SV: Brute-forcing cached Windows login password hashes

["Per Thorsheim" <putilutt () online no>]

Sorry, my bad. Anyway; doing a dictionary/hybrid attack will probably give
you access a lot faster. I've done quite a bit of password audits on Windows
systems over the last 9 years or so, and based on my experience you should
get 3-10% of all passwords in a domain within a few minutes of running a
simple dictionary logon attack.

Then again; why break the passwords, as pass-the-hash is fully possible in
most Windows environments?

Regards,
Per Thorsheim


-----Opprinnelig melding-----
Fra: listbounce () securityfocus com [mailto:listbounce () securityfocus com] På
vegne av Carl Livitt
Sendt: 26. juli 2007 16:39
Til: Ben Greenberg; pen-test () securityfocus com
Emne: Re: Brute-forcing cached Windows login password hashes


The hash algorithm is a salted MD4. It's impossible (ok, to be pedantic it's
mathematically infeasible) to use rainbow tables because of the salting, so
that leaves you with dictionary and brute-force.

The latest version of John and the MS Cache Hash patches are all available
from http://openwall.com/john/. I believe v1.7.2 is the latest version.

Regards,
Carl


Ben Greenberg wrote:
> Greetings all,
>  
> My question is regarding the encrypted password hashes that Windows 
> stores in the registry of the last 10 logins to a workstation.
>
> I read the original white paper written by Arnaud Pilon and I've used 
> his cachedump tool to extract the password hashes from the registry. 
> What I'm wondering is what type of hash those passwords use. Is it 
> straight MD4? I know that each hash is salted with a machine-specific 
> unique string. What I am unclear on is what exactly the password hash 
> is and how it can be brute-forced. I know that there is a patch for 
> John the Ripper, but every mention I can find refers to a two year old 
> version of John. Does anyone know if the most recent version has this 
> patch in it already? Also, is anyone familiar with any rainbow tables 
> for cracking these passwords? Are rainbow tables possible for these hashes
because of the salting?
> Thanks all.
>
> ----------------------------------------------------------------------
> --
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ----------------------------------------------------------------------
> --
>
>
>   

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------





------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------