Waraxe IT Security Portal
Login or Register
November 17, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 69
Members: 0
Total: 69
Full disclosure
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> All other hashes -> help w/ hash. Goto page 1, 2Next
Post new topicReply to topic View previous topic :: View next topic
help w/ hash.
PostPosted: Fri Apr 04, 2008 6:55 pm Reply with quote
willvic
Regular user
Regular user
Joined: Apr 04, 2008
Posts: 14




admittedly new to this, got a few so far, can't get this one.

pandenclv:"":"":AAD3B435B51404EEAAD3B435B51404EE:4355D77672F12CAB3962DBC21A44479A
View user's profile Send private message
Re: help w/ hash.
PostPosted: Fri Apr 04, 2008 9:55 pm Reply with quote
ToXiC
Moderator
Moderator
Joined: Dec 01, 2004
Posts: 181
Location: Cyprus




willvic wrote:
admittedly new to this, got a few so far, can't get this one.

pandenclv:"":"":AAD3B435B51404EEAAD3B435B51404EE:4355D77672F12CAB3962DBC21A44479A


if you want to reverse that hash you probably need to provide some more information regarding where you found it etc. so that those who are willing to help you will try to find the algorithm that is used to produce that hash .

_________________
who|grep -i blonde|talk; cd~;wine;talk;touch;unzip;touch; strip;gasp;finger;gasp;mount; fsck; more; yes; gasp; umount; make clean; sleep;wakeup;goto http://www.md5this.com
View user's profile Send private message Visit poster's website MSN Messenger
PostPosted: Sat Apr 05, 2008 3:04 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Seems to be NTLM hash. I tried bruteforce and wordlists and got no success though ...
View user's profile Send private message Send e-mail Visit poster's website
It's NTLM
PostPosted: Mon Apr 07, 2008 12:53 pm Reply with quote
willvic
Regular user
Regular user
Joined: Apr 04, 2008
Posts: 14




Yes, it's NTLM out of a dump from AD.
I tried to brute force it as well but I couldn't get it. I'm not sure, maybe it's longer of a pw than I thought.

I have a followup question on this, maybe someone can let me know..

If I set the user account w/ this password in AD to reversible encryption.. will that change the pw immediately (or at least on next logon) or will the pw have to change, for it to be stored reversible.
If stored reversible, how easy is it to crack then?

My thought was set to reversible, wait a week.. dump it.. and set it to non-reversible.
View user's profile Send private message
haven't tried yet...
PostPosted: Tue Apr 08, 2008 8:11 pm Reply with quote
willvic
Regular user
Regular user
Joined: Apr 04, 2008
Posts: 14




Seems I can't find much documentation on the "store as reversible" field.
Microsoft doesn't document when the change is made... I've searched everywhere I can think of though.
Anyone tried it ever?
View user's profile Send private message
PostPosted: Wed Apr 09, 2008 12:28 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




I don't have experience with this specific feature. But there is some information available:

http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch02.mspx

Quote:

Store password using reversible encryption for all users in the domain
This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption; it provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords. For this reason, this policy setting should never be enabled unless application requirements outweigh the need to protect password information. The default value for this policy setting is Disabled.

This policy setting must be enabled when using the Challenge-Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Service (IAS). It is also required when using Digest Authentication in Microsoft Internet Information Services (IIS).

Ensure that the Store password using reversible encryption for all users in the domain setting is configured to Disabled, which is how it is configured in the Default Domain GPO of Windows Server 2003 and in the local security policy for workstations and servers. This policy setting is also Disabled in the two environments that are defined in this guide.


If currently passowords are hashed via one-way algo, then of course you can't expect to get original plaintext passwords, unless they are really weak. About "reversible" algo in AD ... "Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords" ... seems like some form of encoding. You must search for more information or test on local system.

This is interesting forum thread:

http://www.petri.co.il/forums/showthread.php?t=1797&highlight=%27Store+Password+using+Reversible+Encryption

Quote:

I have turned the google upside down (I guess you have already done that) and came up with nothing, but I did find some references to the need to enable rev. enc. when synchronizing passwords across directories via some metadirectory applications (e.g. DirSync). So despite not being able to find any proof of concept, I think it would be a rather educated speculation to assume that products that are capable of performing password synchronization across directories do accomodate the logic for deciphering the passwords stored with rev. enc.

The other way to look at it, would be the fact that if you have a very strict password policy (let's say you require 16 chars-long passwords or passphrases and are enforcing password complexity), you might end up (assuming you have been able to obtain offline copy of the DIT) with LC running for ages.
Having the passwords in reversible form would require a very simple (linear ?) deciphering algorithm.

Actually, I think it would not require very much effort to disassemble the algorithm used to create reversible hashes by setting up your own AD and debugging the OS when setting someone's password while rev. enc. is enabled. Personally have never done that, but I do not see any obstacles that could get in the way of a good programmer.

