Re: Using hashes, not text credentials...?

From: Ben Greenbaum (bgreenbaum@securityfocus.com)
Date: 07/24/01
Date: Tue, 24 Jul 2001 09:26:58 -0600 (MDT)
From: Ben Greenbaum <bgreenbaum@securityfocus.com>
To: Todd Sabin <tas@webspan.net>
Subject: Re: Using hashes, not text credentials...?
Message-ID: <Pine.GSO.4.30.0107240922570.23901-100000@mail>
On 23 Jul 2001, Todd Sabin wrote:

> Ben Greenbaum <bgreenbaum@securityfocus.com> writes:
> > Exactly what you describe is possible with LanMan hashes
>
> This is not really correct.
> If 'caught using l0pht for instance' means sniffed off the wire, then
> what you've got is not technically the password hash, it's a
> challenge/response pair. That can be cracked, assuming the password
> is weak enough, but you can't do anything else with it.

Thanks Todd. I should have been more clear.

> If you've got an actual password hash, as from dumping the SAM, then
> yes, you can use that directly without having to crack it. The tools
> required to do so are not available publicly, AFAIK. There's a
> write-up by Hernan Ochoa about how you would do it. Do a search for
> "Modifying Windows NT logon credentials".

Sorry about the long URL, but that paper can be read at:
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=6247&id=1512

Ben Greenbaum
Director of Product Development - SIA/VulDB
SecurityFocus
http://www.securityfocus.com