From: Anders Thulin (Anders.Thulin@kiconsulting.se)
Date: Tue Feb 25 2003 - 02:47:08 EST
wirepair wrote:
> while doing a pen-test I noticed after stealing launch.ica files from a
> users IE cache directory, they have a different ClearPassword= field.
You can also get at the .ica files by selecting application icons
from the nfuse application list and save them to a file. Bugtraq 3926
suggests a way to get at them.
> Domain=\25A43DEFACEDCODE (16 bytes, hash)
> ClearPassword=D4239AF390DB09 (16 bytes, hash..)
Never seen 16 bytes myself, only 14 hex digits, corresponding to 7 bytes
of data.
> This obviously is an issue, the ClearPassword worries me, unfortunately
> I'm not a cipher kid so I'm not exactly
> sure what type of hash this is, or how it was created.
The name 'ClearPassword' is probably kept for historical reasons, from
the time these used to be static passwords. These days, more secure practices
are followed: if you try 'Save As...' on applications icons, you'll see that
the ClearPassword changes quite frequently. It can, if I remember, even be
set up to be one-time use only. Probably a ticket ID.
You may be able to mount a password-guessing attack using the
account name 'test', but you probably have tried that already.
You may want to check error messages from entering very long usernames.
There used to be some oddities here, though I never checked them out
very closely.
-- Anders Thulin anders.thulin@kiconsulting.se 040-661 50 63 Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden ---------------------------------------------------------------------------- <Pre>Do you know the base address of the Global Offset Table (GOT) on a Solaris 8 box? CORE IMPACT does.</Pre> <A href="http://www.securityfocus.com/core"> http://www.securityfocus.com/core>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:29 EDT