Bugtraq mailing list archives
NT password dictionary attack.
From: ashtonp () GB SWISSBANK COM (Paul Ashton)
Date: Tue, 18 Feb 1997 12:55:00 GMT
I previously sent this to ntbugtraq in response to an article entitled "Windows NT authentication weakness" regarding SMB/CIFS problems with the weak challenge response system used by Windows NT, but it went into a black hole.

---

Set up Samba on a Unix machine together with libdes for DES encryption. Write a 20 line program that takes /usr/dict/words or another similar word list, computes the MD4 hash of each word and then uses that to encrypt an eight byte fixed challenge (i.e. all zeroes). Make a one line change to the challenge generation code to always generate this fixed value. Start Samba and give it a suitably interesting name, such as "Public picture archive".

Wait for someone to attempt to connect to your server, send the fixed challenge, receive the fixed challenge encrypted by the user's hashed password. Instantaneously look up the hash in the precomputed database. If it is not a dictionary word, stuff it into a history file and run a modified crack on it later.

A good job that NT's C2 configuration tool disables the network...

Cheers,

--
Paul