Re: Whitespace in passwords

From: Steve.Cummings@barclayscapital.com
Date: Tue Sep 20 2005 - 12:45:34 EDT


It wasn't a space character rather a whitespace genereated via alt 255things like john and lopht just can decipher it as it is not in the vocabularily
 

-----Original Message-----
From: Tim <pand0ra.usa@gmail.com>
To: pen-test@securityfocus.com <pen-test@securityfocus.com>
Sent: Tue Sep 20 05:54:18 2005
Subject: Re: Whitespace in passwords

A-z, 0-9 and all special characters is about 44GB and those go only to
7 characters for LanMan (why bother doing more the 7 characters on
LanMan?). I agree, you need to protect the hashes, but they are the
last line of defense and must hold out over time. Not all of the
rainbow tables have been generated either (yet). Though the point I am
trying to make is that the longer the passphrase the more difficult it
will be to recover, and yes the rainbow tables, when completed, will
make passwords/phrases obsolete.

I have generated the old LanMan hashes and it took 3 GB and a week on
4 machines to create only doing 0-9 & a-z. I am currently downloading
the Shmoo lm_alpha-numeric-symbol32-space which is 44GB, this is
LanMan. Though I did mention in my first post that LanMan is bad and
should be disabled. Rainbowcrack does have some of the tables done for
NTLM but still many are needed because it takes lots of time to
generate (and the LanMan hashes are not completed yet). I am not
saying that a all lowercase 14 char passphrase are secure or that they
should not adhere to company policy, but they are significantly more
secure then a 8 char password.

Even with rainbowcrack the longer the passphrase the more time and
resources are required to generate those tables.

Personally, I don't think that adding some odd character into your
password is going to protect it from being recovered (like a space
which was the topic of the thread). I am interested in the RSA keypair
that you mention.

On 9/19/05, Craig Wright <cwright@bdosyd.com.au> wrote:
> Hi
>
> I assume you have not checked the latest stats (www.rainbowcrack.com) -
> "take more time then I have on this planet" - I am sorry - what cancer?
> I had cancer years ago - it is a bugger.
>
> Have a look at the progress tables
> http://www.rainbowcrack.com/rainbowtables.php?PHPSESSID=96d8bbd546409f98
> a6ec9f648da70372
>
> There is NTLM and not just lanman - even on the areas not completely
> cracked - expect this to be a matter of weeks or months to complete and
> even with an incomplete table there is even with "alpha numeric symbol
> 14" sets a 80+% crack rate.
>
> Further "alpha numeric symbol 5" does not mean the length is 5 chars -
> it is still 14 chars in length. It refers to the symbol set not the
> length just as "alpha numeric symbol 14" again refers to the symbol set
> used. (PS the complete lanman "alpha numeric symbol 14" is available for
> purchase from the researcher on a set of DVD's now and 100% complete -
> just wait for the post). Crack one table and get 1 weeks access (or
> there about)
>
> My last review of a large US corporate netted me 90% of passphares (up
> to 14 chars) in 30 minutes for 1800 of the 2000 captured users. This
> included several domain and enterprise admins. This was using NTLMv2.
>
> Ipsec tunnels and kerberos give about zero (apart from some ignorantly
> blank ones on a group policy with 8 char min) and just over zero
> respectively.
>
> 90 days - if I have 90 days and a 256 char "pass phrase" policy I will
> have your complete list of pass phrases if I can get the hash. The issue
> should be protecting access to getting the hash
>
> The Rainbow crack default tables are up to 14 chars. Any password of up
> to 14 chars (with the correct tables)
>
> In the old days we tried to protect the /etc/shadow files etc. The same
> applies today - stop access to the source and you will stop anyone
> cracking them
>
> "Any password that is under 10 characters is EASILY recoverable" - make
> that Any password that is under 15 characters is EASILY recoverable (in
> seconds), Any password that is under 32 characters is moderately
> recoverable, Any password that is under 128 characters is difficult but
> still recoverable in 90 days
>
> Any password that is between 129 and 256 chars (on systems which support
> this) are very difficult - but wait....
> http://www.ietf.org/rfc/rfc2104.txt
>
> We can still try to negotiate NTLMv2 to force short ie "data_len = 8
> bytes" ie (and cut and pasted from the NTLMv2 negotiations -
> "The 16-byte NTLM hash is null-padded to 21 bytes.
> This value is split into three 7-byte thirds"
>
> Can we look at 3 separate MD5 "thirds" - well yes, the MD5 tables just
> happen to be available as well. Yes this makes life a little harder -
> like trying to crack 3 pass phrases - but do-able
>
> Craig
>
> PS
> Even NTLM v2 does not salt - this makes life very easy for an attacker
>
> -----Original Message-----
> From: Tim [mailto:pand0ra.usa@gmail.com]
> Sent: 20 September 2005 5:10
> To: pen-test@securityfocus.com
> Subject: Re: Whitespace in passwords
>
> Ok, we are now onto Rainbow tables. Sure, they can recover passwords
> very quickly BUT they too have a limitation. Currently the Shmoo tables
> are focused on LanMan challenge/responses which we all know are WEAK (in
> soo many meanings of the word). Rainbow tables take quite a bit of time
> to generate and to go through all of the possible combinations for a
> table that is ALL LOWERCASE and 14 characters long regardless of the
> algo would take more time then I have on this planet (possibly more time
> that all of us combined).
>
> I am soo sorry for using LanMan as an example in my earlier post.
> LanMan only goes to 7 characters as that is the foundation of one of
> it's biggest flaws. Also, keep in mind that there are not too many
> programs that accept Alt-ASCII characters so that may not be acceptable.
> Bryan Allott posted earlier the biggest point --> passPHRASES <-- Go
> back to my earlier post with the math (ignore that I used LanMan as an
> example).
>
> The longer the passPHRASE it becomes exponentally more difficult to
> recover he passPHRASE. Any password that is under 10 characters is
> EASILY recoverable within the typical 90 day expiration time. That is
> why pushing the users to create easily remembered passPHRASES is much
> more effective then some sort of goobly gook that they will have a hard
> time remembering and end up writing down in a post-it note stuck to
> their monitor. One stupid character (regardless of what it is) will NOT
> make a significant difference. Do not assume that by throwing in a
> Alt-182 character will make your password 'unbreakable'.
>
> ------------------------------------------------------------------------
> ------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on
> your website. Up to 75% of cyber attacks are launched on shopping carts,
> forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
> servers are futile against web application hacking. Check your website
> for vulnerabilities to SQL injection, Cross site scripting and other web
> attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ------------------------------------------------------------------------
> -------
>
>

-- 
Tim Van Cleave, CISSP, NSA IAM, CXE
AIM - pand0rausa
MSN - m0rt15
Yahoo - pand0ra_usa
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
------------------------------------------------------------------------
For more information about Barclays Capital, please
visit our web site at http://www.barcap.com.
Internet communications are not secure and therefore the Barclays 
Group does not accept legal responsibility for the contents of this 
message.  Although the Barclays Group operates anti-virus programmes, 
it does not accept responsibility for any damage whatsoever that is 
caused by viruses being passed.  Any views or opinions presented are 
solely those of the author and do not necessarily represent those of the 
Barclays Group.  Replies to this email may be monitored by the Barclays 
Group for operational or business reasons.
------------------------------------------------------------------------
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:57 EDT