Vulnerability Development mailing list archives
RE: WinNT and previously used passwords
From: "Seymour, Keith" <KESeymour () magellanhealth com>
Date: Tue, 28 May 2002 12:40:13 -0500
I agree this might be something valuable to add to a password cracking routine, for two reasons that I can't verify now but would be interested in looking into. One, the rights to read the registry key might be easier to gain for the old passwords. Two, if you are like 'most' people you start with a first password of Tiger, then at the next change you change to tiger01, etc. Which is easier to break? Obviously Tiger - L0phtCrack will get that in a few seconds, and then it will be much easier to get the others. If you are set to change passwords every 45 days and hold 10 passwords, that means a great chance to get the first password ever used for all employees less than 1 year at the company.

Keith

-----Original Message-----
From: Brett Moore [mailto:brett () softwarecreations co nz]
Sent: Sunday, May 26, 2002 6:54 PM
To: Jesper M. Johansson; 'KF'; vuln-dev () security-focus com
Subject: RE: WinNT and previously used passwords

The concept is a good one. A lot of people will use common combinations. If for example the last few passwords were tiger10, tiger11, tiger12, etc., L0phtCrack will already crack them as it can do 'add numbers to end and begin', but if the last passwords were like t10iger, ti11ger, tig12er then LC will fail, whereas if we could see them in 'real text' we could easily guess the next. The problem is that we can't see them in real text, and L0phtCrack can't give them to us. If, though, as KF has already pointed out, the last few passwords were like apple, banana, grape, tomato, then LC would show us, and we would have a good starting point for guessing future passwords.

-------------------------------------
How to find the unknown passwords (if we are real lucky); this is an example of one method:
-------------------------------------
Where are they stored? Anyone, Microsoft, NuMega?

1) Make sure that last-password checking is enabled. Upping the number of stored passwords will increase our chances of easily identifying them.
2) They are stored in 'registry', 'disk file', 'other?'
3) Use the SoftICE debugger, or possibly Regmon or Filemon, or even all of them.
4) Set relevant breakpoints for logging of file reads and registry reads.
5) Change our password to a known NON-used one, and await the response.
6) Look at our logs of calls.
7) If we are extremely lucky we might see '10' calls to "regreadkey /location/location1-10".
8) Change our password to a KNOWN used one, and await the response.
9) If we are extremely lucky we might see '3' calls to "regreadkey /location/location1-3", with our used password being number 3.

Otherwise it would be a 'semi-complicated' reverse engineering job for someone with spare time. Weigh up the usefulness of the information?

Brett

-----Original Message-----
From: Jesper M. Johansson [mailto:jesper_m_johansson () hotmail com]
Sent: Saturday, 25 May 2002 16:14
To: 'KF'; vuln-dev () security-focus com
Subject: RE: WinNT and previously used passwords

> Today I got a message when I logged in to my domain about my pass being
> expired... so as expected I went ahead and typed in a new password. Next
> thing I know NT (win2k really) is barking at me saying I can not use any
> of my previous 10 passwords.

You, or whoever the administrator is, must have told it to remember the last 10 passwords. This is a security feature, actually.

> So my question is are there any tools similar to l0pht crack in which
> the last 10 passwords can be extracted from either the registry or the
> SAM file or where ever they are hiding?

First of all, it is not storing the password. It is storing a hash (two hashes actually, unless you use the NoLMHash switch). Second, I don't think there are any such utilities. Generally speaking, I would be more interested in cracking your current password than 10 of your old ones, considering that the current one has a better chance of still being valid by the time I crack it. Presumably, if your new password is based on your old one, I would probably be able to crack the new one just as easily as the old one, and it allows me to do so using 1/11th the amount of work, assuming you are storing 10 passwords. Now, this might be interesting to do if your objective, as a white-hat administrator, is to catch people who reuse passwords. However, my experience is that most people would get more mileage out of teaching people to use good current passwords instead of cracking old ones. Better yet, implement smart card logon and get rid of passwords altogether.
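The pattern-based guessing that Keith and Brett describe above, as an added example in Python that is not part of the original thread: given a cracked password history (the sample histories below are constructed, not real cracked data), it infers the base word, the number step and whether the digits slide through the word, and extrapolates candidates for the next password. Where there is no numeric pattern (unrelated words like apple, banana, grape) it falls back to the 'add numbers to end' mutation that L0phtCrack already applies. All function names and the sample data are assumptions for illustration.

```python
import re

# Constructed sample histories (oldest first), covering the three cases
# discussed in the thread. Not real cracked data.
HISTORY_FIXED = ["tiger10", "tiger11", "tiger12"]      # LC's 'add numbers to end' catches these
HISTORY_SLIDING = ["t10iger", "ti11ger", "tig12er"]    # LC fails; only visible in clear text
HISTORY_WORDS = ["apple", "banana", "grape", "tomato"]  # no numeric pattern at all


def split_digits(pw):
    """Split a password around its first digit run: (prefix, digits, suffix).
    digits is None when the password contains no digits."""
    m = re.search(r"\d+", pw)
    if not m:
        return pw, None, ""
    return pw[: m.start()], m.group(), pw[m.end():]


def infer_pattern(history):
    """Describe the pattern linking consecutive passwords, or return None.

    A pattern exists when every entry shares the same letters once the number
    is removed, the number changes by a constant step, and the position of the
    number moves by a constant shift (0 for tiger10 -> tiger11, 1 for
    t10iger -> ti11ger)."""
    if len(history) < 2:
        return None
    parts = [split_digits(p) for p in history]
    if any(d is None for _, d, _ in parts):
        return None
    bases = {p + s for p, _, s in parts}        # letters with the number removed
    if len(bases) != 1:
        return None
    nums = [int(d) for _, d, _ in parts]
    positions = [len(p) for p, _, _ in parts]   # where the digits sit in the word
    steps = {b - a for a, b in zip(nums, nums[1:])}
    shifts = {b - a for a, b in zip(positions, positions[1:])}
    if len(steps) != 1 or len(shifts) != 1:
        return None
    return {
        "base": bases.pop(),
        "last_num": nums[-1],
        "step": steps.pop(),
        "width": len(parts[-1][1]),   # keep zero padding, e.g. 01 -> 02
        "last_pos": positions[-1],
        "shift": shifts.pop(),
    }


def next_candidates(pattern, count=3):
    """Extrapolate the pattern forward to the next `count` likely passwords."""
    out = []
    num, pos, base = pattern["last_num"], pattern["last_pos"], pattern["base"]
    for _ in range(count):
        num += pattern["step"]
        # The digits slide by `shift` each change but cannot leave the word.
        pos = max(0, min(pos + pattern["shift"], len(base)))
        out.append(base[:pos] + str(num).zfill(pattern["width"]) + base[pos:])
    return out


def append_digits(words, digits=range(1, 4)):
    """Fallback when there is no numeric pattern: the 'add numbers to end'
    mutation (the Tiger -> tiger01 habit Keith describes)."""
    return [f"{w.lower()}{n:02d}" for w in words for n in digits]


def guess_next(history, count=3):
    """Candidate list for the password that follows `history`."""
    pattern = infer_pattern(history)
    if pattern is None:
        return append_digits(history)
    return next_candidates(pattern, count)


if __name__ == "__main__":
    for h in (HISTORY_FIXED, HISTORY_SLIDING, HISTORY_WORDS):
        print(h, "->", guess_next(h))
```

The sliding case is the one Brett says LC misses: with the history in clear text the script sees the digits moving one place per change and proposes tige13r before tiger14, whereas a hash cracker with an append/prepend-numbers rule never tries either. The fallback on the word list is deliberately the same mutation LC applies, to show that cracking the old hashes adds nothing there beyond the words themselves as a starting wordlist.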
Current thread:
- WinNT and previously used passwords KF (May 24)
- Re: WinNT and previously used passwords Kit (May 25)
- RE: WinNT and previously used passwords V (May 25)
- MacOS X 10.1.4 MAC Address Spoofing Juan M. Courcoul (May 26)
- Re: MacOS X 10.1.4 MAC Address Spoofing jsyn (May 27)
- MacOS X 10.1.4 MAC Address Spoofing Juan M. Courcoul (May 26)
- RE: WinNT and previously used passwords Jesper M. Johansson (May 25)
- Re: WinNT and previously used passwords Kevin Finisterre (May 25)
- Re: WinNT and previously used passwords Roland Postle (May 26)
- RE: WinNT and previously used passwords Brett Moore (May 26)
- <Possible follow-ups>
- RE: WinNT and previously used passwords Seymour, Keith (May 28)
- RE: WinNT and previously used passwords Keith T. Morgan (May 28)