
SV: Brute-forcing cached Windows login password hashes

To: <pen-test@securityfocus.com>
Subject: SV: Brute-forcing cached Windows login password hashes
From: "Per Thorsheim" <putilutt@online.no>
Date: Fri, 27 Jul 2007 22:30:32 +0200
In-reply-to: <46A8B204.8000709@yahoo.com>
References: <CE446230FD6A66468C69A25C27ED35961BC418@flame.senet-int.com> <46A8B204.8000709@yahoo.com>
Sorry, my bad. Anyway, doing a dictionary/hybrid attack will probably give
you access a lot faster. I've done quite a few password audits on Windows
systems over the last 9 years or so, and based on my experience you should
get 3-10% of all passwords in a domain within a few minutes of running a
simple dictionary logon attack.

Then again, why break the passwords, as pass-the-hash is fully possible in
most Windows environments?

Regards,
Per Thorsheim


-----Original message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
behalf of Carl Livitt
Sent: 26 July 2007 16:39
To: Ben Greenberg; pen-test@securityfocus.com
Subject: Re: Brute-forcing cached Windows login password hashes


The hash algorithm is a salted MD4. It's impossible (ok, to be pedantic it's
mathematically infeasible) to use rainbow tables because of the salting, so
that leaves you with dictionary and brute-force.

The latest version of John and the MS Cache Hash patches are all available
from http://openwall.com/john/. I believe v1.7.2 is the latest version.

Regards,
Carl


Ben Greenberg wrote:
> Greetings all,
>  
> My question is regarding the encrypted password hashes that Windows 
> stores in the registry of the last 10 logins to a workstation.
>
> I read the original white paper written by Arnaud Pilon and I've used 
> his cachedump tool to extract the password hashes from the registry. 
> What I'm wondering is what type of hash those passwords use. Is it 
> straight MD4? I know that each hash is salted with a machine-specific 
> unique string. What I am unclear on is what exactly the password hash 
> is and how it can be brute-forced. I know that there is a patch for 
> John the Ripper, but every mention I can find refers to a two year old 
> version of John. Does anyone know if the most recent version has this 
> patch in it already? Also, is anyone familiar with any rainbow tables 
> for cracking these passwords? Are rainbow tables possible for these hashes
> because of the salting?
>
> Thanks all.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
>   

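Carl's "salted MD4" above is the MS Cache Hash v1 (the pre-Vista cached-credential format that John's mscash patch handles): the NT hash of the password is fed through MD4 a second time together with the lowercased account name, so the "salt" is the username, and a precomputed table would only ever cover one account. The following is an added example, not code from any of the posters or from John the Ripper; the function names and the sample account are mine, and MD4 is implemented in pure Python because hashlib's md4 is frequently disabled under OpenSSL 3.

```python
import struct


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (hashlib's md4 is often unavailable on OpenSSL 3)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    # Per-round word order, rotation amounts and additive constants from the RFC.
    order = [list(range(16)),
             [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
             [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]]
    shifts = [(3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15)]
    consts = [0, 0x5A827999, 0x6ED9EBA1]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            r, j = divmod(i, 16)
            if r == 0:
                fn = (b & c) | (~b & d)
            elif r == 1:
                fn = (b & c) | (b & d) | (c & d)
            else:
                fn = b ^ c ^ d
            t = _rotl((a + fn + x[order[r][j]] + consts[r]) & 0xFFFFFFFF, shifts[r][j % 4])
            a, b, c, d = d, t, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16le"))


def dcc1_hash(username: str, password: str) -> str:
    """MS Cache Hash v1: MD4(NT hash || UTF-16LE(lowercased username)), hex."""
    return md4(nt_hash(password) + username.lower().encode("utf-16le")).hex()


def matches_cached_hash(username: str, stored_hex: str, candidate: str) -> bool:
    """The per-candidate check a dictionary run must do: recompute with that account's salt."""
    return dcc1_hash(username, candidate) == stored_hex.lower()
```

Because the username is mixed into the second MD4, two accounts with the same password store different cached hashes, which is exactly why the rainbow tables Ben asked about do not apply here.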