Re: WinNT and previously used passwords

From: Kit (securityfocus@smallfoxx.com)
Date: 05/25/02


From: "Kit" <securityfocus@smallfoxx.com>
To: "KF" <dotslash@snosoft.com>, <vuln-dev@security-focus.com>
Date: Fri, 24 May 2002 19:28:35 -0500

It's been a while since I've looked at this, but if I remember correctly,
the password history is stored in the SAM with the account as NTLM hashes
(this of course all changes with Active Directory). As such, if you're
going to go through the hashes to get the history, might as well just break
the current one rather than the history.

However, if you're asking if the passwords are stored in plain text or
reversible encryption, no. The authentication system (the NT server) never
actually knows the password itself and therefore never stores it. Rather,
the password is always transmitted in some hashed form of the NTLM hash of
the password itself.

This is where l0pht comes in. It just brute forces the hash until it can
duplicate it. Theoretically, when you crack the hash, you may not be using
the exact same password, but rather a statistical anomaly which just happens
to produce the same hash.

-K

----- Original Message -----
From: "KF" <dotslash@snosoft.com>
To: <vuln-dev@security-focus.com>
Sent: Friday, May 24, 2002 1:51 AM
Subject: WinNT and previously used passwords

> Today I got a message when I logged in to my domain about my pass being
> expired... so as expected I went ahead and typed in a new password. Next
> thing I know NT (win2k really) is barking at me saying I cannot use any
> of my previous 10 passwords. Apparently the one I wanted to use today was
> one I used a while ago. I found it interesting that SOMEWHERE my last
> 10 passwords are archived in the SAM or registry maybe? So my question is
> are there any tools similar to l0pht crack in which the last 10
> passwords can be extracted from either the registry or the SAM file or
> wherever they are hiding? If I remember correctly l0pht crack grabs
> the CURRENT password and tries to crack the hash. I am not aware of it
> going after the old passwords so forgive me if l0pht crack already does
> this. I think being able to determine a person's last 10 passwords would
> help in guessing what they may pick next... people tend to form patterns.
>
> -KF
>
>
>


