Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Cracking Windows passwords in 5 seconds (Cool concept, unless you, you know, use Windows)
SecurityFocus BUGTRAQ Mailing List ^ | July 22, 2003 | Philippe Oechslin

Posted on 07/22/2003 8:38:27 PM PDT by Timesink

click here to read article


Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-80 ... 101-105 next last
To: lelio
if you can get the hashed version of the password you can then crack it as they don't use any "salt" in the hash.

That's sort of like giving flying instructions akin to "Step one: Once you're airborne..." - the problem is getting hold of the hashes in the first place.

Its my understanding that if you sniff the wire when login into a domain you might be able to get this hashed password.

Kerberos and IPsec will prevent that - assuming that the bad guy managed to "Mission:Impossible" himself into your building in the first place ;)

21 posted on 07/22/2003 9:39:58 PM PDT by general_re (The wheel is turning but the hamster is dead.)
[ Post Reply | Private Reply | To 13 | View Replies]

To: Alas Babylon!
hehehe... nice policy, if you can get it. Like they say: this networking crap would be a lot of fun if it weren't for all these darn *users*.

One thought though: An indefinite lockout makes for the easiest DOS attack on the planet.
22 posted on 07/22/2003 9:40:30 PM PDT by Ramius
[ Post Reply | Private Reply | To 15 | View Replies]

To: Southack
I don't know about 2000 or XP, but in 98 you just boot from a floppy and delete all *.PWL files and then reboot with your own PW. I can't see why NT based OS would be different.
23 posted on 07/22/2003 9:41:04 PM PDT by chuckles
[ Post Reply | Private Reply | To 18 | View Replies]

To: Southack
How many people, given full access to an ATM or POS terminal, could debit the accounts of other bank customers?

An ATM or POS term doesn't give you access to the machine. Can't reboot it from there to another system, yadda yadda yadda. But can you say the same thing for somebody that has access to the *inside* of the ATM??

*That's* access.

24 posted on 07/22/2003 9:43:39 PM PDT by Ramius
[ Post Reply | Private Reply | To 18 | View Replies]

To: chuckles
Win 98 doesn't have security, and never even pretended to. The login there is really only for setting profiles and little else.
25 posted on 07/22/2003 9:45:37 PM PDT by Ramius
[ Post Reply | Private Reply | To 23 | View Replies]

To: Alas Babylon!; Ramius
For the truly paranoid, and/or those who have a fetish for truly fascist security schemes, the NSA published a series of guides about locking down Windows 2000 a few years ago. Although it's good to look through for tips about stuff that might have been missed, I recall leafing through it and thinking that only the truly masochistic would feel compelled to implement it all ;)
26 posted on 07/22/2003 9:45:49 PM PDT by general_re (The wheel is turning but the hamster is dead.)
[ Post Reply | Private Reply | To 15 | View Replies]

To: general_re
Truly, I could have said "truly" once or twice more. F*** it - it's late... ;)
27 posted on 07/22/2003 9:47:00 PM PDT by general_re (The wheel is turning but the hamster is dead.)
[ Post Reply | Private Reply | To 26 | View Replies]

Comment #28 Removed by Moderator

To: Ramius
If you are inside **either** an ATM or a Windows PC, you can take the hard drive or the cash or whatever, but that physical strategy is useless against the ATM's security sytem for the bank's customers, as no matter what you do to the ATM (well, barring running the machine and copying new cards from the typed in PINs), you can't touch the actual accounts of other bank customers, and certainly can't do it en masse to the entire bank.

So putting networked PC's in vulnerable locations, combined with storing critical data on a secure LAN, would seem to have some level of security value. That's what works for ATM's and POS terminals, after all.

And we're all wired. This is the 21st Century. We all have access to the biggest LAN around.

Pity that not all of our security takes that fact into account...

29 posted on 07/22/2003 9:50:06 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ Post Reply | Private Reply | To 24 | View Replies]

To: Alas Babylon!
You forgot the one about setting up a "guest" account and naming it "administrator" to throw off would-be intruders.
30 posted on 07/22/2003 9:52:24 PM PDT by Dimensio (Sometimes I doubt your committment to Sparkle Motion!)
[ Post Reply | Private Reply | To 15 | View Replies]

To: general_re
I did go through that. Funny you should mention it, and you're right. Only people that have a dungeon in the basement could endure it.

With *any* system, there is a trade-off between security and usability. Perfect security is impossible. Excellent security is possible, but most users will only put up with it for a little while before they go screaming to the board of directors wanting someone's head on a plate.

Good security is what we settle for in the real world.

Like I told my board of directors once: Look, you can spend however many millions of dollars on system security that you want, but you're protecting that server room with a twenty dollar lock.
31 posted on 07/22/2003 9:52:37 PM PDT by Ramius
[ Post Reply | Private Reply | To 26 | View Replies]

To: Southack
"Well, yes. Physical access to any machine is pretty much the same as complete access. Mostly."

"I don't see it, even with the "mostly" caveat tossed in."

