Bugtraq mailing list archives

NT password dictionary attack.


From: ashtonp () GB SWISSBANK COM (Paul Ashton)
Date: Tue, 18 Feb 1997 12:55:00 GMT


I previously sent this to ntbugtraq in response to an article entitled
"Windows NT authentication weakness" regarding SMB/CIFS problems with
the weak challenge-response system used by Windows NT, but it went
into a black hole.
---


Set up Samba on a Unix machine together with libdes for DES encryption.

Write a 20-line program that takes /usr/dict/words or a similar
word list, computes the MD4 hash of each word and then uses that to
encrypt an eight-byte fixed challenge (i.e. all zeroes).

Make a one line change to the challenge generation code to always
generate this fixed value.

Start Samba and give it a suitably interesting name, such as "Public
picture archive".

Wait for someone to attempt to connect to your server, send the fixed
challenge, and receive the fixed challenge encrypted by the user's hashed
password.

Instantaneously look up the hash in the precomputed database.

If it is not a dictionary word, stuff it into a history file and run a
modified crack on it later.

A good job that NT's C2 configuration tool disables the network...

Cheers,
--
Paul
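From the defender's side, the weakness Paul describes rests entirely on the server being able to choose the challenge: a fixed or repeating 8-byte challenge turns the response into a static, precomputable function of the password hash. The following added example (not part of the original post, and not Samba or NT code) shows a simple check a monitoring tool could run over observed server challenges to spot a server that never varies its challenge. It assumes an external capture stage that already yields (server name, challenge as hex) pairs; the observation data below is constructed for illustration.

```python
"""Flag SMB/NTLM servers whose authentication challenge is fixed or zero.

Added example, not from the original post. It assumes an observation feed
of (server name, 8-byte challenge as hex) pairs produced by some external
capture tool; SAMPLE_OBSERVATIONS below is constructed data.
"""
from collections import defaultdict

CHALLENGE_LEN = 8  # the NT challenge/response scheme uses an 8-byte server challenge

# Constructed sample observations: three sessions seen against each server.
SAMPLE_OBSERVATIONS = [
    ("fileserver01", "3f9a0c11e4b27d60"),
    ("fileserver01", "a7c4e9013b56d2f8"),
    ("fileserver01", "0d81f3c5a29e4b77"),
    ("public-pics", "0000000000000000"),
    ("public-pics", "0000000000000000"),
    ("public-pics", "0000000000000000"),
    ("lab-share", "1122334455667788"),
    ("lab-share", "1122334455667788"),
    ("lab-share", "1122334455667788"),
]


def parse_challenge(hex_value):
    """Decode a hex challenge and reject anything that is not exactly 8 bytes."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != CHALLENGE_LEN:
        raise ValueError(f"challenge must be {CHALLENGE_LEN} bytes, got {len(raw)}")
    return raw


def group_by_server(observations):
    """Collect the challenges each server has sent, in observation order."""
    grouped = defaultdict(list)
    for server, hex_value in observations:
        grouped[server].append(parse_challenge(hex_value))
    return grouped


def analyse_challenges(challenges, min_sessions=2):
    """Return the reasons a server's challenges look fixed (empty list if none).

    'all_zero' : a challenge of eight zero bytes was seen, the fixed value the
                 post suggests a rogue server would hand out.
    'repeated' : with at least min_sessions sessions observed, the same
                 challenge was sent more than once; a properly random 64-bit
                 challenge should essentially never repeat.
    """
    reasons = []
    if any(c == bytes(CHALLENGE_LEN) for c in challenges):
        reasons.append("all_zero")
    if len(challenges) >= min_sessions and len(set(challenges)) < len(challenges):
        reasons.append("repeated")
    return reasons


def flag_fixed_challenge_servers(observations, min_sessions=2):
    """Return [(server, reasons), ...], sorted by server name, for suspicious servers."""
    flagged = []
    for server, challenges in sorted(group_by_server(observations).items()):
        reasons = analyse_challenges(challenges, min_sessions)
        if reasons:
            flagged.append((server, reasons))
    return flagged


if __name__ == "__main__":
    for server, reasons in flag_fixed_challenge_servers(SAMPLE_OBSERVATIONS):
        print(f"{server}: suspicious challenge behaviour ({', '.join(reasons)})")
```

Run against the constructed data, the check flags "public-pics" (all-zero and repeated challenge) and "lab-share" (a non-zero but constant challenge), while "fileserver01", whose challenge changes every session, is left alone. The repeat test needs at least two observed sessions per server, so a single capture can only ever trigger the all-zero rule.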


