
ms-cache v2

Posted: Sat Nov 03, 2012 12:36 am
by mayberryman
Please check my understanding.... are domain credentials in ms-cache v2 form pretty much beyond the ability of current technology to crack (in one's lifetime)?

If I understand it correctly, rainbow tables are useless (except perhaps for an account named administrator) because the password is salted with the user's name.

Similarly, neither brute-forcing (nor dictionaries) will crack a reasonably secure password in any kind of useful time.

I've thought about suggesting a ms-cachev2 algorithm be added to the multiforcer...but if only the least secure passwords can be cracked, there are other tools (e.g. hashcat, Cain & Abel) which can make a run at it.

So...do I have this all pretty much straight?

Re: ms-cache v2

Posted: Sat Nov 03, 2012 5:55 pm
by Bitweasil
mayberryman wrote: Please check my understanding.... are domain credentials in ms-cache v2 form pretty much beyond the ability of current technology to crack (in one's lifetime)?


Depends - what is the quality of the password used? :) They're certainly tough. A distributed attack is the way to go for them, which my framework does support.

mayberryman wrote: If I understand it correctly, rainbow tables are useless (except perhaps for an account named administrator) because the password is salted with the user's name.


Correct. Though Administrator tables are certainly useful...

mayberryman wrote: Similarly, neither brute-forcing (nor dictionaries) will crack a reasonably secure password in any kind of useful time.


Correct. A secure password is pretty well secure with mscachev2.

mayberryman wrote: I've thought about suggesting a ms-cachev2 algorithm be added to the multiforcer...but if only the least secure passwords can be cracked, there are other tools (e.g. hashcat, Cain & Abel) which can make a run at it.

So...do I have this all pretty much straight?


Yes. It will get added eventually, with full support for some cool features I'm working on, but mscachev2 is a hard nut to crack.

Re: ms-cache v2

Posted: Tue Nov 06, 2012 10:10 am
by Picch
mscachev2 is a nightmare for me during pentests. Even with GPUs the speed is absolutely horrible.

Re: ms-cache v2

Posted: Tue Nov 20, 2012 2:05 am
by Bitweasil
Picch wrote: mscachev2 is a nightmare for me during pentests. Even with GPUs the speed is absolutely horrible.


They're on the short list for support.

Re: ms-cache v2

Posted: Tue Nov 20, 2012 9:03 pm
by Picch
Personally, I'd rather see ntlmv2 support first (in fact, I'd kill for ntlmv2) instead of mscache2. ntlmv2 is seen far more during pentests because of the ability to ARP Spoof, NetBIOS Spoof, etc...

Re: ms-cache v2

Posted: Tue Nov 20, 2012 10:25 pm
by Bitweasil
Noted. I'll see what I can do!

Re: ms-cache v2

Posted: Tue Nov 20, 2012 11:19 pm
by Picch
That would be great! I really appreciate it.

Re: ms-cache v2

Posted: Tue Nov 20, 2012 11:48 pm
by Bitweasil
Could you get me a few sample exchanges with known passwords in whatever format is most common?

Re: ms-cache v2

Posted: Wed Nov 21, 2012 8:53 am
by Picch
Yeah, I'll work on getting some samples. I believe there are 3 formats that are commonly seen.

Re: ms-cache v2

Posted: Wed Nov 21, 2012 7:23 pm
by Bitweasil
Documented example would be pure awesome - unless you wanted to code up hash file classes for them, which would be even cooler!