Slashdot Mirror


User: pegr

pegr's activity in the archive.

Stories: 0
Comments: 728

Comments · 728

  1. Re:Until LM authentication is gone... on Security Statistics and Operating System Conventional Wisdom · Score: 1

    Yes, what you say is true, but in order to obtain LM hashes, you must be either a domain admin (for AD retrieval) or a local admin. We can then get into a chicken/egg type debate here, but I'm not trying to accuse you of FUD spreading but it seems your point has migrated from "windows sucks" to "windows admins suck". This may well be empirically true, but hardly the point, no?

    I do not take issue with a single word, though the points you take aren't quite the points I intended. To be clear, my point is 1) LM authentication is broken, 2) Windows admins typically don't know LM authentication is broken, and 3) Those Windows admins who know LM authentication is broken are generally not successful in removing it.

    So why are we still burdened with it? Because removing it outright would be a PIA for MS and Co. MS would have to distribute updated code for older clients. Many Windows shops would have to update their entire population. I guess MS feels it's too big of a pain for themselves and their customers.

    But anyone who runs Windows has to be aware of constant updates and patches. Forcing a change to the client isn't that big of a deal when considering all the updates that come out of Redmond. Still, MS would rather have this glaring security issue remain than inconvenience their customers. Now whose interests do you think the boys in Redmond are protecting? (Hint: Ain't yours (unless you're a stockholder...))

  2. Re:Rainbow Tables + EFS? on Security Statistics and Operating System Conventional Wisdom · Score: 1

    Cool. Will this full rainbow table allow for simpler decryption of Windows encrypted files?

    Based on my limited Windows knowledge I believe it will: The NTLM hash is not one-to-one. However the rainbow table can (in theory) provide multiple NTLM keys, one of which is probably the original user password that will ALSO re-hash for EFS.

    Seems like your LM RT is an EFS accelerant. Comments?


    Wow, I hadn't really considered it. I'll have to research it. If it's so, well, I'm pretty much floored by that one...

  3. Re:LM Hash Info on Security Statistics and Operating System Conventional Wisdom · Score: 4, Informative

    For those of you still on a Microsoft platform: I've heard that L0phtcrack works wonders reversing an LM hash on modern hardware.

    I've used LC and you're right, it works pretty well. It's also ungodly expensive and the serial number is tied to your hardware, so using it on another machine requires tech support "blessing". LC5 is licensed in truly bizarre ways, and did I mention that it's ungodly expensive?

    For the same or better brute forcing speed, lower cost, no hassles moving to another machine, and generally a more polite program, try SamInside. Best $40 LM hash cracker around.

    Now for a "free" instant password cracker, use Rainbow Tables, a db of password/hashes that does all the brute forcing up front. For details, check out my journal. I'm soliciting participants to help generate the 128GB of data needed. Other than the pain of generating and storing all that data, it's free and extremely fast.

  4. Re:Until LM authentication is gone... on Security Statistics and Operating System Conventional Wisdom · Score: 5, Informative

    Not sure I understand you. You seem to be implying that when LM auth is disabled (via local/group policy), it is still exploitable? This is news to me.

    You can certainly turn it off, but unless you disable storing the LM hash, it's still available for cracking. In the wild, my experience is that LM hashes are available as a general rule (90% of the time or better). My insistence that LM authentication be removed outright is due to the "lazy admin" factor. So yes*, in practice, unless it is removed outright, many times it is still exploitable.

    *Definitely needs qualifying. Can you turn off LM effectively? (yes) Do admins do it? ('fraid not...)
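The distinction pegr draws above (LM authentication switched off versus the LM hash no longer being stored) maps onto two registry values that the local/group policy editor writes. The script below is an added example, not code from the thread: it evaluates those two values and reports which of the two problems a host still has. The value names and the meaning of each LmCompatibilityLevel are real Windows settings; the sample values in the fallback branch are constructed.

```python
"""Assess a Windows host's LM-hash exposure from the two Lsa registry
values that control it.  Added example, not code from the thread.

Both values live under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa:
  NoLMHash             1 = stop storing the LM hash (takes effect only at
                           the next password change; existing hashes stay)
  LmCompatibilityLevel 0-5 = the "LAN Manager authentication level" policy
"""
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"


def assess_lm_settings(no_lm_hash, lm_compat_level):
    """Return a list of (severity, finding) tuples for one host.

    Arguments are the DWORD values, or None when the value is absent;
    absent means the old Windows default applies (hash stored, level 0).
    """
    findings = []
    stored = (no_lm_hash or 0) != 1
    level = lm_compat_level or 0

    if stored:
        findings.append(("high", "LM hash still stored (NoLMHash != 1): anyone who "
                                 "dumps the SAM or AD database gets a crackable hash, "
                                 "whether or not LM authentication is enabled."))
    if level < 2:
        findings.append(("high", f"LmCompatibilityLevel={level}: this host still "
                                 "sends LM responses on the network."))
    elif level < 4:
        findings.append(("medium", f"LmCompatibilityLevel={level}: LM is not sent, "
                                   "but LM responses from other hosts are still accepted."))
    elif level == 4:
        findings.append(("medium", "LmCompatibilityLevel=4: LM refused, NTLMv1 still accepted."))
    if stored and level >= 2:
        # The point made in the thread: turning LM auth off leaves the hash behind.
        findings.append(("info", "LM authentication is off but the LM hash remains; "
                                 "set NoLMHash=1 and force a password change to purge it."))
    return findings


def read_live_settings():
    """Read both values from the local registry (Windows only)."""
    import winreg  # standard library on Windows; ImportError elsewhere
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        def value(name):
            try:
                return winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                return None
        return value("NoLMHash"), value("LmCompatibilityLevel")


if __name__ == "__main__":
    if sys.platform == "win32":
        no_lm_hash, level = read_live_settings()
    else:
        no_lm_hash, level = 0, 0  # constructed sample: the old Windows default
    for severity, text in assess_lm_settings(no_lm_hash, level):
        print(f"[{severity}] {text}")
```

The "info" finding is the case the thread is about: a host where policy refuses LM on the wire but the stored hash is still there for anyone who can dump it. Note that setting NoLMHash only stops new hashes from being written, so an audit should also confirm that passwords were changed after the setting went in.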

  5. Until LM authentication is gone... on Security Statistics and Operating System Conventional Wisdom · Score: 4, Insightful

    Until LanManager authentication is totally removed (not just turned off) from Windows, Windows will not be secure. There are just too many exploits involving LM authentication to take Windows seriously.

  6. (OT)Re:Question on Online MD5 Cracking Service · Score: 1

    Re:Question (Score:1)
    by julesh (229690) on Saturday July 03, @04:21PM (#9601525)
    Hmmm. User ID 686460 suggests user ID 678202 is 'new here' and it gets modded as insightful. Come on!

    Oh, and before you mention it, no I've been here for about 6 years.


    Imagine that... A "6 digit" getting all uppity...

  7. Windows users not left out! on Online MD5 Cracking Service · Score: 5, Interesting

    Same thing for windows users (only different) is here. Submit an LM or NT hash, get the password emailed back to you...

  8. Re:Our gratitude on New Radar Sees Through Walls · Score: 1

    That's why we have that whole "beyond a reasonable doubt" burden of proof thing.
    If they have a low-res recording of you building a bomb, your defense attorney can reasonably argue that the blob the jury sees could be doing anything. I doubt such images would ever even be considered admissible by the courts if they were of such low quality.


    It would never make it to court. The low-res version could constitute "reasonable suspicion" and result in a warrant. Being caught building the bomb would be "beyond a reasonable doubt."

  9. Re:Password auditing on Missing Open Source Security Tools? · Score: 1

    Well, if you're successful with just a CD's worth, I may have to eat my own words! (Wouldn't be the first time, I'm afraid...) If you are interested in collaborating on generating larger keyspaces, I would be happy to have someone else to work with. I have the complete alpha-numeric space already generated. I am working on the complete keyspace. If we could muster 20 or so like-minded individuals to help generate the needed files, we could all benefit from the exercise fairly quickly.

    I sent an email to your listed address. If you wish to participate, send a reply with your thoughts, etc. and we'll work something out. (I don't have gmail yet, so pitching large files around will require a solution.) If I get really motivated, I may write up a journal entry to solicit more participants.

  10. Re:Well.... on A Parent's Guide To Linux Web Filtering · Score: 1

    Granted all the software is released under GPL and source code included, all it would take is for the kid to either A) Learn a little C++ (or whatever language this software is coded in) to make the software worthless or B) Start hunting for a patch that someone else was nice enough to build. Though if your kid can learn C++ I presume he's probably mature enough to view anything he wants and parents should stay back.

    Yeah, if you let your kids run as root! No joke, my kids had this bad habit of picking up all kinds of spyware on their Windows box. Finally, after my nth reload, no more Admin rights for you rugrats. Now I have to install all of their software (bad), but they don't pick up near the number of cooties they used to...

    Now if your kid cracks your account and installs a root-kit, yank the box and give them your old C64 or Atari 800. That'll show the little bast@rd! ;)

    (Note: Mild profanity munged to prevent triggering web filters... How's that for irony?)

  11. Re:Password auditing on Missing Open Source Security Tools? · Score: 1

    I took a closer look at the examples on the website. The database for [A-Z] is 610MB, which would leave lots of room for boot sector + freebie NTFSDOS.

    Look again... You need multiple files. They are just split that way to facilitate CD burning. You will not have enough data space on a single CD for effective pw cracking.

  12. Re:Why waste the time? on Canadian High Court Says ISPs Don't Owe Royalties · Score: 4, Interesting

    A Common Carrier is required to carry whatever content is provided on a non-discriminatory basis. That means they don't get to drop something just because they don't like it (as ISPs routinely do with SPAM and such). But because they have to carry it (even if it may be illegal) they can't be held responsible for doing so.

    But unlike telcos, ISPs provide more than a wire. They provide services, such as email and DNS. Using your logic, I could see that an ISP, as a common carrier, would have to carry the spam, but as a service provider could then very well not deliver it. It's mildly similar to call-blocking features sold by the telcos. Sound reasonable?

  13. Re:Password auditing on Missing Open Source Security Tools? · Score: 1

    Damn, LC5 (some editions) uses precomputed dictionaries. Looks like I'm the goat. Sorry about that.

  14. Re:Password auditing on Missing Open Source Security Tools? · Score: 1

    LC5 uses precomputed dictionaries just like RainbowCrack.

    Dictionaries are not hash tables. LC5 dictionaries are not precomputed. Rainbow Crack does not use dictionaries. Strike three, you're out.

  15. Re:Password auditing on Missing Open Source Security Tools? · Score: 1

    I took a closer look at the examples on the website. The database for [A-Z] is 610MB, which would leave lots of room for boot sector + freebie NTFSDOS.

    Source compiles under Linux just fine. NTFS read support is built in.

    If you crack passwords from read-only media, where do you put the results?

  16. Re:Password auditing on Missing Open Source Security Tools? · Score: 1

    Nifty.

    How big do the hashes get? Could I comfortably fit rainbowcrack+database on a bootable CDROM?


    Well, likely not, but you can generate a db for all hashes for passwords using any alpha or numeric character and fit the works on a DVD. The entire keyspace (i.e. alphas, numerics, and symbols) takes 180GB, as well as 200 days to generate. Will crack any LM password, though. And unlike LC5 or any other brute forcer, it's instant (almost).

  17. Re:Password auditing on Missing Open Source Security Tools? · Score: 2, Informative

    I am unaware of open source software that meets the functionality of PWSEX or LC5.

    Then you're gonna love this. Why brute LM hashes when you can precompute password/hash pairs then look them up from a database? Initial db generation takes a while, but you can customize the keyspace to whatever you want. When you're done, query a hash, get a password. This stuff works extremely well...
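Comments 16 and 17 describe the trade that precomputed password/hash tables make: pay the hashing cost once for a chosen keyspace, then answer any query for that keyspace with a lookup. The script below is an added example, not code from the thread or from RainbowCrack, and it deliberately does not implement the LM hash: it uses SHA-256 over a constructed four-digit keyspace as a stand-in to show the two properties that matter for defenders. An unsalted hash (LM's situation) means one table serves every account everywhere, while a per-user salt makes the same table useless, and the keyspace size (hence table size and generation time) grows exponentially with password length, which is why the full table in the thread runs to hundreds of gigabytes.

```python
"""Why a precomputed hash table works against unsalted hashes such as LM,
and why salting defeats it.  Added example; SHA-256 is a stand-in for the
LM hash and the keyspace below is a constructed toy.
"""
import hashlib
import itertools
import os


def unsalted_hash(password: str) -> bytes:
    # LM-style: the same password always yields the same hash, so one
    # precomputed table serves every user on every machine.
    return hashlib.sha256(password.encode()).digest()


def salted_hash(password: str, salt: bytes) -> bytes:
    # Per-user random salt: a table built without this salt never matches,
    # and an attacker would need a fresh table per salt value.
    return hashlib.sha256(salt + password.encode()).digest()


def build_table(alphabet: str, length: int) -> dict:
    """Precompute hash -> password for every string of `length` over `alphabet`.
    The hashing cost is paid once here; lookups afterwards are dictionary hits."""
    table = {}
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        table[unsalted_hash(candidate)] = candidate
    return table


def lookup(table: dict, digest: bytes):
    """Return the password for `digest`, or None if it is outside the table."""
    return table.get(digest)


def keyspace_size(alphabet_len: int, max_len: int) -> int:
    """Number of candidate passwords of 1..max_len characters.  This is the
    number of entries a complete table needs, and it grows exponentially."""
    return sum(alphabet_len ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    table = build_table("0123456789", 4)          # constructed: 10,000 entries
    target = unsalted_hash("4071")                 # constructed victim password
    print("unsalted lookup:", lookup(table, target))                   # 4071
    print("salted lookup:", lookup(table, salted_hash("4071", os.urandom(8))))  # None
    print("entries for 7-char alphanumerics (36 symbols):", keyspace_size(36, 7))
```

The last line is the calculation behind pegr's "alpha or numeric" table: the entry count for a 36-symbol alphabet up to seven characters is already above 8 x 10^10, and adding symbols to the alphabet is what pushes the complete keyspace to the 180GB and 200 days quoted in comment 16. For a defender the lesson is the salted branch: any scheme whose hash depends only on the password is one table away from instant recovery of every password in that keyspace.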

  18. Re:Just Like Anything Else... on School Teaches 'Ethical Hacking' · Score: 1

    The LEN statement is a bit fuzzy--I can't remember if that was available in the dialect that I'm thinking of. The int(rnd()) construct is certainly indicative of a particular dialect.

    This is GW-BASIC, standard in DOS until DOS 5, I believe... (It should run in QBASIC and even VB!) The LEN returns the LENgth of the enclosed string... The joke is that the code returns a random character for every character in the input, thereby "simulating" DES... Since you were the only one that "got" the joke, maybe I should code jokes in C from now on. ;) (But it's just FUNNIER to code jokes in GW-BASIC!)

  19. Re:Just Like Anything Else... on School Teaches 'Ethical Hacking' · Score: 1

    "Go build an application that simulates RSA cryptography." And in GW too!

    INPUT "Plaintext";X$: PRINT "Cyphertext:": FOR I = 1 TO LEN(X$): PRINT CHR$(INT(RND*255)+1);: NEXT: PRINT

    Simulated enough for ya? ;)

  20. (OT)Re:All that's missing is a Phish show on HOPE Conference Gets Wozniak, Mitnick, Biafra · Score: 1

    pfeh, that's not punk.

    all my DK is on 2nd or 3rd generation live bootleg cassette tape.


    LOL! Who said I was punk? At the time, I really dug punk chicks, though. Nothing better than some freak chick with low self-esteem... If you don't mind crabs, that is...

  21. Re:All that's missing is a Phish show on HOPE Conference Gets Wozniak, Mitnick, Biafra · Score: 3, Funny

    We have Steve Wozniak, Kevin Mitnick, and Jello Biafra

    Name a hacker, a cracker, and a whacker...

    I'm not picking on Jello... All my DK is on vinyl kiddies!

  22. (OT)Re:Wow on Comdex Canceled For 2004 · Score: 4, Funny

    Downtrodden means "oppressed or tyrannized." I think the word you're looking for is "crestfallen" :-)

    "I've dropped the toothpaste!", Tom said, crestfallen.

    (That one always cracks me up...)

  23. Re:one of the reasons they prospered w/the PC? on Next-Gen Xbox To Lack Backwards Compatibility? · Score: 5, Insightful

    This is THE lesson they learned from the PC. While backward compatibility severely limited the potential of the PC, it was absolutely required to maintain continuity (check OS/2 sales for reference). The game market is different. If you really need a box for your old XBox games, get an XBox (for prolly >$100 by then).

    This will cause some consumer backlash, however. Maybe it will affect sales, maybe it won't.... Since when has the game (or PC, for that matter) market been directed by technical truth rather than marketing FUD?

    Hey! Now there is poetic justice! Good luck, BillyBoy! ;)

  24. Re:Para para para noia on More Power To The Firmware · Score: 1

    Nope... No such requirement.
    Yes there is. It's in the DMCA:
    http://www.bizjournals.com/sanjose/stories/1998/12/07/story7.html
    http://cse.stanford.edu/class/cs201/projects-99-00/dmca-2k/macrovision.html

    "On April 26, 2002, under section 1201k of the Digital Millennium Copyright Act, no analog video recording devices may be manufactured that do not contain Automatic Gain Control circuitry."


    I stand corrected... Didn't realize DMCA had provisions for analog copy protection, specifically, Macrovision (though not referenced by name... it's patented, so who else could it be).

  25. Re:Para para para noia on More Power To The Firmware · Score: 0, Troll

    100% of VCRs are Macrovision-compliant by law.

    Nope... No such requirement.