That's only true if you're using the ancient default Lan Manager type 
passwords.  Kind of like using Linux without the shadow passwords, not a 
good idea.  NTLM stores the password in a single chunk, but was case 
insensitive. NTLMv2 is what you should be using; it's 128-bit, case sensitive, 
and not chunked.  On an NT system you'll need to edit the registry (after 
making sure you have all the latest service packs).  The password security 
comes in five levels:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA\lmcompatibilitylevel

0  Send LM and NTLM response, never use NTLMv2
1  Use NTLMv2 if negotiated
2  Send NTLM response only
3  Send NTLMv2 response only
4  Domain controllers refuse LM responses
5  Domain controllers refuse LM and NTLM responses

See Q239869 for more detail on this process.  I strongly recommend level 5.  
On Win2k you also have to disable storage of LM hashes (a compatibility 
feature).  I'm not sure if this applies to NT; check out this how-to 
http://www.jsiinc.com/SUBI/tip4100/rh4176.htm and decide for yourself.

>From: "Security" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: RE: password cracking
>Date: Thu, 26 Sep 2002 14:00:51 -0500
>
>NT breaks its passwords into two - encrypting each half separately.
>Unfortunately, this makes it really easy to hack NT passwords, even if
>you think you are using a good one.
>
>-----Original Message-----
>From: netsec novice [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, September 25, 2002 5:13 PM
>To: [EMAIL PROTECTED]
>Subject: password cracking
>
>
>I recently began using L0pht to do password cracking on our own network
>in order to enforce our password standards.  In watching the process, I
>now have questions regarding how the cracking works.  I understand basic
>dictionary and even brute force methods.  What I'm confused about is how
>L0pht can determine individual characters without cracking the entire
>password.
>IE.  ?????9pass
>I should mention that this is auditing an NT system. My best analogy is
>a wall safe vs. a key? I would think that the only way the password could
>be cracked would be to input the entire string (key) and see if it opened
>the door.  It appears though that it is treating the password as
>individual characters and cracking one at a time like a combination lock.
>Can someone help me clear my fog on this issue?
>
>Thanks in advance...

Chris Berry
[EMAIL PROTECTED]
Systems Administrator
JM Associates

"I have found the way, and the way is Perl."
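The Lan Manager format discussed in this thread hashes each 7-character half of a password separately, so an LM field alone shows whether an account still has that legacy hash stored and whether its second half is empty. The following is an added example for auditing that, not code from anyone in the thread; it assumes pwdump-style `user:rid:lmhash:nthash:::` lines, the sample lines are constructed, and the function names are hypothetical.

```python
# Added example: classify the LM hash field of pwdump-style lines so an
# administrator can list accounts that still store a Lan Manager hash.
# Assumed input layout: user:rid:lmhash:nthash:::

# LM half produced when a 7-character chunk of the password is empty.
EMPTY_LM_HALF = "aad3b435b51404ee"

# Constructed sample data (hash values are made up, not real accounts).
SAMPLE_DUMP = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:1122334455667788aad3b435b51404ee:89abcdef0123456789abcdef01234567:::
carol:1003:11223344556677888877665544332211:fedcba9876543210fedcba9876543210:::
dave:1004:NO PASSWORD*********************:NO PASSWORD*********************:::
"""


def classify_lm(lm_field):
    """Return a label describing what the LM field reveals."""
    lm = lm_field.strip().lower()
    # Anything that is not 32 hex digits is a placeholder, not a hash.
    if len(lm) != 32 or any(c not in "0123456789abcdef" for c in lm):
        return "no-lm-hash"
    first, second = lm[:16], lm[16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        # Empty password, or LM storage is disabled for this account.
        return "no-lm-hash"
    if second == EMPTY_LM_HALF:
        # Second chunk is empty: the password is 7 characters or fewer.
        return "lm-stored-short"
    # Both chunks are populated and each can be checked independently.
    return "lm-stored-two-halves"


def audit(dump_text):
    """Map each account name to its LM classification."""
    findings = {}
    for line in dump_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        findings[fields[0]] = classify_lm(fields[2])
    return findings


if __name__ == "__main__":
    for user, label in audit(SAMPLE_DUMP).items():
        print(f"{user:8} {label}")
```

Any account not labelled `no-lm-hash` still carries the chunked hash and is a candidate for a password change after LM storage is disabled.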

