Re: Windows XP salted hashed verification of domain passwords

From: Tim (tim-pentest@sentinelchicken.org)
Date: Mon Mar 05 2007 - 08:45:08 EST

• Next message: David Swafford: "Re: The legal / illegal line?"
• Previous message: Barry Fawthrop: "Re: The legal / illegal line?"
• In reply to: Matthew Webster: "Windows XP salted hashed verification of domain passwords"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hello Matt,

I've done some reading on these cached hashes recently as well, and I'm
still fuzzy on a few things. I'll provide answers as best I can.

> For domain accounts, the passwords are not kept on a system. The
> verification is salted and hashed with md4 twice. I am trying to assess
> the following risks. 1) What is the danger that that verification could
> be misused on another system? 2) From that salted, hashed verification,
> can the password be derived? How likely is this?

First off, have you found a good reference which details exactly how the
hashes are generated? You say hashed twice with md4... does that mean
the same data hashed twice, or hashed in two chunks (like LM hashes)? I
have yet to find a good reference (besides uncommented source code that
I have yet to pick through).

Well, MD4 is a very weak hash, and dictionary attacks will certainly
work if users pick any kind of predictable password. These would likely
be harder to crack than LM hashes, since they are salted and building a
rainbow table would be harder, but bad passwords are always pretty easy
to crack. I'd be very interested to know exactly how these are
salted...

> Also, how would one perform a pen test against those salted,
> hashed verifications? Lets assume in the registry no one was ignorant
> enough to put the registry key which provides the password.

Have you seen these references?

General description:
  http://www.irongeek.com/i.php?page=security/cachecrack

Look down the page for a cached password crack patch:
  http://www.openwall.com/john/

Another description and tool for grabbing cached passwords:
  http://www.gotroot.com/downloads/ftp/security/cain_and_abel/topics/mscache_hashes_dumper.htm

So there are obviously plenty of real-world tools out there. I have yet
to try them, so YMMV.

HTH,
tim

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

• Next message: David Swafford: "Re: The legal / illegal line?"
• Previous message: Barry Fawthrop: "Re: The legal / illegal line?"
• In reply to: Matthew Webster: "Windows XP salted hashed verification of domain passwords"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:38 EDT