Penetration Testing mailing list archives
Re: Windows XP / 2K3 Default Users
From: Ivan Arce <ivan.arce () coresecurity com>
Date: Wed, 01 Nov 2006 20:10:45 -0300
Hello

As a follow up to jmk's comment.

Cracking the 'passwords' has never been really necessary because you can simply reuse a captured hash for authenticated access. This technique was pioneered by Hernan Ochoa from Core Security Technologies (sorry for the self-promoting rant but I think he deserves proper credit) and later popularized in the Hacking Exposed book and training from Foundstone, who used Hernan's tool for the trick.

The gist of the 'technique' is the "Modifying Windows NT Logon Credential" paper available here:

http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1030

The rationale for this (instead of modifying SAMBA) was that by changing the credentials on an existing Windows system you could then just run the existing windows applications that use the hash currently set to authenticate to remote boxes.

The DCE/RPC & SMB components of the freely available Impacket python package already have support for using dumped hashes. The common use scenario is that you break into some Windows, dump the hashes from the SAM and then re-use those hashes to try to get authenticated access to other Windows boxes on the network.

Impacket is part of the CORE IMPACT tool ($$, commercial) where many MS-RPC exploits take advantage of this feature, this is relevant because many recent RPC-based vulnerabilities now require authenticated access to the endpoints for successful exploitation.

Perhaps more importantly, Impacket is also freely available under an Apache 1.1 license here:

http://oss.coresecurity.com/projects/impacket.html

-ivan

jmk wrote:
> On Tue, 2006-10-31 at 17:27 -0700, Thor (Hammer of God) wrote:
>
>> Maybe I'm just in a different environment, but when I see people report "routine" cracking SAMs, it really makes me wonder who the client-base is. I think the last time I was paid for any work with LM cracking was over 10 years ago. I've been turning off LM since Win2k came out, and have been telling people to use pass-phrases instead of passwords since Win2000 allowed 126 character passcodes. Even something as simple as "my dog has fleas" couldn't be rainbow cracked with anything I've seen out there. Of course, when you have a pass phrase like "OK, this is my passphrase--crack THIS 1 homeboy!" Then the whole thing goes out the window.
>>
>> That's what I was on about- while I think rainbow tables are neat, I've really not had much use for them given their size, having to have admin access to get the SAM anyway (for win machines) and how easy it is to thwart them. But that's just me ;)
>
> Unfortunately, it seems that the vast majority of clients I work with still have LM hashes enabled and usually some relatively weak passwords. John typically is able to crack the passwords quickly and, when it can't, Rainbow tables work. I'm hopeful that we're slowly getting them educated though.
>
> We did run into a situation recently where a compromised workstation contained an interesting account with only a NTLM hash. In order to use that hash against other hosts, I've modified Samba to simply pass it. Samba's "net" command can do lots of cool stuff, like add local user accounts. My updated patch is available, if anyone wants it:
>
> http://www.foofus.net/jmk/passhash.html
>
> Joe
--
--- "Buy the ticket, take the ride" -HST
Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
http://www.coresecurity.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
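The thread describes reusing dumped hashes to obtain authenticated access to other Windows hosts on the network. The defender's counterpart is spotting that reuse in the Security log: a local (non-domain) account authenticating over the network with NTLM to several machines from one source is rarely legitimate. The script below is an added illustration, not code from the thread, Impacket, or the Samba patch mentioned above. It assumes event records shaped like the fields of Windows Security event 4624 (Vista and later; XP/2003 used different event IDs), a constructed set of sample records, and a hypothetical AD domain name CORP.

```python
"""Flag NTLM network logons that use local accounts across several hosts.

Heuristic for detecting reuse of dumped hashes in Windows Security log
data. The records below are constructed sample data shaped like the
fields of Security event 4624; they are not real logs.
"""
from collections import defaultdict

# Constructed sample records (assumption: field names as in event 4624).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "TargetDomainName": "WKS-07",
     "IpAddress": "10.0.5.23", "Computer": "WKS-07.corp.example"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "TargetDomainName": "WKS-12",
     "IpAddress": "10.0.5.23", "Computer": "WKS-12.corp.example"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "TargetDomainName": "SRV-FILE1",
     "IpAddress": "10.0.5.23", "Computer": "SRV-FILE1.corp.example"},
    # Domain user over Kerberos: normal, must not be flagged.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "TargetDomainName": "CORP",
     "IpAddress": "10.0.5.41", "Computer": "SRV-FILE1.corp.example"},
    # Interactive console logon (type 2): not a network logon.
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "TargetDomainName": "WKS-03",
     "IpAddress": "127.0.0.1", "Computer": "WKS-03.corp.example"},
    # Null session noise that would otherwise dominate the output.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "IpAddress": "10.0.5.99", "Computer": "WKS-07.corp.example"},
]

DOMAIN_NAMES = {"CORP"}            # assumption: the environment's AD domain(s)
NOISE_ACCOUNTS = {"ANONYMOUS LOGON"}  # well-known null-session principal


def is_local_account(event, domains=DOMAIN_NAMES):
    """True when the account's domain field is the target host's own name.

    Local accounts are reported with the computer's NetBIOS name as their
    domain; domain accounts carry the AD domain name instead.
    """
    dom = event.get("TargetDomainName", "").upper()
    host = event.get("Computer", "").split(".")[0].upper()
    return dom not in {d.upper() for d in domains} and dom == host


def suspicious_ntlm_logons(events):
    """Return NTLM network logons (type 3) with local accounts, minus noise."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 3:
            continue
        if e.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue
        if e.get("TargetUserName") in NOISE_ACCOUNTS:
            continue
        if not is_local_account(e):
            continue
        hits.append(e)
    return hits


def lateral_spread(events, min_hosts=2):
    """Group suspicious logons by source IP; keep sources touching many hosts."""
    per_source = defaultdict(set)
    for e in suspicious_ntlm_logons(events):
        per_source[e["IpAddress"]].add(e["Computer"])
    return {ip: sorted(hosts) for ip, hosts in per_source.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for ip, hosts in lateral_spread(SAMPLE_EVENTS).items():
        print(f"{ip} -> NTLM local-account logons on {len(hosts)} hosts: "
              f"{', '.join(hosts)}")
```

On the sample data only the single source 10.0.5.23 is reported, with three distinct target hosts; the Kerberos logon, the console logon and the null session are dropped before grouping. The same grouping can be applied to real records once they are mapped to these field names, and the min_hosts threshold is the knob that trades false positives for sensitivity.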