Good topic ! I'd be glad to hear what others have to say about it.



So seems like this algorithm is one the many Microsoft's "secrets" ...
View user's profile Send private message Send e-mail Visit poster's website
Very interesting.. thanks
PostPosted: Wed Apr 09, 2008 12:54 pm Reply with quote
willvic
Regular user
Regular user
Joined: Apr 04, 2008
Posts: 14




It seems like it's a possibility. Just not sure.
I went ahead and set the account to reversible. I'm going to dump the AD out tomorrow, and see if C&A can figure anything out..
For whatever reason the LM hash showed as empty.
Not sure why that would be. You'd think it would store the LM hash. Is there a way to force it to store the LM hash? That's an easier crack.
Or did I just get a weird dump the first time that stored the LM as empty?
View user's profile Send private message
PostPosted: Wed Apr 09, 2008 1:32 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Empty LM hash is normal phenomena:

http://support.microsoft.com/kb/299656

Most of the NT-based computers are using only NTLM hashes in year 2008, because LM is really weak - with help of rainbow tables even most complicated passwords can be revealed within reasonable timeframe.
View user's profile Send private message Send e-mail Visit poster's website
Not so much a bump, as a new idea...
PostPosted: Thu May 01, 2008 7:19 pm Reply with quote
willvic
Regular user
Regular user
Joined: Apr 04, 2008
Posts: 14




Ok I have a hard drive from the domain controller of the system I was working on, installed into a separate piece of hardware....
So I have this "clone" of the DC, totally outside the network, offline, with full access to the SAM, etc...

I was going to install Cain/Abel on the box, and run it against the password for the account in question...
Anything else that is more reliable or a better way to do it?
View user's profile Send private message
PostPosted: Thu May 01, 2008 8:23 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




I fail to see other possible ways to "recover" password, then NTLM hash fetching and then trying to crack it. And if original password was good enough, then you cannot reveal it. This is how cryptography works Wink
I can recommend NTLM rainbow tables or distributed cracking or even using GPU for faster cracking. But still - cracking can be successful only, if original password was weak. Because there is no known NTLM weaknesses for this day, which can let us somehow "bypass" one-way hashing.
View user's profile Send private message Send e-mail Visit poster's website
hmm
PostPosted: Thu May 01, 2008 8:26 pm Reply with quote
willvic
Regular user
Regular user
Joined: Apr 04, 2008
Posts: 14




cain/abel w/ the syskey won't work?
As I said, new to this, so I'm kind of grasping at straws...

I thought maybe if I can dump the sam, it would work.
View user's profile Send private message
PostPosted: Thu May 01, 2008 8:29 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




From first post it seems that you allready got NTLM hash, right? So please explain, what you want to do now?
View user's profile Send private message Send e-mail Visit poster's website
forgive my neophyte questions...
PostPosted: Thu May 01, 2008 8:35 pm Reply with quote
willvic
Regular user
Regular user
Joined: Apr 04, 2008
Posts: 14




I'll apologize now before I annoy the crap out of you... Appreciate the help.

Got winrtgen... generating tables for pw's of 7-15 characters... that will make 600mb of rainbow tables. I could then do a cryptoanalysis w/ cain, using those tables? That might work?

One thing I did do earlier was set to reversible...
Seems that the NT hash changed..

Well, using winrtgen now... actually up to 12 characters...
Got 22 days to try and figure this out...
View user's profile Send private message
PostPosted: Thu May 01, 2008 8:44 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




NTLM rainbow tables will need lots of Gigabytes HDD space and are useful only for shorter passwords.
Example:

http://www.freerainbowtables.com/rainbow_tables/ntlm.html

loweralpha-numeric [abcdefghijklmnopqrstuvwxyz0123456789]
length 1-8 chars
20 GB

loweralpha [abcdefghijklmnopqrstuvwxyz]
length 1-9 chars
32 GB

loweralpha-numeric [abcdefghijklmnopqrstuvwxyz0123456789]
length 1-9 chars
123 GB

And believe, it's more realistic to download them, then generate them Wink
View user's profile Send private message Send e-mail Visit poster's website
Re: forgive my neophyte questions...
PostPosted: Thu May 01, 2008 8:48 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




willvic wrote:


One thing I did do earlier was set to reversible...
Seems that the NT hash changed..



Hmm, so let me see ... someone (victim) had previously NTLM hashed password, then you changed password algorithm to reversible, right? And then what? Do this mean, that victim (or "target") was forced to change his password and this time it is stored as reversible? If so, then Cain is not the right tool, as far as i know. But i can be wrong ...
View user's profile Send private message Send e-mail Visit poster's website
help w/ hash.
www.waraxe.us Forum Index -> All other hashes
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 2
Goto page 1, 2Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.048 Seconds