Focus on Microsoft
Defeating password cracking Feb 18 2003 07:35PM
dave (dave netmedic net) (1 replies)
Simple ways of defeating password-recovery boot disks and password crackers
on NT/2000 machines.

I was bored and trying different characters that L0phtCrack and other
cracking programs could not detect. While doing so, I discovered that by
using these same characters in user names you could prevent the boot-disk
password changers from being able to change the Admin and other passwords.

Possibly this is old news but I found it quite interesting. I am posting it
to see if anyone else has found similar results, and maybe even ways to
defeat this.

1. The character list: These are all ALT characters that L0phtCrack and
Advanced NT Security Explorer could not detect. I made the password 5
characters long and added them to the custom character sets. For my test,
after testing all of them, I decided to use Alt-251 (√); it is the square
root symbol, but it shows as a small v in the cracking programs, or not at all
in the password recovery boot disks.

2. Defeating password crackers: Ok so now we make a user name "joe√"
(without the quotes) and we make the password "1234√". Well, I spent 3 days
and could not get the password cracked, even after I added it to the custom
character sets; maybe I am just an amateur. So please let me know if I am
doing something wrong. Notice the username displays as joev in L0phtCrack
and the others. Also try using sid2user and other user information
utilities on it. Most will tell you the user does not exist, whether you
add the special character or put it as a small v. Even the W2000 Resource
Kit "showmbrs.exe" does not display the special character.

3. Ok so now we have to prevent the password recovery boot disks from being
able to change the passwords. I had the "Linux boot-disk password changer"
and the one from Win/sysinternals.

4. First, no matter what you change the name of the built-in administrator
account to, you can always change the password with these tools; I am
assuming it is because the SID is always the same. You cannot disable it, so
I had to come up with a way to get around that. So I simply created a group
called "no access" and added the built-in administrator account to it. I added
the deny logon locally and deny access to this computer from the network
privileges, and took away all access to the drives, essentially disabling

5. Ok now we made joe√ a member of the admin group. We boot to the
password recovery disk. The users except for joe√ show normally; he shows as
joe. Since we know his real username, we try entering it that way and the
way it displays; either way we get "cannot find user". I could change any
password except for joe√'s. If we change the built-in admin account's
password all is great; of course we cannot log in as him. If we use one of
these Alt characters in all the usernames, we essentially can prevent any of
the passwords (except the built-in admin account) from being changed.

6. Well now I know there are other ways: editing the registry, installing
a separate installation of the OS, etc. But I believe this is a pretty
cool way of thwarting the basic "hacker" that thinks he is going to walk up
to your system, boot to this disk, change the password and get in.
Further, it is nice to know that there are passwords you can make that even
the common crackers cannot crack.

Well, this is my little discovery; your thoughts and counter-thoughts are
greatly appreciated. I do not mean this to be an end-all way of defeating
these programs, but every little bit helps.

Dave Kleiman
dave (at) netmedic (dot) net [email concealed]

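An added example (not part of Dave's post) showing the mechanism behind items 1, 2 and 5: Windows computes the NT hash as MD4 over the UTF-16LE password, so a password containing Alt-251 (CP437 byte 0xFB, the square-root sign U+221A) hashes from the Unicode code point, while an 8-bit cracker builds its candidates from a single OEM byte or from the letter "v" it sees on screen and never produces the same UTF-16 input. The same encoding step explains why an ASCII-only tool shows "joe√" as "joe". MD4 is written out in pure Python so the script runs without OpenSSL's legacy digest provider; the user name, password and character sets are constructed for the demonstration.

```python
"""Why a code-page-only character in a Windows password defeats an 8-bit cracker.

Added example, not from the original post.  NT hash = MD4(UTF-16LE(password)).
The names and character sets below are constructed test data.
"""
import itertools
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (avoids relying on hashlib's legacy 'md4')."""
    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    def rotl(v, n):
        return ((v << n) | (v >> (32 - n))) & MASK

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit LE.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + words[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c          # [ABCD] -> [DABC] -> [CDAB] -> [BCDA]
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash exactly as Windows computes it: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def oem_bytes(s: str) -> bytes:
    """What an OEM-code-page (CP437) console tool carries: one byte per character."""
    return s.encode("cp437")


def ascii_view(s: str) -> str:
    """What an ASCII-only tool displays: the non-ASCII character is simply gone."""
    return s.encode("ascii", "ignore").decode("ascii")


def crack_nt(target: bytes, charset: str, length: int):
    """Exhaustive search over charset**length; returns the password or None."""
    for combo in itertools.product(charset, repeat=length):
        candidate = "".join(combo)
        if nt_hash(candidate) == target:
            return candidate
    return None


# Constructed data mirroring the post: "joe" + Alt-251 and "1234" + Alt-251.
USERNAME = "joe\u221a"
PASSWORD = "1234\u221a"

if __name__ == "__main__":
    target = nt_hash(PASSWORD)
    print("NT hash:", target.hex())
    print("OEM bytes of the password:", oem_bytes(PASSWORD))    # b'1234\xfb'
    print("ASCII view of the user name:", ascii_view(USERNAME))  # 'joe'
    # A cracker that treats the glyph as the letter 'v', or that decodes the
    # OEM byte 0xFB as Latin-1 'u-circumflex' (U+00FB), never builds the right
    # UTF-16 input; only a charset carrying U+221A itself can succeed.
    print("charset 1234 + 'v'     ->", crack_nt(target, "1234v", 5))
    print("charset 1234 + U+00FB  ->", crack_nt(target, "1234\u00fb", 5))
    print("charset 1234 + U+221A  ->", crack_nt(target, "1234\u221a", 5))
```

The protection is entirely in the tools' character handling, not in the hash: a cracker that enumerates candidates over the real UTF-16 code points (or is fed the raw 0x1A 0x22 bytes) recovers "1234√" as quickly as any other five-character password, and the two failing searches above are exactly what a mis-decoded custom character set produces.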
Re: Defeating password cracking Feb 22 2003 12:56AM
neopara (neopara shaw ca)


Copyright 2010, SecurityFocus