Re: Brute-forcing cached Windows login password hashes

To:	Ben Greenberg <Ben.Greenberg@senet-int.com>, pen-test@securityfocus.com
Subject:	Re: Brute-forcing cached Windows login password hashes
From:	Carl Livitt <carllivitt@yahoo.com>
Date:	Thu, 26 Jul 2007 07:39:00 -0700
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	pentest-list2@consult.net
Delivered-to:	mailing list pen-test@securityfocus.com
Delivered-to:	moderator for pen-test@securityfocus.com
Domainkey-signature:	a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Received:X-YMail-OSG:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding; b=KvCTECyGVTBxhY4rvC1fMQQD2GdU/3o6sG5OuJNSx5bEzRyhtHTzn1Mwmj1b8qK88FuWMeV3g2J0abzf0fzfBVibYQ2GrBiyzkPXdpB4vfq7yxVYC/ddiJnRSQ6+No/Q9Y+qIS0mwPbrwuYSlTBSDZMJzQJlCynVFp7Mnk+RCrs= ;
In-reply-to:	<CE446230FD6A66468C69A25C27ED35961BC418@flame.senet-int.com>
List-help:	<mailto:pen-test-help@securityfocus.com>
List-id:	<pen-test.list-id.securityfocus.com>
List-post:	<mailto:pen-test@securityfocus.com>
List-subscribe:	<mailto:pen-test-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:pen-test-unsubscribe@securityfocus.com>
Mailing-list:	contact pen-test-help@securityfocus.com; run by ezmlm
References:	<CE446230FD6A66468C69A25C27ED35961BC418@flame.senet-int.com>
Resent-date:	Thu, 26 Jul 2007 22:20:57 -0600 (MDT)
Resent-from:	pen-test-return-1078484706@securityfocus.com
Resent-message-id:	<20070727042057.37048237053@outgoing3.securityfocus.com>
Resent-sender:	listbounce@securityfocus.com
Sender:	listbounce@securityfocus.com
User-agent:	Thunderbird 2.0.0.0 (X11/20070326)

The hash algorithm is a salted MD4. It's impossible (ok, to be pedantic
it's mathematically infeasible) to use rainbow tables because of the
salting, so that leaves you with dictionary and brute-force.

The latest version of John and the MS Cache Hash patches are all
available from http://openwall.com/john/. I believe v1.7.2 is the latest
version.

Regards,
Carl


Ben Greenberg wrote:
> Greetings all,
>  
> My question is regarding the encrypted password hashes that Windows stores in
> the registry of the last 10 logins to a workstation.
>
> I read the original white paper written by Arnaud Pilon and I've used his
> cachedump tool to extract the password hashes from the registry. What I'm
> wondering is what type of hash those passwords use. Is it straight MD4? I
> know that each hash is salted with a machine-specific unique string. What I
> am unclear on is what exactly the password hash is and how it can be
> brute-forced. I know that there is a patch for John the Ripper, but every
> mention I can find refers to a two year old version of John. Does anyone know
> if the most recent version has this patch in it already? Also, is anyone
> familiar with any rainbow tables for cracking these passwords? Are rainbow
> tables possible for these hashes because of the salting?
>
> Thanks all.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
>   

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
Brute-forcing cached Windows login password hashes, Ben Greenberg Re: Brute-forcing cached Windows login password hashes, Jerome Athias RE: Brute-forcing cached Windows login password hashes, Ben Greenberg SV: Brute-forcing cached Windows login password hashes, Per Thorsheim Re: Brute-forcing cached Windows login password hashes, Mathieu CHATEAU Re: Brute-forcing cached Windows login password hashes, Carl Livitt <= Re: Brute-forcing cached Windows login password hashes, Mathieu CHATEAU Re: Brute-forcing cached Windows login password hashes, Carl Livitt SV: Brute-forcing cached Windows login password hashes, Per Thorsheim Re: Brute-forcing cached Windows login password hashes, wymerzp

Previous by Date:	Re: Breaking from MySQL to Linux system (SQL Injection)., Marco Ivaldi
Next by Date:	Re: Brute-forcing cached Windows login password hashes, Mathieu CHATEAU
Previous by Thread:	Re: Brute-forcing cached Windows login password hashes, Mathieu CHATEAU
Next by Thread:	Re: Brute-forcing cached Windows login password hashes, Mathieu CHATEAU
Indexes:	[Date] [Thread] [Top] [All Lists]