Penetration Testing mailing list archives

Re: Symantec A/V - netscan password in registry

From: miguel.dilaj () pharma novartis com
Date: Thu, 6 Feb 2003 16:40:08 +0100

Hi nobody

It's not standard MD2, MD4 or MD5, because this hash is longer than those 
standards.
It's not NT, because NTLM is just MD4/Unicode, so still this hash is too 
long, and If I remember correctly, old LM hashes are the same lenght as 
NTLM.
It's not SHA-1 or RIPEMD-160, again those are shorter than your example.
It's definitely not Blowfish MD5, used today by Linux, and doesn't look 
like the good old crypt(3).
(It's not even the Lotus Domino R4 hash, but I'll never expect that!)

In my humble opinion, it's some kind of hash, but the algorithm used 
simply beats me, sorry.

I can confirm that it's not an algorithm supported by our tool "Lepton's 
Crack", and I've never seen something similar in John The Ripper, but it 
have been some time since I used it...

So far I think that's the same or less level of exposure of other 
encrypted passwords in the system. I'm not personally aware of any 
exploitable situation with the antivirus in the server.

Silly question: Have you tried THAT as the password???

Kind regards,

Miguel Dilaj
aka Nekromancer






nobody <pentester () yahoo com>
05/02/2003 23:00

 
        To:     pentest_list <pen-test () securityfocus com>
        cc: 
        Subject:        Symantec A/V - netscan password in registry


All,

recently installed Symantec A/V and looked at the
registry in my PC.   XP sp1

clear text entries for an NT server and the share name
that it uses.

An entry for a "netscanpassword" that looks encrypted
?

20AA9E1606F91E64ABF97162783AE5E059E48797D7F

Questions ?
1. is this password encrypted via Windows ( lmhash
ntlm)
2. some crypt function (ala the UNIX world)
3. some other algorithms ?  MD4 MD5 etc?

Can I cut and paste the above into John-the-ripper or
the crypt function ?

What I have in clear text is the NT machine, it's
share name and the NT account (user) that it uses. 
All in the registry or event log.

It does "phone home" every week - but I have yet to
catch the packet traffic with Ethereal to see what
type of authentication it is doing.

Anyone else besides me think that this may present a
security exposure ( inside our network - of course) ?

It seems to me that placing this on every user's
desktop is exposing the A/V server to more risk than
is required ? if ? the account and password (if it can
be cracked) can access the server in any manner not
expected by the installer.

Or - is this old news and already been spotted ?



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

Symantec A/V - netscan password in registry nobody (Feb 05)
- Re: Symantec A/V - netscan password in registry User C0d3r (Feb 06)
- <Possible follow-ups>
- Re: Symantec A/V - netscan password in registry miguel . dilaj (Feb 06)