Penetration Testing mailing list archives

Re: Windows XP salted hashed verification of domain passwords
From: "Security Guy" <security () sligoinc com>
Date: Mon, 5 Mar 2007 13:25:37 -0500

Indeed, I assume you're talking about cached passwords on Windows
systems on a domain.

See http://www.irongeek.com/i.php?page=security/cachecrack

Cracking requires local admin privs to get to the reg keys that
contain the hashes in the first place, but not hard if you've got
physical access to the target, or can remotely set up an elevation
attack.

On 3/5/07, Michael Hendrickx <Michael.Hendrickx () du ae> wrote:
Dear,

MD4 is a one way hash, though cryptographic collisions are found against
it, the clear text password cannot be derived straight away, unless a
brute force attack is performed against the hashes.

Thanks,

Michael Hendrickx
Senior Applications & Systems Analyst - Enterprise IT Security
Technology security & Risk Management


Emirates Integrated Telecommunications Company, PJSC
P.O. Box 502666, Dubai, U.A.E.

Tel (Dir)  : +971 4 3693919
Fax         : +971 4 3604414
www.du.ae
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Matthew Webster
Sent: Saturday, March 03, 2007 12:12 AM
To: pen-test
Subject: Windows XP salted hashed verification of domain passwords

Folks,

    For domain accounts, the passwords are not kept on a system.  The
verification is salted and hashed with md4 twice.  I am trying to assess
the following risks.  1) What is the danger that that verification could
be misused on another system?  2) From that salted, hashed verification,
can the password be derived?  How likely is this?

     Also, how would one perform a pen test against those salted, hashed
verifications?  Let's assume in the registry no one was ignorant enough
to put the registry key which provides the password.

Thanks,

Matt



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

