Hi Lance,

The Kerberos stuff is only a replacement for the venerable NTLM and even
more venerable Lanmanager. It is my impression that the SAM was still stored
in the same hashing manner in Win2K unless you use the strong encryption
option for the entire SAM (which is a pain). But remember, ANY hashing
algorithm is vulnerable to a guessing attack - l0phtcrack would work just as
well attacking SHA-1 passwords as MD4 or MD5. The only time delta would be
the speed of the encryption.

In any case, Kerberos is vulnerable to password guessing attacks as well -
take a look at the protocol. Kerberos does many good things, but removing
the need to use strong passwords is NOT one of them. 

I initially had a hard time believing that L0phtcrack broke that password,
but when you do the numbers (as Chris did) it's obviously well within the
realms of possibility for a modern box.

My "secure" NT password philosophy still mandates at least 14 characters with
some non-alphanums.

Obscure Gem: Under NT you can use non-printable / typable characters in your
passwords. You enter them with ALT+[NUM]. I'm not even sure L0phtcrack has
an option to try those, does it?

Cheers,

--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
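"Doing the numbers" from the message above, as an added example that is not part of the thread: an estimate of the offline guessing effort a stored hash exposes, where the hash algorithm only sets the guess rate. The guess rate, the 128-wide "extra" class for ALT+[NUM] characters and the policy thresholds are assumptions for illustration.

```python
"""Keyspace and guess-time estimate for an offline password-guessing attack.
Added example, not code from the mailing-list thread; rates are assumed."""
import string

# Character classes a guesser must cover once any member appears in the password.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
# Assumption: characters outside the four printable classes (e.g. ALT+[NUM]
# code-page characters) are modelled as one extra class of 128 values.
EXTRA_CLASS_SIZE = 128

def charset_size(password: str) -> int:
    """Size of the smallest union of classes that contains every character."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    in_any_class = lambda c: any(c in chars for chars in CLASSES.values())
    if any(not in_any_class(c) for c in password):
        size += EXTRA_CLASS_SIZE
    return size

def keyspace(password: str) -> int:
    """Guesses needed to exhaust every password of this length and charset."""
    return charset_size(password) ** len(password)

def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the keyspace; the hash speed is the only
    thing that changes guesses_per_second, as the message argues."""
    seconds = keyspace(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)

def meets_policy(password: str, min_len: int = 14) -> bool:
    """The stated policy: at least 14 characters with some non-alphanumerics."""
    return len(password) >= min_len and any(not c.isalnum() for c in password)

if __name__ == "__main__":
    # Constructed sample: the 8-character password quoted in the thread
    # versus a 14-character one, at an assumed 1e9 guesses per second.
    for pw in ("X1#!h0a_", "X1#!h0a_longer"):
        print(pw, meets_policy(pw), f"{years_to_exhaust(pw, 1e9):.3g} years")
```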

> -----Original Message-----
> From: Lance Ecklesdafer [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 21 December 2000 4:37 
> To: Carl Ma; [EMAIL PROTECTED]
> Subject: Re: NT password encryption & name service
> 
> 
> Precisely why you should run Windows 2000 networks in native mode and use
> Kerberos V5 as the preferred authentication method. The mixed mode operation
> of this DC (In Windows 2000 there is no PDC or BDC .. all controllers are
> equal peers). You cannot run a Windows 2000 domain in native mode until ALL
> domain controllers are converted to Windows 2000. The clients will all have
> to be able to do Kerberos authentication as well. The Windows 2000
> Professional Workstation software uses Kerberos V5 in a Windows 2000 native
> mode domain. As long as you are running Windows NT 4.0 servers as domain
> controllers on Windows 2000 domains, you have to run in mixed mode. The
> mixed mode operation of Windows 2000 domain has the same security weakness
> of the NTLM authentication method.  If this were native mode Windows 2000
> ( I am assuming that it is not) the cracking attempt would have been much
> less successful.
> 
> Lance
> ----- Original Message -----
> From: "Carl Ma" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 20, 2000 12:00 PM
> Subject: NT password encryption & name service
> 
> 
> > Hello all,
> >
> > After running a password cracking program on our W2000 PDC server, 98% of
> > passwords are cracked out, even some very complicated passwords like -
> > X1#!h0a_.
> >
> > Is it attributable to the W2000 encryption method? I would like to persuade
> > my boss to use LDAP as name service. Appreciate any information & idea! I
> > will summarize.
> >
> > Thanks & Merry Christmas!
> >
> > carl
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
> 