Bugtraq mailing list archives
Re: more l0phtcrack errata
From: davidz () EDUCOM COM AU (David Zverina)
Date: Mon, 14 Apr 1997 15:11:37 +1000
From the l0phtcrack readme ....

By changing the default string that is processed through you can drastically change the amount of time it takes to brute through the entire keyspace. Keep in mind that the following characters are not valid in passwords so they don't need to be included: '/', '\', '[', ']', ':', ';', '|', '=', ',', '+', '*', '?', '<', '>' [according to the MS technet information]. For example: if you just want to check all combinations of letters all you have to run through is ABCDEFGHIJKLMNOPQRSTUVWXYZ.
Can you provide source for the technet article? It seems to me that the symbols which you have counted as invalid in the NT passwords are valid indeed. Note the illustration below and note that changing the password from "1+1" to "1?1" results in both of the hashes being completely different. (see attached output)

If this is the case then there are 69 significant characters. (128 less \0x0-\0x1F less 26 lowercase less \0x3F = 69) This means each of the halves of the lanman password contains 42.75 bits of information (= log(69^7)/log(2)). This means cracking a well-chosen password is about 7 times harder than cracking the 40 bit encryption which is contained in most US export products. (i.e. non-trivial but possible)

Cheers,
David

-----
D:\apps\secure>net user gumby 1+1
The command completed successfully.

D:\apps\secure>pwdump | grep gumby
gumby:1009:0C0958E450F88785AAD3B435B51404EE:886A3D92DDB35932249EA2C700B0C8B4:::

D:\apps\secure>net user gumby 1?1
The command completed successfully.

D:\apps\secure>pwdump | grep gumby
gumby:1009:5A4C12BD6CFA44CFAAD3B435B51404EE:5352ACBCFB1D1CB40DFD8FD1C57DC2E1:::
----

---
David Zverina
Software Engineer (davidz () educom com au)
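The attached pwdump output, reproduced by an added Go example that is not part of the original post, of l0phtcrack or of pwdump. It implements the LAN Manager hash as publicly documented (uppercase, NUL-pad to 14 bytes, use each 7-byte half as a DES key to encrypt "KGS!@#$%") with Go's standard crypto/des, and also evaluates the 7*log2(69) figure from the post; the function names are my own. The constant second half AAD3B435B51404EE is what reveals that a password is at most 7 characters, which is why each half is attacked as an independent 42.75-bit search.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math"
	"strings"
)

// lmKey spreads a 7-byte half over the 8-byte DES key layout. The low bit of
// every key byte is the DES parity bit, which DES itself ignores.
func lmKey(h []byte) []byte {
	return []byte{
		h[0],
		h[0]<<7 | h[1]>>1,
		h[1]<<6 | h[2]>>2,
		h[2]<<5 | h[3]>>3,
		h[3]<<4 | h[4]>>4,
		h[4]<<3 | h[5]>>5,
		h[5]<<2 | h[6]>>6,
		h[6] << 1,
	}
}

// LMHash returns the LAN Manager hash as pwdump prints it (uppercase hex):
// the password is uppercased, NUL-padded (or truncated) to 14 bytes, split into
// two 7-byte halves, and each half DES-encrypts the fixed string "KGS!@#$%".
func LMHash(password string) string {
	var padded [14]byte
	copy(padded[:], strings.ToUpper(password))
	out := make([]byte, 0, 16)
	for _, half := range [][]byte{padded[:7], padded[7:]} {
		block, err := des.NewCipher(lmKey(half))
		if err != nil {
			panic(err) // key is always 8 bytes, so this cannot happen
		}
		ct := make([]byte, 8)
		block.Encrypt(ct, []byte("KGS!@#$%"))
		out = append(out, ct...)
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// HalfBits is the entropy of one 7-character half drawn from n characters.
func HalfBits(n int) float64 { return 7 * math.Log2(float64(n)) }

func main() {
	for _, p := range []string{"", "1+1", "1?1"} { // constructed inputs
		fmt.Printf("%-5q %s\n", p, LMHash(p))
	}
	fmt.Printf("bits per half, 69-char set: %.2f\n", HalfBits(69))
}
```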