Full Disclosure mailing list archives
UNICODE For Windows XP Password Strings (Keyboard or other Character Entry Method)
From: ISM <infosecmonitor () gmail com>
Date: Mon, 8 Aug 2005 15:10:53 -0500
MS Windows XP supports High Order ASCII from the keyboard with an ALT + Numpad XXXX key combination (from 0128 - 0255), and in other MS apps (Word, etc.) you can also use the same to produce UNICODE characters (supported characters between 0-65535 for the character set under consideration). Programmatically (in testing) we have generated 0-65535 1 character passwords (net user xyz pass-string-here /ADD) and they generate 65535 unique NTLM hashes. So the backend Windows components seem to understand and accept UNICODE input for password credentials. Limitations on the input from the keyboard in this fashion seem to be limited to that of either the language set selected or the keyboard/kybd driver itself.

We produce repeating character patterns of 256 characters (i.e., the same character is at ALT + 0640, ALT + 0896, ALT + 01152, ALT + 01408,...). The XP command shell will reproduce the same repeating characters; however, if you cut and paste UNICODE characters (from Word or whatever), Windows XP seems to accept the UNICODE character just fine as a password string.

Does anyone know if there is a way to open up potential to enter full UNICODE character sets from the keyboard or from some other device (smartcard reader, biometric, etc.) that could generate those characters for credentials at login? Can you create a custom character set (i.e., Control Panel - Regional and Language Options - English (US) HighlyCustomized)? Is there ANY way to generate the characters from the keyboard?

Using a number of sequential High Order ASCII is great as password entropy can be increased remarkably (128 possible additional characters x pw length) and they are not always displayable characters using tools to view LSA Secrets (lsadump2, cain and abel, pmdump, etc). Using UNICODE would be extremely cool as entropy could possibly be extended to 65 thousand plus characters - or many many more than simply High Order ASCII anyhow.

Any Ideas Appreciated,
/ism
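
An added example, not part of the original post: the NT hash is MD4 over the password's 16-bit UTF-16LE code units, which is why every single-unit password tested above can yield its own hash, while an ALT code that repeats every 256 reaches only 256 keyboard slots. The names `md4`, `nt_hash`, `unique_single_char_hashes` and `alt_slot` are chosen for this sketch, and the modulo-256 wrap is an assumed model of the behaviour the post reports.

```python
import struct

MASK = 0xFFFFFFFF
# MD4 round parameters from RFC 1320: (function, constant, word order, shifts).
ROUNDS = (
    (lambda b, c, d: (b & c) | (~b & d), 0, range(16), (3, 7, 11, 19)),
    (lambda b, c, d: (b & c) | (b & d) | (c & d), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda b, c, d: b ^ c ^ d, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (hashlib's md4 is often disabled in current OpenSSL)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, const, order, shifts in ROUNDS:
            for i, k in enumerate(order):
                t = (a + f(b, c, d) + x[k] + const) & MASK
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & MASK, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(code_units) -> str:
    """NT hash: MD4 over the password's 16-bit code units, little-endian."""
    units = list(code_units)
    return md4(struct.pack("<%dH" % len(units), *units)).hex()

def unique_single_char_hashes(first: int, last: int) -> int:
    """Count distinct NT hashes for one-code-unit passwords first..last."""
    return len({nt_hash([cu]) for cu in range(first, last + 1)})

def alt_slot(alt_code: int) -> int:
    """Assumed model of the reported wrap: ALT codes repeat every 256."""
    return alt_code % 256

if __name__ == "__main__":
    print(nt_hash(map(ord, "password")))                    # constructed sample
    print(unique_single_char_hashes(1, 65535))              # slow in pure Python
    print({alt_slot(n) for n in (640, 896, 1152, 1408)})    # codes from the post
```
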