| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <000001c45993$a87a04d0$3200000a@alex> From: jkuperus at planet.nl (Jelmer) Subject: RE: COELACANTH: Phreak Phishing Expedition] One final addendum to this ongoing thread Drew Copley was kind enough to point out to me that can steal any user's windows password simply by having them view a specially prepared page using this exploit What basically happens is that the server sends an 8 byte challenge to the browser, the browser uses the lanman and nt password hashes to generate a response by appending some zero's to the hash and then using it as a des key to encode the message. This message explains it more thoroughly http://www.insecure.org/sploits/l0phtcrack.lanman.problems.html If you know the response and you know the challenge (obviously we do since we control what's being sent) you can crack it quite easily using l0phtcrack Amazing that that insecure lanman hash is still being sent after all that time Anyway great find Bitlance winter!! Updated demo at http://jelmer.homedns.org/test2.htm Updated (very messy) code at http://jelmer.homedns.org/code2.zip This page does a pretty good job at describing the ntlm protocol http://www.innovation.ch/java/ntlm.html
Powered by blists - more mailing lists