Re: [PEN-TEST] NT 4.0 and MD4 Hash

["crazytrain.com" <subscribe () crazytrain com>]

Hope this helps...


with the LAN Manager password, if the password is 7 characters or less, you
can find this out quickly:
  the second 8 bytes is AAD3B4435B51404EE (encrypted password).  This is
always true for 7 or less, as these 7 characters are null.

thomas

> This was described in InfoWorld (print and online) Security Watch
(Authors:
> Stuart McClure and CTO and Joel Scambray are co-authors of Hacking
Exposed),
> which likely describes this issue. Archive of two issues to address
November
> 22, 1999
> (http://www.infoworld.com/articles/op/xml/99/11/22/991122opsecwatch.xml)
> which clarifies the October 25, 1999 issue. These describe the NT problem
> being as the LanMan auth method (used for win9x compatibility). If using
LM,
> passwords are only sufficiently strong when 7 and 14 characters because of
> the hashing methodology (this is decribed in detail).
>
> Brett Osborne
> CLCS IT Security/Networks
> "Whenever you eliminate the impossible, whatever remains, however
> improbable, must be the truth." Sherlock Holmes
>
> -----Original Message-----
> From: Rory [mailto:nazgul () CSN UL IE]
> Sent: Wednesday, December 06, 2000 2:59 PM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: [PEN-TEST] NT 4.0 and MD4 Hash
>
>
> I know alot of people have replied to this but none of them have mentioned
> this. I was under the impression that if the password was under 7
> characters (which 'magic' is) a known constant is appended to the the
> password (before or after the hash I am not sure). To fill out to a length
> that NT likes and maybe thats why you are not seeing the same hash both
> times. Could be way off 'cos I am writing this from memory but i'
> m sure people will set me straight :)
> Hope this helps,
> Rory
>
> p.s. Can't remeber exazctly what this constant is but i'm sure you can
> find it somewhere in l0pht documentation.
>
> On Wed, 6 Dec 2000, Chad Gough wrote:
>
> > Please fix the error in my ways..  ;-)
> >
> > I was under the impression that the NT hash (not the LM hash) was a
> > straight MD4 hash with no salt value.
> >
> > A SANS article confirms this at:
> > http://www.sans.org/infosecFAQ/logon.htm
> >
> > Using L0phtCrack and a test account with username Administrator,
> > password "magic" (no quotes).
> >
> > L0pht Crack reads the values as:
> > Administrator:"MAGIC":"magic":5B4334DA1FB3A5FBAAD3B435B51404EE:827B5320B
> > 42E9FD95CBB0E63451B701E
> >
> > LanMan Hash: 5B4334DA1FB3A5FBAAD3B435B51404EE
> > NT hash:    827B5320B42E9FD95CBB0E63451B701E
> >
> > However, when I MD4 encrypt the string magic I get the following as a
> > result:
> > 5982FE41BF9A10BB937BD0AB095192B3
> >
> > I have tried this several times with various utilities including:
> > http://www.persits.net/encrypt/demo_hash.asp
> >
> > The SANS article mentions a unicode convert prior to hashing.  I get
> > the string "6D61676963" from a unicode conversion of magic.
> >
> >
> > Neither of these values will equate to the L0pht value.
> >
> >
> > Can someone please tell me where I am going wrong??
> >
> > Thanks in advance.
> >
> > Chad
> > Security Consultant
> > chad131 () yahoo com
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Shopping - Thousands of Stores. Millions of Products.
> > http://shopping.yahoo.com/