wirepair wrote: > while doing a pen-test I noticed after stealing launch.ica files from a > users IE cache directory, they have a different ClearPassword= field. You can also get at the .ica files by selecting application icons from the nfuse application list and save them to a file. Bugtraq 3926 suggests a way to get at them. > Domain=\25A43DEFACEDCODE (16 bytes, hash) > ClearPassword=D4239AF390DB09 (16 bytes, hash..) Never seen 16 bytes myself, only 14 hex digits, corresponding to 7 bytes of data. > This obviously is an issue, the ClearPassword worries me, unfortunately > I'm not a cipher kid so I'm not exactly > sure what type of hash this is, or how it was created. The name 'ClearPassword' is probably kept for historical reasons, from the time these used to be static passwords. These days, more secure practices are followed: if you try 'Save As...' on applications icons, you'll see that the ClearPassword changes quite frequently. It can, if I remember, even be set up to be one-time use only. Probably a ticket ID. You may be able to mount a password-guessing attack using the account name 'test', but you probably have tried that already. You may want to check error messages from entering very long usernames. There used to be some oddities here, though I never checked them out very closely. -- Anders Thulin anders.thulinat_private 040-661 50 63 Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden ---------------------------------------------------------------------------- <Pre>Do you know the base address of the Global Offset Table (GOT) on a Solaris 8 box? CORE IMPACT does.</Pre> <A href="http://www.securityfocus.com/core"> http://www.securityfocus.com/core>
This archive was generated by hypermail 2b30 : Tue Feb 25 2003 - 10:27:00 PST