>> My win2k box shows that three user-accounts on my windows 2000 machine
>> report as being *empty*, <8 and 2 of the three share a NULL password LM
>> Hash
>> of AAD3B435B51404EEAAD3B435B51404EE. The third hash is different and I do
>> not wish to report it here for what id deem obvious reasons.

This hash means there is no LM hash store which is good. This means the
NOLMhash key exists.

The one that does show a different one just change the password, it only
takes effect once the password is changed. It then should show
AAD3B435B51404EEAAD3B435B51404EE like the others.

Dave

>> The three accounts include Administrator and two other users. The
>> passwords
>> are known and have been fed into a wordlist. Running LC3 repeats these
>> results.
>>
>> The Administrator account is most definitely not NULL, and the other two
>> accounts are not guest users. Attempting login with null password is
>> denied
>> for all three accounts. LC3 is being run on the local machine.
>>
>> 1. Should I treat the box as compromised? Highly unlikely as there are
>> enough alarms in place
>> 2. Should I report my findings to @Stake, in the belief LC has a flaw?
>>
>> Much appreciated,
>>
>> Chris Mawer
>>
>> _________________________________________________________________
>> MSN Messenger - fast, easy and FREE! http://messenger.msn.co.uk
>>

[ reply ]