Re: Windows XP / 2K3 Default Users


As a follow-up to jmk's comment. Cracking the 'passwords' has never been
really necessary because you can simply reuse a captured hash for
authenticated access. This technique was pioneered by Hernan Ochoa from
Core Security Technologies (sorry for the self-promoting rant but I think
he deserves proper credit) and later popularized in the Hacking Exposed
book and training from Foundstone, who used Hernan's tool for the trick.

The gist of the 'technique' is the "Modifying Windows NT Logon Credential"
paper available here:

The rationale for this (instead of modifying SAMBA) was that by changing
the credentials on an existing Windows system you could then just run the
existing Windows applications that use the hash currently set to
authenticate to remote boxes.

The DCE/RPC & SMB components of the freely available Impacket python
package already have support for using dumped hashes. The common use
scenario is that you break into some Windows, dump the hashes from the SAM
and then re-use those hashes to try to get authenticated access to other
Windows boxes on the network. Impacket is part of the CORE IMPACT tool
($$, commercial) where many MS-RPC exploits take advantage of this
feature, this is relevant because many recent RPC-based vulnerabilities
now require authenticated access to the endpoints for successful

Perhaps, more importantly is that Impacket is also freely available under
an Apache 1.1 license here:


jmk wrote:
On Tue, 2006-10-31 at 17:27 -0700, Thor (Hammer of God) wrote:
Maybe I'm just in a different environment, but when I see people report
"routine" cracking SAMs, it really makes me wonder who the client-base is.
I think the last time I was paid for any work with LM cracking was over 10
years ago. I've been turning off LM since Win2k came out, and have been
telling people to use pass-phrases instead of passwords since Win2000
allowed 126 character passcodes. Even something as simple as "my dog has
fleas" couldn't be rainbow cracked with anything I've seen out there. Of
course, when you have a pass phrase like "OK, this is my passphrase--crack
THIS 1 homeboy!" Then the whole thing goes out the window.

That's what I was on about - while I think rainbow tables are neat, I've
really not had much use for them given their size, having to have admin
access to get the SAM anyway (for win machines) and how easy it is to thwart
them. But that's just me ;)

Unfortunately, it seems that the vast majority of clients I work with
still have LM hashes enabled and usually some relatively weak passwords.
John typically is able to crack the passwords quickly and, when it
can't, Rainbow tables work. I'm hopeful that we're slowly getting them
educated though.

We did run into a situation recently where a compromised workstation
contained an interesting account with only an NTLM hash. In order to use
that hash against other hosts, I've modified Samba to simply pass it.
Samba's "net" command can do lots of cool stuff, like add local user
accounts. My updated patch is available, if anyone wants it:


"Buy the ticket, take the ride" -HST

Ivan Arce


PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
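To make the LM-hash hygiene points raised in this thread concrete, here is an added example, not code from the thread, from Impacket or from jmk's Samba patch, that audits a pwdump-style SAM dump from the defender's side: it flags accounts that still have an LM hash stored (so NoLMHash was not in effect), the short passwords that an LM hash gives away by construction, and blank passwords. The dump lines and all non-empty hash values are constructed; only the two empty-password hashes are the real well-known constants.

```python
import re

# Audit a pwdump-style dump for the weaknesses discussed above.
# Record format per line:  user:RID:LM-hash:NT-hash:::
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string
EMPTY_LM_HALF = EMPTY_LM[:16]                     # LM DES block for an all-padding half

RECORD = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):"
)


def parse_record(line):
    """Split one dump line into (user, rid, lm, nt); hashes normalised to lowercase."""
    m = RECORD.match(line.strip())
    if not m:
        raise ValueError(f"not a pwdump-style record: {line!r}")
    return m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()


def audit_record(line):
    """Return (user, findings) for one account; an empty list means nothing to flag."""
    user, _rid, lm, nt = parse_record(line)
    findings = []
    if lm == EMPTY_LM and nt == EMPTY_NT:
        findings.append("blank password")
    elif lm != EMPTY_LM:
        # Any real LM hash means NoLMHash was not in effect when this password was set.
        findings.append("LM hash stored")
        if lm[16:] == EMPTY_LM_HALF:
            # LM pads to 14 bytes and hashes the two 7-byte halves independently,
            # so an empty second half reveals a password of 7 characters or fewer.
            findings.append("password is 7 characters or fewer")
    return user, findings


def audit_dump(text):
    """Audit every non-empty line of a dump; returns {user: [findings]}."""
    return dict(audit_record(line) for line in text.splitlines() if line.strip())


# Constructed sample dump: every hash is made up except the two empty-password constants.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
jdoe:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""

if __name__ == "__main__":
    for user, findings in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:15} {', '.join(findings) or 'NT hash only (LM disabled)'}")
```

An account with only an NT hash is not "safe" in the pass-the-hash sense the thread describes; the audit only tells you which accounts additionally leak LM material and need the NoLMHash policy plus a password change.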

