RE: WinNT and previously used passwords
From: Brett Moore (brett@softwarecreations.co.nz) Date: 05/27/02
- Previous message: Michal Zalewski: "Re: addition: CVS off by one"
- In reply to: Jesper M. Johansson: "RE: WinNT and previously used passwords"
- Next in thread: Seymour, Keith: "RE: WinNT and previously used passwords"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Brett Moore" <brett@softwarecreations.co.nz> To: "Jesper M. Johansson" <jesper_m_johansson@hotmail.com>, "'KF'" <dotslash@snosoft.com>, <vuln-dev@security-focus.com> Date: Mon, 27 May 2002 10:53:40 +1200
The concept is a good one. A lot of people will use common combinations.
If for example the last few passwords were
tiger10
tiger11
tiger12
etc..
L0phtCrack will already crack them as it can do 'add numbers to end and
begin',
but if the last passwords were like
t10iger
ti11ger
tig12er
then LC will fail, whereas if we could see them in 'real text' we could
easily guess the next. The problem is that we can't see them in real text,
and L0phtCrack can't give them to us.
If, though, as KF has already pointed out,
the last few passwords were like
apple
bannana
grape
tomato
Then LC would show us, and we would have a good starting point for guessing
future passwords.
-------------------------------------
How to find the unknown passwords (if we are really lucky)
: this is an example of one method :
-------------------------------------
Where are they stored? Anyone, Microsoft, Numega?
1) Make sure that the last-password checking is enabled. Upping the number
of stored passwords will increase our chances of easily identifying them.
2) They are stored in 'registry', 'disk file', 'other?'
3) Using the SoftICE debugger, or possibly Regmon or Filemon, or even all.
4) Set relevant breakpoints for logging of file reads, reg reads.
5) Change our password to a known NON-used one, and await the response.
6) Look at our logs of calls.
7) If we are extremely lucky we might see '10' calls to "regreadkey
/location/location1-10"
8) Change our password to a KNOWN used one, and await the response.
9) If we are extremely lucky we might see '3' calls to "regreadkey
/location/location1-3" with our used password being number 3.
Otherwise it would be a 'semi-complicated' reverse engineering job for
someone with spare time. Weigh up the usefulness of the information?
Brett
> -----Original Message-----
> From: Jesper M. Johansson [mailto:jesper_m_johansson@hotmail.com]
> Sent: Saturday, 25 May 2002 16:14
> To: 'KF'; vuln-dev@security-focus.com
> Subject: RE: WinNT and previously used passwords
>
>
> >Today I got a message when I logged in to my domain about my pass being
> >expired... so as expected I went ahead and typed in a new password. Next
> >thing I know NT (win2k really) is barking at me saying I can not use any
> >of my previous 10 passwords.
>
> You, or whoever the administrator is, must have told it to remember the
> last 10 passwords. This is a security feature, actually.
>
> >So my question is
> >are there any tools similar to l0pht crack in which the last 10
> >passwords can be extracted from either the registry or the SAM file or
> >where ever they are hiding?
>
> First of all, it is not storing the password. It is storing a hash (two
> hashes actually, unless you use the NoLMHash switch). Second, I don't
> think there are any such utilities. Generally speaking, I would be more
> interested in cracking your current password than 10 of your old ones,
> considering that the current one has a better chance of still being
> valid by the time I crack it. Presumably, if your new password is based
> on your old one, I would probably be able to crack the new one just as
> easily as the old one, and it allows me to do so using 1/11th the amount
> of work, assuming you are storing 10 passwords.
>
> Now, this might be interesting to do if your objective, as a white-hat
> administrator, is to catch people who reuse passwords. However, my
> experience is that most people would get more mileage out of teaching
> people to use good current passwords instead of cracking old ones.
> Better yet, implement smart card logon and get rid of passwords
> altogether.
>
>
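The pattern-guessing idea in Brett's reply (a cracked old password such as tiger12 or tig12er telling you what the next one will be) is easy to automate once the history hashes have been cracked to plaintext. The following Python is an added example written for this archive page; it is not code from Brett Moore, KF, Jesper Johansson or L0phtCrack, and the function names md4, nt_hash, next_candidates and crack_next, the sample histories and the candidate-ordering heuristic are this example's own assumptions. It computes the NT hash the way NT/2000 stores it (MD4 over the UTF-16LE password, as Jesper notes it is a hash that is kept, not the password) using a pure-Python MD4 because hashlib's md4 is often disabled under OpenSSL 3, extrapolates the counter and its position from the last two entries of a history, and checks each guess against a target hash.

```python
"""Extrapolating the next password from a cracked history (added example)."""
import re
import struct

MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): OpenSSL 3 builds of hashlib often refuse md4."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    rounds = (  # (boolean function, additive constant, shifts, word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [(i % 4) * 4 + i // 4 for i in range(16)]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [int(f"{i:04b}"[::-1], 2) for i in range(16)]),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, const, shifts, order in rounds:
            for i, k in enumerate(order):
                # Rotate the state tuple so each step updates A, D, C, B in turn.
                a, b, c, d = d, _rol((a + f(b, c, d) + x[k] + const) & MASK, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The NT hash stored by NT/2000: MD4 over the UTF-16LE encoding, no salt."""
    return md4(password.encode("utf-16le"))


_SPLIT = re.compile(r"^(\D*?)(\d+)(\D*)$")


def _parse(pw):
    """Split 'tig12er' into (word 'tiger', counter position 3, value 12, width 2)."""
    m = _SPLIT.match(pw)
    if not m:
        return None
    prefix, digits, suffix = m.groups()
    return prefix + suffix, len(prefix), int(digits), len(digits)


def next_candidates(history, max_delta=3):
    """Guess the next password from a cracked history (oldest first).

    Covers both cases from the thread: a counter appended to a fixed word
    (tiger10, tiger11, tiger12 -> tiger13) and a counter that also walks
    through the word (t10iger, ti11ger, tig12er -> tige13r).  Returns []
    when the history shows no such pattern (apple, bannana, grape), which is
    where a wordlist, not extrapolation, is the right tool.
    """
    parsed = [_parse(p) for p in history[-3:]]
    if len(parsed) < 2 or any(p is None for p in parsed):
        return []
    words = {p[0] for p in parsed}
    if len(words) != 1:
        return []
    word = words.pop()
    (_, pos_prev, n_prev, _), (_, pos_last, n_last, width) = parsed[-2], parsed[-1]
    n_step, pos_step = n_last - n_prev, pos_last - pos_prev
    out = []
    for k in range(1, max_delta + 1):
        n = n_last + k * (n_step or 1)
        # Most likely position first, then the ones people fall back to.
        for pos in (pos_last + k * pos_step, pos_last, len(word), 0):
            pos = min(max(pos, 0), len(word))
            cand = word[:pos] + str(n).zfill(width) + word[pos:]
            if cand not in out and cand not in history:
                out.append(cand)
    return out


def crack_next(target: bytes, history):
    """Return the plaintext whose NT hash equals target, or None if no guess hits."""
    for cand in next_candidates(history):
        if nt_hash(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample histories, mirroring the ones in the thread.
    for hist in (["tiger10", "tiger11", "tiger12"],
                 ["t10iger", "ti11ger", "tig12er"],
                 ["apple", "bannana", "grape", "tomato"]):
        print(hist, "->", next_candidates(hist)[:4] or "no pattern")
```

The fruit-name history returns no candidates: that is the case KF and Brett describe where the cracked plaintexts are only a starting point for a wordlist, not something a counter rule can extend. Jesper's caveat also stands: the same mutation rules applied to one cracked current hash cost a fraction of the work of cracking the whole history, so the history is mainly useful to an administrator auditing for reuse.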