Free Republic
News/Activism

Cracking Windows passwords in 5 seconds (Cool concept, unless you, you know, use Windows)
SecurityFocus BUGTRAQ Mailing List ^ | July 22, 2003 | Philippe Oechslin

Posted on 07/22/2003 8:38:27 PM PDT by Timesink

To: BugTraq

Subject: Cracking windows passwords in 5 seconds

Date: Jul 22 2003 8:37PM

Author: Philippe Oechslin

As opposed to Unix, Windows password hashes can be calculated in advance because no salt or other random information is involved. This makes so-called time-memory trade-off attacks possible. This vulnerability is not new but we think that we have the first tool to exploit this.

At LASEC (lasecwww.epfl.ch) we have developed an advanced time-memory trade-off method. It is based on original work which was done in 1980 but has never been applied to windows passwords. It works by calculating all possible hashes in advance and storing some of them in an organized table. The more information you keep in the table, the faster the cracking will be.

We have implemented an online demo of this method which cracks alphanumerical passwords in 5 seconds on average (see http://lasecpc13.epfl.ch/ntcrack). With the help of 0.95GB of data we can find the password after an average of 4 million hash operations. A brute force cracker would need to calculate an average of 50% of all hashes, which amounts to about 40 billion hashes for alphanumerical passwords (lanman hash).

More info about the method can be found in a paper at http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03.

Philippe Oechslin


TOPICS: Crime/Corruption; Extended News; Miscellaneous; Technical
KEYWORDS: computersecurityin; microsoft; passwords; security; techindex; windows

"Fascinating."


1 posted on 07/22/2003 8:38:29 PM PDT by Timesink

To: Timesink
Great News! [sarc]
2 posted on 07/22/2003 8:45:14 PM PDT by Cold Heat (Negotiate!! .............(((Blam!.)))........... "Now who else wants to negotiate?")

To: *tech_index; *Microsoft; *Computer Security In
bump for bump lists
3 posted on 07/22/2003 8:51:25 PM PDT by Timesink

To: Bush2000
...
4 posted on 07/22/2003 8:53:48 PM PDT by Jhoffa_ (For the clueless: Conservatives DO NOT believe in "subsidized" drugs.)

To: Timesink
This would be more useful if I knew what a "lanmanager hash" was. They want information from me that I don't even have, let alone am willing to give out. So what's the catch - you give them a code, they decode it for you?
5 posted on 07/22/2003 8:54:07 PM PDT by meyer

To: Timesink
This is almost completely useless as an exploit.
6 posted on 07/22/2003 8:55:12 PM PDT by general_re (The wheel is turning but the hamster is dead.)

To: meyer
It's not useful to anyone as much of anything, other than maybe as a proof of concept sort of thing. Nobody is going to be using this to crack into your system, particularly if you use Windows 2000 or later, or NT4 with SYSKEY enabled.
7 posted on 07/22/2003 9:11:26 PM PDT by general_re (The wheel is turning but the hamster is dead.)

To: Timesink
Oh please. All you need is the emergency boot disk to have access to the whole Windows system sans password.
8 posted on 07/22/2003 9:15:24 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)

To: Timesink
This isn't an exploit. It's a cute sophomore computer science programming exercise.
9 posted on 07/22/2003 9:19:32 PM PDT by Ramius

To: general_re
Or, what you said. :-)
10 posted on 07/22/2003 9:20:01 PM PDT by Ramius

To: Southack
Well, yes. Physical access to any machine is pretty much the same as complete access. Mostly.
11 posted on 07/22/2003 9:21:11 PM PDT by Ramius

To: Ramius
I like your version better - brevity is the soul of wit, after all ;)
12 posted on 07/22/2003 9:21:35 PM PDT by general_re (The wheel is turning but the hamster is dead.)

To: general_re
I don't think it is ... if you can get the hashed version of the password you can then crack it as they don't use any "salt" in the hash. So "xyzzy" will always hash to "wqrtw" whereas in the unix world you'll throw some other characters in the password before hashing it. That salt is included as plaintext in the hash.
That means that you only have to hash all the possible combinations of 8 letter words to get their full dictionary of possibilities. If they had salt in there (say numbers 0->255) you would have to have a list that's 255 times bigger. I'm not sure what the salt number range is in unix.
It's my understanding that if you sniff the wire when logging into a domain you might be able to get this hashed password.
13 posted on 07/22/2003 9:22:42 PM PDT by lelio
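The precomputation Oechslin's note describes, and the salt point lelio makes in #13, as an added toy implementation (not Oechslin's tool and not code from this thread): it builds a small rainbow-style table over a three-letter lowercase keyspace, with MD5 standing in for the LM hash purely for illustration, looks a hash up with far fewer hash operations than brute force, and shows that the same table finds nothing once a salt is mixed into the hash.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase
LENGTH = 3                        # toy keyspace: 26**3 = 17,576 candidate passwords
N = len(ALPHABET) ** LENGTH

def index_to_pw(n):
    """Map an integer in [0, N) to one password of the toy keyspace."""
    pw = ""
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        pw += ALPHABET[r]
    return pw

def unsalted_hash(pw):
    """Stand-in for the LM hash: same password, same hash, no salt (MD5 here)."""
    return hashlib.md5(pw.encode()).digest()

def salted_hash(salt, pw):
    """Unix-style hash: the salt is mixed in, so a precomputed table is useless."""
    return hashlib.md5(salt + pw.encode()).digest()

def reduce_to_pw(digest, column):
    """Reduction function R_column: hash -> password, different in each column."""
    return index_to_pw((int.from_bytes(digest[:8], "big") + column) % N)

def build_table(chains, length):
    """Offline phase: compute chains*length hashes, keep only (end -> start)."""
    table = {}
    for i in range(chains):
        start = pw = index_to_pw(i * 7919 % N)   # spread starts over the keyspace
        for col in range(length):
            pw = reduce_to_pw(unsalted_hash(pw), col)
        table.setdefault(pw, start)              # keep the first chain on a merge
    return table

def lookup(table, length, target):
    """Online phase: about length**2/2 hashes, versus N/2 for brute force."""
    for i in range(length):                      # assume target sits in column i
        pw = reduce_to_pw(target, i)
        for col in range(i + 1, length):
            pw = reduce_to_pw(unsalted_hash(pw), col)
        if pw in table:                          # chain end matched: rebuild it
            pw = table[pw]
            for col in range(length):
                if unsalted_hash(pw) == target:
                    return pw
                pw = reduce_to_pw(unsalted_hash(pw), col)
    return None
```

With 400 chains of length 40 the table holds 400 entries for 16,000 precomputed hashes; a lookup costs at most about 800 hashes plus chain rebuilds, while brute force over the same keyspace averages 8,788.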

To: meyer
I went to high school with Lanmanager Hash. He wore denim leisure suits and smelled like roast pork.
14 posted on 07/22/2003 9:23:15 PM PDT by dead

To: wirestripper
I hope every Windows administrator is doing the following:

Set your password policy to 8 Chars, complexity enabled, password history 24.
Set your account policy to three attempts, lockout indef, duration 30 minutes.
Rename the administrator account to something else. Use restricted groups on Domain Admins, Enterprise Admins and Administrators.
Set audit policy to failure on account logon.
Set idle timeout to some minimum.

It's just like not leaving the keys in the ignition, locking the doors, rolling up the windows, moving all visible valuables into the trunk, and parking in a well-lit area if you don't want your car stolen.

15 posted on 07/22/2003 9:28:48 PM PDT by Alas Babylon!

To: dead
Someone offered me some Lanmanager Hash at a seedy party once.
16 posted on 07/22/2003 9:29:07 PM PDT by lelio

To: lelio
That sh!t will make you crazy.
17 posted on 07/22/2003 9:32:26 PM PDT by dead

To: Ramius
"Well, yes. Physical access to any machine is pretty much the same as complete access. Mostly."

I don't see it, even with the "mostly" caveat tossed in.

How many people, given full access to an ATM or POS terminal, could debit the accounts of other bank customers?

You see, **security** is more than just protecting a machine's physical access. Good security will survive even with a machine physically compromised.

18 posted on 07/22/2003 9:34:36 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)

To: lelio
It's my understanding that if you sniff the wire when logging into a domain you might be able to get this hashed password.

Well, yes. But if I have people sniffing on my network I think I already have way bigger problems, don'tcha think?

19 posted on 07/22/2003 9:36:52 PM PDT by Ramius

To: dead
(sarcasm on)
Dude,
Lanmanager Hash is from Maui man.
His brother is Sniff and his sister is Doue.
(now returning to regularly scheduled cynicism)
20 posted on 07/22/2003 9:38:50 PM PDT by bonesmccoy (Defeat the terrorists... Vaccinate!)

