
Re: Brute-forcing cached Windows login password hashes

To: Mathieu CHATEAU <gollum123@free.fr>, pen-test@securityfocus.com
Subject: Re: Brute-forcing cached Windows login password hashes
From: Carl Livitt <carllivitt@yahoo.com>
Date: Fri, 27 Jul 2007 09:04:54 -0700
So, like I said, mathematically infeasible. Can we have a show of hands
for all those who've got a rainbow table set for the administrator
account? (Government agencies and those with silent black helicopters
need not apply)

Mathieu CHATEAU wrote:
> This works if you have the mscache rainbow table that matches the login
> you want to break...
>
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
>
> ----- Original Message ----- From: "Carl Livitt" <carllivitt@yahoo.com>
> To: "Ben Greenberg" <Ben.Greenberg@senet-int.com>;
> <pen-test@securityfocus.com>
> Sent: Thursday, July 26, 2007 4:39 PM
> Subject: Re: Brute-forcing cached Windows login password hashes
>
>
>>
>> The hash algorithm is a salted MD4. It's impossible (ok, to be pedantic
>> it's mathematically infeasible) to use rainbow tables because of the
>> salting, so that leaves you with dictionary and brute-force.
>>
>> The latest version of John and the MS Cache Hash patches are all
>> available from http://openwall.com/john/. I believe v1.7.2 is the latest
>> version.
>>
>> Regards,
>> Carl
>>
>>
>> Ben Greenberg wrote:
>>> Greetings all,
>>>
>>> My question is regarding the encrypted password hashes that Windows
>>> stores in the registry of the last 10 logins to a workstation.
>>>
>>> I read the original white paper written by Arnaud Pilon and I've used his
>>> cachedump tool to extract the password hashes from the registry. What I'm
>>> wondering is what type of hash those passwords use. Is it straight MD4? I
>>> know that each hash is salted with a machine-specific unique string. What I
>>> am unclear on is what exactly the password hash is and how it can be
>>> brute-forced. I know that there is a patch for John the Ripper, but every
>>> mention I can find refers to a two-year-old version of John. Does anyone
>>> know if the most recent version has this patch in it already? Also, is
>>> anyone familiar with any rainbow tables for cracking these passwords? Are
>>> rainbow tables possible for these hashes because of the salting?
>>>
>>> Thanks all.
>>>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
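Added example, not part of the thread and not code from any of the posters: the hash construction under discussion (MS Cache v1, the DCC1 value that cachedump pulls out of the registry) worked through in Python, with a per-username precomputed table placed next to a plain wordlist attack, so that both sides of the exchange are visible in code: the lowercased username is what salts the hash, a table precomputed for "administrator" does nothing for any other account, and a wordlist run against a dumped entry needs no table at all. MD4 is implemented inline so the script does not depend on OpenSSL's legacy provider. Assumptions: the dump-line layout "user:hexhash:domain:fqdn", the wordlist and the sample entry are constructed for the demo, and the helper names (dcc1, build_table, crack, ...) are mine.

```python
# Added example (not from the thread): DCC1 "MS Cache" hashing, a per-username
# lookup table, and a wordlist attack against a constructed dump line.
# Assumed: DCC1 = MD4(MD4(UTF-16LE(password)) || UTF-16LE(lower(username)));
# dump lines look like "user:hexhash:domain:fqdn"; all sample data is made up.
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); avoids hashlib's OpenSSL-legacy dependency."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0x00)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h3(x, y, z):
        return x ^ y ^ z

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = _lrot((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):  # round 2
            a = _lrot((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = _lrot((a + h3(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def dcc1(password: str, username: str) -> bytes:
    """MS Cache v1: the NT hash of the password re-hashed with the lowercased
    username appended. The username is the only salt in this construction."""
    nt_hash = md4(password.encode("utf-16-le"))
    return md4(nt_hash + username.lower().encode("utf-16-le"))


def parse_dump_line(line: str):
    """Assumed layout 'user:hexhash:domain:fqdn'; only the first two fields matter."""
    fields = line.strip().split(":")
    if len(fields) < 2 or len(fields[1]) != 32:
        raise ValueError("unrecognised dump line: %r" % line)
    return fields[0], bytes.fromhex(fields[1])


def build_table(username: str, wordlist) -> dict:
    """hash -> password precomputed for ONE username: what a per-account table buys you."""
    return {dcc1(w, username): w for w in wordlist}


def lookup(table: dict, line: str):
    """Table hit only if the table was built for the username on this line."""
    return table.get(parse_dump_line(line)[1])


def crack(line: str, wordlist):
    """Wordlist attack: hash each candidate with the line's own username, no table needed."""
    user, target = parse_dump_line(line)
    for candidate in wordlist:
        if dcc1(candidate, user) == target:
            return candidate
    return None


# Constructed sample: one dumped entry for user 'jsmith' whose password is 'Summer2007'.
WORDLIST = ["password", "letmein", "Summer2007", "Winter2007", "P@ssw0rd"]
SAMPLE_LINE = "jsmith:%s:CORP:corp.example" % dcc1("Summer2007", "jsmith").hex()

if __name__ == "__main__":
    print("table for 'administrator' against jsmith's entry:",
          lookup(build_table("administrator", WORDLIST), SAMPLE_LINE))
    print("table for 'jsmith' against jsmith's entry:",
          lookup(build_table("jsmith", WORDLIST), SAMPLE_LINE))
    print("wordlist attack recovers:", crack(SAMPLE_LINE, WORDLIST))
```

Run it as a script to see the "administrator" table miss, the "jsmith" table hit, and the wordlist hit on the same entry. On a real engagement the loop in crack() is what John's MS Cache format does far faster; this script only makes the salt behaviour concrete.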

