lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <653552211.20060527142704@SECURITY.NNOV.RU>
Date: Sat, 27 May 2006 14:27:04 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: feedb4ck@...k.org
Cc: bugtraq@...urityfocus.com
Subject: Re: LM hashes in a hot-desking environment


Dear feedb4ck@...k.org,

--Thursday, May 25, 2006, 5:46:43 PM, you wrote to bugtraq@...urityfocus.com:

fzo> Although it is a well known fact that Windows desktops and servers still
fzo> use LM Hashes and cache the last ten userids and passwords locally, just
fzo> in-case an Active Directory, Domain, or NDS tree are not available, has
fzo> anyone thought about the consequences of this issue in a hot-desking, or
fzo> flexible working environment?

Windows  doesn't  cache  passwords.  If I remember correctly, the cached
value  is  actually  MD5  from  NT  key and can not be used directly. LM
hashes     can     be     disabled    through    group    policy,    see
http://support.microsoft.com/?kbid=299656.   Local   SAM  doesn't  store
domain accounts.

fzo> Now, I know what everyone is saying, wait a minute, for PWDUMP to work you
fzo> need to be administrator to the local machine.   But think again, how
fzo> often is this the case?  Many companys only look to restrict network
fzo> access - as restricting local access may cause issues with applications
fzo> which need to access the local drive.

If  your users on shared hosts work with local administrators privileges
- you have no security at all. Forget about about PWDUMP, it's too hard.
Think   about   trojans  and  keyloggers  user  can  install  to  obtain
credentials  of  different  user. Even more: if you have shared computer
and  you  have  no  physical  security,  everyone  can  install hardware
keylogger.

Your problem is you have strange approach to security. Good approach is:

What should I protect?

-- 
~/ZARAZA
http://www.security.nnov.ru/



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