Vulnerability Development mailing list archives

RE: WinNT and previously used passwords


From: "Seymour, Keith" <KESeymour () magellanhealth com>
Date: Tue, 28 May 2002 12:40:13 -0500


I agree this might be something valuable to add to a password cracking
routine, for two reasons that I can't verify now but would be interested in
looking into.

One, the rights to read from the Reg Key might be easier to gain for the old
passwords.

Two, if you are like 'most' people, you start with the 1st password Tiger, then at
the next change you change to tiger01, etc. Which is easier to break?
Obviously Tiger: Lophtcrack will get that in a few seconds, and then it will be much
easier to get the others. If you are set to change password every 45 days
and hold 10 passwords, that means a great chance to get the first password
ever used for all employees less than 1 year at the company.

Keith

-----Original Message-----
From: Brett Moore [mailto:brett () softwarecreations co nz]
Sent: Sunday, May 26, 2002 6:54 PM
To: Jesper M. Johansson; 'KF'; vuln-dev () security-focus com
Subject: RE: WinNT and previously used passwords


The concept is a good one. A lot of people will use common combinations.
If, for example, the last few passwords were
tiger10
tiger11
tiger12
etc.

Lophtcrack will already crack them, as it can do 'add numbers to end and
begin'.

But if the last passwords were like
t10iger
ti11ger
tig12er

then LC will fail, whereas if we could see them in 'real text' we could
easily guess the next. The problem is that we can't see them in real text,
and Lophtcrack can't give them to us.

If, though, as KF has already pointed out, the last few passwords were like
apple
bannana
grape
tomato

then LC would show us, and we would have a good starting point for guessing
future passwords.


-------------------------------------
How to find the unknown passwords (if we are real lucky)
: this is an example of 1 method :
-------------------------------------
Where are they stored? Anyone, Microsoft, Numega?

1) Make sure that last password checking is enabled. Upping the number
of stored passwords will increase our chances of easily identifying them.
2) They are stored in 'registry', 'disk file', 'other?'
3) Use the SoftICE debugger, or possibly Regmon or Filemon, or even all.
4) Set relevant breakpoints for logging of file reads and registry reads.
5) Change our password to a known NON-used one, and await the response.
6) Look at our logs of calls.
7) If we are extremely lucky we might see '10' calls to "regreadkey
/location/location1-10".
8) Change our password to a KNOWN used one, and await the response.
9) If we are extremely lucky we might see '3' calls to "regreadkey
/location/location1-3", with our used password being number 3.

Otherwise it would be a 'semi-complicated' reverse engineering job for
someone with spare time. Weigh up the usefulness of the information?

Brett

-----Original Message-----
From: Jesper M. Johansson [mailto:jesper_m_johansson () hotmail com]
Sent: Saturday, 25 May 2002 16:14
To: 'KF'; vuln-dev () security-focus com
Subject: RE: WinNT and previously used passwords


Today I got a message when I logged in to my domain about my pass being
expired... so as expected I went ahead and typed in a new password. Next
thing I know NT (win2k really) is barking at me saying I can not use any
of my previous 10 passwords.

You, or whoever the administrator is, must have told it to remember the
last 10 passwords. This is a security feature, actually.

So my question is: are there any tools similar to l0pht crack in which the last 10
passwords can be extracted from either the registry or the SAM file or
wherever they are hiding?

First of all, it is not storing the password. It is storing a hash (two
hashes actually, unless you use the NoLMHash switch). Second, I don't
think there are any such utilities. Generally speaking, I would be more
interested in cracking your current password than 10 of your old ones,
considering that the current one has a better chance of still being
valid by the time I crack it. Presumably, if your new password is based
on your old one, I would probably be able to crack the new one just as
easily as the old one, and it allows me to do so using 1/11th the amount
of work, assuming you are storing 10 passwords.

Now, this might be interesting to do if your objective, as a white-hat
administrator, is to catch people who reuse passwords. However, my
experience is that most people would get more mileage out of teaching
people to use good current passwords instead of cracking old ones.
Better yet, implement smart card logon and get rid of passwords
altogether.
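The reuse pattern the thread describes (Tiger, tiger01, t10iger) is something an administrator can reject at password-change time rather than crack afterwards. The following is an added example, not code from any of the posts above: a change filter that reduces a candidate to its letter skeleton and refuses it if the skeleton equals, or is within a couple of edits of, a previous password's skeleton. The function names and the two-edit threshold are this example's own assumptions, as is the premise that the old cleartexts are available at change time.

```python
import re
from typing import Iterable

# Added example: a password-change filter against trivial mutations of
# earlier passwords. Assumes the filter runs at change time, when the
# previous cleartext(s) can be compared; stored history stays hashed.

def skeleton(password: str) -> str:
    """Lower-cased letters only, digits and symbols dropped.
    'Tiger', 'tiger01' and 't10iger' all collapse to 'tiger'."""
    return re.sub(r"[^a-z]", "", password.lower())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute),
    used to catch small letter tweaks that change the skeleton."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def is_trivial_variant(new: str, history: Iterable[str], max_edits: int = 2) -> bool:
    """True if `new` shares its letter skeleton with any old password, or its
    skeleton is within `max_edits` edits of one. An all-digit password has an
    empty skeleton, so it is compared on the raw lower-cased string instead."""
    new_sk = skeleton(new) or new.lower()
    for old in history:
        old_sk = skeleton(old) or old.lower()
        if new_sk == old_sk or edit_distance(new_sk, old_sk) <= max_edits:
            return True
    return False

if __name__ == "__main__":
    # Constructed history, mirroring the thread's examples.
    history = ["Tiger", "tiger01", "t10iger"]
    for candidate in ["tig12er", "Tigre99", "grape"]:
        verdict = "reject" if is_trivial_variant(candidate, history) else "accept"
        print(f"{candidate}: {verdict}")
```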
