IT Security and Insecurity Portal

help w/ hash.
Posted: Fri Apr 04, 2008 6:55 pm
willvic
Regular user
Joined: Apr 04, 2008
Posts: 14

Admittedly new to this, got a few so far, can't get this one.
pandenclv:"":"":AAD3B435B51404EEAAD3B435B51404EE:4355D77672F12CAB3962DBC21A44479A

Re: help w/ hash.
Posted: Fri Apr 04, 2008 9:55 pm
ToXiC
Moderator
Joined: Dec 01, 2004
Posts: 181
Location: Cyprus

willvic wrote:
    admittedly new to this, got a few so far, can't get this one.
    pandenclv:"":"":AAD3B435B51404EEAAD3B435B51404EE:4355D77672F12CAB3962DBC21A44479A

If you want to reverse that hash, you probably need to provide some more information regarding where you found it etc., so that those who are willing to help you will try to find the algorithm that is used to produce that hash.

_________________
who|grep -i blonde|talk; cd~;wine;talk;touch;unzip;touch; strip;gasp;finger;gasp;mount; fsck; more; yes; gasp; umount; make clean; sleep;wakeup;goto http://www.md5this.com

Posted: Sat Apr 05, 2008 3:04 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Seems to be an NTLM hash. I tried brute force and wordlists and got no success though ...

It's NTLM
Posted: Mon Apr 07, 2008 12:53 pm
willvic
Regular user
Joined: Apr 04, 2008
Posts: 14

Yes, it's NTLM out of a dump from AD.
I tried to brute force it as well but I couldn't get it. I'm not sure, maybe the pw is longer than I thought.
I have a followup question on this, maybe someone can let me know..
If I set the user account w/ this password in AD to reversible encryption.. will that change the pw immediately (or at least on next logon) or will the pw have to change for it to be stored reversible?
If stored reversible, how easy is it to crack then?
My thought was set to reversible, wait a week.. dump it.. and set it to non-reversible.

haven't tried yet...
Posted: Tue Apr 08, 2008 8:11 pm
willvic
Regular user
Joined: Apr 04, 2008
Posts: 14

Seems I can't find much documentation on the "store as reversible" field.
Microsoft doesn't document when the change is made... I've searched everywhere I can think of though.
Anyone tried it ever?

Posted: Wed Apr 09, 2008 12:28 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

I don't have experience with this specific feature. But there is some information available:
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch02.mspx

Quote:
    Store password using reversible encryption for all users in the domain
    This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption; it provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords. For this reason, this policy setting should never be enabled unless application requirements outweigh the need to protect password information. The default value for this policy setting is Disabled.
    This policy setting must be enabled when using the Challenge-Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Service (IAS). It is also required when using Digest Authentication in Microsoft Internet Information Services (IIS).
    Ensure that the Store password using reversible encryption for all users in the domain setting is configured to Disabled, which is how it is configured in the Default Domain GPO of Windows Server 2003 and in the local security policy for workstations and servers. This policy setting is also Disabled in the two environments that are defined in this guide.

If currently passwords are hashed via a one-way algo, then of course you can't expect to get original plaintext passwords, unless they are really weak. About the "reversible" algo in AD ... "Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords" ... seems like some form of encoding. You must search for more information or test on a local system.
This is an interesting forum thread:
http://www.petri.co.il/forums/showthread.php?t=1797&highlight=%27Store+Password+using+Reversible+Encryption

Quote:
    I have turned the google upside down (I guess you have already done that) and came up with nothing, but I did find some references to the need to enable rev. enc. when synchronizing passwords across directories via some metadirectory applications (e.g. DirSync). So despite not being able to find any proof of concept, I think it would be a rather educated speculation to assume that products that are capable of performing password synchronization across directories do accommodate the logic for deciphering the passwords stored with rev. enc.
    The other way to look at it, would be the fact that if you have a very strict password policy (let's say you require 16 chars-long passwords or passphrases and are enforcing password complexity), you might end up (assuming you have been able to obtain offline copy of the DIT) with LC running for ages.
    Having the passwords in reversible form would require a very simple (linear ?) deciphering algorithm.
    Actually, I think it would not require very much effort to disassemble the algorithm used to create reversible hashes by setting up your own AD and debugging the OS when setting someone's password while rev. enc. is enabled. Personally have never done that, but I do not see any obstacles that could get in the way of a good programmer.
    Good topic ! I'd be glad to hear what others have to say about it.

So it seems like this algorithm is one of the many Microsoft "secrets" ...

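The quoted Microsoft text describes the domain-wide policy; the thread's own scenario is the per-account form of the same setting, which lives as the ENCRYPTED_TEXT_PWD_ALLOWED bit (0x0080) of the userAccountControl attribute. Because an account with that bit set has its password kept in a recoverable form from its next password change onward, it is a finding any domain audit should surface. The following is an added example written for this page, not code from the thread or from Microsoft: it decodes userAccountControl values from a constructed CSV export (the export layout is an assumption; the bit values are the documented Windows ones) and lists the accounts that still allow reversible storage.

```python
"""Audit a constructed AD user export for the per-account
"store password using reversible encryption" flag.

Assumption (not from the thread): accounts were exported as CSV with
sAMAccountName and userAccountControl columns, e.g. from an LDAP query.
"""
import csv
import io

# Documented userAccountControl bits used by this audit.
UF_ACCOUNTDISABLE = 0x0002
UF_ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # per-account reversible storage
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_ENCRYPTED_TEXT_PWD_ALLOWED: "ENCRYPTED_TEXT_PWD_ALLOWED",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
}

# Constructed sample export; the accounts and values are invented.
SAMPLE_EXPORT = """\
sAMAccountName,userAccountControl
alice,512
bob,640
svc_chap,66176
carol,514
dave,66048
"""


def decode_uac(value):
    """Return the names of the set bits, lowest bit first; unknown bits
    are reported as one UNKNOWN(0x...) entry so nothing is silently lost."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]
    unknown = value & ~sum(FLAG_NAMES)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:X})")
    return names


def parse_export(text):
    """Parse the CSV export into (account, userAccountControl) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["sAMAccountName"], int(r["userAccountControl"])) for r in rows]


def find_reversible_accounts(text):
    """List every account whose password may be stored reversibly.
    Each finding records whether the account is still enabled, since an
    enabled account will store its cleartext at its next password change."""
    findings = []
    for account, uac in parse_export(text):
        if uac & UF_ENCRYPTED_TEXT_PWD_ALLOWED:
            findings.append({
                "account": account,
                "enabled": not (uac & UF_ACCOUNTDISABLE),
                "flags": decode_uac(uac),
            })
    return findings


def report(text):
    """Human-readable summary of the reversible-storage findings."""
    lines = []
    for f in find_reversible_accounts(text):
        state = "enabled" if f["enabled"] else "disabled"
        lines.append(f"{f['account']} ({state}): {', '.join(f['flags'])}")
    return "\n".join(lines) if lines else "no accounts allow reversible storage"


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

Only the domain-wide GPO setting is covered by the Microsoft text quoted above; the per-account bit is set independently (for example by an application that needs CHAP or Digest), which is why an export-based check like this one is worth running even when the domain policy is Disabled.
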
Very interesting.. thanks
Posted: Wed Apr 09, 2008 12:54 pm
willvic
Regular user
Joined: Apr 04, 2008
Posts: 14

It seems like it's a possibility. Just not sure.
I went ahead and set the account to reversible. I'm going to dump the AD out tomorrow, and see if C&A can figure anything out..
For whatever reason the LM hash showed as empty.
Not sure why that would be. You'd think it would store the LM hash. Is there a way to force it to store the LM hash? That's an easier crack.
Or did I just get a weird dump the first time that stored the LM as empty?

Posted: Wed Apr 09, 2008 1:32 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

An empty LM hash is a normal phenomenon:
http://support.microsoft.com/kb/299656
Most NT-based computers are using only NTLM hashes in 2008, because LM is really weak - with the help of rainbow tables even the most complicated passwords can be revealed within a reasonable timeframe.

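The "empty" LM field in the first post is the fixed value AAD3B435B51404EEAAD3B435B51404EE, the LM hash of a blank string, which is what a dump shows when LM storage is disabled. Checking a dump for that marker is the usual way to confirm the NoLMHash hardening has actually taken effect on every account, and the same pass can catch accounts with a blank password, whose NT hash is the well-known constant 31D6CFE0D16AE931B73C59D7E0C089C0. The following parser and audit are an added example for this page, not a tool from the thread or from Cain & Abel: the sample dump is constructed (its first line is the one posted above, the other hashes are obviously fake placeholders), and the layout rule, a username followed by two 32-hex-digit fields in either the thread's user:"":"":LM:NT form or the classic user:RID:LM:NT::: form, is an assumption.

```python
"""Parse pwdump-style hash lines and flag the two storage weaknesses a
defender checks for after a dump: LM hashes still present, and blank
passwords.  Added example for this thread, not code from it."""
import re

# Hashes of the empty string.  The LM value appears in the thread; the NT
# value is the well-known MD4 of an empty UTF-16LE string.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed sample dump.  Line 1 is the thread's posted record; the
# 1111.../2222... hashes are placeholders, not real password hashes.
SAMPLE_DUMP = """\
pandenclv:"":"":AAD3B435B51404EEAAD3B435B51404EE:4355D77672F12CAB3962DBC21A44479A
legacyuser:1105:11111111111111111111111111111111:22222222222222222222222222222222:::
guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
this line is not a hash record
"""


def parse_line(line):
    """Return {'user', 'lm', 'nt'} for one dump line, or None when the
    line does not carry a username plus two 32-hex-digit hash fields.
    The RID or the thread's "" fields never match HEX32, so positional
    differences between dump tools do not matter."""
    fields = line.strip().split(":")
    if len(fields) < 3 or not fields[0]:
        return None
    hashes = [f.upper() for f in fields[1:] if HEX32.match(f)]
    if len(hashes) < 2:
        return None
    return {"user": fields[0], "lm": hashes[0], "nt": hashes[1]}


def findings_for(record):
    """Storage weaknesses for one parsed record (empty list means fine)."""
    found = []
    if record["lm"] != EMPTY_LM:
        found.append("LM_HASH_STORED")      # NoLMHash not effective here
    if record["nt"] == EMPTY_NT:
        found.append("EMPTY_PASSWORD")      # account has a blank password
    return found


def audit(dump_text):
    """Audit every non-blank line; returns (findings per user, skipped lines)."""
    results, skipped = {}, []
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped.append(line)
            continue
        results[rec["user"]] = findings_for(rec)
    return results, skipped


def summary(dump_text):
    """One line per account plus a count of lines that could not be parsed."""
    results, skipped = audit(dump_text)
    lines = []
    for user, flags in results.items():
        status = ", ".join(flags) if flags else "NT-only, non-empty (expected)"
        lines.append(f"{user}: {status}")
    lines.append(f"{len(skipped)} line(s) skipped as unparsable")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(SAMPLE_DUMP))
```

On the thread's own record the audit reports nothing: LM is the blank marker and NT is non-empty, which is exactly the state the KB article above describes as normal. Only LM_HASH_STORED findings indicate a host or account where the LM hash hardening has not been applied.
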
Not so much a bump, as a new idea...
Posted: Thu May 01, 2008 7:19 pm
willvic
Regular user
Joined: Apr 04, 2008
Posts: 14

Ok I have a hard drive from the domain controller of the system I was working on, installed into a separate piece of hardware....
So I have this "clone" of the DC, totally outside the network, offline, with full access to the SAM, etc...
I was going to install Cain/Abel on the box, and run it against the password for the account in question...
Anything else that is more reliable or a better way to do it?

Posted: Thu May 01, 2008 8:23 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

I fail to see other possible ways to "recover" the password than fetching the NTLM hash and then trying to crack it. And if the original password was good enough, then you cannot reveal it. This is how cryptography works.
I can recommend NTLM rainbow tables or distributed cracking or even using a GPU for faster cracking. But still - cracking can be successful only if the original password was weak. Because there are no known NTLM weaknesses to this day which can let us somehow "bypass" one-way hashing.

hmm
Posted: Thu May 01, 2008 8:26 pm
willvic
Regular user
Joined: Apr 04, 2008
Posts: 14

cain/abel w/ the syskey won't work?
As I said, new to this, so I'm kind of grasping at straws...
I thought maybe if I can dump the sam, it would work.

Posted: Thu May 01, 2008 8:29 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

From the first post it seems that you already got the NTLM hash, right? So please explain, what do you want to do now?

forgive my neophyte questions...
Posted: Thu May 01, 2008 8:35 pm
willvic
Regular user
Joined: Apr 04, 2008
Posts: 14

I'll apologize now before I annoy the crap out of you... Appreciate the help.
Got winrtgen... generating tables for pw's of 7-15 characters... that will make 600mb of rainbow tables. I could then do a cryptanalysis w/ cain, using those tables? That might work?
One thing I did do earlier was set to reversible...
Seems that the NT hash changed..
Well, using winrtgen now... actually up to 12 characters...
Got 22 days to try and figure this out...

Posted: Thu May 01, 2008 8:44 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

NTLM rainbow tables need lots of gigabytes of HDD space and are useful only for shorter passwords.
Example:
http://www.freerainbowtables.com/rainbow_tables/ntlm.html
    loweralpha-numeric [abcdefghijklmnopqrstuvwxyz0123456789], length 1-8 chars: 20 GB
    loweralpha [abcdefghijklmnopqrstuvwxyz], length 1-9 chars: 32 GB
    loweralpha-numeric [abcdefghijklmnopqrstuvwxyz0123456789], length 1-9 chars: 123 GB
And believe me, it's more realistic to download them than to generate them.

Re: forgive my neophyte questions...
Posted: Thu May 01, 2008 8:48 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

willvic wrote:
    One thing I did do earlier was set to reversible...
    Seems that the NT hash changed..

Hmm, so let me see ... someone (victim) previously had an NTLM hashed password, then you changed the password algorithm to reversible, right? And then what? Does this mean that the victim (or "target") was forced to change his password and this time it is stored as reversible? If so, then Cain is not the right tool, as far as I know. But I can be wrong ...
