#1
If a user can see any NT Hash, he has your password
I don't know how IIS shared hosting works, but I just wanted to let you know that if a Vortech user can see the NT Hash of passwords stored on a win2k box, he can get all the passwords in no time. A recent discovery has shown that M$'s way of encoding passwords is very weak...
On unix, you can also see the password and try to crack it, but it takes time if the password is well chosen.
Last edited by somereseller : 07-23-2003 at 07:21 AM.
#2
That's really nothing recent actually; if NT is using LanMan compatibility mode (basically to enable Win95 and Win98 computers to connect to it) then the hash is quite vulnerable, however it is significantly stronger if LM is not on.
Given the hash of any password you can brute force it given time. I understand LASEC are reporting they have some new fantastic tool that can do it in considerably less time, but as yet I've not seen any solid proof that it's capable of doing what it reports in any less time than a full brute-force attack on a complex password would take.
#3
Weakness in Lanman is nothing new, but M$ has put NT Hash in place, as a replacement. It now appears that it was just a lure, not really any better.
You can submit your hash to the lab and they will indicate in how much time it was cracked. It usually takes seconds. Compare that to a brute force attack on a unix password....
#4
NT Hash isn't new either really, been in place for probably 4+ years.
Your post reminded me to check their site out; looks like most of the results on the page are "not found" to me and it won't let me submit something of my own, so I'll remain unconvinced for now ... I actually find it hard to believe that with so many people working on cryptography (and many of them are virtual mathematical geniuses) that new applications of the particular technique they claim to be using haven't been found or published long before now.
#5
What error did you get when trying to submit your own?
About the "not found" errors: "The most likely reason for not finding a half of a password is that it contains a character which is neither a letter nor a digit". That means that if hosted win users were allowed to insert special characters, they could be safe for a while, but I think Hsphere does not allow that. Mathematical geniuses don't care about M$ passwords. But then students love to crack M$ software.
Last edited by somereseller : 07-23-2003 at 08:37 AM.
#6
I got "too many entries in the Q" when trying to submit.
It's not about cracking Microsoft passwords; it's common knowledge exactly what algorithms they use etc. It has more to do with the algorithm being used to process "apparently" so many hashes at once, which is something cryptologists are always working on. How or what the theories are applied to is pretty much irrelevant to them. Any password worth its salt (hehe, excuse the pun) will always have special characters in it. Yeah, H-Sphere for some unknown reason doesn't allow specials; I'm sure psoft has a valid reason for it, though I can't think of one.
#7
Well, they have a new technique in place that apparently works very well (Rainbow tables).
One of the reasons Psoft does that is that they can't find a way to store those characters in a neutral way. Some browsers convert those characters before sending them in a form and I guess they don't want to trap all those exceptions... But I've done some research and Hsphere allows this: a-z A-Z 0-9 _ = ! . So I guess it's time to change all those weak passwords....
#8
Yeah, but when browsers convert them they convert them to ASCII codes basically, so if the server can interpret them then so can H-Sphere. I'm thinking perhaps the big problem is probably users with funny LCIDs and non-"western" character sets perhaps.
Interesting they support a couple of specials anyway I guess.
#9
But if you read their page carefully, you'll notice that they have another script that accepts 16 special characters. It just takes a bit more time... over a minute instead of 5 secs ;P
I wouldn't be surprised to see tons of compromised boxes appear all over the planet in no time... unless those hash maps can be hidden in some safe place (I don't know much about IIS hosting, I simply don't trust it)?
EDIT: You=we, I should have mentioned it earlier.
Last edited by somereseller : 07-23-2003 at 10:39 AM.
#10
There's only three ways to retrieve the hash really anyway: one is by extracting it from the registry, so you need to already have access to the machine; the second is by packet sniffing within the same network; and the third is by taking it from a SAM file. All three methods need virtually physical access to the machine in question, so I don't think there will be any big rush on NT Hash exploits.
#11
Yeah, I've read some stuff about all this and found out that there are ways to administrate a win box that can keep it safe from those hash extractors.
Why would one need physical access to extract the registry or sniff the network? This can easily be done (at least the sniffing part) by just having an account, no?
#12
As for sniffing, you have to be able to place a sniffer on the same LAN segment, which would normally mean you're in the same office/building/location as the machine, so again you might as well just go straight to the machine.
#13
Isn't it possible to just upload a sniffer on one of the NT machines?
It would be useless if the sniffer needs admin rights or needs to access the NIC in promiscuous mode I guess.
#14
If you were going to those lengths then you'd probably just try uploading a keylogger instead.
Most sniffers require the NIC in promiscuous mode afaik.
#15
Indeed, seems easier to trojan an admin that uses IE to get all his passes than to go to great lengths to sniff an entire network =)