To detect weak or blank password?
Vladimir Nechipurenko
2005-10-10 09:38:14 UTC
Hi all

I've got the task to detect whether the user has a blank or weak password.
I know that Microsoft Baseline Security Analyzer (MBSA) can do that, but
what I need to know is what API it uses. Could anybody help me?

Thanks
Vladimir Nechipurenko
2005-10-11 07:19:11 UTC
Nobody knows? :(((((
Thanks
Larry Smith
2005-10-15 11:30:05 UTC
Post by Vladimir Nechipurenko
Nobody knows? :(((((
The only function I know of is "NetValidatePasswordPolicy()" but it's good
for Win2003 only. Other options are to call "NetUserChangePassword()" (or
"NetUserSetInfo()" passing "USER_INFO_1033") and check for
"NERR_PasswordTooShort" which is returned if the password policy isn't met.
Depending on what you're doing, you may have to create a temporary (dummy)
account first and call it against that account which you can then delete
afterwards. It's ugly and may require certain administrator (or power user)
rights (you'll have to check) but I'm not sure if there's another way.
Johnny Liu
2005-10-17 17:06:06 UTC
I'm not sure what you need for your task. Does the "password" you describe
mean the password for Windows logon, or a password used by some web
application for security purposes? And at what time do you want to detect it?

If you want to verify weak or blank Windows logon passwords every time a
user changes or re-assigns one, then you can write a password filter. Please
refer to
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/password_filters.asp

If your task is for a web application, there are some documents focused on
security topics on the .NET web page.
Sam Hobbs
2005-10-18 16:51:49 UTC
That sure is a good suggestion.

We are interested in the subject also, so I hope I may ask a question. Is it
possible to use the filter for the passwords that exist when the filter is
implemented? If that is answered in the documentation, then I will find it,
but any hints will be appreciated.
Johnny Liu
2005-10-19 05:35:02 UTC
No, the password filter cannot capture the existing password of the currently
logged-on user. And by the security concept of Win2K and WinXP, the logon
password will not be exported by any method.

Windows 2000 has a security hole that opens a back door to find the password of
the currently logged-on user. But this hole has been fixed in Windows XP, so I
think you should implement your program by regular methods.

The only way to capture the logon password of the current user is to write a
Gina stub to hook MSGina.dll (or whichever real Gina is responsible for user
logon). When the user goes to enter his password via Ctrl-Alt-Del, the system
will call the Gina function WlxLoggedOutSas. If the username, password and
domain are correct for a unique logon account, then WlxLoggedOutSas will return
the logon info filled into the structure WLX_MPR_NOTIFY_INFO. The contents of
this structure are all you need.

Please remember, don't leave any security holes when you implement the Gina
stub; Windows has got too many security holes already. I suggest that when
your Gina stub gets the contents of the structure WLX_MPR_NOTIFY_INFO, it just
parses the password according to your password policy and writes a mark
somewhere (registry or a file) if the password is weak or blank. Then your
application can highlight it to the user depending on the mark. Don't copy the
structure in your Gina stub; it will increase the security risk.

Hope it is helpful for you.

Johnny
Sam Hobbs
2005-10-19 06:56:29 UTC
Thank you, Johnny.

I certainly will be careful if I were to do something such as writing a Gina
stub.

I am not the person that posted the original question, but note that
Vladimir asked how MBSA detects a "blank or weak password". I believe you
that MBSA does not get the password. Therefore MBSA is somehow testing the
validity of various guesses, right? I don't know a lot about security, but I
have read enough about security (including many messages in this newsgroup)
to know that one of the most commonly used techniques to crack a password is
to simply try many possibilities but it is often unnecessary to compare the
actual password to determine if it is a match.

I am sorry I am not using the correct terminology but I hope you understand
what I mean. Also, if I knew what terminology to use in a search, I probably
can find what I need in previous answers in this newsgroup.
Johnny Liu
2005-10-19 11:46:02 UTC
Hi Sam,

It seems I misunderstood your and Vladimir's question.

I don't know how MBSA does its weak password checking. But based on my
limited and tiny knowledge of Windows system security, the password is
stored either in the local security accounts manager (SAM) database or in
Active Directory. Please refer to this page:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/msv1_0_authentication_package.asp

Unfortunately, the SAM is a dark box. Microsoft said that we can't access
the SAM database directly by any method, but only through the LSA system
interface. But the LSA system is also a dark box; there are many exported
functions without released documentation. And I think Microsoft's guys will
never open the secret to the world, because we don't know who is the good guy
writing a program to enhance security and who is the bad guy writing a program
to steal someone's password. If Microsoft opens the secret, then Windows OS
will not be secure anymore.

I believe that MBSA has some secret to check for weak passwords: maybe it
handles the SAM database through undocumented LSA APIs, or maybe it tries to
attack each account by closet attack, who knows. Unless we write a program to
filter and capture each function call MBSA makes while checking weak passwords.

Sorry that I can't help you with this topic; maybe some of Microsoft's guys
who program LSA or MBSA will know how to do it.

Johnny
Sam Hobbs
2005-10-19 15:44:03 UTC
Thank you again, Johnny.

It helps to know that it is not easily obvious.
Valery Pryamikov
2005-10-20 18:20:26 UTC
Hi,
You might want to check my old "passwords" blog articles:
http://www.harper.no/valery/PermaLink,guid,8cb9ada6-0f04-4ce0-a1b5-5b9a5f295df5.aspx
http://www.harper.no/valery/PermaLink,guid,9ca0efba-aaab-45db-b594-729b9caa9e52.aspx
http://www.harper.no/valery/PermaLink,guid,ecc09752-1942-4167-afae-040ab49ad9a4.aspx
http://www.harper.no/valery/PermaLink,guid,a66a5aa6-9bd5-44fc-bc78-cb38b957b377.aspx
http://www.harper.no/valery/PermaLink,guid,53a6777a-c110-4e3c-b0e3-3e2c1cf003e2.aspx
http://www.harper.no/valery/PermaLink,guid,bf9737ab-e247-496a-afd8-8358a45247d8.aspx

-Valery.
http://www.harper.no/valery
Vladimir Nechipurenko
2005-11-08 15:39:55 UTC
There is no way, except to change the passwords, but the performance is
very bad.
We asked the customer to cancel this requirement :(

Maybe there is some not-documented function, but who knows, except MS guys

Thanks all for the participation
Vladimir Nechipurenko
Valery Pryamikov
2005-11-12 10:22:37 UTC
If you inject code in LSASS (as it is done in pwdump2) then you have access
to password hashes (md4) and cached domain credentials (md5(domain ||
username || md4passwordhash)). After that you can do a simple check of weak
passwords - e.g. by comparing with hashes of the empty password, a couple of
hundred of the most often used passwords (as it was done in some of the viruses
about 5-6 years ago, don't recall that virus name) and some combination of
computer name, user name, some dates and their combinations with a couple of
hundred most usual passwords. If you run something like 10000-20000 hash
comparisons - it will be acceptable performance and good accuracy of the
test.

-Valery.
http://www.harper.no/valery
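An added example, not code from any poster in this thread: the weak-or-blank test that a password filter (suggested earlier in the thread) could apply when a password is set, using the candidate ideas from the post above (blank, common passwords, account or computer name, dates and digit suffixes). `check_password`, the reason codes and the short word list are hypothetical; a real filter DLL would call such a function from its `PasswordFilter` export.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample list; a real check would load a few hundred entries. */
static const char *const COMMON[] = { "password", "admin", "letmein", "qwerty", "welcome" };

enum weak_reason { PW_OK, PW_BLANK, PW_TOO_SHORT, PW_NO_LETTERS, PW_COMMON, PW_NAME_BASED };

/* Lowercase s into out and trim non-letters from both ends, so that
   "Welcome2005!" and "welcome" compare equal. Returns the base length. */
static size_t base_form(const char *s, char *out, size_t cap)
{
    size_t a = 0, b = strlen(s), n = 0;
    while (a < b && !isalpha((unsigned char)s[a])) a++;
    while (b > a && !isalpha((unsigned char)s[b - 1])) b--;
    for (; a < b && n + 1 < cap; a++) out[n++] = (char)tolower((unsigned char)s[a]);
    out[n] = '\0';
    return n;
}

/* True when the password base equals the (equally normalized) name. */
static int matches_name(const char *base, const char *name)
{
    char tmp[128];
    return base_form(name, tmp, sizeof tmp) > 0 && strcmp(base, tmp) == 0;
}

/* Hypothetical policy check: returns the first reason the password is weak. */
enum weak_reason check_password(const char *account, const char *computer,
                                const char *pw, size_t min_len)
{
    char base[128];
    size_t len = strlen(pw);
    if (len == 0) return PW_BLANK;
    if (len < min_len) return PW_TOO_SHORT;
    if (base_form(pw, base, sizeof base) == 0) return PW_NO_LETTERS; /* dates, digit runs */
    for (size_t i = 0; i < sizeof COMMON / sizeof COMMON[0]; i++)
        if (strcmp(base, COMMON[i]) == 0) return PW_COMMON;
    if (matches_name(base, account) || matches_name(base, computer))
        return PW_NAME_BASED;
    return PW_OK;
}

int main(void)
{
    /* Constructed inputs: account "vladimir" on computer "FILESRV01". */
    const char *samples[] = { "", "abc12", "10101990", "Password2005", "FileSrv01#2005", "Tr0ub4dor&3x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d\n", samples[i], check_password("vladimir", "FILESRV01", samples[i], 8));
    return 0;
}
```

Because the check runs on the plaintext at the moment it is set, it needs no access to stored hashes; it cannot judge passwords that existed before the filter was installed.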
Sam Hobbs
2005-11-28 16:37:06 UTC
Thank you, Valery. I don't know if Vladimir can use this; I hope Vladimir
can. I think I can use it.

I am not sure I can figure out how to inject code into LSASS but I am
confident I can figure it out. I have written system-wide hooks and I have
seen articles describing other methods of injecting code. I think it is
better to provide as little sample code as possible for things like that
because it is the kind of thing that is dangerous for beginners.

The hardest part is the list of passwords to check for, but your suggestion
to inject code into LSASS is enough to point me to a good direction. I think
it is enough for me.
Valery Pryamikov
2005-11-29 19:34:44 UTC
You can download and check the source code of pwdump2:
http://www.bindview.com/Services/razor/Utilities/Windows/pwdump2_readme.cfm

-Valery.
http://www.harper.no/valery
david-homer
2012-08-23 17:03:54 UTC
Vladimir Nechipurenko wrote on 11/08/2005 10:39 ET
Post by Vladimir Nechipurenko
There is no way, except to change the passwords, but the performance is
very bad.
Maybe there is some not-documented function, but who knows, except MS guys
Thanks all for the participation
Vladimir Nechipurenko
Hi

In case anyone is still looking, MBSA uses a password change request. The
following is from the MBSA manual...

Microsoft Baseline Security Analyzer does not attempt to crack passwords during
this check, and instead attempts a password change request using each condition
in the preceding list. Account lockout policy counts will be reset if in effect
on the scanned computer.


Thanks

David

http://www.centrel-solutions.com/xiaconfiguration
