Discussion in 'other security issues & news' started by Antarctica, Jul 24, 2003.
From CNET News Security.
Nothing new, but faster than the well-known ways like L0phtcrack and John the Ripper, and really easy to prevent.
For WinXP, for instance:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa : modify or create the DWORD value NoLMHash, value 1.
Reboot and change all users' pwds and you are done.
JacK, maybe I'm a little dense on this, but can you tell me what the point of the Swiss (or anybody else for that matter) publicly announcing (and at the same time -exposing-) stuff like this which apparently assists in the compromise of most systems? Is it a test in the ongoing battle or something?
Just sensationalism, AFM: everybody has known for years the weakness of the old LM hash passwords stored... (if you run W98/Me, God help you...) No need on Win2K and up.
This password hash (the LM hash) hasn't been safe for years . . . the average time to crack went from like a minute to a few seconds. Big deal. It only took minutes before; it's not any less safe now. L0phtcrack has been preying on the LM hash for years successfully. However, as part of a good defense in depth, if you remove the LM hash from the SAM, LC4 will have a MUCH tougher time cracking your passwords, if at all. If you remove the hash from the SAM and use a password / passphrase like "You;will;never;ever;guess;this!", LC4 will never crack it in any reasonable amount of time (especially if you force passwords to expire every 42 days etc.).
I recommend reading: http://support.microsoft.com/?id=299656
and : http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/Windows/Win2kHG/03OSInstl.asp
I have seen some giving their e-mail and asking the program to find the pwd, which will be published on the site! As the average user often uses the same authentication to log in on the W3, it's kind of a supermarket for script kiddies.... One might also ask for the pswd for some proxies....
Really a bad idea to put that in the open.
Really stupid from "seekers" IMHO.
Thanks very much, JacK... seems like I have a LOT of study ahead about this... geez...
The fun part is of course that these Swiss were not only able to create a lookup table for the bad LanMan hash, but for the NT hash as well. This password encryption scheme is lots better than the LanMan hash, but it still contains one major weakness:
For other OSs you can't use a lookup table, because there's no direct relation between the entered password and the encrypted form of the password.
So you may call this a marketing plot for exposing an old vulnerability; to me this is applied science. Before, you could only use password cracking tools, which means that the risk of exploiting other people's passwords was a more or less academic risk. Right now, thanks to this academy, it's a real threat.
If you have or can get access to the password file you probably also have or can get access to install a keystroke logger. A keystroke logger will eventually end up giving you all the passwords, not just the M$ related ones.
Which makes the whole discussion of decrypting the password file less of a practical concern and more an interesting academic exercise.
The other thing is that passwords aren't encryption. Password protection does not safeguard your files the way encryption does. Password protection only prevents standard tools reading files.
This is like discussing the theft of automobiles or car stereo systems.
- It shouldn't surprise anyone the crime can be done. (The US army has had tanks stolen. Crime is really hard to totally prevent.)
- Publishing step-by-step how-tos to an audience that includes criminals (on occasions when that happens) in order to boost sales of a protection service or to gain publicity is ethically unacceptable for a professional.
On the other hand, the general public does need to have general information on how to prevent serious breaches of security.
Hello, it just confirms you need to use strong pwds.
I gave the NTHash as I don't use LMHash: nope: unable to find a rather weak pwd, 8 characters, NiBJ0!
Hello, no need for a keylogger: if you have access with an Admin account, that means root access; nothing else needed.
'Learning quite a bit here...also found this post on "cryptographic salts"...
Thanks for the reg hack, JacK! Done. Pete