Vulnerability Development mailing list archives

Re: Password Cracking Challenge...


From: David Riley <oscar () the-rileys net>
Date: Mon, 28 Jul 2003 16:47:19 -0400 (EDT)

On Mon, 28 Jul 2003, Justin Pryzby wrote:

Date: Mon, 28 Jul 2003 12:44:45 -0700
From: Justin Pryzby <justinpryzby () users sf net>
To: "vuln-dev () securityfocus com" <vuln-dev () securityfocus com>
Subject: Re: Password Cracking Challenge...

Can't say for sure, but the zeros are interesting.  I know the MS NTLM
scheme takes passwords longer than 7(?) and breaks them up into two
passwords, each of maximum length 7(?).  That's the first thing I'd try.
The encryption is documented, [http://www.innovation.ch/java/ntlm.html]
is a good starting point.

It is a good starting point, and that's what I thought of as well.
However, the cutoff here seems to be 8 bytes instead of 7.  I'm still
looking at it, but the encoding of the second chunk seems dependent on the
first (e.g. the "321" chunk of "Pa$$word321" is different than that of
"Password321").

Just my 2 cents.

