Comments on Windows Incident Response: Some more stuff...

2010-05-29T15:08:53.721-05:00

> there are a LOT of analysts out there who think that the "Password Not Required" flag in the SAM means that the account doesn't have a password . .

Oops, forgot to comment. This is a widely held misconception, but the wording used by the tools to describe the output could stand a little adjustment. I'm also unsure of exactly what the MS explanation means. For example, I have an account that has a password, which must be entered to log on to Win 7. No minimum length is set (0), and complexity is not enabled. Registry Viewer reports "Password required=true," and RR does not report the "Password not required" remark.

Maybe some testing is in order using different systems. Would it be better to phrase the output as "Password policy (not) in effect"? I also would assume that one could set a minimum length without complexity, but not the converse.

Jimmy_Weg

2010-05-29T14:39:13.534-05:00
> Nothing quite like freeware to get the job done, eh?

ophcrack does indeed work very well and provides a couple of free tables. They often work within a minute. However, the complete set of ophcrack tables is about $1,000. I've had about a 20% success rate with the free set.

Concerning the other blog, ophcrack accepts a hash set as LM:NTLM, so I suspect that's what Chris meant in his description when he referred to his NTLM hash. The NTLM hash actually is the second hash, which follows the colon. In Vista+, the LM is not used.

One also can generate his or her own tables, using a free tool like Winrtgen. http://www.oxid.it/projects.html

Tables aside, there are some incredible (free) tools that mount a brute force attack with amazing speeds. I use these after a table attack fails and often achieve results, albeit over several hours or a couple of days. Sometimes it's a matter of minutes. Most of these tools run on GPUs on NVIDIA CUDA or ATI cards. Some employ CPUs in addition or alone. I can usually run 100 to 500 million P/S, and a high end card ($350 - $650) can hit >1 billion on at least certain hash types. I suspect that you'll crack the average dictionary-crackable password faster than a well known name brand tool that's $$$. Moreover, you'll readily crack certain passwords that the $$$ tool likely will not crack within a reasonable time frame, if ever.

Jimmy_Weg
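An added example, not part of the comments above and not code from ophcrack or any tool they mention: a small Python audit check for the LM:NTLM pair format described in the second comment, reporting whether an LM hash is stored and whether the NTLM field is the hash of an empty password. The function names and sample pairs are hypothetical and constructed; the two constants are the well-known LM and NT hashes of an empty password.

```python
import re

# Well-known constants: the LM and NT hashes of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
_HEX32 = re.compile(r"[0-9a-f]{32}")


def parse_pair(pair):
    """Split an 'LM:NTLM' string; the NTLM hash is the field after the colon."""
    lm, sep, nt = pair.strip().lower().partition(":")
    if not sep or not _HEX32.fullmatch(nt):
        raise ValueError("expected LM:NTLM with a 32-hex-digit NTLM field")
    # Assumption: an LM field that is blank or not 32 hex digits (some dump
    # tools write a placeholder there) means no LM hash is stored.
    if not _HEX32.fullmatch(lm):
        lm = EMPTY_LM
    return lm, nt


def audit(pair):
    """Report what a hash pair says about the account, for a password audit."""
    lm, nt = parse_pair(pair)
    return {
        "lm_stored": lm != EMPTY_LM,       # False is expected on Vista and later
        "blank_password": nt == EMPTY_NT,  # the account really has no password
        # LM hashes each 7-character half separately; an empty second half
        # means the password is at most 7 characters long.
        "lm_short_password": lm != EMPTY_LM and lm[16:] == EMPTY_LM[:16],
    }


# Constructed sample pairs (arbitrary hex, not taken from any real system).
SAMPLE_NT = "0123456789abcdef0123456789abcdef"
SAMPLES = {
    "vista_user": EMPTY_LM + ":" + SAMPLE_NT,
    "blank": EMPTY_LM + ":" + EMPTY_NT,
    "legacy_short": "fedcba9876543210" + EMPTY_LM[:16] + ":" + SAMPLE_NT,
}

if __name__ == "__main__":
    for name, pair in SAMPLES.items():
        print(name, audit(pair))
```
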