Penetration Testing mailing list archives
Re: [PEN-TEST] NT 4.0 and MD4 Hash
From: "crazytrain.com" <subscribe () crazytrain com>
Date: Sat, 9 Dec 2000 22:53:57 -0500
Hope this helps... with the LAN Manager password, if the password is 7 characters or less, you can find this out quickly: the second 8 bytes is AAD3B4435B51404EE (encrypted password). This is always true for 7 or less, as these 7 characters are null.

thomas
This was described in InfoWorld (print and online) Security Watch (authors: Stuart McClure, CTO, and Joel Scambray are co-authors of Hacking Exposed), which likely describes this issue. Archive of two issues to address: November 22, 1999 (http://www.infoworld.com/articles/op/xml/99/11/22/991122opsecwatch.xml), which clarifies the October 25, 1999 issue. These describe the NT problem as being the LanMan auth method (used for Win9x compatibility). If using LM, passwords are only sufficiently strong when 7 and 14 characters because of the hashing methodology (this is described in detail).

Brett Osborne
CLCS IT Security/Networks
"Whenever you eliminate the impossible, whatever remains, however improbable, must be the truth." Sherlock Holmes

-----Original Message-----
From: Rory [mailto:nazgul () CSN UL IE]
Sent: Wednesday, December 06, 2000 2:59 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] NT 4.0 and MD4 Hash

I know a lot of people have replied to this but none of them have mentioned this. I was under the impression that if the password was under 7 characters (which 'magic' is) a known constant is appended to the password (before or after the hash I am not sure) to fill out to a length that NT likes, and maybe that's why you are not seeing the same hash both times. Could be way off 'cos I am writing this from memory but I'm sure people will set me straight :)

Hope this helps,
Rory

p.s. Can't remember exactly what this constant is but I'm sure you can find it somewhere in l0pht documentation.

On Wed, 6 Dec 2000, Chad Gough wrote:

Please fix the error in my ways.. ;-) I was under the impression that the NT hash (not the LM hash) was a straight MD4 hash with no salt value. A SANS article confirms this at: http://www.sans.org/infosecFAQ/logon.htm

Using L0phtCrack and a test account with username Administrator, password "magic" (no quotes), L0phtCrack reads the values as:

Administrator:"MAGIC":"magic":5B4334DA1FB3A5FBAAD3B435B51404EE:827B5320B42E9FD95CBB0E63451B701E

LanMan Hash: 5B4334DA1FB3A5FBAAD3B435B51404EE
NT hash: 827B5320B42E9FD95CBB0E63451B701E

However, when I MD4 encrypt the string magic I get the following as a result: 5982FE41BF9A10BB937BD0AB095192B3

I have tried this several times with various utilities including: http://www.persits.net/encrypt/demo_hash.asp

The SANS article mentions a unicode convert prior to hashing. I get the string "6D61676963" from a unicode conversion of magic. Neither of these values will equate to the L0pht value. Can someone please tell me where I am going wrong?? Thanks in advance.

Chad
Security Consultant
chad131 () yahoo com
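As an added worked example (not code from any of the posters above), the Python below reproduces what the thread is circling around: the NT hash is an unsalted MD4 over the password encoded as UTF-16LE (two bytes per character, low byte first), not over the ASCII bytes, and the LM hash of a password of 7 characters or fewer has AAD3B435B51404EE as its second half (DES of the constant "KGS!@#$%" under an all-zero 7-byte key, which is what a null-padded second block produces). MD4 is implemented inline because hashlib's md4 is frequently missing under OpenSSL 3. The L0phtCrack line is the one Chad posted; the function names and the parser are assumptions for this example.

```python
"""NT/LM hash sanity checks for the "NT 4.0 and MD4 Hash" thread.

Added example, standard library only. MD4 is implemented inline because
hashlib.new("md4") is often unavailable under OpenSSL 3.
"""
import struct

# DES("KGS!@#$%") under an all-null key: the LM half produced by an empty,
# null-padded 7-character block (the constant the first post refers to).
LM_EMPTY_HALF = "AAD3B435B51404EE"

# L0phtCrack output line as posted in the thread (hash rejoined across a wrap).
SAMPLE_LINE = ('Administrator:"MAGIC":"magic":'
               '5B4334DA1FB3A5FBAAD3B435B51404EE:827B5320B42E9FD95CBB0E63451B701E')


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). The NT hash is MD4 over UTF-16LE text."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                      # round 1: words in order
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 2: 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):                      # round 3: bit-reversed word order
            a = rotl((a + h(b, c, d) + x[order[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def utf16le_hex(password: str) -> str:
    """The 'unicode convert' step: 'magic' becomes 6D 00 61 00 67 00 69 00 63 00."""
    return password.encode("utf-16-le").hex().upper()


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password, no salt, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def lm_length_hint(lm_hex: str) -> str:
    """Classify an LM hash by its two 8-byte halves, as the first post describes."""
    lm_hex = lm_hex.upper()
    if len(lm_hex) != 32:
        raise ValueError("LM hash must be 32 hex characters")
    first, second = lm_hex[:16], lm_hex[16:]
    if first == LM_EMPTY_HALF and second == LM_EMPTY_HALF:
        return "empty password or LM hash not stored"
    if second == LM_EMPTY_HALF:
        return "password is 7 characters or fewer"
    return "password is 8 to 14 characters"


def parse_l0phtcrack_line(line: str) -> dict:
    """Split user:"LMPW":"NTPW":lmhash:nthash; cracked fields may contain colons."""
    head, lm, nt = line.rsplit(":", 2)
    return {"user": head.split(":", 1)[0], "lm": lm.upper(), "nt": nt.upper()}


def check_sample(line: str = SAMPLE_LINE) -> dict:
    """Compare the dumped NT hash against MD4 of UTF-16LE vs. MD4 of ASCII."""
    rec = parse_l0phtcrack_line(line)
    rec["nt_matches_md4_utf16le"] = nt_hash("magic") == rec["nt"]
    rec["nt_matches_md4_ascii"] = md4(b"magic").hex().upper() == rec["nt"]
    rec["lm_hint"] = lm_length_hint(rec["lm"])
    return rec


if __name__ == "__main__":
    for key, value in check_sample().items():
        print(f"{key}: {value}")
```

The ASCII comparison is there to show exactly the mistake in the original question: hashing the 5-byte string "magic" gives an unrelated digest, while hashing the 10-byte UTF-16LE encoding gives the value L0phtCrack reported. The LM check is the quick triage the first reply describes: an AAD3B435B51404EE second half means the cracker only has a 7-character (or shorter) first block to attack.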