RE: Basic question

From: dave kleiman (dave_at_isecureu.com)
Date: 03/11/05

    To: "'Roman L. Daszczyszak II'" <romandas@gmail.com>, <focus-ms@securityfocus.com>
    Date: Fri, 11 Mar 2005 05:03:59 -0500
    
    

    Roman,

    An excellent write-up on LM-v2 is "The NTLM Authentication Protocol":
    http://davenport.sourceforge.net/ntlm.html
    It does not cover your Kerberos request.

    Although technically NT-W2K3 passwords are based on the Unicode character
    set and can be up to 128 characters long, Pre-W2K user interface limits do
    not allow passwords to exceed the LanMan 16-byte length, which, as the
    write-up above shows, is 14 characters.

    At this moment the source eludes me, but I remember seeing several times not
    to use passwords longer than 64 characters; it may have been something to do
    with Kerb, or possibly Inter-OS operability. If I find it I will forward the
    source. I have read the same thing several times about the 104-character
    limit on usernames: "Logon names can be up to 104 characters. However, it
    isn't practical to use logon names that are longer than 64 characters". And
    remember it only uses the first 20 characters, which must be unique in the
    domain/workstation for Pre-W2K compatibility, and don’t forget the display
    name is limited to 64 characters as well.

    I sure do wish they would give us a "real" off switch for Pre-W2K
    compatibility.

    As far as "that authenticating to a domain-based machine from a machine
    outside the domain":

    If you need to use CHAP or Digest etc. authentication for IIS/IAS or such,
    then your password would have to choose that "option" that says "Store
    password using reversible encryption", which "is essentially the same as
    storing plaintext versions of the passwords". It is always best to use something
    like SSL etc. to communicate from the outside to your domain-based machine
    to add a layer of protection for your authentication.

    Regards,
    ___________________________________________________
    Dave Kleiman, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE

    www.SecurityBreachResponse.com www.ComputerForensicInvestigations.com

    -----Original Message-----
    From: Roman L. Daszczyszak II [mailto:romandas@gmail.com]
    Sent: Thursday, March 10, 2005 15:57
    To: focus-ms@securityfocus.com
    Subject: Basic question

    Does anyone have a good reference on the differences between LanMan, NTLM,
    NTLMv2 and Kerberos? Also, is there any restriction on the length of a
    password used across a network/LAN for authentication? I'm aware in
    NT/2K/XP/2003 the max length of a password is 127 characters, but am curious
    if this is still true for network/domain authentication.

    Lastly, I have heard (and would like confirmation/denial) that
    authenticating to a domain-based machine from a machine outside the domain
    causes an otherwise normally encrypted password to be sent cleartext when
    authenticating with an IIS server. Can anyone point me to references about
    this?

    Thank you for any information y'all can provide.

    Roman
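Added example, not part of the original messages: how the LanMan scheme prepares a password of at most 14 characters as two independent 7-byte halves, each expanded into an 8-byte DES key, which is where the 14-character and 16-byte figures discussed above come from. The DES encryption step is omitted, the function names are hypothetical, and the cp437 OEM code page is an assumption.

```python
# Added illustration: LanMan password preprocessing up to, but not including, DES.
LM_MAX_BYTES = 14  # two 7-byte halves; anything longer has no usable LM hash


def lm_halves(password: str):
    """Return the two 7-byte halves LM works on, or None if the password is too long."""
    # LM uppercases the password and uses the OEM code page
    # (assumption: cp437, the US OEM code page).
    raw = password.upper().encode("cp437")
    if len(raw) > LM_MAX_BYTES:
        return None  # 15+ characters: Windows stores no usable LM hash
    raw = raw.ljust(LM_MAX_BYTES, b"\x00")  # null-pad to exactly 14 bytes
    return raw[:7], raw[7:]


def des_key_from_7_bytes(half: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes (7 bits each) and set odd parity in bit 0."""
    if len(half) != 7:
        raise ValueError("expected exactly 7 bytes")
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F  # next 7 bits, most significant first
        byte = seven << 1
        if bin(byte).count("1") % 2 == 0:      # make the number of 1 bits odd
            byte |= 1
        key.append(byte)
    return bytes(key)


def lm_des_keys(password: str):
    """Return the two 8-byte DES keys LM would use, or None if no LM hash applies.

    Each key encrypts a fixed 8-byte constant; the two 8-byte results
    concatenated form the 16-byte LM hash. The halves never interact, so a
    password of 7 characters or fewer always yields the same second key.
    """
    halves = lm_halves(password)
    if halves is None:
        return None
    return tuple(des_key_from_7_bytes(h) for h in halves)


if __name__ == "__main__":
    for pw in ("SecREt01", "short", "a" * 15):  # constructed sample passwords
        keys = lm_des_keys(pw)
        print(pw, "->", None if keys is None else [k.hex() for k in keys])
```

Because case is folded and the halves are independent, a 14-character password is only as strong under LM as its weaker 7-character half, which is the practical reason to disable LM storage or use passwords of 15 characters or more.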