Bugtraq mailing list archives
Re: BoS: NT Password Cracker
From: k-hamer () ntx1 cso uiuc edu (Kenneth L. Hamer)
Date: Sat, 16 Nov 1996 13:08:19 -0600
Yes, and no. The following is my understanding of how NT passwords are stored. This information was imparted to me verbally by a friend who has contact with Microsoft's programmers ("I know this guy..."), so you are welcome to treat it as highly suspect if you like.

From what I understand, the actual NT passwords (and I use that term advisedly, since the published specs (KB Article Q102716) show that the passwords themselves are _not_ stored; rather, hashes are) are stored on disk in a file which is hidden by the NT operating system. This file (or set of files) cannot be seen by any program which uses NT's API, although the system itself can obviously access the file. You can of course use NT's API to test passwords against the data contained in this file, but cannot read the file itself. The keys in the security registry point the system to specific entries in this file, but do not themselves contain the "passwords". Thus, you can't get at them with the registry editor.

If the hard drive is examined from outside of Windows NT, you can presumably find this data. An obvious method would be to use NT to get a complete listing of all files on the system, and then compare that with a listing generated with a non-NT custom NTFS reader. It might also be possible to get NTFS to spit up the raw data by installing custom filesystem drivers.

Once you have the raw hash data used to authenticate users, cracking a password becomes a simple matter of a dictionary attack. By avoiding NT's authentication subsystem entirely and using custom code you can probably speed up the process. Having 4 P6-200s chewing on _one_ account, the administrator account, should not take that long.

Also, you can perform a dictionary attack against the administrator account using NT's own APIs, since the administrator account cannot be configured with a multiple-failure lockout. This is a choice made by Microsoft: the ability to make the administrator password lock out after N failures would make it vulnerable to a denial-of-service attack.

A dictionary attack is often fruitful, since people insist on using crappy passwords. *Any* reusable password system will be vulnerable to a dictionary attack. This does not mean that NT's password system is weaker than that found in UNIX.

DES encryption rounds are quite inexpensive these days, and that is the basis for the UNIX encryption scheme. The process Microsoft describes in the aforementioned KB document is certainly more expensive, and thus more difficult to attack. Add in the fact that the actual authentication data used by NT is much harder to obtain than that used in UNIX, and it seems reasonable to say that NT is a harder nut to crack.

I regularly crack passwords on my UNIX systems (as a preventative measure). A typical round takes about four hours to investigate 400 passwords (and picks up bad ones often). With the NT attack you are only investigating one: the Administrator password.

- Ken
----------
From: Bernd Lehle [SMTP:Bernd.Lehle () RUS Uni-Stuttgart DE]
Sent: Thursday, November 14, 1996 7:50 AM
To: Multiple recipients of list BUGTRAQ
Subject: BoS: NT Password Cracker

Hi there,

http://www.omna.com/Yes/MWC/PRS-index.htm

MWC offers a commercial service to "recover" a lost Windows NT (all Versions) administrator password at "Any level of the Password Complexity". The whole thing takes four hours on four Pentium-200s and costs about $US 4,500.

Comparing this against my experiences with Crack and crypt on UNIX platforms, I have to conclude that NT password encryption must be ridiculous if this offer is true.

Does anybody have details?
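Both messages above turn on the same question: once the hash data is in hand, how cheap is an offline dictionary attack against NT accounts? The following is an added example by the editor, not code from either poster or from Microsoft. It assumes the NT-style hash, which is a single MD4 over the UTF-16LE encoding of the password with no salt and no iteration (the older LM hash that also lived alongside it is omitted here). MD4 is implemented in pure Python because modern OpenSSL builds no longer expose it through `hashlib`. The "hash dump" and wordlist are constructed for the example; only the Administrator entry is the well-known NT hash of the word "password". The point the code makes explicit is the one Ken's argument leaves out: with no per-account salt, one hash computation per candidate word is compared against every account at once, so cracking 400 NT accounts costs the same number of hash operations as cracking one.

```python
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# (round function, message-word order, per-step shifts, additive constant) from RFC 1320
_ROUNDS = (
    (_f, list(range(16)), (3, 7, 11, 19), 0x00000000),
    (_g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
    (_h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, implemented here because OpenSSL 3 hides it from hashlib."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)       # pad to 56 mod 64
    msg += struct.pack("<Q", len(data) * 8)             # 64-bit little-endian bit length
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for fn, order, shifts, const in _ROUNDS:
            for i, k in enumerate(order):
                t = (-i) % 4                            # target register cycles A, D, C, B
                x, y, z = r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]
                r[t] = _lrot((r[t] + fn(x, y, z) + X[k] + const) & MASK, shifts[i % 4])
        state = [(s + v) & MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password. No salt, no work factor."""
    return md4(password.encode("utf-16-le"))


def dictionary_attack(accounts, wordlist):
    """accounts: {username: nt_hash_hex}. Returns ({username: password}, hashes_computed).

    Because there is no salt, each candidate is hashed once and looked up against
    every account simultaneously; the cost does not grow with the number of accounts.
    """
    by_hash = {}
    for user, h in accounts.items():
        by_hash.setdefault(h.lower(), []).append(user)
    cracked, hashes_computed = {}, 0
    for word in wordlist:
        hashes_computed += 1
        for user in by_hash.get(nt_hash(word).hex(), ()):
            cracked[user] = word
    return cracked, hashes_computed


# Constructed sample hash dump (not real data). Administrator carries the well-known
# NT hash of "password"; the other entries are generated here for illustration.
SAMPLE_ACCOUNTS = {
    "Administrator": "8846f7eaee8fb117ad06bdd830b7586c",
    "alice": nt_hash("Uni-Stuttgart").hex(),
    "bob": nt_hash("password").hex(),          # same password as Administrator -> same hash
    "carol": nt_hash("Xq7!vR2#pL9").hex(),     # not in the wordlist, stays uncracked
}
SAMPLE_WORDLIST = ["123456", "letmein", "password", "Uni-Stuttgart", "qwerty"]

if __name__ == "__main__":
    found, n = dictionary_attack(SAMPLE_ACCOUNTS, SAMPLE_WORDLIST)
    print(f"{n} hash computations covered {len(SAMPLE_ACCOUNTS)} accounts; cracked: {found}")
```

Note that `bob` is recovered for free the moment `Administrator` is, since identical passwords produce identical NT hashes; a salted scheme such as UNIX crypt(3) would have required separate work per account. The online attack Ken describes (guessing through NT's own authentication API against the unlockable Administrator account) is a different exercise and is not shown here.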