMB clients that exist in the wild. By using hash dumps retrieved from PWDUMP, etc... I can inject the authentication data directly into the Kerberos exchange. The receiving system can't tell the difference between the injected hash and me properly entering the username and password pair.

My opinion formed from these results is that the threat is not password complexity and cracking but actually exfiltrating the password hash to begin with.

Sincerely,
Eric B.

-----Original Message-----
From: dave kleiman [mailto:dave@davekleiman.com]
Sent: Tuesday, July 18, 2006 1:35 PM
To: security-basics@securityfocus.com
Subject: RE: Re: RE: ADS Password Storage Protection

"Actually, a passphrase is not as secure as a random password."

How did I misrepresent that?

"Using compound dictionary words could come back to bite you very quickly, even when used in long phrases."

I do not think so... Please demonstrate or give us some detailed research results.

"What I am saying is that if I had the hash extraction from your system, I'd be able to enter your system in a matter of seconds regardless of your 60, 90, 200-and-whatever-character passphrase."

You said that in your previous post?? I did not see it; please point that out. And how would you accomplish this? Please enlighten us with actual facts rather than mere opinion.

"Mathematically your passphrase is stronger. In applied security, my opinion is that a passphrase really isn't necessary."

And your opinion is based on what?

Dave

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------