From: Dufresne, Pierre (PIERRE.DUFRESNE@MESS.GOUV.QC.CA)
Date: Tue Sep 27 2005 - 14:57:33 EDT
I hope everybody following this thread is aware that whether any version of
a cracking tool can crack or not non-printable characters is irrelevant. If
it can't, the authors could probably patch their tool very fast.
As someone mentioned earlier, the game is now: how do you protect the hashes
when a computer is lost or stolen?
I work in a Windows environment. The only immediate measure I can think of
is the use of SYSKEY with a password prompt.
Could anyone provide me with other simple solution? Thanks
Note to moderator: may be it would be better to start a new thread with a
subject like "hashes protection in Windows"
Thanks
Pierre
>Hi Dave,
>
>Lepton's Crack can, for sure. I dunno if the version with non-printable
>characters is 20040914 or 20040916 (the later is not online, I'm afraid, I
>have it on a CD somewhere).
>Just had a look at the CHANGES file:>
>
> 20040914/
> - Added support for any ASCII character (ie. also non-printable) in
> the charset and regex definition, via \0(octal), \x(hex),
>\(decimal)
>
>Do a Google search for
>
> password cracker "non printable" characters
>
>And have fun collating the results.
>Cheers,
>
>Miguel
>
>
>-----Original Message-----
>From: dave kleiman [mailto:dave@isecureu.com]
>Sent: 26 September 2005 15:00
>To: 'Miguel Dilaj'
>Cc: pen-test@securityfocus.com
>.Subject: RE: Password "security" - was"Passwords with Lan Manager (LM)
under
>Windows" and "Whitespace in passwords"
>
>
>>
>> Regarding "Whitespace in passwords", and as some people already
>> mentioned, modern password cracking software (both commercial and
>> free) can find non-printable chars, so space or ALT-whatever are going
>> to be found anyway. Rainbow tables now tend to include space, but I
>> still haven't heard of anyone producing a table for 0x00-0xff
>> (0x0000-0xffff if you use extended unicode chars ;-)
>> Applications CAN be broken by using strange characters, so YMMV.
>>
>
>
>Can you provide a list of those that have that ability, I will gladly test
>them.
>
>The most popular ones cannot i.e. L0pht, Cain etc. See:
>http://www.securityfocus.com/archive/88/312263
>
>
>Dave
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:00 EDT