RE: Defeating password cracking

From: Wilcox, Stephen (StephenWilcox@universalcomputersys.com)
Date: 02/18/03

    Date: Tue, 18 Feb 2003 16:08:04 -0600
    From: "Wilcox, Stephen" <StephenWilcox@universalcomputersys.com>
    To: "dave" <dave@netmedic.net>, <focus-ms@securityfocus.com>
    

    Dave,

    Here is an old article you might be interested in:
    http://online.securityfocus.com/infocus/1554. Note Myth #2.


    -----Original Message-----
    From: dave [mailto:dave@netmedic.net]
    Sent: Tuesday, February 18, 2003 1:36 PM
    To: focus-ms@securityfocus.com
    Subject: Defeating password cracking

    Simple ways to defeat password recovery boot-disks and password crackers
    on NT/2000 machines.

    I was bored and trying different characters that L0phtCrack and other
    cracking programs could not detect. While doing so I discovered that by
    using these same characters in user names you could prevent the Boot-disk
    password changers from being able to change the Admin and other passwords.

    Possibly this is old news but I found it quite interesting. I am posting it
    to see if anyone else has found similar results, and maybe even ways to
    defeat this.

    1. The character list: These are all ALT characters that L0phtCrack and
    Advanced NT Security Explorer could not detect. I made the password 5
    characters long and added them to the custom character sets. For my test,
    after testing all of them, I decided to use Alt-251 (v); it is the square
    root symbol but shows as a small v in the cracking programs, or not at all
    in the password recovery boot disks.
    1-32
    127-130
    132
    134
    135
    142-146
    148
    153-159
    164-255
    0127
    0131
    0135
    0149
    0160-0167
    0170-0172
    0176-0178
    0181-0183
    0186-0189
    0191
    0196-0199
    0201
    0209
    0214
    0220
    0223
    0228-0231
    0233
    0241
    0246
    0247

    2. Defeating password crackers: Ok so now we make a user name "joev"
    (without the quotes) and we make the password "1234v". Well I spent 3 days
    and could not get the password cracked even after I added it to the custom
    character sets; maybe I am just an amateur. So please let me know if I am
    doing something wrong. Notice the username displays as joev in L0phtCrack
    and the others. Also try using sid2user and other user information
    utilities on it. Most will tell you the user does not exist, whether you
    add the special character or put it as a small v. Even the W2000 Resource
    Kit "showmbrs.exe" does not display the special character.

    3. Ok so now we have to prevent the password recovery boot disks from being
    able to change the passwords. I had the "Linux boot-disk password changer"
    and the one from Win/sysinternals.

    4. First, no matter what you change the name of the built-in administrator
    account to, you can always change the password with these tools; I am
    assuming it is because the SID is always the same. You cannot disable it, so
    I had to come up with a way to get around that. So I simply created a group
    called "no access" and added the built-in administrator account to it. I added
    the "deny logon locally" and "deny access this computer from the network"
    privileges, and took away all access to the drives, essentially disabling
    it.

    5. Ok now we made joev a member of the admin group. We boot to the
    password recovery disk. The users except for joev show normally; he shows as
    joe. Since we know his real username we try entering it that way, and the
    way it displays; either way we get "cannot find user". I could change any
    password except for joev's. If we change the built-in admin account's
    password all is great; of course we cannot log in as him. If we use one of
    these Alt characters in all the usernames we essentially can prevent any of
    the passwords (except the built-in admin account) from being changed.

    6. Well now I know there are other ways of editing the registry, installing
    a separate installation of the OS, etc. But I believe this is a pretty
    cool way of thwarting the basic "hacker" that thinks he is going to walk up
    to your system, boot to this disk, change the password and get in.
    Further it is nice to know that there are passwords you can make that even
    the common crackers cannot crack.

    Well, this is my little discovery; your thoughts and counter-thoughts are
    greatly appreciated. I do not mean this to be an end-all way of defeating
    these programs, but every little bit helps.

    ______________________
    Dave Kleiman
    dave@netmedic.net
    www.netmedic.net
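An added example, not part of Dave's post or of any tool he names, showing why the characters in his list behave this way: Alt codes without a leading zero are typed through the OEM code page and those with a leading zero through the ANSI code page, and a cracker that renders Alt-251 as a plain "v" is hashing a different string than the one the user typed. It assumes a US-English system (cp437 OEM, cp1252 ANSI) and is written from the defender's side, as a coverage check for a password audit.

```python
# Added example, not from the original post. Explains the Alt-code list and
# why a tool that displays Alt-251 as "v" is working on the wrong string.
# Assumes a US-English Windows system: OEM code page cp437, ANSI code page cp1252.

def alt_code_char(code: str) -> str:
    """Character an Alt code produces. Codes with a leading zero (Alt-0251)
    go through the ANSI code page; codes without one (Alt-251) through OEM."""
    codepage = "cp1252" if code.startswith("0") else "cp437"
    value = int(code)
    if not 1 <= value <= 255:
        raise ValueError(f"Alt code out of range: {code}")
    return bytes([value]).decode(codepage)

def nt_hash_input(password: str) -> bytes:
    """The NT hash is MD4 over the UTF-16LE password; this is that input."""
    return password.encode("utf-16-le")

def lm_hash_input(password: str, oem: str = "cp437") -> bytes:
    """The LM hash starts from the upper-cased OEM bytes of the password,
    truncated to 14 characters; this is that input."""
    return password.upper().encode(oem)[:14]

PRINTABLE_ASCII = "".join(chr(c) for c in range(32, 127))

def outside_charset(password: str, audited: str = PRINTABLE_ASCII) -> set:
    """Characters of `password` that a cracker limited to `audited` can never
    generate. Non-empty means an audit with that charset did not cover it."""
    return {ch for ch in password if ch not in audited}

def audit_report(password: str, displayed: str) -> dict:
    """Compare the real password with the glyph a tool rendered for it."""
    return {
        "same_nt_input": nt_hash_input(password) == nt_hash_input(displayed),
        "same_lm_input": lm_hash_input(password) == lm_hash_input(displayed),
        "uncovered": outside_charset(password),
    }

if __name__ == "__main__":
    # Constructed sample following the post: "1234" plus Alt-251.
    real = "1234" + alt_code_char("251")   # '1234√'
    shown = "1234v"                        # how the crackers rendered it
    print(repr(real), nt_hash_input(real).hex(), lm_hash_input(real).hex())
    print(audit_report(real, shown))
    # The same byte typed as Alt-0251 is a different character entirely.
    print(repr(alt_code_char("0251")))     # 'û'
```

Running `audit_report` over your own audit wordlist charset tells you which real passwords the audit could never have reached, which is the gap Dave's test exposed.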


