-
March 14th, 2006, 07:45 PM
#1
Junior Member
mscash to md4 ??
Hi
I found this somewhere:
MSCASH = MD4( MD4(password ) || lowercase(username) )
Can somebody please explain every step of generating an mscash hash (first generate the md4 hash of the plain text password.......)?
And is there any way to revert an mscash hash to an md4 hash, if the salt (=username) is known?
I'd be very grateful for a reply
-
March 14th, 2006, 10:05 PM
#2
Did you find that information here: http://www.securiteam.com/tools/5JP0I2KFPA.html ? It seems to explain it (kinda) well already.
Let me ask this: what are you trying to accomplish? It may be easier to answer your question with that sort of information.
-Deeboe
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu, The Art of War
http://tazforum.**********.com/
-
March 14th, 2006, 10:31 PM
#3
Hi
I think this formula, whatever the "symbols" mean, is incomplete[1].
However, I just crosschecked with the jtr-diff[2], so I may be slightly
wrong.
The MSCASH is built as follows:
1. pad "username" to 64 unicode chars (128 byte)
There is no lowercasing of the username. However, it is made sure that
the order is little-endian. I think, but I am not completely sure, that this
was the confusion for the "lowercase-assumption".
2. take the MD4-hash of the unicoded password (16 unicode chars = 32 bytes)
3. Append the 128-byte tabbed unicoded username to "MD4(password)"
4. take the MD4-hash of the unicoded version of the construct in step 3.
Done.
As per your question:
"is there any way to revert an mscash hash to an md4 hash, if the salt (=username) is known?"
Not sure whether I understand your question, but I would say: No.
MD4 is a one-way function, not the best one, but still a one-way function.
You cannot solve for the "argument" of the MD4-function knowing the
"result". Knowing the unicoded, little-endian ordered and tabbed username
helps to reduce the "candidate"-space, still, you would have to find ("brute-force")
MD4(password) (and then (poor approach however) find password from
knowing MD4(password)).
The role of the salt simply is to nullify the usage of pre-calculated rainbow-tables.
Cheers.
[1] http://www.securiteam.com/securityre...OP0N2KF6S.html
[2] http://www.openwall.com/john/contrib...cash-5.diff.gz
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
-
March 15th, 2006, 06:18 AM
#4
Banned
It looks like a way to check to see if the password and username are accepted in some login screen or something. My guess is that MSCASH is a sort of variable or possible access to a db file. The password you log in with is encrypted with the MD4 algorithm, paired with the lowercase(username), and either stored as the variable or checks the file MSCASH to see if it has that username/password combo.
Again, this is only a guess... a little more info would be necessary to accurately tell what it does, such as what the file is called, where the text came from, what language this is in, etc.
-
March 15th, 2006, 07:44 AM
#5
Hi
[small rant]
Digoy, it is fine to assume, to guess and to think, but at least try to
do a little bit of research. You can provide yourself with the information
needed in this case. The MSCash is nothing wrapped in mystery, it is simply
the hashing mechanism of Microsoft to store Domain login credentials on the
local machine. An excerpt of Irongeek's excellent tutorial here on AO (one of the
most viewed ones):
By default Windows 2000, XP and 2003 systems in a domain or Active Directory tree cache the
passwords and credentials of previously logged in users. This is done so that the users can still
login again if the Domain Controller or ADS tree can not be reached either because of Controller
failure or network problems. These cached passwords are stored as hashes in the local system's
registry at the values HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10.
[/small rant]
-
March 15th, 2006, 02:35 PM
#6
Junior Member
Thanks for your help
-
March 15th, 2006, 04:58 PM
#7
MD4 is a hash function, which means there's no easy way back -- you're looking at brute-force (possibly through a reduced space if there are flaws in the algorithm).
Without context, it's hard to interpret that line -- does || mean a bitwise or, or concatenation, or something else?
-
March 16th, 2006, 12:42 PM
#8
Banned
Since MDx functions are "message digest" functions, the answer is that no, there is no way to get the original hash from the MSCASH hash, since MD4 (like the more common MD5) is a one-way hash type function.