Penetration Testing mailing list archives

Re: Windows XP / 2K3 Default Users

From: Peter Wood <peterw () firstbase co uk>
Date: Wed, 01 Nov 2006 09:05:48 +0000

At 17:27 31/10/2006 -0700, Thor wrote:
<snip>
>Maybe I'm just in a different environment, but when I see people report
>"routine" cracking SAM's, it really makes we wonder who the client-base is.
>I think the last time I was paid for any work with LM cracking was over 10
>years ago.  I've been turning off LM since Win2k came out, and have been
>telling people to use pass-phrases instead of passwords since Win2000
>allowed 126 character passcodes. Even something as simple as "my dog has
>fleas" couldn't be rainbow cracked with anything I've seen out there.  Of
>course, when you have a pass phrase like "OK, this is my passphrase--crack
>THIS 1 homeboy!" Then the whole thing goes out the window.
<snip>

Hi Thor

We are professional penetration testers based in the UK but workingworldwide, with large corporate clients (many international) in allindustry sectors. I conduct a large number of on-site penetrationtests every year. To date I have yet to find one client who hasconsistently implemented Windows passwords/phrases longer than 14characters and the vast majority have *no* passwords longer than 14.None of these clients have turned off LM compatibility in policyeither. I give regular talks at (non-hacker) conferences and findmost people have no idea about this issue, despite what you and Iboth know and have known since W2K came out.


best wishes
Pete

-----------------------------------------------------------------
Peter Wood FBCS CITP FIMIS MIEEE CISSP
Chief of Operations
First Base Technologies
tel: +44 1273 454525
mob: +44 7774 239915
www.fbtechies.co.uk
www.white-hats.co.uk


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

Current thread:

Re: Windows XP / 2K3 Default Users Lee Lawson (Nov 01)
- <Possible follow-ups>
- Re: Windows XP / 2K3 Default Users Peter Wood (Nov 01)
- Re: Windows XP / 2K3 Default Users jmk (Nov 01)
  - Re: Windows XP / 2K3 Default Users Ivan Arce (Nov 01)
    - Small hardware network sniffer - does it exist? Petr . Kazil (Nov 02)
    - RE: Small hardware network sniffer - does it exist? Marc (Nov 02)
    - Re: Small hardware network sniffer - does it exist? Matthew Leeds (Nov 02)
    - RE: Small hardware network sniffer - does it exist? Clemens, Dan (Nov 02)
    - Re: Small hardware network sniffer - does it exist? FocusHacks (Nov 02)
    - Re: Small hardware network sniffer - does it exist? Javier Reyna Padilla (Nov 04)
    - Re: Small hardware network sniffer - does it exist? - yup Alvin Oga (Nov 06)
    - RE: Small hardware network sniffer - does it exist? Isaac Van Name (Nov 06)

(Thread continues...)