Re: Win98 and NT4.0 passwords


Mike Stay (staym@accessdata.com)
Fri, 28 Aug 1998 21:05:28 -0600


Windows 98, as far as I know, uses a PWL file. MD5 hash your password 9
times to get the 128-bit key to init RC4. The stream is reused,
however, so with glide.c you can recover up to 56 bytes of stream and
decode most of the passwords stored in the PWL file. (They reuse the
stream in Office '97 docs, too, so a statistical analysis will
recover a lot of compound docs without a need for the password.)
Unfortunately, the login password isn't stored in the PWL file. It may,
however, be the same as the e-mail password; both Netscape Navigator and
Eudora store their password uuencoded in the registry and an .INI file,
respectively.

The NT password is not stored encrypted; it is hashed once with MD4 and
the hash is encrypted once with DES. The DES key is a derivative of the
RID, which is publicly known.

Also, there's the NT LANMAN password, which is case insensitive and
conveniently broken into two halves (one for the first seven characters
and one for the last seven) so you don't have to brute force so large a
keyspace.

If you want the whole technical rant, see
http://www.l0pht.com/l0phtcrack/rant.html

If you want to sniff passwords, NT by default looks for a .DLL that
checks password construction (i.e., is it long enough, does it have
numbers and punctuation), but doesn't actually ship the DLL. So if you
write your own & put it there, you can sniff the passwords of any user
that logs in to the box.

-- 
Mike Stay
Cryptographer / Programmer
AccessData Corp.
mailto:staym@accessdata.com
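The keystream-reuse problem Mike describes above, worked through as an added example (this is not code from the post, nor a reader of the real PWL format). It models the scheme as the post states it: the password is MD5-hashed 9 times (taken here as iterated hashing of the previous digest, an assumption) to make a 128-bit RC4 key, and every record is XORed with the keystream restarted from byte 0. The record layout, the password and the candidate word list are constructed for the demo. With one known record the attacker recovers that many keystream bytes and decrypts the prefix of every other record; and because the key derivation is just nine MD5 calls, the same known record also gives a fast dictionary attack on the password itself.

```python
"""Added example: why restarting an RC4 keystream per record breaks a PWL-style store.

Assumptions (not from the original post): iterated MD5 for the key derivation,
a made-up record layout, and constructed sample data.
"""
import hashlib


def derive_key(password: str, rounds: int = 9) -> bytes:
    """Iterated MD5, as the post describes: the digest is re-hashed `rounds` times."""
    d = password.encode("latin-1")
    for _ in range(rounds):
        d = hashlib.md5(d).digest()
    return d  # 16 bytes -> 128-bit RC4 key


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: KSA then PRGA, returning the first n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed sample records; the layout is illustrative, not the real PWL format.
SAMPLE_RECORDS = [
    b"*Rna\\MyISP\\alice:correct horse",                # 30 bytes, assume attacker knows it
    b"MAPI\\mail.example.com\\alice:s3cr3t-mail-pw",   # 42 bytes, the target
]


def encrypt_records(password: str, records: list[bytes]) -> list[bytes]:
    """The flaw: each record is XORed with the keystream restarted from byte 0."""
    key = derive_key(password)
    return [xor(rec, rc4_keystream(key, len(rec))) for rec in records]


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """One known record yields the keystream for the positions it covers."""
    return xor(ciphertext, known_plaintext)


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Decrypt only as far as the recovered keystream reaches; the tail stays unknown."""
    n = min(len(ciphertext), len(keystream))
    return xor(ciphertext[:n], keystream[:n])


def guess_password(candidates: list[str], ciphertext: bytes, known_plaintext: bytes):
    """Dictionary attack: nine MD5 calls per guess is cheap, so test each candidate's
    keystream against the keystream implied by the known record."""
    target = recover_keystream(ciphertext, known_plaintext)
    for cand in candidates:
        if rc4_keystream(derive_key(cand), len(target)) == target:
            return cand
    return None


if __name__ == "__main__":
    ct = encrypt_records("demo", SAMPLE_RECORDS)
    ks = recover_keystream(ct[0], SAMPLE_RECORDS[0])
    print("recovered keystream bytes:", len(ks))
    print("record 1 prefix:", decrypt_with_keystream(ct[1], ks))
    print("password guess:", guess_password(["letmein", "demo", "pass"], ct[0], SAMPLE_RECORDS[0]))
```

The length cap in `decrypt_with_keystream` is the point of the "up to 56 bytes" remark in the post: known plaintext only buys as much keystream as the known record is long, so the longest known entry bounds what can be read from the others. `guess_password` shows the second consequence of a cheap, unsalted key derivation: any single known record turns the whole file into a password oracle.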



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:11:02