mailing list archives
NT password dictionary attack.
From: ashtonp () GB SWISSBANK COM (Paul Ashton)
Date: Tue, 18 Feb 1997 12:55:00 GMT
I previously sent this to ntbugtraq in response to an article entitled
"Windows NT authentication weakness" regarding SMB/CIFS problems with
the weak challenge response system used by windows nt, but it went
into a black hole.
Set up Samba on a Unix machine together with libdes for DES encryption
Write a 20 line program that takes /usr/dict/words or other similar
word list, computes the MD4 hash of each word and then use that to
encrypt an eight byte fixed challenge (i.e. all zeroes).
Make a one line change to the challenge generation code to always
generate this fixed value.
Start Samba and give it a suitably interesting name, such as "Public
Wait for someone to attempt to connect to your server, send the fixed
challenge, receive the fixed challenge encrypted by the users hashed
Instantaneously look up the hash in the precomputed database.
If it is not a dictionary word, stuff it into a history file and run a
modified crack on it later.
A good job that NT's C2 configuration tool disables the network...