RE : Lotus Notes .id file pw recover (Was Cached NT/W2k passwords)

From: Geoffroy Raimbault (graimbault@lynx-technologies.com)
Date: Fri Jun 11 2004 - 03:47:53 EDT


Try Id Password Recovery from Cqure.net

http://www.cqure.net/tools.jsp?id=4

"IPR is a tool for recovering passwords on Lotus Notes ID files. It
does this by guessing passwords you supply in a dictionary file. It
guesses approximately 400-500 passwords a second on a PIII 1Ghz. The
tool should be used by administrators for finding weak passwords in
user id files."

Geoffroy

-----Original Message-----
From: Romes, Randall J. [mailto:Rromes@larsonallen.com]
Sent: Thursday, June 10, 2004 13:43
To: pen-test@securityfocus.com
Subject: Lotus Notes .id file pw recover (Was Cached NT/W2k passwords)

Anyone familiar with a means of recovering/cracking the password for Lotus
Notes which resides in the .id file?

Anyone know how the password is encrypted/hashed?

Thanks
Randy

-----Original Message-----
From: Nicolas RUFF (lists) [mailto:ruff.lists@edelweb.fr]
Sent: Tuesday, May 25, 2004 10:17 AM
To: pen-test
Subject: Re: Cached NT/W2k passwords

> Has anyone been able to decrypt the hash password from
> the cached login on NT or W2K ?
> Where is it located ? In the registry ? If so what's
> the key....
> I've been looking around the only thing I can find is
> how to disable this feature :(

        Hi,

If you're talking about the CachedLogonsCount registry key, there was a
thread 2 weeks ago on FOCUS-MS :

http://www.securityfocus.com/archive/88/362946/2004-05-21/2004-05-27/0

Basically, storage is either in LSA Secrets or NL$ registry keys (depending
on Windows version), and there is no publicly available tool to decrypt the
hash. The stored value is a salted hash : NTLM( username + NTLM(password)).
This is hard to crack by brute-force if password > 6 chars.

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
-----------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:56 EDT