Re: Brute-forcing cached Windows login password hashes

From: Mathieu CHATEAU (gollum123@free.fr)
Date: Fri Jul 27 2007 - 02:13:49 EDT


this works if you have the mscache rainbow table that match the login you
want to break...

Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

----- Original Message -----
From: "Carl Livitt" <carllivitt@yahoo.com>
To: "Ben Greenberg" <Ben.Greenberg@senet-int.com>;
<pen-test@securityfocus.com>
Sent: Thursday, July 26, 2007 4:39 PM
Subject: Re: Brute-forcing cached Windows login password hashes

>
> The hash algorithm is a salted MD4. It's impossible (ok, to be pedantic
> it's mathematically infeasible) to use rainbow tables because of the
> salting, so that leaves you with dictionary and brute-force.
>
> The latest version of John and the MS Cache Hash patches are all
> available from http://openwall.com/john/. I believe v1.7.2 is the latest
> version.
>
> Regards,
> Carl
>
>
> Ben Greenberg wrote:
>> Greetings all,
>>
>> My question is regarding the encrypted password hashes that Windows
>> stores in
>> the registry of the last 10 logins to a workstation.
>>
>> I read the original white paper written by Arnaud Pilon and I've used his
>> cachedump tool to extract the password hashes from the registry. What I'm
>> wondering is what type of hash those passwords use. Is it straight MD4? I
>> know that each hash is salted with a machine-specific unique string. What
>> I
>> am unclear on is what exactly the password hash is and how it can be
>> brute-forced. I know that there is a patch for John the Ripper, but every
>> mention I can find refers to a two year old version of John. Does anyone
>> know
>> if the most recent version has this patch in it already? Also, is anyone
>> familiar with any rainbow tables for cracking these passwords? Are
>> rainbow
>> tables possible for these hashes because of the salting?
>>
>> Thanks all.
>>
>> ------------------------------------------------------------------------
>> This list is sponsored by: Cenzic
>>
>> Need to secure your web apps NOW?
>> Cenzic finds more, "real" vulnerabilities fast.
>> Click to try it, buy it or download a solution FREE today!
>>
>> http://www.cenzic.com/downloads
>> ------------------------------------------------------------------------
>>
>>
>>
>
>
>
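To make concrete what the two replies above are saying about the salt, here is a small added example (my own illustration, not code from this thread, from John the Ripper or from Arnaud Pilon's cachedump). It derives a pre-Vista MS Cache v1 entry the way Windows does: the NT hash (MD4 of the UTF-16LE password) is hashed again with MD4 together with the lower-cased user name. The user name is the salt, which is why one generic table cannot cover every account but a table built for a given login can. MD4 is implemented in pure Python because hashlib's md4 sits in OpenSSL's legacy provider and is often not loadable; the sample word list is constructed for the demonstration, and .lower() stands in for Windows' own case folding, which only matters for non-ASCII names.

```python
# Added example: how a Windows MS Cache v1 (DCC1) entry is derived.
# Not from the thread and not John the Ripper's code.
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data):
    """Pure-Python MD4 (RFC 1320); avoids relying on OpenSSL's legacy md4."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for fn, add, order, shifts in rounds:
            for i, k in enumerate(order):
                ai = (-i) % 4            # register updated this step: a, d, c, b, a, ...
                bi, ci, di = (ai + 1) % 4, (ai + 2) % 4, (ai + 3) % 4
                v[ai] = _rotl((v[ai] + fn(v[bi], v[ci], v[di]) + x[k] + add) & MASK32,
                              shifts[i % 4])
        a, b, c, d = ((a + v[0]) & MASK32, (b + v[1]) & MASK32,
                      (c + v[2]) & MASK32, (d + v[3]) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16le"))


def dcc1(username, password):
    """MS Cache v1 entry: MD4(NT hash || UTF-16LE(lower-cased user name)), hex."""
    salt = username.lower().encode("utf-16le")
    return md4(nt_hash(password) + salt).hex()


def build_table(username, wordlist):
    """Per-account lookup table: cached-credential hex -> candidate password.
    Because the user name is folded into the hash, a table is only valid
    for the login it was built for."""
    return {dcc1(username, w): w for w in wordlist}


def lookup(table, digest_hex):
    return table.get(digest_hex.lower())


# Constructed sample data for the demonstration (not real credentials).
SAMPLE_WORDS = ["test1", "summer2007", "P@ssw0rd"]

if __name__ == "__main__":
    table_for_bob = build_table("bob", SAMPLE_WORDS)
    bob_entry = dcc1("Bob", "summer2007")      # user name case does not matter
    alice_entry = dcc1("alice", "summer2007")  # same password, different salt
    print("bob  :", lookup(table_for_bob, bob_entry))     # found
    print("alice:", lookup(table_for_bob, alice_entry))   # None: wrong login
```

The last two lines are the whole point of the thread: a table built for "bob" resolves bob's entry but says nothing about alice's identical password. Two defensive notes follow from the same construction. First, the number of entries Windows keeps is the CachedLogonsCount value under the Winlogon registry key (default 10), and lowering it on machines that never need offline logon shrinks what an attacker with registry access can recover. Second, Vista replaced this format with MS Cache v2, which runs the v1 result through PBKDF2-HMAC-SHA1 with 10240 iterations, so on those systems precomputed tables stop being practical and only per-entry guessing remains.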




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:58 EDT