If you can get physical access to a windows machine, there are some cute tools to crack every password on the system. The only guard against these is to enforce complex passwords that have no patterns. Simple passwords can be cracked in seconds, complex take forever. The beauty of Windows...
32 posted on 07/22/2003 9:59:49 PM PDT by cspackler (There are 10 kinds of people in this world, those who understand binary and those who don't.)
[ Post Reply | Private Reply | To 18 | View Replies]

To: Southack
I'm not disagreeing with you... perhaps we're just playing a semantic game with the meaning of "physical access". I would say that walking up to an ATM isn't access, any more than hitting a bank's web site is. Access to the box and the ability to reboot it to your own system... *that's* access.
33 posted on 07/22/2003 10:00:43 PM PDT by Ramius
[ Post Reply | Private Reply | To 29 | View Replies]

To: Ramius
Physical access to any machine is pretty much the same as complete access. Mostly.

The next version of Mac OS X will have on-the-fly encryption/decryption of the user's home directory. With that system, mere physical access will not be sufficient for an unauthorized person to use your files.

34 posted on 07/22/2003 10:04:07 PM PDT by HAL9000
[ Post Reply | Private Reply | To 11 | View Replies]

To: cspackler
"The only guard against these is to enforce complex passwords that have no patterns."

Nonsense. Bank account holders are protected by a simple 4 digit PIN for a password, yet gaining full physical access to an ATM won't help you crack open and debit all the account holders of the entire bank.

Hmmm... Simple password, but secure system. Wow, that must be an **architectural** solution to a security problem as opposed to a simple tactical solution!

To paraphrase Star Wars, "Use the network, Luke"! Secure the network. Put critical data on your secure system. Put worthless or trivial data on your vulnerable PC's.

Get the picture?!

35 posted on 07/22/2003 10:05:56 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ Post Reply | Private Reply | To 32 | View Replies]

To: cspackler
I have a tool that, if you can boot on it, will crack all the passwords complex or otherwise on a windows, NT, 2K or XP box. That's why we don't rely on local windows hashes to protect networks.

Network managers need those tools though, to get *back* into machines when the @#$%@#$ user has flummoxed the whole thing up while they were drunk in their hotel room.

And just for the record... give anybody worth their salt physical access to a unix or linux box and they'll own that one too. It ain't a windows thing. It's a computer thing. Systems Security doesn't mean cutting off all possible access once you have physical control of the box. You wouldn't want that, even if you could get it.
36 posted on 07/22/2003 10:07:09 PM PDT by Ramius
[ Post Reply | Private Reply | To 32 | View Replies]

To: Ramius
Physical access to any machine is pretty much the same as complete access. Mostly.

Only for the most poorly secured systems. Strong security such that access to the physical machine won't net you anything is pretty cheap these days, even if they have the ability to install rudimentary sniffers on the hardware. It is not even particularly inconvenient at that.

37 posted on 07/22/2003 10:08:44 PM PDT by tortoise (All these moments lost in time, like tears in the rain.)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Ramius
"I would say that walking up to an ATM isn't access, any more than hitting a bank's web site is. Access to the box and the ability to reboot it to your own system... *that's* access."

You can steal and reboot an ATM or POS terminal from now until doomsday, but that won't let you access the secure data, simply because the secure data is protected by an architectural solution (i.e. storing critical data in a secure location while putting trivial or worthless data in the vulnerable remote locations where ATMs and POS temrinals spend their working days).

If you are depending upon physical access being denied in vulnerable locations, then something is wrong with your concept of security. For God's sake, at the very least encrypt everything on your hard drive so that first pass physical access is worthless.

Or better yet, take it to the next level and use the Net to isolate and connect vulnerable PC's to and from their critical data.

38 posted on 07/22/2003 10:10:39 PM PDT by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)
[ Post Reply | Private Reply | To 33 | View Replies]

To: Ramius
Good security is what we settle for in the real world.

That's about the size of it. I make things difficult for people who might want to break in, hopefully difficult enough that the effort is not worth whatever they might recover, but I have no illusions about making it impossible for people to break in. And so besides me and my coworkers worrying about network security, we have a host of folks whose job it is to worry about physical security. If they do their job, and we do ours, the results should be more than enough to protect us from the black hats of the world, but neither of us is worth much without the other.

Like I told my board of directors once: Look, you can spend however many millions of dollars on system security that you want, but you're protecting that server room with a twenty dollar lock.

I once pointed out to a co-worker that if the information on his system were really valuable enough to me, no password policy and no encryption in the world could prevent me from taking a rubber hose and simply beating his password out of him... ;)

39 posted on 07/22/2003 10:12:19 PM PDT by general_re (The wheel is turning but the hamster is dead.)
[ Post Reply | Private Reply | To 31 | View Replies]

To: Ramius
And just for the record... give anybody worth their salt physical access to a unix or linux box and they'll own that one too.

That depends on how it is set up. I have a highly secure FreeBSD system that all the physical access in the world won't give you access to. Your ideas on security have been polluted by conventional practice.

40 posted on 07/22/2003 10:13:37 PM PDT by tortoise (All these moments lost in time, like tears in the rain.)
[ Post Reply | Private Reply | To 36 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-80 ... 101-105 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson