RE: Windows XP salted hashed verification of domain passwords

From: Javier Jarava (jjarava@gmail.com)
Date: Thu Mar 08 2007 - 07:29:02 EST


 
Hi!!

A couple of pointers on the issue of *how* Windows stores passwords, how they
are "hashed", etc. that I believe might be interesting for this argument...

Security Management - October 2005
Frequently Asked Questions About Passwords
http://www.microsoft.com/technet/community/columns/secmgmt/sm1005.mspx

Interesting... And at the same time somewhat alarming, the mention of the
fact that it's not *that* important or relevant to crack the hashes to get
the original password, as there are tools that make use of the hashes
themselves..

And a 3-part article on the issue of passwords vs. pass phrases. Not
entirely related to the thread, but interesting read...

Security Management - October 2004
The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3
http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx

Security Management - November 2004
The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3
http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx

Security Management - December 2004
The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3
http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx

Just my 0.002

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Matthew Webster
Sent: Saturday, March 03, 2007 12:12 AM
To: pen-test
Subject: Windows XP salted hashed verification of domain passwords

Folks,

    For domain accounts, the passwords are not kept on a system. The
verification is salted and hashed with md4 twice. I am trying to assess
the following risks. 1) What is the danger that that verification could
be misused on another system? 2) From that salted, hashed verification,
can the password be derived? How likely is this?

     Also, how would one perform a pen test against those salted, hashed
verifications? Let's assume in the registry no one was ignorant enough
to put the registry key which provides the password.

Thanks,

Matt

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:38 EDT