[3638] in bugtraq


Re: BoS: NT Password Cracker

daemon@ATHENA.MIT.EDU (nihil@onyx.infonexus.com)
Mon Nov 18 22:00:27 1996

Date: 	Mon, 18 Nov 1996 18:28:10 -0800
Reply-To: nihil@onyx.infonexus.com
From: nihil@onyx.infonexus.com
X-To:         route@onyx.infonexus.com
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  <19961118060221.14026.qmail@onyx.infonexus.com> from
              "route@onyx.infonexus.com" at Nov 17, 96 10:02:21 pm

A recent thread has occurred on the NT security mailing list about this
(ntsecurity@iss.net).  It is time to bring the truth to light:

It is quite infeasible to do a full key space search to recover *any
possible* password that is valid on an NT system.  MWC's recovery service
most likely involves installing a trojan horse service that replaces a
non-critical service running under the system account. At reboot the
trojan service makes a new admin-level account with a known password.
The administrator's password is then reset to a known value. The
wording in MWC's advertisement is ambiguous.

If the file permissions are set securely, all that has to be done is to
move the hard drive to a different machine. Check MWC's web page, and
you will see that they are promoting this kind of solution; they just
don't come out and say it directly.

Nobody should be worried about NT passwords being easier to crack, they
aren't (if the question is about whether or not they are crackable at
all, that is a different story). Bad passwords equal easy cracks, good
passwords equal the time to brute force the DES or MD4 key space (or for a
50% chance yield, the square root method suggested by Biham I believe).
What this should be is an example of what physical access can gain.

nihil
