Re: Symantec A/V - netscan password in registry

From: miguel.dilajat_private
Date: Thu Feb 06 2003 - 07:40:08 PST


    Hi nobody
    
    It's not standard MD2, MD4 or MD5, because this hash is longer than those 
    standards.
    It's not NT, because NTLM is just MD4/Unicode, so still this hash is too 
    long, and if I remember correctly, old LM hashes are the same length as 
    NTLM.
    It's not SHA-1 or RIPEMD-160, again those are shorter than your example.
    It's definitely not Blowfish MD5, used today by Linux, and doesn't look 
    like the good old crypt(3).
    (It's not even the Lotus Domino R4 hash, but I'll never expect that!)
    
    In my humble opinion, it's some kind of hash, but the algorithm used 
    simply beats me, sorry.
    
    I can confirm that it's not an algorithm supported by our tool "Lepton's 
    Crack", and I've never seen something similar in John The Ripper, but it 
    has been some time since I used it...
    
    So far I think that's the same or a lower level of exposure than other 
    encrypted passwords in the system. I'm not personally aware of any 
    exploitable situation with the antivirus on the server.
    
    Silly question: Have you tried THAT as the password???
    
    Kind regards,
    
    Miguel Dilaj
    aka Nekromancer
    
    nobody <pentesterat_private>
    05/02/2003 23:00
    
            To:      pentest_list <pen-testat_private>
            cc:
            Subject: Symantec A/V - netscan password in registry
    
    
    All,
    
    recently installed Symantec A/V and looked at the
    registry in my PC. XP SP1.
    
    clear text entries for an NT server and the share name
    that it uses.
    
    An entry for a "netscanpassword" that looks encrypted?
    
    20AA9E1606F91E64ABF97162783AE5E059E48797D7F
    
    Questions:
    1. Is this password encrypted via Windows (LM hash,
    NTLM)?
    2. Some crypt function (a la the UNIX world)?
    3. Some other algorithm? MD4, MD5, etc.?
    
    Can I cut and paste the above into John-the-ripper or
    the crypt function ?
    
    What I have in clear text is the NT machine, its
    share name and the NT account (user) that it uses.
    All in the registry or event log.
    
    It does "phone home" every week - but I have yet to
    catch the packet traffic with Ethereal to see what
    type of authentication it is doing.
    
    Anyone else besides me think that this may present a
    security exposure ( inside our network - of course) ?
    
    It seems to me that placing this on every user's
    desktop is exposing the A/V server to more risk than
    is required ? if ? the account and password (if it can
    be cracked) can access the server in any manner not
    expected by the installer.
    
    Or - is this old news and already been spotted ?
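As an added example (not code from either poster), the length-based elimination in the reply above written as a small Python triage helper and run over the value quoted in the original post; the digest size table is standard, the function names are my own.

```python
import re

# Digest output size in bytes for the algorithms named in the thread
# (LM and NTLM hashes are both stored as 16 bytes), plus common SHA-2 sizes.
DIGEST_SIZES = {
    16: ["MD2", "MD4", "MD5", "LM", "NTLM"],
    20: ["SHA-1", "RIPEMD-160"],
    28: ["SHA-224"],
    32: ["SHA-256"],
    48: ["SHA-384"],
    64: ["SHA-512"],
}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def triage_hex_value(value: str) -> dict:
    """Classify a registry value that looks like a hex digest by length alone."""
    # Strip whitespace/line breaks from copy-paste and an optional 0x prefix.
    hexstr = re.sub(r"\s+", "", value)
    if hexstr.lower().startswith("0x"):
        hexstr = hexstr[2:]
    if not HEX_RE.match(hexstr):
        return {"hex": hexstr, "digits": len(hexstr), "is_hex": False,
                "even_length": False, "candidates": []}
    digits = len(hexstr)
    even = digits % 2 == 0
    # A raw digest is whole bytes, so an odd digit count rules out every entry.
    candidates = DIGEST_SIZES.get(digits // 2, []) if even else []
    return {"hex": hexstr.upper(), "digits": digits, "is_hex": True,
            "even_length": even, "candidates": candidates}


def explain(result: dict) -> str:
    """One-line summary suitable for a triage note."""
    if not result["is_hex"]:
        return "not a plain hex string; treat as opaque or encrypted data"
    if not result["even_length"]:
        return (f"{result['digits']} hex digits is an odd count: a raw digest "
                "cannot be this length, so a digit was lost in copying or the "
                "value is not a bare digest")
    if not result["candidates"]:
        return f"{result['digits'] // 2} bytes matches no standard digest"
    return "length matches " + ", ".join(result["candidates"])


# Value quoted in the original post (43 hex digits).
NETSCAN_VALUE = "20AA9E1606F91E64ABF97162783AE5E059E48797D7F"

if __name__ == "__main__":
    print(explain(triage_hex_value(NETSCAN_VALUE)))
```

Note that 43 hex digits is not a whole number of bytes, so even before comparing sizes the value cannot be a raw digest as pasted; restoring one dropped digit (44 digits, 22 bytes) still matches nothing in the table.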
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Thu Feb 06 2003 - 20:41:12 PST