Vulnerability Development: Re[2]: Stealing NT passwords through WiFi?

Re[2]: Stealing NT passwords through WiFi?

From: 3APA3A <3APA3A_at_SECURITY.NNOV.RU>
Date: Thu, 20 May 2004 21:46:49 +0400

Dear Ugen,

--Thursday, May 20, 2004, 7:31:38 PM, you wrote to 3APA3A_at_SECURITY.NNOV.RU:

>>
>>
U> I am under impression that as an authentication server the rogue system
U> can require any version of
U> MS-CHAP it chooses. If the original system is configured to support both
U> (and XP supplicant does,
U> not even sure if there is an easy way to force v2. only) the reply will

I have no Wi-Fi to check; for a dialup connection you can (in the advanced
settings of the connection's security options).

U> include LM hash. Got to test
U> that, of course.

It depends on security settings. Group policy (or local security policy)
can prevent the system from handshaking an LM response and from storing
the LM hash.

>>It doesn't matter if you recover cleartext password by bruteforcing
>>password or you recover password hash by cracking DES, because with
>>password hash you can connect to any resource without cleartext
>>password.
>>
>>
U> I took a shortcut in description here indeed :) This is the crucial
U> point though - I haven't found
U> ready made tools to work this step, though there was mention somewhere

I patched md4.c from the Samba distribution to convert from hex instead of
hashing the password (the NT hash is actually an MD4 of the Unicode password)
if it is already given something like a hash (32 Unicode [0-9A-F] characters).
This small patch allows smbclient to be used with a hash in hex instead of
the cleartext password.

        D = 0x10325476;
+
+
+ if(n == 64){
+ int j;
+ unsigned char * hexd = (unsigned char *)"0123456789ABCDEF";
+ for(j = 0; j<16; j++){
+ if(!strchr(hexd, in[(j<<2)]))break;
+ if(in[(j<<2)+1])break;
+ if(!strchr(hexd, in[(j<<2)+2]))break;
+ if(in[(j<<2)+3])break;
+ out[j] = ((strchr(hexd, in[(j<<2)]) - (char *)hexd)<<4);
+ out[j] ^= (strchr(hexd, in[(j<<2)+2]) - (char *)hexd);
+ }
+ if(j == 16) {
+ return;
+ }
+ }
                                                                                
        while (n > 64) {
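Review bot: the hex-detection heuristic in the `if(n == 64)` block cannot tell a supplied hash apart from a legitimate password that happens to be 32 uppercase hex characters, so such a password would be sent unhashed and fail to authenticate; an explicit flag telling md4.c to treat the input as a hash would be unambiguous, and would also let lowercase hex be accepted, which `"0123456789ABCDEF"` currently rejects. Two smaller points in the same block: `strchr(hexd, in[(j<<2)])` returns a non-NULL pointer to the string terminator when the byte is `\0`, so a NUL in an even position passes the check and produces a nibble value of 16 instead of breaking out of the loop; and `hexd` is declared `unsigned char *` while `strchr` takes `const char *`, which the compiler will warn about, so declare it `const char *hexd` and drop the `(char *)` casts in the two subtractions.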

U> that l0phtcrack is able
U> to use MS-CHAP (no version specified) data as an input. This is where
U> I'd welcome good
U> suggestions.

Any NTLM cracking tool is OK for MS-CHAPv1. For DES bruteforcing you can
use any DES cracking tool, like john-the-ripper, with the challenge as the
salt and each 8 bytes of the response as a crypted password. The first 16
of the resulting 21 bytes are the password hash. Approx. half a year is
required to crack the 3 DES portions on a single PC (because full
bruteforcing is required) with a fast "sliced" DES implementation. The test
code I wrote works too slowly, because it used standard DES.

-- 
~/ZARAZA
I won't be needing the sting (S. Lem)
Received on May 20 2004
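The group policy settings 3APA3A refers to above are exposed on a Windows host as two values under the LSA registry key: LmCompatibilityLevel (policy "Network security: LAN Manager authentication level") and NoLMHash (policy "Network security: Do not store LAN Manager hash value on next password change"). The following script is an added example written for this page, not code from the thread; it reads both values and reports whether the host will still offer LM responses or keep an LM hash. The registry path and value names are Microsoft's documented ones; the function name and the reporting fields are this example's own.

```powershell
# Added example (not from the thread): audit the two LSA settings that decide
# whether a Windows host still sends LM responses or stores the LM hash.
function Get-LmPolicyStatus {
    param(
        # Documented location of the LSA authentication settings.
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    $lsa = Get-ItemProperty -Path $LsaPath -ErrorAction Stop

    # LmCompatibilityLevel ranges 0..5. Levels 0 and 1 still send the LM
    # response in the handshake, level 2 sends NTLM only, levels 3..5 send
    # NTLMv2 only (4 and 5 additionally refuse LM/NTLM as a server).
    # When the value is absent the OS default applies, which differs by
    # Windows version, so report it as unknown rather than guessing.
    $levelProp = $lsa.PSObject.Properties['LmCompatibilityLevel']
    if ($null -eq $levelProp) {
        $level = $null
        $sendsLm = 'Unknown (value absent, OS default applies)'
    } else {
        $level = [int]$levelProp.Value
        $sendsLm = ($level -le 1)
    }

    # NoLMHash = 1 means the LM hash is dropped at the next password change.
    # Absent or 0 means the LM hash is still stored (for passwords <= 14 chars).
    $noLmProp = $lsa.PSObject.Properties['NoLMHash']
    if ($null -eq $noLmProp) { $noLm = 0 } else { $noLm = [int]$noLmProp.Value }

    [pscustomobject]@{
        LmCompatibilityLevel = $level
        SendsLmResponse      = $sendsLm
        NoLMHash             = $noLm
        StoresLmHash         = ($noLm -ne 1)
    }
}

# Usage: run in an elevated or standard session; reading HKLM is allowed for
# ordinary users, so no admin rights are needed for the audit itself.
Get-LmPolicyStatus | Format-List
```

A host that reports SendsLmResponse as True or StoresLmHash as True is one where the LM-response attack discussed in the thread still applies; raising LmCompatibilityLevel to at least 2 stops the LM response, and setting NoLMHash to 1 (followed by a password change) removes the stored LM hash.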