A Swiss researcher has developed a technique that can
break a Windows password in a matter of seconds. Standard
approaches used by hackers can take several hours.
Philippe Oechslin, a lecturer and senior researcher at EPFL, the
Swiss Federal Institute of Technology, used a technique known as
advanced time-memory trade-off to crack Windows passwords. The
technique relies on the fact that the seed data (salt) used when a
Windows server hashes its stored passwords is not random, so the
same password always produces the same stored value on every
server. As a result of this, Oechslin claimed he was able to build
a table of passwords and their hashes in advance.
On a typical network, users' passwords are checked against a single
password table stored on a Windows server. The password file is
normally only available to system administrators. But if a hacker
can gain access to the server and crack the password table, they can
gain access to all the information on the network.
As it would take terabytes of storage to hold all possible
passwords and their hashes, Oechslin has found a way to reduce the
storage overhead. As a result, he said, he was able to crack a
Windows password table in five seconds using a PC configured with a
2.5GHz Athlon processor and 1.5GB of memory.
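The two passages above describe the precomputation idea (build a table in advance because the hashes are unsalted) and the storage trick (keep far fewer entries than the full password space, paying for it with extra hashing at lookup time). The following added example is not from the article or from Oechslin's own implementation; it is a small rainbow-table demonstration over a constructed toy password space (all three-letter lowercase strings) using SHA-256 as a stand-in for the Windows hash. It shows the chain construction, the lookup procedure, and, as the caveat a practitioner wants, that a per-password random salt makes the precomputed table useless. All names, parameters and the salt value are assumptions made for the example.

```python
import hashlib
import os
import random
import string

# Constructed toy password space: all 3-letter lowercase strings (26^3 = 17576).
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN


def h(password: str) -> bytes:
    """Unsalted hash: the same password always gives the same digest.
    This is the property the precomputed table relies on."""
    return hashlib.sha256(password.encode()).digest()


def h_salted(password: str, salt: bytes) -> bytes:
    """Salted hash: the digest depends on a random per-password salt,
    so no single precomputed table applies to every account."""
    return hashlib.sha256(salt + password.encode()).digest()


def index_to_password(i: int) -> str:
    """Map an integer in [0, SPACE) to a password in the toy space."""
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[i % len(ALPHABET)])
        i //= len(ALPHABET)
    return "".join(chars)


def reduce_fn(digest: bytes, column: int) -> str:
    """Reduction function R_column: maps a digest back into the password space.
    Mixing in the column index is what makes this a rainbow table rather than a
    classic Hellman table; it stops chains that collide from merging."""
    n = (int.from_bytes(digest[:8], "big") + column) % SPACE
    return index_to_password(n)


def build_table(num_chains: int, chain_len: int) -> dict:
    """Precompute num_chains chains of chain_len hash/reduce steps.
    Only (endpoint -> start) pairs are stored: num_chains entries instead of
    SPACE entries, which is the memory side of the trade-off."""
    table = {}
    for c in range(num_chains):
        start = index_to_password((c * 7919) % SPACE)  # 7919 is coprime to SPACE
        pw = start
        for col in range(chain_len):
            pw = reduce_fn(h(pw), col)
        table.setdefault(pw, start)  # keep the first chain for a given endpoint
    return table


def lookup(table: dict, target: bytes, chain_len: int):
    """Find the password whose unsalted hash is `target`, or None.
    For each column j the target could occupy, finish the chain to its endpoint
    and, on a hit, replay the chain from the stored start to recover column j.
    This costs O(chain_len^2) hashes: the time side of the trade-off."""
    for j in range(chain_len - 1, -1, -1):
        pw = reduce_fn(target, j)
        for col in range(j + 1, chain_len):
            pw = reduce_fn(h(pw), col)
        start = table.get(pw)
        if start is None:
            continue
        cand = start
        for col in range(j):
            cand = reduce_fn(h(cand), col)
        if h(cand) == target:  # rejects false alarms from endpoint collisions
            return cand
    return None


def coverage(table: dict, chain_len: int, samples: int = 200) -> float:
    """Fraction of random toy passwords the table recovers (constructed sample)."""
    rng = random.Random(1)
    hits = 0
    for _ in range(samples):
        pw = index_to_password(rng.randrange(SPACE))
        if lookup(table, h(pw), chain_len) == pw:
            hits += 1
    return hits / samples


if __name__ == "__main__":
    CHAIN_LEN = 25
    table = build_table(2000, CHAIN_LEN)
    print(f"table entries: {len(table)} of {SPACE} passwords")
    print(f"coverage on random sample: {coverage(table, CHAIN_LEN):.0%}")
    target = h("cat")
    print("unsalted lookup:", lookup(table, target, CHAIN_LEN))
    salt = os.urandom(16)  # a random per-account salt defeats the table
    print("salted lookup:", lookup(table, h_salted("cat", salt), CHAIN_LEN))
```

The table keeps only 2,000 endpoint/start pairs for a space of 17,576 passwords, and each lookup spends at most a few hundred hash evaluations; scaling the same structure up is what let the article's attack fit a realistic password space into memory. The salted lookup returns None because the stored value no longer depends on the password alone, which is why per-account random salting is the standard mitigation for this class of precomputation attack.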
Security experts have been astonished by the speed of the
password technique used by Oechslin. DK Matai, executive director
at security consultancy mi2g, said, "I'm impressed by the
timescales. This is testimony to the processing power available
today: hackers no longer need to rely on millions of pounds of
computer power to crack encrypted passwords."
Richard Brain, technical director at independent security
specialist Procheckup, said, "This is much faster than L0pht, the
popular password cracking program used by hackers, which would take
from a couple of hours to a couple of days to break a password
file. It is about time Microsoft started to employ experts in
crypto-analysis."
While access to the password file is restricted to users who
have system administration privileges on Windows, Brain said that a
hacker could use a known exploit to break into an unpatched Windows
server to gain system-wide access.
Once access to the server had been achieved, Brain said, "The
hacker could then run the Windows rdisk utility remotely to create
an up-to-date copy of the password file. It would then be possible
to use Oechslin's password cracking technique to discover all the
system passwords for the server."