Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Windows XP salted hashed verification of domain passwords
From: Tim <tim-pentest () sentinelchicken org>
Date: Mon, 5 Mar 2007 08:45:08 -0500


Hello Matt,

I've done some reading on these cached hashes recently as well, and I'm
still fuzzy on a few things. I'll provide answers as best I can.

    For domain accounts, the passwords are not kept on a system.  The
verification is salted and hashed with md4 twice.  I am trying to assess
the following risks.  1) What is the danger that that verification could
be misused on another system?  2) From that salted, hashed verification,
can the password be derived?  How likely is this?

First off, have you found a good reference which details exactly how the
hashes are generated?  You say hashed twice with md4... does that mean
the same data hashed twice, or hashed in two chunks (like LM hashes)?  I
have yet to find a good reference (besides uncommented source code that
I have yet to pick through).

Well, MD4 is a very weak hash, and dictionary attacks will certainly
work if users pick any kind of predictable password.  These would likely
be harder to crack than LM hashes, since they are salted and building a
rainbow table would be harder, but bad passwords are always pretty easy
to crack.  I'd be very interested to know exactly how these are
salted...

     Also, how would one perform a pen test against those salted,
hashed verifications?  Lets assume in the registry no one was ignorant
enough to put the registry key which provides the password.

Have you seen these references?

General description:
  http://www.irongeek.com/i.php?page=security/cachecrack

Look down the page for a cached password crack patch:
  http://www.openwall.com/john/

Another description and tool for grabbing cached passwords:
  http://www.gotroot.com/downloads/ftp/security/cain_and_abel/topics/mscache_hashes_dumper.htm


So there are obviously plenty of real-world tools out there.  I have yet
to try them, so YMMV.

HTH,
tim

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]