From: philippe.nospam.oechslin@objectif-securite.nospam.ch
Date: Fri Sep 23 2005 - 02:48:14 EDT
The characterset used for LanMan passwords is the OEM character set used in original IBM PCs.
The reference to 142 characters probably refers to the number of chars that you could type on a standard keyboard.
In recent Window OSs there is no limitation about the character set. You can use any 8bit character that you are able to type in a text box or on a command line.
A quick test on my XP system show that characters above 127 can be used in "net user /add" command. Strangely enough some groups of them generate the same LMHash while generating different NThashes:
128,135
129,154
130,144
131,133,160
132,142
134,143
136,137,138
139,140,141,161
145,146
147,149,162
148,153
150,151,163
152,255
164,165
228,229
232,237
which yields 106 different character above 127.
from the lower 128 chars, tab, space and delete are not easy not enter in an input field.
This leaves us with a total of 231 working characters...
cheers,
Philippe
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:59 EDT