Cracking Windows passwords in 5 seconds (Cool concept, unless you, you know, use Windows)
SecurityFocus BUGTRAQ Mailing List | July 22, 2003 | Philippe Oechslin
Posted on 07/22/2003 8:38:27 PM PDT by Timesink
To: BugTraq
Subject: Cracking windows passwords in 5 seconds
Date: Jul 22 2003 8:37PM
Author: Philippe Oechslin
As opposed to Unix, Windows password hashes can be calculated in advance because no salt or other random information is involved. This makes so-called time-memory trade-off attacks possible. This vulnerability is not new, but we think that we have the first tool to exploit this.
At LASEC (lasecwww.epfl.ch) we have developed an advanced time-memory trade-off method. It is based on original work which was done in 1980 but has never been applied to Windows passwords. It works by calculating all possible hashes in advance and storing some of them in an organized table. The more information you keep in the table, the faster the cracking will be.
We have implemented an online demo of this method which cracks alphanumerical passwords in 5 seconds on average (see http://lasecpc13.epfl.ch/ntcrack). With the help of 0.95GB of data we can find the password after an average of 4 million hash operations. A brute force cracker would need to calculate an average of 50% of all hashes, which amounts to about 40 billion hashes for alphanumerical passwords (LanMan hash).
More info about the method can be found in a paper at http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03.
Philippe Oechslin
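The time-memory trade-off the post describes, shown as an added toy example (not the LASEC tool and not code from the post): a rainbow-style chain table over a 3-character lowercase space, with SHA-256 standing in for the unsalted LM hash, and the same lookup failing once a per-password salt is mixed in, which is why salted schemes are not exposed to a precomputed table. All sizes, start points and the salt are constructed values.

```python
import hashlib
import string

# Constructed toy parameters: 26^3 = 17576 candidates, so everything fits in memory.
ALPHABET = string.ascii_lowercase
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 20      # hashes recomputed per chain at lookup time (the "time" side)
N_CHAINS = 1500     # end points kept in the table (the "memory" side)

def h(pw: str, salt: str = "") -> str:
    """Stand-in for the password hash; unsalted by default, as LM is."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()

def reduce_fn(digest: str, col: int) -> str:
    """Map a digest back into the password space; a different map per column."""
    n = (int(digest[:16], 16) + col) % SPACE
    out = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)

def build_table(n_chains: int = N_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute chains once; store only (end point -> start point)."""
    table = {}
    for k in range(n_chains):
        start = reduce_fn(h("start-%d" % k), 0)   # constructed start points
        p = start
        for col in range(chain_len):
            p = reduce_fn(h(p), col)
        table[p] = start
    return table

def lookup(table: dict, digest: str, chain_len: int = CHAIN_LEN):
    """Recover the preimage of an unsalted digest from the table, or None."""
    for col in range(chain_len - 1, -1, -1):
        p = reduce_fn(digest, col)                # assume the hash sat in column col
        for j in range(col + 1, chain_len):       # walk the rest of the chain
            p = reduce_fn(h(p), j)
        start = table.get(p)
        if start is None:
            continue
        q = start                                 # rebuild the chain up to column col
        for j in range(col):
            q = reduce_fn(h(q), j)
        if h(q) == digest:
            return q
    return None

if __name__ == "__main__":
    t = build_table()
    print("unsalted:", lookup(t, h("cat")), " salted:", lookup(t, h("cat", salt="k9")))
```

The table holds 1500 end points instead of 17576 hashes, and each lookup costs at most about 20 x 20 hash operations; a salt of even a few characters multiplies the space the table would have to cover by the number of possible salts.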
TOPICS: Crime/Corruption; Extended News; Miscellaneous; Technical
KEYWORDS: computersecurityin; microsoft; passwords; security; techindex; windows
To: Ramius
Later...
To: Russian Sage
"There is no technology to make a short password secure."
So how many digits are in your ATM password?!
62 posted on 07/22/2003 10:48:29 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
To: unix
Roger that. :-)
Be good. or if not... be untraceable.
Later,
63 posted on 07/22/2003 10:49:42 PM PDT by Ramius
To: Southack
Not really an ATM hack, but there was a case in NYC where the cashier would swipe your card on the store's credit card machine, and then again on their local card reader. When you entered your PIN on the keypad someone was watching to get the 4 digits.
I think the plan was to clone your card and then use it. I can't see how this system would fail, as it's my understanding that nothing's written to your card when you swipe it through a machine. If there was, you could easily detect this as the 2nd card wouldn't know the 2nd bit turned from "AD" to "BC" or something similar.
64 posted on 07/22/2003 10:52:48 PM PDT by lelio
To: Southack
Duress is when a foreign agent is beating the crap out of your wife and baby daughter until you give him a password that accesses all of your information.
Except that while the "duress" password will give said access to most or all of your critical data, it also signals your own team to come swooping in to the rescue. That's great if you're the CIA or some such. For the rest of us, having a SWAT team on 24-hour standby is not exactly a practical alternative - rather, the name of the game is to prevent such attacks in the first place by controlling physical access in such a way that only authorized users get in the door. That way, the bad guy doesn't bother kidnapping you because even if he has your password, the large men stationed near the front door will prevent him from sitting down at a terminal and typing away.
65 posted on 07/22/2003 10:52:53 PM PDT by general_re (The wheel is turning but the hamster is dead.)
To: lelio
"I can't see how this system would fail..."
Well, there's always that pesky camera taking digital pictures of every ATM use/attempt!
66 posted on 07/22/2003 10:55:35 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
To: general_re
"the name of the game is to prevent such attacks in the first place by controlling physical access in such a way that only authorized users get in the door."
So ATM's and POS terminals control the physical access to their boxes in such a way that only authorized users can be physically near them?!
Come on guys, there is more to security than tactical solutions. Architect your system such that vulnerable data is NOT on vulnerable machines. Mimic what already works out in the field.
Anyone can gain physical access to an ATM or POS terminal, but that doesn't mean that the entire bank or even one account holder is compromised.
Use the Net!
67 posted on 07/22/2003 10:59:40 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
To: Southack
So how many digits are in your ATM password?!
The same as in the last four digits of my social security number, which some banks use as a "password" for phone banking!
To: Russian Sage
The same as in the last four digits of my social security number, which some banks use as a "password" for phone banking!
When I went to college your SSN was your student id number. Yikes! Some professors wised up to that and when posting test scores they would only do the last four digits of your SSN.
However, that ignores that the first three digits are easily guessed as it's based on the state you received your number in. Since it was a state school, you could surmise that the person was one of 5 numbers. Then all you had to do was guess the two digit middle number.
69 posted on 07/22/2003 11:06:58 PM PDT by lelio
To: Southack
So ATM's and POS terminals control the physical access to their boxes in such a way that only authorized users can be physically near them?!
You've never used an ATM machine in an atrium or other entryway, the kind where you had to slide your card in a slot to get the electronic lock to switch off before you could even get at the machine?
I wanna move wherever you are - it sounds like a much nicer and more innocent place than the rest of the world ;)
Anyone can gain physical access to an ATM or POS terminal, but that doesn't mean that the entire bank or even one account holder is compromised.
That's great, but unfortunately my computer has to have access to anyone's account that I so choose, rather than simply restricting me to one account - my own. Why? Because that's what I do all day. I have to be able to do things that ATM machines are designed to prevent people from doing, so telling me to make it like an ATM machine doesn't solve my problem. And that kind of power raises issues that the people who make ATM's don't have to worry about, like really controlling who has physical access to my machine.
70 posted on 07/22/2003 11:12:16 PM PDT by general_re (The wheel is turning but the hamster is dead.)
bump
71 posted on 07/22/2003 11:12:28 PM PDT by amarok
To: lelio
"they don't use any "salt" in the hash. So "xyzzy" will always hash to "wqrtw" whereas in the unix world you'll throw some other characters in the password before hashing it. That salt is included..."
More salt and hash here than in the greasy spoon up the street.
To: HAL9000
The next version of Mac OS X will have on-the-fly encryption/decryption of the user's home directory. With that system, mere physical access will not be sufficient for an unauthorized person to use your files.
The Mac's most secure feature is that nobody uses it.
73 posted on 07/22/2003 11:51:00 PM PDT by Bush2000
To: general_re
That's true, General. Good security is a fine balance between the users and the system. If it's too hard, you'll spend all your time resetting passwords, and the users will wind up writing down the passwords, etc. Too lax, and anyone can get through it in a minute or so.
That's why I use the analogy of locking your car so it won't be stolen. Bottom line, a few simple steps can keep that from happening in most situations. A determined car thief, who really wants your car, can probably steal it despite any measures you take save sleeping in it with a shotgun. Same goes for network security.
To: Timesink
We have implemented an online demo of this method which cracks alphanumerical passwords in 5 seconds average
Except we only allow 3 bad passwords in a row. Sorry
75 posted on 07/23/2003 4:29:05 AM PDT by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
To: Southack
"Except that while the 'duress' password will give said access to most or all of your critical data, it also signals your own team to come swooping in to the rescue."
Similar to the duress code programmed into some business and home alarms. It sends a silent alarm without requiring a response from the monitoring agent - the agent is to instantly dispatch assistance.
76 posted on 07/23/2003 5:51:21 AM PDT by azhenfud
Comment #77 Removed by Moderator
To: HAL9000
Very kewl. My hat's off to Apple yet again. (With that said, I'm sure there's some lag time in doing so. I'd be interested in seeing how this runs on a G4 500, for instance...)
78 posted on 07/23/2003 6:03:56 AM PDT by =Intervention= (White devils for Sharpton Central Florida chapter)
To: Southack
Get the picture?!
Physical access to a keypad on an ATM is completely different than physical access to a PC. Last I saw, there was no floppy drive on the outside of an ATM that I can stick a boot floppy into to run a password crack program. If you were to break in through the 3 inch thick steel door in the back of the ATM, you would have full access and be able to have some real fun. You can "secure your network" all you want, but if I can get access to a PC on your network with a floppy drive, I can post your 4 digit password on DEJA before "Luke" could pull the force outta his rear end.
Get the picture?
79 posted on 07/23/2003 7:02:42 AM PDT by cspackler (There are 10 kinds of people in this world, those who understand binary and those who don't.)
To: Dimensio
The SID of the real admin account is always the same. It wouldn't throw off most crackers.
80 posted on 07/23/2003 7:16:02 AM PDT by adam_az (This space for rent.)