Re: NEW windows password encryption flaw..

[Darren Bennett <DARREN.L.BENNETT () saic com>]

Here is a yahoo story on the same problem... Others seem to think that
it is indeed a problem (and one that ONLY affects Windows).


http://story.news.yahoo.com/news?tmpl=story&cid=620&ncid=620&e=1&u=/nf/20030723/bs_nf/21952On 
                -Darren

Wed, 2003-07-23 at 13:24, 3APA3A wrote:
> Dear Darren Bennett,
>
> Windows  uses  password  hash  in  a  same  way  as  Unix uses cleartext
> password.  Having  password  hash  you  can  connect  to Windows network
> without  knowledge  of  cleartext  password (I spent 2 minutes to modify
> smbclient to use hash instead of password and 5 minutes to test, you can
> try  to  do  it  as  a  challenge...  Hint:  all you need is to skip MD4
> encoding  if  password  is already looks like MD4 hash). So, cracking of
> Windows hashes gives you nothing in fact.
>
>
> --Wednesday, July 23, 2003, 9:48:51 PM, you wrote to full-disclosure () lists netsys com:
>
> DB> Is this new? I read about it on slashdot...
>
> DB> http://lasecpc13.epfl.ch/ntcrack/
>
> DB> Basically, it seems that Microsoft has (yet again) screwed up the
> DB> implementation of their encryption scheme. This makes cracking any hash
> DB> a matter of seconds. Oops... 
-- 
-----------------------------------------------
Darren Bennett 
CISSP, Certified Unix Admin., MCSE, MCSA, MCP +I
Sr. Systems Administrator/Manager
Science Applications International Corporation
Advanced Systems Development and Integration
-----------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html