Free Republic
News/Activism

Cracking Windows passwords in 5 seconds (Cool concept, unless you, you know, use Windows)
SecurityFocus BUGTRAQ Mailing List | July 22, 2003 | Philippe Oechslin

Posted on 07/22/2003 8:38:27 PM PDT by Timesink

To: BugTraq

Subject: Cracking Windows passwords in 5 seconds

Date: Jul 22 2003 8:37PM

Author: Philippe Oechslin

As opposed to Unix, Windows password hashes can be calculated in advance because no salt or other random information is involved. This makes so-called time-memory trade-off attacks possible. This vulnerability is not new, but we think that we have the first tool to exploit this.

At LASEC (lasecwww.epfl.ch) we have developed an advanced time-memory trade-off method. It is based on original work which was done in 1980 but has never been applied to Windows passwords. It works by calculating all possible hashes in advance and storing some of them in an organized table. The more information you keep in the table, the faster the cracking will be.

We have implemented an online demo of this method which cracks alphanumerical passwords in 5 seconds on average (see http://lasecpc13.epfl.ch/ntcrack). With the help of 0.95GB of data we can find the password after an average of 4 million hash operations. A brute force cracker would need to calculate an average of 50% of all hashes, which amounts to about 40 billion hashes for alphanumerical passwords (lanman hash).

More info about the method can be found in a paper at http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03.

Philippe Oechslin
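Added example, not Oechslin's tool (the post links to a demo and a paper but includes no source): a minimal rainbow-style time-memory trade-off in Python over a toy keyspace of 36^4 four-character passwords, with unsalted MD5 standing in for the LM hash. The reduction function, the chain length and count, the seed and the keyspace size are assumptions chosen so the table builds in a couple of seconds; the mechanism is the one the post describes: hash the keyspace once offline, store only chain start and end points, then recover a password with far fewer hash operations than a brute-force search needs on average.

```python
import hashlib
import random

# Toy keyspace standing in for the alphanumeric LM set in the post: 36 symbols,
# length 4, i.e. 1,679,616 candidates (assumption: LM upper-cases its input, so
# a single-case alphabet is the honest analogue).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
LENGTH = 4
KEYSPACE = len(ALPHABET) ** LENGTH


def index_to_password(n):
    """Map an integer in [0, KEYSPACE) to a password (mixed-radix digits)."""
    chars = []
    for _ in range(LENGTH):
        n, digit = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[digit])
    return "".join(chars)


def unsalted_hash(password):
    """Stand-in for an unsalted Windows hash: same input, same output, everywhere.
    That property is what makes a table built once reusable against every target."""
    return hashlib.md5(password.encode("ascii")).digest()


def reduce_to_password(digest, column):
    """Reduction R_column: map a hash back into the keyspace. Mixing in the column
    index is the rainbow refinement; chains that collide in different columns
    diverge again instead of merging for good."""
    n = (int.from_bytes(digest[:8], "big") + column) % KEYSPACE
    return index_to_password(n)


def chain(start, chain_len):
    """p0 = start, p_{i+1} = R_i(H(p_i)). Returns [p0 .. p_t]; p_t is the endpoint,
    p0 .. p_{t-1} are the passwords this chain covers."""
    pws = [start]
    for col in range(chain_len):
        pws.append(reduce_to_password(unsalted_hash(pws[-1]), col))
    return pws


class RainbowTable:
    def __init__(self, chains, chain_len, seed=2003):
        self.chain_len = chain_len
        self.endpoints = {}  # endpoint -> [start, ...]; only these two columns are kept
        rng = random.Random(seed)
        for _ in range(chains):
            start = index_to_password(rng.randrange(KEYSPACE))
            self.endpoints.setdefault(chain(start, chain_len)[-1], []).append(start)
        self.build_hash_ops = chains * chain_len  # paid once, offline

    def lookup(self, target):
        """Recover the password behind an unsalted hash. Returns (password, hash_ops)."""
        ops = 0
        for col in range(self.chain_len - 1, -1, -1):
            # Hypothesis: the password sits in column `col` of some chain. Finish
            # that chain from here and see whether its endpoint is in the table.
            pw = reduce_to_password(target, col)
            for c in range(col + 1, self.chain_len):
                pw = reduce_to_password(unsalted_hash(pw), c)
                ops += 1
            for start in self.endpoints.get(pw, ()):
                # Regenerate the chain up to the matching column; a false alarm
                # (endpoint match without the hash) simply falls through.
                cand = start
                for c in range(self.chain_len):
                    h = unsalted_hash(cand)
                    ops += 1
                    if h == target:
                        return cand, ops
                    cand = reduce_to_password(h, c)
        return None, ops


def brute_force(target):
    """Baseline: hash candidates in index order until one matches."""
    for n in range(KEYSPACE):
        pw = index_to_password(n)
        if unsalted_hash(pw) == target:
            return pw, n + 1
    return None, KEYSPACE


TABLE = RainbowTable(chains=8000, chain_len=80)

if __name__ == "__main__":
    # Pick a password known to lie in one chain so the demo is deterministic.
    start = next(iter(TABLE.endpoints.values()))[0]
    secret = chain(start, TABLE.chain_len)[37]
    target = unsalted_hash(secret)
    found, ops = TABLE.lookup(target)
    print(f"table: {len(TABLE.endpoints)} endpoints from {TABLE.build_hash_ops} build hashes")
    print(f"rainbow lookup: {found!r} after {ops} hash operations")
    print(f"brute force:    {brute_force(target)[1]} hash operations (average {KEYSPACE // 2})")
```

Compare the two counts when you run it: the lookup costs on the order of t^2/2 hash operations (a few thousand here) against a brute-force average of KEYSPACE/2, the same shape as the 4 million versus 40 billion in the post. Scaling up to a table the size the post mentions is a matter of more and longer chains; what no amount of table can absorb is a per-account salt, because every salt value would need a table of its own.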


TOPICS: Crime/Corruption; Extended News; Miscellaneous; Technical
KEYWORDS: computersecurityin; microsoft; passwords; security; techindex; windows
To: Ramius
Later...
61 posted on 07/22/2003 10:48:06 PM PDT by Michael Barnes
[ In reply to #59 ]

To: Russian Sage
"There is no technology to make a short password secure."

So how many digits are in your ATM password?!

62 posted on 07/22/2003 10:48:29 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ In reply to #56 ]

To: unix
Roger that. :-)

Be good. or if not... be untraceable.

Later,

63 posted on 07/22/2003 10:49:42 PM PDT by Ramius
[ In reply to #57 ]

To: Southack
Not really an ATM hack, but there was a case in NYC where the cashier would swipe your card on the store's credit card machine, and then again on their local card reader. When you entered your PIN on the keypad someone was watching to get the 4 digits.
I think the plan was to clone your card and then use it. I can't see how this system would fail, as it's my understanding that nothing's written to your card when you swipe it through a machine. If there was, you could easily detect this as the 2nd card wouldn't know the 2nd bit turned from "AD" to "BC" or something similar.
64 posted on 07/22/2003 10:52:48 PM PDT by lelio
[ In reply to #60 ]

To: Southack
Duress is when a foreign agent is beating the crap out of your wife and baby daughter until you give him a password that accesses all of your information.

Except that while the "duress" password will give said access to most or all of your critical data, it also signals your own team to come swooping in to the rescue.

That's great if you're the CIA or some such. For the rest of us, having a SWAT team on 24-hour standby is not exactly a practical alternative - rather, the name of the game is to prevent such attacks in the first place by controlling physical access in such a way that only authorized users get in the door. That way, the bad guy doesn't bother kidnapping you because even if he has your password, the large men stationed near the front door will prevent him from sitting down at a terminal and typing away.

65 posted on 07/22/2003 10:52:53 PM PDT by general_re (The wheel is turning but the hamster is dead.)
[ In reply to #53 ]

To: lelio
"I can't see how this system would fail..."

Well, there's always that pesky camera taking digital pictures of every ATM use/attempt!

66 posted on 07/22/2003 10:55:35 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ In reply to #64 ]

To: general_re
"the name of the game is to prevent such attacks in the first place by controlling physical access in such a way that only authorized users get in the door."

So ATM's and POS terminals control the physical access to their boxes in such a way that only authorized users can be physically near them?!

Come on guys, there is more to security than tactical solutions. Architect your system such that vulnerable data is NOT on vulnerable machines. Mimic what already works out in the field.

Anyone can gain physical access to an ATM or POS terminal, but that doesn't mean that the entire bank or even one account holder is compromised.

Use the Net!

67 posted on 07/22/2003 10:59:40 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ In reply to #65 ]

To: Southack
So how many digits are in your ATM password?!

The same as in the last four digits of my social security number, which some banks use as a "password" for phone banking!
68 posted on 07/22/2003 11:01:19 PM PDT by Russian Sage
[ In reply to #62 ]

To: Russian Sage
The same as in the last four digits of my social security number, which some banks use as a "password" for phone banking!

When I went to college your SSN was your student ID number. Yikes! Some professors wised up to that and when posting test scores they would only use the last four digits of your SSN.
However, that ignores that the first three digits are easily guessed, as it's based on the state you received your number in. Since it was a state school you could surmise that the person was one of 5 numbers. Then all you had to do was guess the two-digit middle number.
69 posted on 07/22/2003 11:06:58 PM PDT by lelio
[ In reply to #68 ]

To: Southack
So ATM's and POS terminals control the physical access to their boxes in such a way that only authorized users can be physically near them?!

You've never used an ATM machine in an atrium or other entryway, the kind where you had to slide your card in a slot to get the electronic lock to switch off before you could even get at the machine?

I wanna move wherever you are - it sounds like a much nicer and more innocent place than the rest of the world ;)

Anyone can gain physical access to an ATM or POS terminal, but that doesn't mean that the entire bank or even one account holder is compromised.

That's great, but unfortunately my computer has to have access to anyone's account that I so choose, rather than simply restricting me to one account - my own. Why? Because that's what I do all day. I have to be able to do things that ATM machines are designed to prevent people from doing, so telling me to make it like an ATM machine doesn't solve my problem. And that kind of power raises issues that the people who make ATM's don't have to worry about, like really controlling who has physical access to my machine.

70 posted on 07/22/2003 11:12:16 PM PDT by general_re (The wheel is turning but the hamster is dead.)
[ In reply to #67 ]

bump
71 posted on 07/22/2003 11:12:28 PM PDT by amarok
[ In reply to #1 ]

To: lelio
"they don't use any "salt" in the hash. So "xyzzy" will always hash to "wqrtw" whereas in the unix world you'll throw some other characters in the password before hashing it. That salt is included..."

More salt and hash here than in the greasy spoon up the street.

72 posted on 07/22/2003 11:16:15 PM PDT by RightOnline
[ In reply to #13 ]
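Added example to make the quoted point about salt concrete (example code, not from the post or any thread participant). It tabulates a toy 36^3 keyspace once, then shows that the single table answers every unsalted account with a dictionary lookup, while a salted store forces a fresh table per salt and also hides which users chose the same password. The keyspace size, the constructed accounts, the fixed salts and MD5 as the hash function are assumptions for the demo.

```python
import hashlib
import itertools

# Toy keyspace: 36 symbols, length 3 -> 46,656 candidates, small enough to
# tabulate completely in memory (an assumption for the demo, not LM's size).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
LENGTH = 3
KEYSPACE = len(ALPHABET) ** LENGTH


def hash_unsalted(password):
    """Stand-in for the Windows scheme the post describes: no salt, so the
    same password gives the same hash for every user on every machine."""
    return hashlib.md5(password.encode("ascii")).digest()


def hash_salted(salt, password):
    """Unix-style: a per-account salt is mixed in and stored next to the hash.
    (A real system would also use a slow KDF; md5 keeps the demo fast.)"""
    return hashlib.md5(salt + password.encode("ascii")).digest()


def precompute(hash_fn):
    """Hash the whole keyspace once into a hash -> password table.
    Returns (table, hash_ops)."""
    table = {}
    for chars in itertools.product(ALPHABET, repeat=LENGTH):
        pw = "".join(chars)
        table[hash_fn(pw)] = pw
    return table, KEYSPACE


# Constructed sample accounts (not real data). alice and bob chose the same
# password; salts are fixed so the run is reproducible, where a real system
# would draw them from os.urandom().
PASSWORDS = {"alice": "p4s", "bob": "p4s", "carol": "q7x"}
SALTS = {"alice": b"\x01\x02", "bob": b"\x9a\xbc", "carol": b"\x55\x55"}


def store_unsalted():
    """user -> (salt, hash) as an unsalted system keeps it (empty salt)."""
    return {u: (b"", hash_unsalted(p)) for u, p in PASSWORDS.items()}


def store_salted():
    """user -> (salt, hash) as a salted system keeps it."""
    return {u: (SALTS[u], hash_salted(SALTS[u], p)) for u, p in PASSWORDS.items()}


def crack_unsalted(accounts):
    """One table, built once, answers every account with a dictionary lookup."""
    table, ops = precompute(hash_unsalted)
    return {u: table.get(h) for u, (_, h) in accounts.items()}, ops


def crack_salted(accounts):
    """The table must be rebuilt per distinct salt: the precomputation no longer
    amortises across accounts (or across installations), which is the point."""
    tables, ops, found = {}, 0, {}
    for u, (salt, h) in accounts.items():
        if salt not in tables:
            tables[salt], n = precompute(lambda pw, s=salt: hash_salted(s, pw))
            ops += n
        found[u] = tables[salt].get(h)
    return found, ops


if __name__ == "__main__":
    u, s = store_unsalted(), store_salted()
    print("unsalted: alice == bob ?", u["alice"][1] == u["bob"][1])
    print("salted:   alice == bob ?", s["alice"][1] == s["bob"][1])
    print("unsalted crack:", crack_unsalted(u))
    print("salted crack:  ", crack_salted(s))
```

With three accounts the salted attack costs three times the work of the unsalted one, and the ratio grows with every account and every installation the attacker wants to cover; with the unsalted store, alice's and bob's identical hashes also reveal the shared password before any cracking is done.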

To: HAL9000
The next version of Mac OS X will have on-the-fly encryption/decryption of the user's home directory. With that system, mere physical access will not be sufficient for an unauthorized person to use your files.

The Mac's most secure feature is that nobody uses it.
73 posted on 07/22/2003 11:51:00 PM PDT by Bush2000
[ In reply to #34 ]

To: general_re
That's true, General. Good security is a fine balance between the users and the system. If it's too hard, you'll spend all your time resetting passwords, and the users will wind up writing down the passwords, etc. Too lax, and anyone can get through it in a minute or so.

That's why I use the analogy of locking your car so it won't be stolen. Bottom line, a few simple steps can keep that from happening in most situations. A determined car thief, who really wants your car, can probably steal it despite any measures you take save sleeping in it with a shotgun. Same goes for network security.

74 posted on 07/23/2003 4:27:17 AM PDT by Alas Babylon!
[ In reply to #26 ]

To: Timesink
We have implemented an online demo of this method which cracks alphanumerical passwords in 5 seconds average

Except we only allow 3 bad passwords in a row. Sorry

75 posted on 07/23/2003 4:29:05 AM PDT by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
[ In reply to #1 ]

To: Southack
"Except that while the 'duress' password will give said access to most or all of your critical data, it also signals your own team to come swooping in to the rescue."

Similar to the duress code programmed into some business and home alarms. It sends a silent alarm without requiring a response from the monitoring agent - the agent is to instantly dispatch assistance.

76 posted on 07/23/2003 5:51:21 AM PDT by azhenfud
[ In reply to #53 ]

Comment #77 Removed by Moderator

To: HAL9000
Very kewl. My hat's off to Apple yet again. (With that said, I'm sure there's some lag time in doing so. I'd be interested in seeing how this runs on a G4 500, for instance...)

78 posted on 07/23/2003 6:03:56 AM PDT by =Intervention= (White devils for Sharpton Central Florida chapter)
[ In reply to #34 ]

To: Southack
Get the picture?!

Physical access to a keypad on an ATM is completely different than physical access to a PC. Last I saw, there was no floppy drive on the outside of an ATM that I can stick a boot floppy into to run a password crack program. If you were to break in through the 3 inch thick steel door in the back of the ATM, you would have full access and be able to have some real fun. You can "secure your network" all you want, but if I can get access to a PC on your network with a floppy drive, I can post your 4 digit password on DEJA before "Luke" could pull the force outta his rear end.

Get the picture?
79 posted on 07/23/2003 7:02:42 AM PDT by cspackler (There are 10 kinds of people in this world, those who understand binary and those who don't.)
[ In reply to #35 ]

To: Dimensio
The SID of the real admin account is always the same. It wouldn't throw off most crackers.
80 posted on 07/23/2003 7:16:02 AM PDT by adam_az (This space for rent.)
[ In reply to #30 ]

