Date: Mon Aug  8 21:11:05 2005
From: infosecmonitor at gmail.com (ISM)
Subject: UNICODE For Windows XP Password Strings (Keyboard
	or other Character Entry Method)

MS Windows XP supports High Order ASCII from the keyboard with an ALT
+ Numpad XXXX key combination (from 0128 - 0255) and in other MS Apps
(Word, etc) you can also use the same to produce UNICODE characters
(supported characters between 0-65535 for the character set under
consideration).

Programmatically (in testing) we have generated 0-65535 1 character
passwords (net user xyz pass-string-here /ADD) and they generate 65535
unique NTLM hashes. So the backend Windows components seem to
understand and accept UNICODE input for password credentials.

Limitations on the input from the keyboard in this fashion seem to be
limited to that of either the language set selected or the
keyboard/kybd driver itself. We produce repeating character patterns
of 256 characters (ie, the same character is at ALT + 0640, ALT +
0896, ALT + 01152, ALT + 01408,...).

The XP command shell will reproduce the same repeating characters,
however if you cut and paste UNICODE characters (from Word or
whatever) Windows XP seems to accept the UNICODE character just fine
as a password string.

Does anyone know if there is a way to open up potential to enter full
UNICODE character sets from the keyboard or from some other device
(smartcard reader, biometric, etc) that could generate those
characters for credentials at login? Can you create a custom character
set (ie, Control Panel - Regional and Language Options - English (US)
HighlyCustomized)? Is there ANY way to generate the characters from
the keyboard?

Using a number of sequential High Order ASCII is great as password
entropy can be increased remarkably (128 possible additional
characters x pw length) and they are not always displayable characters
using tools to view LSA Secrets (lsadump2, cain and abel, pmdump,
etc). Using UNICODE would be extremely cool as entropy could possibly
be extended to 65 thousand plus characters - or many many more than
simply High Order ASCII anyhow.

Any Ideas Appreciated,

 /ism
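
Added example, not part of the original post: the NT hash is MD4 over the UTF-16LE encoding of the password, so each distinct BMP code point gives a distinct hash, while the ALT + numpad entry described in the post reaches only 256 inputs. The pure-Python MD4 (RFC 1320), the helper names, and the modelling of the keyboard wrap as `code % 256` are assumptions made for this illustration; the character a given ALT code actually produces depends on the code page.

```python
import struct

# MD4 round tables from RFC 1320: message word order, rotations, constants, functions.
K_ORDER = (
    list(range(16)),
    [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
    [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
)
SHIFTS = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
CONSTS = (0, 0x5A827999, 0x6ED9EBA1)
FUNCS = (
    lambda b, c, d: (b & c) | (~b & d),
    lambda b, c, d: (b & c) | (b & d) | (c & d),
    lambda b, c, d: b ^ c ^ d,
)

def md4(data: bytes) -> bytes:
    # Pad to 56 mod 64 bytes, then append the bit length as a 64-bit little-endian value.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            r = i // 16
            t = (a + FUNCS[r](b, c, d) + x[K_ORDER[r][i % 16]] + CONSTS[r]) & 0xFFFFFFFF
            s = SHIFTS[r][i % 4]
            a, b, c, d = d, ((t << s) | (t >> (32 - s))) & 0xFFFFFFFF, b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    # NT hash = MD4(UTF-16LE(password)), hex encoded.
    return md4(password.encode("utf-16-le")).hex()

def alt_code_wrap(code: int) -> int:
    # Assumption: models the repeat every 256 codes reported in the post
    # (ALT+0640, 0896, 01152, 01408 all land on the same character).
    return code % 256

def distinct_hashes(codes) -> int:
    # Count unique NT hashes of one-character passwords; lone surrogates are skipped.
    return len({nt_hash(chr(cp)) for cp in codes if not 0xD800 <= cp <= 0xDFFF})

if __name__ == "__main__":
    sample = range(1, 0x1000)  # constructed sample: first 4095 code points
    print("pasted code points:", distinct_hashes(sample))
    print("via ALT-code wrap: ", distinct_hashes(alt_code_wrap(c) for c in sample))
```
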
