I can't find any references to using rainbow tables on the cachedump hash.
Is this possible?
Well in the right corner of the AO home page there is a search feature
I suggest you try
password hash
password cache
both of which have turned up pages and pages of information
Unless you want me to read them for you too.... :rolleyes:
MLF
Could you read them for me? I'm too tired at the moment. ;) :)
Quote:
Originally posted here by morganlefay
Unless you want me to read them for you too.... :rolleyes:
MLF
The cache dump needs to be brute forced to retrieve the password.
Quote:
Originally posted here by shakenbake
I can't find any references to using rainbow tables on the cachedump hash.
Is this possible?
Katmando
Quote:
Originally posted here by morganlefay
Well in the right corner of the AO home page there is a search feature
I suggest you try
password hash
password cache
both of which have turned up pages and pages of information
Unless you want me to read them for you too.... :rolleyes:
MLF
If you'd like to find a link with an answer to my question in it (as opposed to just mouthing off), please feel free.
Katmando, thank you.
I guess that means you want me to read them all for you...
Then provide the appropriate link...to the one that I feel will help you most...
Or a nice list indexed and highlighted for you
...yeah...that's gonna happen. :rolleyes:
Why don't you read some of the information...then come back and ask your questions
I gave you a perfectly good suggestion that has all the information you are requesting....
Do you want to be a little more specific...about what you're looking for
My truck won't start...can you help me???
How about a link....
MLF
Would you like me to paint you a picture?
What can't you understand about the question? If you knew what rainbow tables are and what cachedump is, it's not terribly difficult to understand the question.
Katmando had no problem understanding the question ... Why do you think that is?
Why are you assuming that I've asked this question without searching for an answer first?
I think the issue here is that I've challenged your initial arrogant post, you've actually searched yourself in order to prove me wrong. You've found no thread with the information to mush back in my face and now you're asking me to be "more descriptive" to save your own face.
If you haven't got a clue what I'm talking about (or what you're talking about even) well then don't pollute the thread with shite talk to impress your peers in an attempt to belittle me. You've already made yourself look like a fool.
Now, toddle off away with you little man and get back to playing with superscan.
and I guess you have built your own rainbow table.....
Quote:
What can't you understand about the question? If you knew what rainbow tables are and what cachedump is, it's not terribly difficult to understand the question.
Now want to use it against a cache dump.
Wow...I am totally impressed....truly I am.
Quote:
Why are you assuming that I've asked this question without searching for an answer first?
Because your question was vague....did you try the search option I suggested???
I think Irongeek has some info for you???....
Quote:
Now, toddle off away with you little man and get back to playing with superscan.
Now....who's the little man...
Here's some reds to mush in your face.... :D
MLF
Well, I've read MLF 1st poster and went to AO search facility and typed "password hash"
4th result is: "Tutorial:Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003"
Voilà!
It's a tutorial about cachedump and cracking using JTR.
So.. following the idea about using JTR, you can adapt it to use RT.
Verdict:
MLF was correct at first suggestion and you were very rude. Too bad for you.
If you think my question was vague, you're seriously delusional.
If you want to impress me, answer the question.
I've read Irongeek's paper, it's a very good read but it doesn't answer my question. Please direct me to the bit that does?
You see the bit I'm confused over is that apparently cachedump's output is an MD4 hash, salted with the username. So I thought, if it's possible that a table could at least be generated for the admin password, why doesn't one exist? Is there something specific to this algorithm/salt that prohibits its creation?
What's your expert opinion on it morganlefay?
Perhaps I was a little rude, I apologise for that everyone.
Quote:
Originally posted here by cacosapo
Well, I've read MLF 1st poster and went to AO search facility and typed "password hash"
Verdict:
MLF was correct at first suggestion and you were very rude. Too bad for you.
I know nothing....nothing I tell ya!!!
I was just pointing you to a resource.....
What I wasn't going to do is research it for you.....
Plus I had read most of your other vague posts....
Figured you just wanted to be spoon fed...like before
Full yet
MLF
>> Full yet
No ... I'd still like an informed answer from somebody!!
