Password Appraiser (demo version) is a product by Quakenbush Consulting Inc. which is used to audit the strength of Windows NT passwords (see our article: Password Appraiser, NT password auditing tool). Apparently, Password Appraiser uses Quakenbush's remote "password server" to crack weak passwords. This in essence sends the password hashes over the Internet, allowing hackers/crackers to capture these passwords on their way to Quakenbush.
Credit:
The vulnerability was found by: Dr. Mudge.
About Password Appraiser: http://www.securiteam.com/securityreviews/Password_Appraiser__NT_password_auditing_tool.html
Quakenbush's home page can be found at:
http://www.quakenbush.com/Default.htm
For a comparison between L0phtcrack and Password Appraiser Professional:
http://www.quakenbush.com/compare.htm
To download a demo version of Password Appraiser:
http://www.quakenbush.com/download.htm
The demo version doesn't break the password hashes on the local computer, but rather uses Quakenbush's password server to crack them, by sending the LANMAN hashes to the server. This server is contacted over the Internet in unencrypted communication, making it possible for a malicious user to eavesdrop on the communication and retrieve the LANMAN hashes with very little difficulty. The communication uses the HTTP protocol, so the product passes through most firewall configurations (unless a proxy server is in use, in which case the firewall can drop the HTTP requests).
Capturing the traffic to port 80 of pw.quakenbush.com shows the following exchange:
Local client machine == [A]
Remote dictionary server [pw.quakenbush.com] == [B]
[
Example 1 - demonstrating vulnerability on Password Appraiser sending LANMAN hash and plain text equivalent from "weak" password
]
[A] -> [B]
GET /default.asp?cid=[*]&v=3086&pw=D85774CF671A9947AAD3B435B51404EE
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8169
Host: pw.quakenbush.com
[*] Note - the cid is the verification mechanism so the server can ostensibly check that the client is indeed paid for. The number that was removed was the evaluation number that was automatically sent upon downloading the software. Its value is unimportant for this advisory.
[B] -> [A]
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 20 Jan 1999 23:51:14 GMT
Content-Type: text/html
Cache-control: private
Transfer-Encoding: chunked
12
::PW::FOOBAR::PW::
0
From this, one can see that Password Appraiser only works on the deprecated LANMAN hash, which in this case is: D85774CF671A9947AAD3B435B51404EE
The response shows that the password being checked was FOOBAR (case sensitivity is unknown as the program does not look at the NTLM hash).
The above can be witnessed during any stage in transit to the quakenbush server. The attacker now has the password.
[
Example 2 - demonstrating vulnerability on Password Appraiser sending LANMAN hash of a "strong" password
]
[A] -> [B]
GET /default.asp?cid=[*]&v=3086&pw=8F4272A6Fc6FDFDFAAD3B435B51404EE
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8169
Host: pw.quakenbush.com
[B] -> [A]
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Thu, 21 Jan 1999 00:09:03 GMT
Content-Type: text/html
Cache-control: private
Transfer-Encoding: chunked
19
::PW::::PW::
0
Here, the LANMAN hash is: 8F4272A6FC6FDFDFAAD3B435B51404EE. We see from the response that Password Appraiser believes this password to be secure. Unfortunately, anyone sniffing the network can plug this hash into other tools that take advantage of the weak design behind LANMAN [2] and retrieve the password 'BOGUS!!' in under 1 minute.
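As an added defender-side example (not part of the advisory and not Quakenbush's code), the following Python extracts the LANMAN hash from a captured request of the shape shown above, pulls any plaintext the server echoes back between the ::PW:: markers, and flags the well-known LM property that a second half of AAD3B435B51404EE means the password is at most 7 characters long. The request text and the evaluation id are constructed placeholders modelled on the captures above.

```python
import re
from urllib.parse import parse_qs, urlparse

# LM hash of an all-null 7-byte block: the second half of the LM hash of any
# password of 7 characters or fewer (a public, well-known constant).
LM_EMPTY_HALF = "AAD3B435B51404EE"
HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed sample capture, modelled on Example 1 in the advisory.
SAMPLE_REQUEST = (
    "GET /default.asp?cid=EVAL-ID-PLACEHOLDER&v=3086"
    "&pw=D85774CF671A9947AAD3B435B51404EE HTTP/1.1\r\n"
    "Host: pw.quakenbush.com\r\n"
)
SAMPLE_RESPONSE_WEAK = "::PW::FOOBAR::PW::"     # server returned the plaintext
SAMPLE_RESPONSE_STRONG = "::PW::::PW::"         # server returned nothing


def extract_lm_hash(request: str):
    """Return the 32-hex LM hash from the 'pw' query parameter, or None."""
    request_line = request.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0] != "GET":
        return None
    query = parse_qs(urlparse(parts[1]).query)
    pw = query.get("pw", [None])[0]
    return pw.upper() if pw and HASH_RE.match(pw) else None


def extract_cracked_password(response_body: str):
    """Return the plaintext echoed between the ::PW:: markers, or None if empty."""
    m = re.search(r"::PW::(.*?)::PW::", response_body)
    return m.group(1) if m and m.group(1) else None


def assess_exchange(request: str, response_body: str) -> dict:
    """Summarise what an eavesdropper learns from one request/response pair."""
    lm_hash = extract_lm_hash(request)
    if lm_hash is None:
        return {"lm_hash_leaked": False}
    return {
        "lm_hash_leaked": True,
        "lm_hash": lm_hash,
        # Both halves equal the null-block constant only for an empty password.
        "empty_password": lm_hash == LM_EMPTY_HALF * 2,
        # Second half equal to the constant: password is 7 characters or fewer.
        "at_most_7_chars": lm_hash[16:] == LM_EMPTY_HALF,
        "plaintext_leaked": extract_cracked_password(response_body),
    }
```

Run it against a capture of the client's own traffic to confirm the hash leaves the host in the clear; the 7-character flag is why even a "strong" verdict from the server is not reassuring.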