RE: COELACANTH: Phreak Phishing Expedition]

From: Jelmer (jkuperus_at_planet.nl)
Date: 06/24/04

    Date: Thu, 24 Jun 2004 04:33:33 +0200
    To: 'Drew Copley' <dcopley@eEye.com>, 'Thor Larholm' <thor@pivx.com>, full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
    
    

    One final addendum to this ongoing thread

    Drew Copley was kind enough to point out to me that you can steal any user's
    Windows password simply by having them view a specially prepared page using
    this exploit.

    What basically happens is that the server sends an 8-byte challenge to the
    browser; the browser uses the LanMan and NT password hashes to generate a
    response by appending some zeros to the hash and then using it as a DES key
    to encode the message. This message explains it more thoroughly:

    http://www.insecure.org/sploits/l0phtcrack.lanman.problems.html

    If you know the response and you know the challenge (obviously we do, since
    we control what's being sent), you can crack it quite easily using L0phtCrack.
    Amazing that that insecure LanMan hash is still being sent after all this
    time.

    Anyway great find Bitlance winter!!

    Updated demo at

    http://jelmer.homedns.org/test2.htm

    Updated (very messy) code at

    http://jelmer.homedns.org/code2.zip

    This page does a pretty good job of describing the NTLM protocol:

    http://www.innovation.ch/java/ntlm.html
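The challenge/response construction the post describes, as an added worked example that is not part of the original message or of Jelmer's code: it computes a LanMan hash, turns it into the 24-byte LM response to a server challenge exactly as the post says (pad the hash with zeros, split it into DES keys, encrypt the challenge), and then shows the weakness L0phtCrack relies on: the third DES key carries only two bytes of hash, so that part of the response is recovered by trying 65536 keys. The function names, the password "Secret99" and the challenge 0123456789abcdef are constructed for this example. The same lmResponse construction applied to the NT hash (MD4 of the UTF-16LE password, not computed here because MD4 is outside the Go standard library) gives the NTLMv1 response.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// desKeyFrom7 spreads 7 key bytes (56 bits) over 8 bytes, 7 bits per byte,
// the way LM/NTLM derive DES keys. The low bit of each byte is DES's parity
// bit, which Go's DES (like the algorithm itself) ignores, so it is left 0.
func desKeyFrom7(k7 []byte) []byte {
	key := []byte{
		k7[0] >> 1,
		((k7[0] & 0x01) << 6) | (k7[1] >> 2),
		((k7[1] & 0x03) << 5) | (k7[2] >> 3),
		((k7[2] & 0x07) << 4) | (k7[3] >> 4),
		((k7[3] & 0x0F) << 3) | (k7[4] >> 5),
		((k7[4] & 0x1F) << 2) | (k7[5] >> 6),
		((k7[5] & 0x3F) << 1) | (k7[6] >> 7),
		k7[6] & 0x7F,
	}
	for i := range key {
		key[i] <<= 1
	}
	return key
}

// desEncryptBlock encrypts one 8-byte block with single DES under a 7-byte key.
func desEncryptBlock(k7, block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// lmHash: uppercase the password, pad or cut it to 14 bytes, and DES-encrypt
// the constant "KGS!@#$%" under each 7-byte half. The halves are independent,
// which is why LM passwords crack as two separate 7-character pieces.
func lmHash(password string) []byte {
	p := make([]byte, 14)
	copy(p, strings.ToUpper(password))
	magic := []byte("KGS!@#$%")
	return append(desEncryptBlock(p[:7], magic), desEncryptBlock(p[7:], magic)...)
}

// lmResponse: pad the 16-byte hash with five zero bytes to 21 bytes, use the
// three 7-byte pieces as DES keys, encrypt the 8-byte server challenge under
// each and concatenate the results into the 24-byte response.
func lmResponse(hash16, challenge []byte) []byte {
	k := make([]byte, 21)
	copy(k, hash16)
	resp := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desEncryptBlock(k[i:i+7], challenge)...)
	}
	return resp
}

// crackTail recovers hash bytes 14 and 15 from the last 8 response bytes: the
// third DES key is those two bytes followed by five zeros, so there are only
// 65536 candidates. A captured challenge plus response is all that is needed.
func crackTail(challenge, resp24 []byte) (byte, byte, bool) {
	target := resp24[16:24]
	k7 := make([]byte, 7)
	for a := 0; a < 256; a++ {
		for b := 0; b < 256; b++ {
			k7[0], k7[1] = byte(a), byte(b)
			if bytes.Equal(desEncryptBlock(k7, challenge), target) {
				return byte(a), byte(b), true
			}
		}
	}
	return 0, 0, false
}

func main() {
	challenge, _ := hex.DecodeString("0123456789abcdef") // constructed server challenge
	hash := lmHash("Secret99")                          // constructed password
	resp := lmResponse(hash, challenge)
	fmt.Printf("LM hash:     %x\n", hash)
	fmt.Printf("LM response: %x\n", resp)
	a, b, ok := crackTail(challenge, resp)
	fmt.Printf("recovered hash[14:16] = %02x%02x (found=%v)\n", a, b, ok)
}
```

Once the last two hash bytes are known, the remaining 14 bytes are two 7-byte DES keys over a challenge you chose, and each LM half is a DES of a fixed constant under a 7-character uppercase key, which is what makes dictionary and brute-force attacks on a captured pair practical.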

