Re: Brute-forcing cached Windows login password hashes

From: Carl Livitt (carllivitt@yahoo.com)
Date: Thu Jul 26 2007 - 10:39:00 EDT


The hash algorithm is a salted MD4. It's impossible (ok, to be pedantic
it's mathematically infeasible) to use rainbow tables because of the
salting, so that leaves you with dictionary and brute-force.

The latest version of John and the MS Cache Hash patches are all
available from http://openwall.com/john/. I believe v1.7.2 is the latest
version.

Regards,
Carl

Ben Greenberg wrote:
> Greetings all,
>
> My question is regarding the encrypted password hashes that Windows stores in
> the registry of the last 10 logins to a workstation.
>
> I read the original white paper written by Arnaud Pilon and I've used his
> cachedump tool to extract the password hashes from the registry. What I'm
> wondering is what type of hash those passwords use. Is it straight MD4? I
> know that each hash is salted with a machine-specific unique string. What I
> am unclear on is what exactly the password hash is and how it can be
> brute-forced. I know that there is a patch for John the Ripper, but every
> mention I can find refers to a two year old version of John. Does anyone know
> if the most recent version has this patch in it already? Also, is anyone
> familiar with any rainbow tables for cracking these passwords? Are rainbow
> tables possible for these hashes because of the salting?
>
> Thanks all.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
>

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:58 EDT