Security Basics mailing list archives

Defeating password cracking
From: "dave" <dave () netmedic net>
Date: Tue, 18 Feb 2003 14:37:43 -0500

Simple ways of defeating password recovery boot disks and password crackers
on NT/2000 machines.

I was bored and trying different characters that L0phtCrack and other
cracking programs could not detect.  While doing so I discovered that by
using these same characters in user names you could prevent the Boot-disk
password changers from being able to change the Admin and other passwords.

Possibly this is old news but I found it quite interesting.  I am posting it
to see if anyone else has found similar results, and maybe even ways to
defeat this.

1.  The character list:  These are all ALT characters that L0phtCrack and
Advanced NT Security Explorer could not detect.  I made the password 5
characters long and added them to the custom character sets.  For my test,
after testing all of them, I decided to use Alt-251 (v); it is the square
root symbol, but it shows as a small v in the cracking programs, or not at all
in the password recovery boot disks.
1-32
127-130
132
134
135
142-146
148
153-159
164-255
0127
0131
0135
0149
0160-0167
0170-0172
0176-0178
0181-0183
0186-0189
0191
0196-0199
0201
0209
0214
0220
0223
0228-0231
0233
0241
0246
0247

2.  Defeating password crackers:  OK, so now we make a user name "joev"
(without the quotes) and we make the password "1234v".  Well, I spent 3 days
and could not get the password cracked, even after I added it to the custom
character sets; maybe I am just an amateur.  So please let me know if I am
doing something wrong.  Notice the username displays as joev in L0phtCrack
and the others.  Also try using sid2user and other user information
utilities on it.  Most will tell you the user does not exist, whether you
add the special character or put it in as a small v.  Even the W2000 Resource
Kit "showmbrs.exe" does not display the special character.

3.  OK, so now we have to prevent the password recovery boot disks from being
able to change the passwords.  I had the "Linux password changer" and the
one from Win/sysinternals.

4.  First, no matter what you change the name of the built-in administrator
account to, you can always change the password with these tools; I am
assuming it is because the SID is always the same.  You cannot disable it, so
I had to come up with a way to get around that.  So I simply created a group
called "no access" and added the built-in administrator account to it.  I added
the deny logon locally and deny access to this computer from the network
privileges, and took away all access to the drives, essentially disabling
it.

5.  OK, now we made joev a member of the admin group.  We boot to the
password recovery disk.  The users except for joev show normally; he shows as
joe.  Since we know his real username, we try entering it that way and the
way it displays; either way we get "cannot find user".  I could change any
password except for joev's.  If we change the built-in admin account's
password all is great; of course we cannot log in as him.  If we use one of
these Alt characters in all the usernames, we essentially can prevent any of
the passwords (except the built-in admin account's) from being changed.

6.  Well, now I know there are other ways of editing the registry, installing
a separate installation of the OS, etc.  But I believe this is a pretty
cool way of thwarting the basic "hacker" that thinks he is going to walk up
to your system, boot to this disk, change the password and get in.
Further, it is nice to know that there are passwords you can make that even
the common crackers cannot crack.

Well, this is my little discovery; your thoughts and counter-thoughts are
greatly appreciated.  I do not mean this to be an end-all way of defeating
these programs, but every little bit helps.

______________________
Dave Kleiman
dave () netmedic net
www.netmedic.net
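The post's Alt codes are code-page bytes: Alt-NNN types the OEM page (CP437 on a US system), Alt-0NNN types the ANSI page (Windows-1252), which is why the same "v" renders differently from tool to tool. The following audit script is an added example, not part of the post: it translates an Alt code to the character it produces and flags account names containing anything outside printable ASCII, so such accounts are inventoried instead of silently mis-rendered. The account list is constructed; the US-English code-page assumption is mine.

```python
"""Flag account names containing the Alt-code characters discussed above.

Assumes a US-English system: OEM code page CP437, ANSI code page Windows-1252.
"""
import unicodedata


def alt_code_to_char(code: str) -> str:
    """Translate an Alt code as typed on the numpad into the character it yields.

    "251"  -> CP437 byte 0xFB -> U+221A SQUARE ROOT (the post's small "v")
    "0251" -> Windows-1252 byte 0xFB -> U+00FB LATIN SMALL LETTER U WITH CIRCUMFLEX
    A leading zero selects the ANSI page; otherwise the OEM page is used.
    """
    leading_zero = code.startswith("0") and len(code) > 1
    codepage = "cp1252" if leading_zero else "cp437"
    return bytes([int(code)]).decode(codepage)


def suspicious_chars(name: str) -> list[tuple[str, str]]:
    """Return (char, Unicode name) for every character outside printable ASCII.

    Control characters (Alt-1..32) and anything above 0x7E are reported, since
    these are exactly the characters that crackers, sid2user-style tools and
    boot-disk password changers render differently or drop entirely.
    """
    flagged = []
    for ch in name:
        if not 0x20 <= ord(ch) <= 0x7E:
            flagged.append((ch, unicodedata.name(ch, f"U+{ord(ch):04X}")))
    return flagged


def audit_accounts(names: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Map each name that contains a non-printable-ASCII character to its findings."""
    return {n: suspicious_chars(n) for n in names if suspicious_chars(n)}


# Constructed sample account list: "joe" + Alt-251 is the post's "joev",
# and "ann" + Alt-0223 uses a Windows-1252 character from the second list.
SAMPLE_ACCOUNTS = [
    "Administrator",
    "joe" + alt_code_to_char("251"),
    "guest",
    "ann" + alt_code_to_char("0223"),
]

if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(repr(name), findings)
```

The ASCII-only rendering `name.encode("ascii", "ignore").decode()` is what a tool that drops the byte shows ("joe"), which is why typing either spelling fails to match the stored name.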