Well, I may be wrong (as usual) but cached passwords dumped by cachedump are current user password (hashed by MD4(password|U(username))). And this is the format that JTR uses as input.
Quote:
You see the bit I'm confused over is that apparently cachedump's output is an MD4 hash, salted with the username.
So I can imply if JTR is able to crack, a rainbow table will do the same job, right? :confused:
Hi
Certainly, cacosapo is right :)
Perform the following experiment:
a) get cachedump[1]
Code:
cachedump -v
extracts username:mscash.
b) get passwordspro[2]
Tools -> Hash Generator. Insert your password in "Text"
and add your username in the User name field.
Do the MScashs agree?
Now, how difficult would it be to create a table with a fixed salt, ie.
a fixed username? ...
Hence, there might be an advantage to rename the default administrator
name?
Cheers :)
[1] http://www.off-by-one.net/misc/cachedump-1.2.zip
[2] http://www.insidepro.com/eng/passwordspro.shtml
Shakenbake,
Quote:
Originally posted here by shakenbake
>> Full yet
No ... I'd still like an informed answer from somebody!!
I am of the thought that if I see a stupid post I just ignore it. It makes more sense to me to spend less of my time by ignoring it than spend more time and effort cutting the poster down. But that is just me.
With that said you mentioned you read Irongeek's paper and maybe you missed this but this is what he has to say.
------------------------------------------------
Taken from http://www.irongeek.com/i.php?page=security/cachecrack
Fortunately from a security standpoint the way Microsoft hashes cached passwords is much more secure than the way they store local passwords in the SAM file. Since each cached hash has its own salt (a set of more or less random bits figured into the hash algorithm to help foil pre-computed attacks) cached passwords hashes take much longer to crack than LM (LAN Manager) hashes which don't salt the same way, are case insensitive and are split into seven character chunks.
------------------------------------------------
So it appears to me that the way MS salts this cache would make it difficult to create a precompute table (like rainbow table). What I am not sure about is if that difficulty is more or less not possible. What I mean is everything is possible but maybe beyond the time and effort required to it. One can brute force anything but it may take them 100 lifetimes.
Good luck in your searches, let us know if you find anything different.
Katmando
Hi
Katmando,
while it is true that MSCash is harder to crack, because one
cannot blindly use rainbow tables as for the (depreciated!)
LM-hashes[1],
it is not true, at least as far as my understanding of the MSCash[2]
goes, that the salt consists of a set of more or less random bits
(sorry irongeek). The salt is predefined, otherwise I would not have
obtained the same MSCash in my above mentioned experiment.
Hence, it is possible to create a rainbow table - however, one each for
every user. But on how many machines, the administrator is called
"administrator" in the workgroup "WORKGROUP"?
The required time to calculate twice an MD4 is not an obstacle to build
a rainbow table. The idea of the salt is to make it unfeasible to re-use
the same table over and over again, eg. for all usernames.
Cheers
[1] http://www.antionline.com/showthread...r=1#post828847
[2] http://www.antionline.com/showthread...r=1#post892906
Sec_ware,
Quote:
Originally posted here by sec_ware
Hi
Katmando,
it is not true, at least as far as my understanding of the MSCash[2]
goes, that the salt consists of a set of more or less random bits
(sorry irongeek). The salt is predefined, otherwise I would not have
obtained the same MSCash in my above mentioned experiment.
Hence, it is possible to create a rainbow table - however, one each for
every user. But on how many machines, the administrator is called
"administrator" in the workgroup "WORKGROUP"?
Thanks for the input, very interesting.
So it seems plausible for certain usernames and domains (EX administrator/workgroup). But correct me if I am wrong, grabbing the cache is really only useful when a domain is used. Otherwise one would just grab the SAM. If it is only useful in a domain environment how many people actually use the default domain name in a production environment?
Also in Irongeek's defense he said it was harder not impossible.
But anyway it is interesting I would like to look into this further.
Thanks for the information and banter gentlemen, the last few posts were much more like it.
I also apologise again for being a rude *****, yesterday was a particularly stressful one !