From: nobody (pentester@yahoo.com)
Date: Wed Feb 05 2003 - 18:00:28 EST
All,
recently installed Symantec A/V and looked at the
registry in my PC. XP sp1
clear text entries for an NT server and the share name
that it uses.
An entry for a “netscanpassword” that looks encrypted
?
20AA9E1606F91E64ABF97162783AE5E059E48797D7F
Questions ?
1. is this password encrypted via Windows ( lmhash
ntlm)
2. some crypt function (ala the UNIX world)
3. some other algorithms ? MD4 MD5 etc…
Can I cut and paste the above into John-the-ripper or
the crypt function ?
What I have in clear text is the NT machine, it's
share name and the NT account (user) that it uses.
All in the registry or event log.
It does "phone home" every week - but I have yet to
catch the packet traffic with Ethereal to see what
type of authentication it is doing.
Anyone else besides me think that this may present a
security exposure ( inside our network - of course) ?
It seems to me that placing this on every user’s
desktop is exposing the A/V server to more risk than
is required – if – the account and password (if it can
be cracked) can access the server in any manner not
expected by the installer.
Or - is this old news and already been spotted ?
__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:27 EDT