Penetration Testing mailing list archives
Re: Windows XP salted hashed verification of domain passwords
From: Tim <tim-pentest () sentinelchicken org>
Date: Mon, 5 Mar 2007 08:45:08 -0500
Hello Matt,

I've done some reading on these cached hashes recently as well, and I'm still fuzzy on a few things. I'll provide answers as best I can.

> For domain accounts, the passwords are not kept on a system. The verification is salted and hashed with md4 twice. I am trying to assess the following risks.
> 1) What is the danger that that verification could be misused on another system?
> 2) From that salted, hashed verification, can the password be derived? How likely is this?

First off, have you found a good reference which details exactly how the hashes are generated? You say hashed twice with md4... does that mean the same data hashed twice, or hashed in two chunks (like LM hashes)? I have yet to find a good reference (besides uncommented source code that I have yet to pick through).

Well, MD4 is a very weak hash, and dictionary attacks will certainly work if users pick any kind of predictable password. These would likely be harder to crack than LM hashes, since they are salted and building a rainbow table would be harder, but bad passwords are always pretty easy to crack. I'd be very interested to know exactly how these are salted...

> Also, how would one perform a pen test against those salted, hashed verifications? Let's assume in the registry no one was ignorant enough to put the registry key which provides the password.

Have you seen these references?

General description:
  http://www.irongeek.com/i.php?page=security/cachecrack

Look down the page for a cached password crack patch:
  http://www.openwall.com/john/

Another description and tool for grabbing cached passwords:
  http://www.gotroot.com/downloads/ftp/security/cain_and_abel/topics/mscache_hashes_dumper.htm

So there are obviously plenty of real-world tools out there. I have yet to try them, so YMMV.

HTH,
tim