[Dshield] Fun with passwords

Frank Knobbe frank at knobbe.us
Thu Jul 10 15:29:44 GMT 2008

On Tue, 2008-07-08 at 04:26 -0400, Chris Brenton wrote:
> Could also be an older hash system like DES or LanMan. BTW, most folks
> don't realize that the NoLMHash reg key still gets set to "0" by
> default. So if your users have a 14 character or less password a LanMan
> hash is getting created that is a whole lot easier to crack than its NT
> hash equivalent (not that an NT hash without salt is all that strong but
> it's at least better than LanMan).

I know this thread started around SSH passwords, but expanded along the
way. I don't believe that discussing the strength of hashes is of value
anymore when tools like pass-the-hash allow you access to machines
simply by knowing/using the hash, not the actual password (of course all
the recommendations to date, i.e. NTLMv2 only, still apply).

I wouldn't be surprised if over the course of the coming year(s) we
start to realize how broken the SMB protocol really is and start working
with or recommending alternative authentication mechanisms in the
Windows world. However, I'm not convinced that MS Kerberos will be the
answer as I fear that the MS version might contain flaws as well (ticket
replay attacks?).

I think it's high time to investigate alternative, third-party, strong
authentication solutions to replace the current, native ones.


PS: In a recent pentest, the client had a 50+ character NTLM-only
password for the renamed Domain Admin account, but we still compromised
the network and accessed all resources with Domain Admin rights. It
wasn't really the client's fault as they configured everything perfectly
(with one minor exception). I do believe that it was Microsoft's fault.

It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
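A defender's audit of the two LSA settings this exchange turns on, as an added example that is not part of the original post or thread: the NoLMHash value Chris mentions, and LmCompatibilityLevel, the setting behind the "NTLMv2 only" recommendation. Both registry value names are real Windows settings under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the function name and the sample hashtable are constructed for this example.

```powershell
# Added example (not from the original post): report whether a host still
# stores LanMan hashes and still accepts LM/NTLMv1 on the wire.
#   NoLMHash             1 = do not store an LM hash for passwords of <= 14 chars
#   LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM responses
# Either value may be absent on a default install, which is treated as "not set".

function Test-LsaNtlmHardening {
    param(
        # Pass a hashtable of values to evaluate offline; omit it to read HKLM.
        [hashtable]$Lsa = $null
    )
    if ($null -eq $Lsa) {
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $props = Get-ItemProperty -Path $key
        $Lsa   = @{}
        foreach ($name in 'NoLMHash', 'LmCompatibilityLevel') {
            if ($null -ne $props.$name) { $Lsa[$name] = [int]$props.$name }
        }
    }

    $findings = @()
    if (-not $Lsa.ContainsKey('NoLMHash') -or $Lsa['NoLMHash'] -ne 1) {
        $findings += 'NoLMHash is not 1: LM hashes are still stored for passwords of 14 characters or fewer'
    }
    if (-not $Lsa.ContainsKey('LmCompatibilityLevel') -or $Lsa['LmCompatibilityLevel'] -lt 5) {
        $findings += 'LmCompatibilityLevel is below 5: LM/NTLMv1 responses are still accepted'
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample reflecting the default described in the thread
# (NoLMHash left at 0, LmCompatibilityLevel at a permissive level).
$defaultBox = @{ NoLMHash = 0; LmCompatibilityLevel = 2 }
Test-LsaNtlmHardening -Lsa $defaultBox | Format-List

# Live check of the machine the script runs on.
Test-LsaNtlmHardening | Format-List
```

Note that a passing result addresses only the hash-strength point in the quoted text; as Frank's reply says, it does nothing against reuse of a captured NT hash.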

