Penetration Testing mailing list archives

Windows XP salted hashed verification of domain passwords


From: Matthew Webster <awakenings () mindspring com>
Date: Fri, 2 Mar 2007 15:12:17 -0500 (EST)

Folks,

    For domain accounts, the passwords are not kept on a system.  The verification is salted and hashed with MD4 twice.  I am trying to assess the following risks.  1) What is the danger that that verification could be misused on another system?  2) From that salted, hashed verification, can the password be derived?  How likely is this?

     Also, how would one perform a pen test against those salted, hashed verifications?  Let's assume in the registry no one was ignorant enough to put the registry key which provides the password.

Thanks,

Matt


