staym@accessdata.com
Fri, 04 Dec 1998 11:38:18 -0700
PWL files encrypt multiple streams with the same RC4 stream. The RC4
stream is initialized with a 9-round MD5 of the password. A program
called "glide" (available on most hacker sites) can recover the first 56
bytes of the stream, revealing most passwords. There is a way you can
turn off password caching; I don't remember the details right now.
Anyone?
A simple API call (WNetGetCachedPasswords) will dump all the passwords
stored in the cache if someone is already logged on.
Also, the passwords protecting shared drives are stored with some
trivial obfuscation in the registry; if someone has read capability to
your Windows directory, they can recover any write-allow passwords.
--
Mike Stay
Cryptographer / Programmer
AccessData Corp.
mailto:staym@accessdata.com
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:17:37
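An added illustration of the keystream-reuse point in the message above; this is example code written for this page, not glide and not a reimplementation of the PWL format. It assumes a stand-in key derivation (MD5 iterated nine times over the UTF-8 password, which is not claimed to match what Windows actually does), constructed sample records, and a per-record key derivation with HMAC-SHA256 as the contrasting design. With one RC4 keystream shared from position 0 across every record, XORing two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts, so knowing any one record (a resource name, say) reveals the others over the overlapping length. Deriving a distinct keystream per record removes that relation.

```python
import hashlib
import hmac


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), returning `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(password: str, rounds: int = 9) -> bytes:
    """Stand-in password-to-key step: MD5 iterated `rounds` times.

    Assumption for this illustration only; the real PWL derivation is not
    reproduced here.
    """
    digest = password.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.md5(digest).digest()
    return digest


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Truncates to the shorter input, which is exactly the overlap an
    # attacker would learn from two ciphertexts of unequal length.
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_shared_stream(key: bytes, records: list[bytes]) -> list[bytes]:
    """Weak design: every record is XORed with the SAME keystream from byte 0."""
    return [xor_bytes(r, rc4_keystream(key, len(r))) for r in records]


def encrypt_per_record(key: bytes, records: list[bytes]) -> list[bytes]:
    """Contrasting design: a distinct RC4 key per record, derived from the
    master key and the record index with HMAC-SHA256 (constructed scheme)."""
    out = []
    for idx, r in enumerate(records):
        rec_key = hmac.new(key, idx.to_bytes(4, "big"), hashlib.sha256).digest()
        out.append(xor_bytes(r, rc4_keystream(rec_key, len(r))))
    return out


def known_plaintext_leak(ciphertexts: list[bytes], known_index: int,
                         known_plaintext: bytes) -> list[bytes]:
    """What a shared keystream gives away: C_k XOR P_k recovers the keystream
    prefix, and that prefix decrypts every other record over its length.
    Returns the recovered bytes for each record other than the known one."""
    keystream = xor_bytes(ciphertexts[known_index], known_plaintext)
    return [xor_bytes(c, keystream)
            for i, c in enumerate(ciphertexts) if i != known_index]


# Constructed sample records; the first (the known one) is the longest so the
# recovery covers the others completely.
RECORDS = [
    b"ResourceName=\\\\fileserver\\public-share",
    b"Password=hunter-two-constructed",
    b"Note=short",
]

if __name__ == "__main__":
    key = derive_key("constructed-password")
    shared = encrypt_shared_stream(key, RECORDS)
    # C0 XOR C1 == P0 XOR P1: the keystream drops out entirely.
    assert xor_bytes(shared[0], shared[1]) == xor_bytes(RECORDS[0], RECORDS[1])
    print("shared keystream, recovered:", known_plaintext_leak(shared, 0, RECORDS[0]))
    separate = encrypt_per_record(key, RECORDS)
    print("per-record keystream, recovered:", known_plaintext_leak(separate, 0, RECORDS[0]))
```

The recovery step needs no knowledge of the password at all, only one plaintext record, which is the same shape of weakness the message attributes to PWL files. The per-record variant is shown only to make the contrast concrete; a modern design would drop RC4 altogether in favour of an authenticated cipher with a per-record nonce.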