Re: Symantec A/V - netscan password in registry

From: miguel.dilaj@pharma.novartis.com
Date: Thu Feb 06 2003 - 10:40:08 EST


Hi nobody

It's not standard MD2, MD4 or MD5, because this hash is longer than those
standards.
It's not NT, because NTLM is just MD4/Unicode, so still this hash is too
long, and If I remember correctly, old LM hashes are the same lenght as
NTLM.
It's not SHA-1 or RIPEMD-160, again those are shorter than your example.
It's definitely not Blowfish MD5, used today by Linux, and doesn't look
like the good old crypt(3).
(It's not even the Lotus Domino R4 hash, but I'll never expect that!)

In my humble opinion, it's some kind of hash, but the algorithm used
simply beats me, sorry.

I can confirm that it's not an algorithm supported by our tool "Lepton's
Crack", and I've never seen something similar in John The Ripper, but it
have been some time since I used it...

So far I think that's the same or less level of exposure of other
encrypted passwords in the system. I'm not personally aware of any
exploitable situation with the antivirus in the server.

Silly question: Have you tried THAT as the password???

Kind regards,

Miguel Dilaj
aka Nekromancer

nobody <pentester@yahoo.com>
05/02/2003 23:00

 
        To: pentest_list <pen-test@securityfocus.com>
        cc:
        Subject: Symantec A/V - netscan password in registry

All,

recently installed Symantec A/V and looked at the
registry in my PC. XP sp1

clear text entries for an NT server and the share name
that it uses.

An entry for a "netscanpassword" that looks encrypted
?

20AA9E1606F91E64ABF97162783AE5E059E48797D7F

Questions ?
1. is this password encrypted via Windows ( lmhash
ntlm)
2. some crypt function (ala the UNIX world)
3. some other algorithms ? MD4 MD5 etc?

Can I cut and paste the above into John-the-ripper or
the crypt function ?

What I have in clear text is the NT machine, it's
share name and the NT account (user) that it uses.
All in the registry or event log.

It does "phone home" every week - but I have yet to
catch the packet traffic with Ethereal to see what
type of authentication it is doing.

Anyone else besides me think that this may present a
security exposure ( inside our network - of course) ?

It seems to me that placing this on every user's
desktop is exposing the A/V server to more risk than
is required ? if ? the account and password (if it can
be cracked) can access the server in any manner not
expected by the installer.

Or - is this old news and already been spotted ?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:27 EDT