Cracking Windows passwords in 5 seconds (Cool concept, unless you, you know, use Windows)
SecurityFocus BUGTRAQ Mailing List | July 22, 2003 | Philippe Oechslin
Posted on 07/22/2003 8:38:27 PM PDT by Timesink
To: BugTraq
Subject: Cracking windows passwords in 5 seconds
Date: Jul 22 2003 8:37PM
Author: Philippe Oechslin
As opposed to unix, windows password hashes can be calculated in advance because no salt or other random information is involved. This makes so-called time-memory trade-off attacks possible. This vulnerability is not new but we think that we have the first tool to exploit this.
At LASEC (lasecwww.epfl.ch) we have developed an advanced time-memory trade-off method. It is based on original work which was done in 1980 but has never been applied to windows passwords. It works by calculating all possible hashes in advance and storing some of them in an organized table. The more information you keep in the table, the faster the cracking will be.
We have implemented an online demo of this method which cracks alphanumerical passwords in 5 seconds on average (see http://lasecpc13.epfl.ch/ntcrack). With the help of 0.95GB of data we can find the password after an average of 4 million hash operations. A brute force cracker would need to calculate an average of 50% of all hashes, which amounts to about 40 billion hashes for alphanumerical passwords (lanman hash).
More info about the method can be found in a paper at http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03.
Philippe Oechslin
TOPICS: Crime/Corruption; Extended News; Miscellaneous; Technical
KEYWORDS: computersecurityin; microsoft; passwords; security; techindex; windows
1 posted on 07/22/2003 8:38:29 PM PDT by Timesink
To: Timesink
Great News! [sarc]
2 posted on 07/22/2003 8:45:14 PM PDT by Cold Heat (Negotiate!! .............(((Blam!.)))........... "Now who else wants to negotiate?")
To: *tech_index; *Microsoft; *Computer Security In
bump for bump lists
3 posted on 07/22/2003 8:51:25 PM PDT by Timesink
To: Bush2000
...
4 posted on 07/22/2003 8:53:48 PM PDT by Jhoffa_ (For the clueless: Conservatives DO NOT believe in "subsidized" drugs.)
To: Timesink
This would be more useful if I knew what a "lanmanager hash" was. They want information from me that I don't even have, let alone am willing to give out. So what's the catch - you give them a code, they decode it for you?
5 posted on 07/22/2003 8:54:07 PM PDT by meyer
To: Timesink
This is almost completely useless as an exploit.
6 posted on 07/22/2003 8:55:12 PM PDT by general_re (The wheel is turning but the hamster is dead.)
To: meyer
It's not useful to anyone as much of anything, other than maybe as a proof of concept sort of thing. Nobody is going to be using this to crack into your system, particularly if you use Windows 2000 or later, or NT4 with SYSKEY enabled.
7 posted on 07/22/2003 9:11:26 PM PDT by general_re (The wheel is turning but the hamster is dead.)
To: Timesink
Oh please. All you need is the emergency boot disk to have access to the whole Windows system sans password.
8 posted on 07/22/2003 9:15:24 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
To: Timesink
This isn't an exploit. It's a cute sophomore computer science programming exercise.
9 posted on 07/22/2003 9:19:32 PM PDT by Ramius
To: general_re
Or, what you said. :-)
10 posted on 07/22/2003 9:20:01 PM PDT by Ramius
To: Southack
Well, yes. Physical access to any machine is pretty much the same as complete access. Mostly.
11 posted on 07/22/2003 9:21:11 PM PDT by Ramius
To: Ramius
I like your version better - brevity is the soul of wit, after all ;)
12 posted on 07/22/2003 9:21:35 PM PDT by general_re (The wheel is turning but the hamster is dead.)
To: general_re
I don't think it is ... if you can get the hashed version of the password you can then crack it as they don't use any "salt" in the hash. So "xyzzy" will always hash to "wqrtw" whereas in the unix world you'll throw some other characters in the password before hashing it. That salt is included as plaintext in the hash.
That means that you only have to hash all the possible combinations of 8 letter words to get their full dictionary of possibilities. If they had salt in there (say numbers 0->255) you would have to have a list that's 255 times bigger. I'm not sure what the salt number range is in unix.
It's my understanding that if you sniff the wire when logging into a domain you might be able to get this hashed password.
13 posted on 07/22/2003 9:22:42 PM PDT by lelio
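Oechslin's time-memory trade-off (post 1) and lelio's point about the missing salt (post 13) can both be seen in one small Python model. This is an added example, not code from the BugTraq post or from LASEC's tool: MD5 stands in for the unsalted Windows hash, the keyspace is three lowercase alphanumerics instead of an LM half of seven, and the chain length and table size are assumptions picked so it runs in a few seconds. Chains are precomputed once and only their start and end points are kept; recovering a password then costs a few thousand hash operations rather than half the keyspace. A Unix-style salted hash of the same password is not found in the table, which is the reason a salt forces one table per salt value.

```python
"""Toy time-memory trade-off (rainbow-style chain table) against an unsalted hash.

Added example for this thread, not Oechslin's or LASEC's code.  MD5 is a stand-in
for an unsalted Windows hash; the 3-character keyspace and the chain/table sizes
are assumptions chosen so the demo finishes in seconds."""
import hashlib
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, as in case-folded LM
PW_LEN = 3                                          # toy keyspace: 36**3 = 46,656 passwords
KEYSPACE = len(ALPHABET) ** PW_LEN
HASH_CALLS = [0]                                    # counts hash operations for the cost comparison


def unsalted_hash(pw: str) -> bytes:
    """Stand-in for an unsalted hash: the same password always gives the same digest."""
    HASH_CALLS[0] += 1
    return hashlib.md5(pw.encode()).digest()


def salted_hash(pw: str, salt: bytes) -> bytes:
    """Unix-style: the salt is mixed in, so one password has a different hash per salt."""
    return hashlib.md5(salt + pw.encode()).digest()


def reduce_to_pw(h: bytes, column: int) -> str:
    """Map a digest back into the password space.  Mixing in the column index gives a
    different reduction per column (the rainbow refinement), which limits chain merges."""
    n = (int.from_bytes(h[:8], "big") + column) % KEYSPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def walk_chain(start: str, chain_len: int) -> list:
    """Return [pw_0, pw_1, ..., pw_chain_len] with pw_{i+1} = reduce(hash(pw_i), i)."""
    chain = [start]
    for column in range(chain_len):
        chain.append(reduce_to_pw(unsalted_hash(chain[-1]), column))
    return chain


def build_table(chain_len: int, n_chains: int) -> dict:
    """Precompute n_chains chains and keep only end -> start.  Memory is n_chains
    entries instead of the whole keyspace; that is the trade-off."""
    table = {}
    for i in range(n_chains):
        start = reduce_to_pw(i.to_bytes(8, "big"), 0)  # distinct, deterministic start points
        end = walk_chain(start, chain_len)[-1]
        table.setdefault(end, start)                    # on a merge, keep the first chain
    return table


def lookup(table: dict, chain_len: int, target: bytes):
    """For every column the target digest could occupy, run the chain forward to its
    end; if that end is stored, regenerate the chain from its start to recover the
    password.  Returns the password or None."""
    for column in range(chain_len - 1, -1, -1):
        pw = reduce_to_pw(target, column)
        for later in range(column + 1, chain_len):
            pw = reduce_to_pw(unsalted_hash(pw), later)
        if pw in table:
            for candidate in walk_chain(table[pw], chain_len)[:-1]:
                if unsalted_hash(candidate) == target:
                    return candidate
    return None


def expected_brute_force_hashes(alphabet_size: int, length: int) -> int:
    """Average brute-force cost is half the keyspace.  36 symbols x 7 characters (one
    LM half) gives about 39 billion, the 'about 40 billion' figure in the post."""
    return alphabet_size ** length // 2


def demo(chain_len: int = 100, n_chains: int = 2000) -> dict:
    """Build the table, crack a password known to lie on the first chain, then show
    that a salted digest of the same password is not in the table."""
    table = build_table(chain_len, n_chains)
    first_start = reduce_to_pw((0).to_bytes(8, "big"), 0)
    target_pw = walk_chain(first_start, chain_len)[3]   # constructed target, column 3 of chain 0
    HASH_CALLS[0] = 0
    found = lookup(table, chain_len, unsalted_hash(target_pw))
    lookup_cost = HASH_CALLS[0]
    salted_result = lookup(table, chain_len, salted_hash(target_pw, b"\x01\x02"))
    return {"table_entries": len(table), "target": target_pw, "found": found,
            "lookup_hashes": lookup_cost, "brute_force_hashes": KEYSPACE // 2,
            "salted_result": salted_result}


if __name__ == "__main__":
    print(demo())
```

Scaling the same construction up is what the post describes: expected_brute_force_hashes(36, 7) returns the 39 billion figure behind the post's "about 40 billion", and the stored table replaces that with a fixed amount of data plus the few million hash operations quoted for the demo. Against the salted hash the table returns nothing, and building one table per salt value is what makes lelio's "255 times bigger" remark the right order of magnitude.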
To: meyer
I went to high school with Lanmanager Hash. He wore denim leisure suits and smelled like roast pork.
14 posted on 07/22/2003 9:23:15 PM PDT by dead
To: wirestripper
I hope every Windows administrator is doing the following:
Set your password policy to 8 Chars, complexity enabled, password history 24.
Set your account policy to three attempts, lockout indef, duration 30 minutes.
Rename the administrator account to something else. Use restricted groups on Domain Admins, Enterprise Admins and Administrators.
Set audit policy to failure on account logon.
Set idle timeout to some minimum.
It's just like not leaving the keys in the ignition, locking the doors, rolling up the windows, moving all visible valuables into the trunk, and parking in a well-lit area if you don't want your car stolen.
To: dead
Someone offered me some Lanmanager Hash at a seedy party once.
16 posted on 07/22/2003 9:29:07 PM PDT by lelio
To: lelio
That sh!t will make you crazy.
17 posted on 07/22/2003 9:32:26 PM PDT by dead
To: Ramius
"Well, yes. Physical access to any machine is pretty much the same as complete access. Mostly."
I don't see it, even with the "mostly" caveat tossed in.
How many people, given full access to an ATM or POS terminal, could debit the accounts of other bank customers?
You see, **security** is more than just protecting a machine's physical access. Good security will survive even with a machine physically compromised.
18 posted on 07/22/2003 9:34:36 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
To: lelio
"It's my understanding that if you sniff the wire when logging into a domain you might be able to get this hashed password."
Well, yes. But if I have people sniffing on my network I think I already have way bigger problems, don'tcha think?
19 posted on 07/22/2003 9:36:52 PM PDT by Ramius
To: dead
(sarcasm on)
Dude,
Lanmanager Hash is from Maui man.
His brother is Sniff and his sister is Doue.
(now returning to regularly scheduled cynicism)
20 posted on 07/22/2003 9:38:50 PM PDT by bonesmccoy (Defeat the terrorists... Vaccinate!)