After that post RoadClosed, all I can think about is WeirdAl's song "It's all about the Pentiums"...!
~AciD
Printable View
After that post RoadClosed, all I can think about is WeirdAl's song "It's all about the Pentiums"...!
~AciD
LOL, never heard it. Maybe I should piss off the RIAA and see if it's on P2P. I mean I would like to hear it but I am not going to go buy the CD for one song, the radio doesn't play it, MTV probably won't air it so how else could I be turned on to it and have a sample?
I am l337 P2P ha4or mofa
I realize what a brute force attack is, and unfortunately the Inbox is NOT neccesarily the logon name(in fact almost certainly is not) and cannot be enumerated from the exchange server w/o an authenticated user account (meaning you already have an account and if you want someone elses there are a of lot better ways like NetBIOS which you can try a dictionary attack on or locally cached stuff like LSA secrets) and if you DID have the user logon you wouldnt be brute forcing the exchange server but the domain authority which would be over a network (NTLMv2 is 128-bit with Kerberos that should only take a few thousand years) while also basically DOSing the domain controller with log-on attempts(Which I think someone would notice,eh?) In order to effectively brute force a NTLM account with any kind of speed a copy of the SAM must be available locally(And this is assuming you have the syskey,of course), allowing HUNDREDS of THOUSANDS if not MILLIONS of tries per second which somehow I dont see him doing over TCP/IP. In otherwords if you can brute force a NTLMv2 password over a network, I'll eat my ****ing keyboard. Even if NTLMv2 was NOT used he would have a better chance of success by sniffing packets for authentication handshakes from the depricated LANMAN(LM) auth/SMBsniffing which has widely known weaknesses(aka sux) and THEN brute forcing.Quote:
Originally posted here by mohaughn
Maestro- If you know the user name, and you use a brute force attack to guess the password, you will have gained the proper authentication. That is the purpose of a brute force attack, to get permissions for an account you know is valid, but do not know the password to.
-Maestr0
"These LMv2 and NTLMv2 encrypted pairs are quite strong and, although they can be captured from the network by LC4, they are essentially immune to either its dictionary or brute-force attacks" -@Stake
EDIT:
P.S. I'll only eat half my keyboard if strong password policy is not enforced :)
heh, by all means, piss off RIAA. Seems like nobody else is holding back when it comes to that ;)
Are you using active directory? I am just learning it and ALL my applications of Exchange are detailed in the active directory profile. Am I implementing things incorectly?Quote:
I realize what a brute force attack is, and unfortunately the Inbox is NOT neccesarily the logon name(in fact almost certainly is not)
I may be mistaking what you are asking, but Exchange 2000 is intertwined with Active Directory, even the schema. All the Exchange settings for users are now changed inside of Active Directory.Quote:
Originally posted here by RoadClosed
Are you using active directory? I am just learning it and ALL my applications of Exchange are detailed in the active directory profile. Am I implementing things incorectly?
-NeuTron
yes that is what I am saying, in active directory the user name is the same as the mailbox name. It has to be and if that isn't true then I am implementing things wrong. The inbox IS the same as the log in name under active directory.
I'm a little fuzzy on this but I'm pretty sure that you are able to name the mailbox for any user whatever you want. It doesn't have to be the username as far as I know. It's been a couple months since I touched an Exchange box but I seem to remember having control of the mailbax name. 90% sure I would say....
-NeuTron
Exactly. On a Domain controller there is no 'local' machine with users, its all in your AD and is managed thru the AD mmc concoles, Exchange will use these entries as well since all the required structures are already in place.Quote:
Originally posted here by NeuTron
I may be mistaking what you are asking, but Exchange 2000 is intertwined with Active Directory, even the schema. All the Exchange settings for users are now changed inside of Active Directory.
-NeuTron
-Maestr0
OK thanks all, active directory is hard to get used to a first; being in my domain controller/wins mind set versus Active Directory Objects and DNS. I love it though, so far. DNS caused me a sleepless night though. Old file shares stopped working and a slew of other issues. I love being able to set up a mail user and just adding exchange profiles right in the user console.