Cracking Windows passwords in 5 seconds (Cool concept, unless you, you know, use Windows)
SecurityFocus BUGTRAQ Mailing List ^ | July 22, 2003 | Philippe Oechslin

Posted on 07/22/2003 8:38:27 PM PDT by Timesink

To: BugTraq

Subject: Cracking windows passwords in 5 seconds

Date: Jul 22 2003 8:37PM

Author: Philippe Oechslin

As opposed to Unix, Windows password hashes can be calculated in advance because no salt or other random information is involved. This makes so-called time-memory trade-off attacks possible. This vulnerability is not new but we think that we have the first tool to exploit this.

At LASEC (lasecwww.epfl.ch) we have developed an advanced time-memory trade-off method. It is based on original work which was done in 1980 but has never been applied to windows passwords. It works by calculating all possible hashes in advance and storing some of them in an organized table. The more information you keep in the table, the faster the cracking will be.

We have implemented an online demo of this method which cracks alphanumerical passwords in 5 seconds on average (see http://lasecpc13.epfl.ch/ntcrack). With the help of 0.95GB of data we can find the password after an average of 4 million hash operations. A brute force cracker would need to calculate an average of 50% of all hashes, which amounts to about 40 billion hashes for alphanumerical passwords (lanman hash).

More info about the method can be found in a paper at http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03.

Philippe Oechslin
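
The time-memory trade-off the message describes, as an added illustration that is not part of the original post or of the LASEC tool: a toy chain table over a 3-letter password space, with a truncated SHA-256 standing in for the unsalted hash (the hash, the reduction function and all sizes are constructed assumptions). The table is precomputed once; a password is then recovered from its hash in a few hundred hash operations, while the same table yields nothing for a salted hash because the precomputation no longer matches.

```python
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3                          # toy password space: 26**3 = 17576
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 40                      # t: hash operations per chain
NUM_CHAINS = 600                    # m: chains stored in the table

def toy_hash(pw: str, salt: str = "") -> bytes:
    """Stand-in for an unsalted password hash; pass a salt to see the defence."""
    return hashlib.sha256((salt + pw).encode()).digest()[:8]

def reduce_fn(h: bytes, col: int) -> str:
    """Map a hash back into the password space; col makes each column differ."""
    n = (int.from_bytes(h, "big") + col) % SPACE
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)

def chain(start: str) -> list:
    """Passwords p_0..p_{t-1} of the chain beginning at start."""
    pws, p = [], start
    for col in range(CHAIN_LEN):
        pws.append(p)
        p = reduce_fn(toy_hash(p), col)
    return pws

def build_table() -> dict:
    """Precompute once: endpoint -> start points (only chain ends are stored)."""
    table = {}
    for i in range(NUM_CHAINS):
        start = reduce_fn(i.to_bytes(8, "big"), 0)   # deterministic start points
        end = reduce_fn(toy_hash(chain(start)[-1]), CHAIN_LEN - 1)
        table.setdefault(end, []).append(start)      # keep merged chains too
    return table

def lookup(table: dict, target: bytes):
    """Recover a preimage of target from the table, or None if not covered."""
    for col in range(CHAIN_LEN - 1, -1, -1):         # guess the column of target
        p = reduce_fn(target, col)
        for j in range(col + 1, CHAIN_LEN):          # walk to the chain's end
            p = reduce_fn(toy_hash(p), j)
        for start in table.get(p, []):               # rebuild only matching chains
            for cand in chain(start):
                if toy_hash(cand) == target:         # rejects false alarms
                    return cand
    return None
```

With an unsalted hash the table is built once and reused for every user; a per-user salt would force a separate table per salt value, which is the property the message says Windows lacks.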


To: cspackler; general_re; Russian Sage
"If you were to break in through the 3 inch thick steel door in the back of the ATM, you would have full access and be able to have some real fun."

Nonsense. I can physically give you an ATM machine, but that won't enable you to access the accounts of the bank's customers.

Same goes for a POS terminal. You can buy one on eBay right now, but that won't give you access to the data that you want on someone else's network, even though you clearly have full physical access to it.

In short, claiming that physical access defeats security is just baby-talk for admitting that **your** own security is child's play.

Same goes for spouting off about needing big, long, complex passwords. POS terminals (and ATMs for that matter) only require a 4 digit password, yet the posters on this thread clearly can't get through that level of security due to the **architecture** involved.

So here's a tip: if you can't guarantee the physical security of a PC, POS terminal, or ATM, then you simply don't place valuable data onto said "vulnerable" machines.

Store such data somewhere else. Somewhere safe.

That's how banks do it today. Steal an old ATM, drill through its armour, boot up the ancient AT&T 3B2 inside with any startup disk that you want, it still won't give you access to all of the customer accounts of any bank, even though said machine has its physical access compromised and even though said machine only asks for a simple numeric 4 digit password.

It ain't the tactics, people; it's the architecture.

81 posted on 07/23/2003 9:48:17 AM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ Post Reply | Private Reply | To 79 | View Replies]

To: Southack; general_re; Russian Sage
However, we are not talking about ATMs. These are apples and oranges that you are trying to compare as *architectures*. If you are using Windows, that is your architecture. If someone can get access to a Windows PC on your corporate network inside your firewall, they can have access to all of your passwords. It really doesn't matter if there is any sensitive data on the exact machine that you are accessing. If your admin password is hacked, every PC on your network is wide open. That is the *architecture* that you are stuck with. That is the whole point of the thread. There is no way to *architect* around that vulnerability, unless you believe that you can run your corporation on a bunch of ATM machines.
82 posted on 07/23/2003 11:24:33 AM PDT by cspackler (There are 10 kinds of people in this world, those who understand binary and those who don't.)
[ Post Reply | Private Reply | To 81 | View Replies]

To: cspackler
"If someone can get access to a Windows PC on your corporate network inside your firewall, they can have access to all of your passwords. It really doesn't matter if there is any sensitive data on the exact machine that you are accessing. If your admin password is hacked, every PC on your network is wide open."

Hypothetically, what would prevent a savvy system administrator from having a Windows network that only accesses and stores secure data through a new-fangled invention called a "browser"?

Of course, everyone on the Internet has access to the network that your browser is accessing, so your entire web-based network must be completely vulnerable, right?!

< /MOCKING >

83 posted on 07/23/2003 12:49:42 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ Post Reply | Private Reply | To 82 | View Replies]

To: Southack
Hypothetically, what would prevent a savvy system administrator from having a Windows network that only accesses and stores secure data through a new-fangled invention called a "browser"?

Common sense. "Hello, I'm the Network Admin. You can no longer use any of the applications on your desktop. Word? Forget it, just create some HTML to communicate. Excel? Never mind. All of the corporate applications that are currently not browser based? GONE!!!!! We are only going to allow incoming traffic on port 8080... What do you mean, I'm fired?"

Of course, everyone on the Internet has access to the network that your browser is accessing, so your entire web-based network must be completely vulnerable, right?!

No, that's why we have those new-fangled things called "firewalls".
84 posted on 07/23/2003 1:03:34 PM PDT by cspackler (There are 10 kinds of people in this world, those who understand binary and those who don't.)
[ Post Reply | Private Reply | To 83 | View Replies]

To: Timesink
Does this mean my wife will be able to find my porn?

Techies, anyone?

85 posted on 07/23/2003 1:07:00 PM PDT by TravisBickle
[ Post Reply | Private Reply | To 1 | View Replies]

To: cspackler
MS Word works wonderfully over the internet through your browser. You should try it some day.

Also, on that "network access" comment, you must have missed my < /MOCKING > tag. My whole point is that you **can** secure your network.

Oh, now here's a thought...If you can secure your network but not your PC's, in which place should you store your sensitive data?!

86 posted on 07/23/2003 1:10:49 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ Post Reply | Private Reply | To 84 | View Replies]

To: cspackler
"You can no longer use any of the applications on your desktop. Word? Forget it, just create some HTML to communicate. Excel? Never mind. All of the corporate applications that are currently not browser based? GONE!!!!!"

Goodness, an Excel Spreadsheet that works through a browser! What a find! I bet that no one has heard of this!

< /MOCKING >

87 posted on 07/23/2003 1:18:47 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ Post Reply | Private Reply | To 84 | View Replies]

To: Southack
MS Word works wonderfully over the internet through your browser. You should try it some day.

Works, yes. Wonderfully, no. If it worked that well, MS wouldn't still be selling the app. The short story is, using a crack program on a floppy, anyone can walk up to ANY PC or server that is inside of your firewall and crack the Windows passwords on the system. At that point, it does not matter if your data is on the PC, a network server, or the moon. Unless you are going to completely do away with Windows security and make every PC on the system strictly an IP connection with no local hard drive, make all of your applications completely browser based and not share any network resources... I give up. At that point, however, you don't really have a network, but a loosely put together intranet that has no benefit for the corporation but a bunch of IP addresses.
88 posted on 07/23/2003 1:27:45 PM PDT by cspackler (There are 10 kinds of people in this world, those who understand binary and those who don't.)
[ Post Reply | Private Reply | To 86 | View Replies]

To: cspackler
"anyone can walk up to ANY pc or server that is inside of your firewall and crack the windows passwords on the system. At that point, it does not matter if your data is on the pc, a network server, or the moon."

You must not have a very secure network, then.

89 posted on 07/23/2003 1:29:45 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ Post Reply | Private Reply | To 88 | View Replies]

To: Southack
You must not have a very secure network, then.

That is the whole point of the article. It is an inherent windows (in this case) issue. There ain't nothin', aside from using complex passwords, that you can do about it.
90 posted on 07/23/2003 1:33:43 PM PDT by cspackler (There are 10 kinds of people in this world, those who understand binary and those who don't.)
[ Post Reply | Private Reply | To 89 | View Replies]

To: cspackler
Of course you can do something about it.

You can change the **architecture** of your Windows network such that secure data is stored only on a secure network, while worthless and trivial data is stored on vulnerable PC's.

Just because someone can hack one PC on a network doesn't mean that the whole system has to be insecure. Even a fully exposed network, such as the Internet, can be secured. One PC can be hacked that has access to the Internet, but that won't give the hacker access to **my** data. If your corporate network is less secure than that example, then you've got yourself an architectural problem.

Think!

Store your data in **secure** locations, not on vulnerable PC's.

91 posted on 07/23/2003 1:38:47 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ Post Reply | Private Reply | To 90 | View Replies]

To: Timesink
bttt
92 posted on 07/23/2003 1:39:47 PM PDT by tutstar
[ Post Reply | Private Reply | To 1 | View Replies]

To: Timesink
Dude, that's some powerful hash!
93 posted on 07/23/2003 1:43:06 PM PDT by jriemer (We are a Republic not a Democracy)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Alas Babylon!
The general rule on passwords is, don't use any word that's in an English dictionary, or a common name, since these are vulnerable to an attack consisting of just plugging in every word in Websters or the OED, programmatically. You might use a two-word phrase run together.
94 posted on 07/23/2003 1:50:35 PM PDT by BlazingArizona
[ Post Reply | Private Reply | To 15 | View Replies]

To: Southack
OK, one last time. Someone in the corporation has access, one way or another, to the sensitive data. This has to be true, otherwise there is no use in having it. Therefore, if I can run a crack and decipher everyone on the network's password, I can then log on as any of those people and have access to the data. How can you secure data well enough that no one can get to it? And why would you want to?
95 posted on 07/23/2003 1:51:30 PM PDT by cspackler (There are 10 kinds of people in this world, those who understand binary and those who don't.)
[ Post Reply | Private Reply | To 91 | View Replies]

To: cspackler
"Someone in the corporation has access, one way or another, to the sensitive data. This has to be true, otherwise there is no use in having it. Therefore, if I can run a crack and decipher everyone on the network's password, I can then log on as any of those people and have access to the data. How can you secure data well enough that no one can get to it?"

Gee, so bank accounts must be pretty insecure since ATM cards only require a 4 digit PIN, right?!

And VPN's must be insecure because you could run crack programs on every internet user's passwords, right?!

< /MOCKING >

96 posted on 07/23/2003 1:54:27 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ Post Reply | Private Reply | To 95 | View Replies]

To: cspackler
Have you discerned that there is a crucial **difference** between gaining full access to a PC from that of gaining full access to everything that's on a network?
97 posted on 07/23/2003 1:56:45 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ Post Reply | Private Reply | To 95 | View Replies]

To: Southack
ATM pins are not stored in Windows hashes.
98 posted on 07/23/2003 1:57:52 PM PDT by cspackler (There are 10 kinds of people in this world, those who understand binary and those who don't.)
[ Post Reply | Private Reply | To 96 | View Replies]

To: cspackler
ATM PINs aren't tough to crack, ditto for Windows passwords.

But one of those two systems usually has a more secure **architecture** than the other, rendering the passwords to a much lower place on the security totem pole...

99 posted on 07/23/2003 2:00:18 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ Post Reply | Private Reply | To 98 | View Replies]

To: Dimensio
The local administrator account really should have no access on a domain and little on the local machine. The GPO has priority and the local administrator account should not be placed into the Domain Admin Group.

Even with access to a local PC and the local administrator password all secure data is on servers with network and O/S file level security.

We happen to also require alpha/numeric/character combo passwords, 8 characters long, with a 90-day expiration and 3 strikes and you're (locked) out. (Some may well write down the password, but the access for that user is going to be limited anyway.)
100 posted on 07/23/2003 2:18:32 PM PDT by CyberCowboy777 (They promise to be good masters, but they mean to be masters.)
[ Post Reply | Private Reply | To 30 | View Replies]
