• Welcome to Tux Reports: Where Penguins Fly. We hope you find the topics varied, interesting, and worthy of your time. Please become a member and join in the discussions.

User accounts have gone missing!

Bob I
On 8/7/2010 7:21 PM, Tom Del Rosso wrote:
> Parko wrote:
>>
>> I've used this quite successfully in the past. Fairly straightforward
>> to use.
>> http://pogostick.net/~pnh/ntpasswd/

>
> These things make me nervous, since neither the NTFS file system nor the SAM
> file format is documented. I wish they'd just read the file and tell me
> what the password is instead of changing it.
>


Some security that would be.
 
Parko
On Sat, 07 Aug 2010 20:21:19 -0400, Tom Del Rosso wrote:

> Parko wrote:
>>
>> I've used this quite successfully in the past. Fairly straightforward
>> to use.
>> http://pogostick.net/~pnh/ntpasswd/

>
> These things make me nervous, since neither the NTFS file system nor the
> SAM file format is documented. I wish they'd just read the file and
> tell me what the password is instead of changing it.


The password files are encrypted. It's called security.



--
Where's the cursor?
Where's the eraser?
Where's the cursor?
Where's the eraser?
G-O-H-O-H-O-9-O
G-O-H-O-H-O-9-O
G-O-H-O-H-O-9-O
H-O-9-O-G-O-H-O
 
Tom Del Rosso
Parko wrote:
> On Sat, 07 Aug 2010 20:21:19 -0400, Tom Del Rosso wrote:
>
>> Parko wrote:
>>>
>>> I've used this quite successfully in the past. Fairly
>>> straightforward to use.
>>> http://pogostick.net/~pnh/ntpasswd/

>>
>> These things make me nervous, since neither the NTFS file system nor
>> the SAM file format is documented. I wish they'd just read the file
>> and tell me what the password is instead of changing it.

>
> The password files are encrypted. It's called security.


No shit Sherlocks. And changing the password doesn't require cracking that
security?


--
Reply in group, but if emailing add one more
zero, and remove the last word.
 
Bob I
On 8/20/2010 6:05 PM, Tom Del Rosso wrote:
> Parko wrote:
>> On Sat, 07 Aug 2010 20:21:19 -0400, Tom Del Rosso wrote:
>>
>>> Parko wrote:
>>>>
>>>> I've used this quite successfully in the past. Fairly
>>>> straightforward to use.
>>>> http://pogostick.net/~pnh/ntpasswd/
>>>
>>> These things make me nervous, since neither the NTFS file system nor
>>> the SAM file format is documented. I wish they'd just read the file
>>> and tell me what the password is instead of changing it.

>>
>> The password files are encrypted. It's called security.

>
> No shit Sherlocks. And changing the password doesn't require cracking that
> security?
>
>


The password and account ARE secure, you won't be accessing the
account's encrypted files with a changed or flattened password.
 
Tom Del Rosso
Bob I wrote:
> The password and account ARE secure, you won't be accessing the
> account's encrypted files with a changed or flattened password.


So it puts the new password somewhere else? Where?

--

Reply in group, but if emailing add one more
zero, and remove the last word.
 
Rod Speed
Tom Del Rosso wrote
> Parko wrote
>> Tom Del Rosso wrote
>>> Parko wrote


>>>> I've used this quite successfully in the past. Fairly straightforward to use.
>>>> http://pogostick.net/~pnh/ntpasswd/


>>> These things make me nervous, since neither the NTFS file system nor the SAM file format is documented. I wish
>>> they'd just read the file and tell me what the password is instead of changing it.


>> The password files are encrypted. It's called security.


> No shit Sherlocks. And changing the password doesn't require cracking that security?


Nope, changing doesn't, telling you what the current password is does.
 
Rod Speed
Tom Del Rosso wrote
> Bob I wrote


>> The password and account ARE secure, you won't be accessing the
>> account's encrypted files with a changed or flattened password.


> So it puts the new password somewhere else?


Nope, it puts it in the same place, but encryption is a completely different process to decryption.

In fact when checking whether the password has been entered correctly when say logging
on, the password entered is encrypted and the encrypted form is compared with the stored
encrypted form of the original password and if they match, the password is correct. That's
nothing like decrypting the stored form of the original password.

In fact it isn't even possible to reverse some forms of encryption at all, they are one way encryptions.

> Where?


Same place the original was stored.
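The verify-by-comparison and overwrite-on-reset behaviour Rod Speed describes above, as an added example that is not part of the thread and not the code of the reset tool being discussed. SHA-256 and the dictionary "account database" are stand-ins chosen for the demonstration; nothing here reproduces the real SAM or NT hash format, which the thread itself calls undocumented.

```python
"""Added example, not from the thread: a toy account store that verifies
logins by comparing digests and "resets" a password the way a reset CD
does, by overwriting the stored digest. SHA-256 is a stand-in; nothing
about the real SAM/NT hash format is assumed here."""
import hashlib


def hash_password(password: str) -> str:
    # One-way: the digest is computed from the password, never the reverse.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify(store: dict, user: str, attempt: str) -> bool:
    # The login path: digest what was typed and compare it with what is
    # stored. No decryption happens; matching digests mean a correct password.
    return store.get(user) == hash_password(attempt)


def reset_password(store: dict, user: str, new_password: str = "") -> None:
    # What a reset tool does: discard the old digest and write the digest of a
    # known (here blank) password into the same slot. The old password is
    # never recovered and is not needed for this.
    store[user] = hash_password(new_password)


def demo() -> dict:
    # Constructed account database; "tom" has a password we never look at again.
    accounts = {"tom": hash_password("correct horse")}
    before = verify(accounts, "tom", "correct horse")
    reset_password(accounts, "tom")  # flatten the password to blank
    old_still_works = verify(accounts, "tom", "correct horse")
    blank_works = verify(accounts, "tom", "")
    return {
        "before": before,
        "old_still_works": old_still_works,
        "blank_works": blank_works,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three states in order: the original password verifies, then after the overwrite it no longer does while the blank one does. At no point did the code need, or obtain, the original password, which is exactly why a reset is cheap and a recovery is not.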
 
Bob I
On 8/21/2010 5:48 PM, Tom Del Rosso wrote:
> Rod Speed wrote:
>> Tom Del Rosso wrote
>>> Bob I wrote

>>
>>>> The password and account ARE secure, you won't be accessing the
>>>> account's encrypted files with a changed or flattened password.

>>
>>> So it puts the new password somewhere else?

>>
>> Nope, it puts it in the same place, but encryption is a completely
>> different process to decryption.
>> In fact when checking whether the password has been entered correctly
>> when say logging on, the password entered is encrypted and the encrypted
>> form is
>> compared with the stored encrypted form of the original password and if
>> they match, the
>> password is correct. That's nothing like decrypting the stored form of the
>> original password.
>>
>> In fact it isnt even possible to reverse some forms of encryption at
>> all, they are one way encryptions.

>
> Thanks. That's it then. I'm aware that there are non-reversible
> encryptions, but I didn't consider that possible, because years ago I used
> another password cracker (fee-based, from a commercial operation) to recover
> a password from a Win2k system. It required copying the sam file and
> emailing it to them. I guess they did it by brute force, until they found a
> password that created the same encrypted data. I had always assumed they
> decrypted it.
>

FWIW, a similar "cracking" method is used against MS Office documents,
brute force gets you some character string that provides the same
"hashcode", it opens the file but most likely wasn't the password
actually used.
 
Arno
In comp.sys.ibm.pc.hardware.storage Bob I <birelan@yahoo.com> wrote:


> On 8/21/2010 5:48 PM, Tom Del Rosso wrote:
>> Rod Speed wrote:
>>> Tom Del Rosso wrote
>>>> Bob I wrote
>>>
>>>>> The password and account ARE secure, you won't be accessing the
>>>>> account's encrypted files with a changed or flattened password.
>>>
>>>> So it puts the new password somewhere else?
>>>
>>> Nope, it puts it in the same place, but encryption is a completely
>>> different process to decryption.
>>> In fact when checking whether the password has been entered correctly
>>> when say logging on, the password entered is encrypted and the encrypted
>>> form is
>>> compared with the stored encrypted form of the original password and if
>>> they match, the
>>> password is correct. Thats nothing like decrypting the stored form of the
>>> original password.
>>>
>>> In fact it isnt even possible to reverse some forms of encryption at
>>> all, they are one way encryptions.

>>
>> Thanks. That's it then. I'm aware that there are non-reversible
>> encryptions, but I didn't consider that possible, because years ago I used
>> another password cracker (fee-based, from a commercial operation) to recover
>> a password from a Win2k system. It required copying the sam file and
>> emailing it to them. I guess they did it by brute force, until they found a
>> password that created the same encrypted data. I had always assumed they
>> decrypted it.
>>

> FWIW, a similar "cracking" method is used against MS Office documents,
> brute force gets you some character string that provides the same
> "hashcode", it opens the file but most likely wasn't the password
> actually used.


This is possible, BTW, because the people designing this system
did not have a clue and selected too short a hashcode.

The whole thing is derived from Unix password handling (which is
secure and works), but got broken in the process. No surprise when
looking at who did this....

Arno

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
 
David Brown
On 22/08/2010 00:48, Tom Del Rosso wrote:
> Rod Speed wrote:
>> Tom Del Rosso wrote
>>> Bob I wrote

>>
>>>> The password and account ARE secure, you won't be accessing the
>>>> account's encrypted files with a changed or flattened password.

>>
>>> So it puts the new password somewhere else?

>>
>> Nope, it puts it in the same place, but encryption is a completely
>> different process to decryption.
>> In fact when checking whether the password has been entered correctly
>> when say logging on, the password entered is encrypted and the encrypted
>> form is
>> compared with the stored encrypted form of the original password and if
>> they match, the
>> password is correct. That's nothing like decrypting the stored form of the
>> original password.
>>
>> In fact it isnt even possible to reverse some forms of encryption at
>> all, they are one way encryptions.

>
> Thanks. That's it then. I'm aware that there are non-reversible
> encryptions, but I didn't consider that possible, because years ago I used
> another password cracker (fee-based, from a commercial operation) to recover
> a password from a Win2k system. It required copying the sam file and
> emailing it to them. I guess they did it by brute force, until they found a
> password that created the same encrypted data. I had always assumed they
> decrypted it.
>


Yes, these things are done by trial and error. Often such a company
will have large "rainbow" tables - they take tables of likely passwords
(such as common kids names, common pet names, misspellings of
"password", birthdays, etc.), dictionaries, etc., and run each one
through the password encryption algorithm. Then "cracking" the password
is as simple as looking it up in this table. If they get a match, they
have the original password. If not, then they need to run through
exhaustive searches.



If you ever have to break into a windows system again, it is a lot
easier to use a windows password reset live CD. These don't make any
attempt to identify the old password, but simply replace it with a known
(blank) one. It's a lot faster and cheaper than an external company.

If you actually need to recover the password rather than just change it
to something you know, there are again free tools for that.
 
Arno
In comp.sys.ibm.pc.hardware.storage David Brown <david@westcontrol.removethisbit.com> wrote:
> On 22/08/2010 00:48, Tom Del Rosso wrote:
>> Rod Speed wrote:
>>> Tom Del Rosso wrote
>>>> Bob I wrote
>>>
>>>>> The password and account ARE secure, you won't be accessing the
>>>>> account's encrypted files with a changed or flattened password.
>>>
>>>> So it puts the new password somewhere else?
>>>
>>> Nope, it puts it in the same place, but encryption is a completely
>>> different process to decryption.
>>> In fact when checking whether the password has been entered correctly
>>> when say logging on, the password entered is encrypted and the encrypted
>>> form is
>>> compared with the stored encrypted form of the original password and if
>>> they match, the
>>> password is correct. That's nothing like decrypting the stored form of the
>>> original password.
>>>
>>> In fact it isnt even possible to reverse some forms of encryption at
>>> all, they are one way encryptions.

>>
>> Thanks. That's it then. I'm aware that there are non-reversible
>> encryptions, but I didn't consider that possible, because years ago I used
>> another password cracker (fee-based, from a commercial operation) to recover
>> a password from a Win2k system. It required copying the sam file and
>> emailing it to them. I guess they did it by brute force, until they found a
>> password that created the same encrypted data. I had always assumed they
>> decrypted it.
>>


> Yes, these things are done by trial and error. Often such a company
> will have large "rainbow" tables - they take tables of likely passwords
> (such as common kids names, common pet names, misspellings of
> "password", birthdays, etc.), dictionaries, etc., and run each one
> through the password encryption algorithm. Then "cracking" the password
> is as simple as looking it up in this table. If they get a match, they
> have the original password. If not, then they need to run through
> exhaustive searches.


The accepted countermeasure to Rainbow Tables is salting, i.e.
to add a non-secret random value. This increases the size of the
Rainbow Table to infeasibility. As Microsoft is not familiar with
salting, they do work there.

> If you ever have to break into a windows system again, it is a lot
> easier to use a windows password reset live CD. These don't make any
> attempt to identify the old password, but simply replace it with a known
> (blank) one. It's a lot faster and cheaper than an external company.


I second that. I did this several times with good success and
very reasonable effort.

> If you actually need to recover the password rather than just change it
> to something you know, there are again free tools for that.


Whether that works depends strongly on the individual password
scheme. MS is incompetent here (otherwise breaking would not
work at all for good passwords), but even they made improvements.

Here is an example illustrating the "security mind-set" at Microsoft:
http://catless.ncl.ac.uk/risks/17.12.html
Scroll down to ''Microsoft "Bob" passwords''

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
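The precomputed table David Brown describes and the salting countermeasure Arno names, as one added example that is not part of the thread. The wordlist and account entries are constructed, SHA-256 stands in for whatever scheme a real system uses, and no claim about Windows is made. The block implements the plain lookup-table version of the attack; true rainbow tables compress that table with hash chains, but the time/space trade-off and the reason salting breaks it are the same.

```python
"""Added example, not from the thread: a precomputed lookup table against
unsalted digests, and why a per-account random salt defeats it. SHA-256
stands in for the real scheme; no claim about Windows is made."""
import hashlib
import os

# Constructed wordlist of the kind a cracking service keeps:
# pet names, dates, common variants.
WORDLIST = ["password", "passw0rd", "fluffy", "max", "19840512", "letmein"]


def unsalted_digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_table(words) -> dict:
    # Computed once, reused against every stolen digest. This is the plain
    # lookup form of what the post calls a rainbow table (real rainbow
    # tables shrink it with hash chains; the precomputation idea is the same).
    return {unsalted_digest(w): w for w in words}


def crack_unsalted(stored: str, table: dict):
    # One dictionary lookup; no hashing at attack time.
    return table.get(stored)


def salted_digest(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store_salted(password: str) -> tuple:
    # The salt is random per account and kept in the clear beside the digest;
    # it is not a secret, it only makes every account's digest unique.
    salt = os.urandom(16)
    return salt, salted_digest(password, salt)


def crack_salted(salt: bytes, stored: str, words):
    # The precomputed table is useless here: every candidate has to be
    # re-hashed with this account's salt. A weak password still falls,
    # but only to per-account work, never to a single lookup.
    for w in words:
        if salted_digest(w, salt) == stored:
            return w
    return None


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted:", crack_unsalted(unsalted_digest("fluffy"), table))
    salt, stored = store_salted("fluffy")
    print("table vs salted:", crack_unsalted(stored, table))
    print("per-salt search:", crack_salted(salt, stored, WORDLIST))
```

The point the two results make together: salting does not stop guessing, it stops sharing the guesses across accounts and across victims. A password that is in the wordlist is still found, but the attacker pays the full hashing cost for each salt rather than for the whole world once.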
 