@Rairii@haqueers.com

Rairii

@Rairii@haqueers.com

Reversing (malware and otherwise); appsec and websec; embedded security; exploit dev; software preservationist; knows how not to use cryptography.

Currently finding bugs in Windows bootloaders.

You may also know me from capcom.sys.

#nobot


lkarlslund, to random

I've been tinkering with 8.7 billion passwords the last couple of weeks - and done lots of thinking, coding and debugging too. This resulted in a cool thing that I'm sharing today.

Here's the technical background: On the Windows platform your stored passwords are hashed as NTLM, which is basically just a Microsoft way of saying "MD4 sum of the UTF16 encoded password". As this was invented more than 25 years ago, this algorithm is simple.

Here's why this matters: When hackers break into your network, both configuration mistakes and weak passwords are in the very top of risks that enable a successful way for bad guys to get control over everything.

This is how you can remedy this: When I do Active Directory assessments, some of the time I also do a password audit, to find accounts that use the same password or highly privileged accounts with way too simple passwords. And I don't really care about regular users, but the ones that impact security do matter.

This is the challenge: To crack these passwords requires equipment and machine power, as going from an NTLM hash to a password is not something you can do by other means than throwing some GPU power after it. You simply try any password you can imagine, and compare it to the NTLM hash - it takes some time, and you don't get all passwords (complex ones survive these attacks).

And here's my solution: There is a faster way - maybe not providing you with exactly the same results - but it trades some of the precision with less time and hardware required. Because NTLM hashing is "unsalted", it means that the password 123456 will have the exact same hash on any system you encounter in the world. So why not just look the most obvious ones up in a database?

Now you can, because I coded up a specialized database, grabbed everything I could find from leaks, dictionaries and wordlists on the internet, and compiled it up for you.

It's free to use, there is no sign up required - and you can look up 1 password every second (batch look up 1000 in a few seconds every 15 minutes if you're in a hurry). It's even easy to use from command line using curl or PowerShell if you're into that.

Have fun, and I hope it can help make the world safer a little step at a time. If you like this, please re-share and spread the word (not the password!)

https://ntlm.pw/

Rairii,

@lkarlslund nice, another ntlm rainbow table

whitequark, to random

placing my bicycle, upside down, closer to my working desk, booting my headmate's windows desktop, plugging a small $120 black box into the bike, and running extremely sketchy software to update and configure its firmware

where did my life go so wrong

Rairii,

@whitequark oh, and btw, "that they somehow got MS to sign"

in practice, MS signs whatever you give them, as long as you are a business entity with an EV codesigning cert...

Rairii, to random

so, the bugcheck on real hardware was because the cache invalidation in MmMapViewOfSection was causing things to blow up (an exception was taken inside a first level exception handler!)

I added some disc slot-LED blinking to the sdmc driver on activity just so I can get an idea if things have hung or not lol

Rairii, to random

just realised i was playing pinball on dolphin over RDP too so i'm doubly amazed that it was kinda playable lol

Rairii, to random

>obscure undocumented DMA block in debug register area with custom hash required to use it

what's the more likely solution? attacker somehow figured it out by decapping and hardware reversing, or attacker managed to compromise apple or associated entity enough to get things like HDL, docs, test code, etc?

i can guess which one would be easier

...i wonder if that MMIO block has other interesting functionality

Rairii, to random

today i learned people have unironically ported modern chromium to NT4 for electron

they should try the hard mode version of that and port to NT PPC

Rairii, to random

if the USA national anthem is so good why is there no USB national anthem

Rairii, to random

so, if you had an .af domain, does that mean you just got tali-banned?

Rairii, to random

lol

guess what's clobbering the data structure

it's the truetype VM interpreter lol

Rairii, to random

somewhat related to the threads meta:

for the last few months i've been giving out the fake email "fuckzuck@fb.com" to marketing databases when required to enter something on a wlan captive portal

Rairii, to random

this mastodon draft PR looks interesting: "enable authorised fetch for any individual user who blocks remote domains" https://github.com/mastodon/mastodon/pull/28457

...would mean that blocking, for example, facebook threads as an individual user, from a server that does not block it, would actually be effective

Rairii, to random

another null deref in win32k

and judging by the dolphin logs, syssetup is actually running now?

Rairii, to random

// TODO: draw the rest of the fucking owl

Rairii, to random

meanwhile, I just saw this askubuntu post about the latest dbx update bricking a system: https://askubuntu.com/questions/1493537/ubuntu23-10-fwupd-secure-boot-dbx-371-bricked-my-pc

I just reversed its UEFI firmware and I'm not surprised.

There's some custom SMM module that tries to read and parse dbx, but if the dbx is too big and SmmAllocatePool() fails, it'll end up dereferencing NULL.
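An added C example, not the firmware's SMM module and not a reconstruction of it: it models the failure mode the post describes, an SMM pool allocation used without a NULL check, beside the checked form. SMM pool exhaustion is stood in for by a hypothetical `fake_smm_allocate_pool()` with an arbitrary 4 KiB budget; the real `SmmAllocatePool()` returns EFI_OUT_OF_RESOURCES in that case. The dbx blob is constructed from EFI_SIGNATURE_LIST headers in the layout the UEFI spec gives for that variable; what the real module does with the parsed data is not known from the post, so the walker here only counts entries.

```c
/* Added example, not the firmware's SMM module: the unchecked-allocation
 * pattern described in the post, beside its checked form. SMM pool
 * exhaustion is modelled by a hypothetical fake_smm_allocate_pool() with an
 * arbitrary byte budget; the dbx blob is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for SmmAllocatePool(): returns NULL (the
 * EFI_OUT_OF_RESOURCES case) once a request exceeds the modelled budget. */
#define SMM_POOL_BUDGET 4096u
static void *fake_smm_allocate_pool(size_t size) {
    return size > SMM_POOL_BUDGET ? NULL : malloc(size);
}

/* EFI_SIGNATURE_LIST header, the unit the dbx variable is made of (UEFI spec).
 * 16 + 4 + 4 + 4 = 28 bytes with no padding. */
typedef struct {
    uint8_t  SignatureType[16];
    uint32_t SignatureListSize;
    uint32_t SignatureHeaderSize;
    uint32_t SignatureSize;
} EfiSignatureList;

/* Walk every list in a dbx blob and count signature entries.
 * Returns -1 if any list header is inconsistent with the buffer. */
static long count_dbx_entries(const uint8_t *buf, size_t len) {
    long count = 0;
    size_t off = 0;
    while (off < len) {
        EfiSignatureList hdr;
        if (len - off < sizeof hdr) return -1;
        memcpy(&hdr, buf + off, sizeof hdr);
        if (hdr.SignatureListSize < sizeof hdr ||
            hdr.SignatureListSize > len - off ||
            hdr.SignatureSize == 0) return -1;
        size_t body = hdr.SignatureListSize - sizeof hdr;
        if (hdr.SignatureHeaderSize > body) return -1;
        body -= hdr.SignatureHeaderSize;
        if (body % hdr.SignatureSize != 0) return -1;
        count += (long)(body / hdr.SignatureSize);
        off += hdr.SignatureListSize;
    }
    return count;
}

/* The bug shape: the pool allocation is used without a NULL check. For a dbx
 * bigger than the pool can supply, buf is NULL and the memcpy faults; inside
 * SMM that is a hang or reset at boot, not a crashed process. */
static long parse_dbx_unchecked(const uint8_t *dbx, size_t len) {
    uint8_t *buf = fake_smm_allocate_pool(len);
    memcpy(buf, dbx, len);                 /* NULL dereference when allocation failed */
    long n = count_dbx_entries(buf, len);
    free(buf);
    return n;
}

/* Checked form: allocation failure is an error result, never a NULL buffer. */
static long parse_dbx_checked(const uint8_t *dbx, size_t len) {
    uint8_t *buf = fake_smm_allocate_pool(len);
    if (buf == NULL) return -2;            /* propagate EFI_OUT_OF_RESOURCES */
    memcpy(buf, dbx, len);
    long n = count_dbx_entries(buf, len);
    free(buf);
    return n;
}

/* Construct a dbx: one list of n 48-byte entries (16-byte SignatureOwner GUID
 * followed by a 32-byte SHA-256), which is the EFI_CERT_SHA256 entry layout. */
static size_t make_dbx(uint8_t *out, size_t cap, uint32_t n_entries) {
    EfiSignatureList hdr;
    memset(&hdr, 0, sizeof hdr);
    hdr.SignatureSize = 16 + 32;
    hdr.SignatureListSize = (uint32_t)sizeof hdr + n_entries * hdr.SignatureSize;
    if (hdr.SignatureListSize > cap) return 0;
    memcpy(out, &hdr, sizeof hdr);
    memset(out + sizeof hdr, 0xAB, hdr.SignatureListSize - sizeof hdr);
    return hdr.SignatureListSize;
}

/* Run one of the two parsers over a constructed dbx with n_entries entries. */
static long demo(uint32_t n_entries, int checked) {
    static uint8_t blob[65536];
    size_t len = make_dbx(blob, sizeof blob, n_entries);
    if (len == 0) return -3;
    return checked ? parse_dbx_checked(blob, len) : parse_dbx_unchecked(blob, len);
}

int main(void) {
    printf("10-entry dbx, checked parser:   %ld entries\n", demo(10, 1));
    printf("1000-entry dbx, checked parser: %ld (allocation refused, handled)\n", demo(1000, 1));
    /* demo(1000, 0) would take the unchecked path and dereference NULL. */
    return 0;
}
```

The checked parser turns "dbx too big for the pool" into a status the caller can act on, which is the only outcome that leaves a bootable machine; whether the module should then skip the dbx entirely or fall back to the firmware's own copy is a policy decision the post does not settle.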

Rairii, to random

somehow i can play space cadet pinball with one hand better than i can play it with two? lol

https://youtu.be/d8BpUpr1h9U

Rairii, to random

The NetBIOS domain name for Nintendo of America is NOANT

I don't think this is what they had in mind.

(It boots much faster than on emulator)

Rairii, to random

current status: text setup finished, some arc firmware bugs fixed to get osloader to start running, and now osloader is failing early for some reason lol

funny, MS forgot a "goto fail" after one panic early in osloader, so it tries to continue, and panics again haha

Rairii, to random

current status: fast keymashing causes nt to freeze

...so, as it is now, bottoms can't use it :P

Rairii, to random

one stupid bug fix in iossdmc.sys later (wrong length variable causing heap overflow) and:

Rairii, to random

five nights at freddy's?

surely these days, five nights at florida is scarier

Rairii, to random

looking at shimano32.sys/shimano64.sys that @whitequark pointed me to

first interesting thing of note: NT device name is obfuscated, one round of floss later dumps the string "Htsysm4EFB"

...this smells of capcom.sys

Rairii, to random

what my NT on Wii debugging environment looks like

Rairii, to random

hmm

stroughtonsmith, to random

I think it’s very clear where the TestFlight leak came from…

Also a reminder to make sure your S3 bucket permissions don't allow arbitrary read access or indexing 😛

Rairii,

@stroughtonsmith yes, the dump was done then, just before the old testflight was closed by apple in february 2015

it's not a new dump by any means, it just got rediscovered recently

Rairii,

@stroughtonsmith I don't think it came from an open bucket per se.

seems they found as many valid app links/IDs as they could and went from there

https://wiki.archiveteam.org/index.php/TestFlight
https://github.com/ArchiveTeam/testflight-grab/blob/master/testflight.lua
https://github.com/ArchiveTeam/testflight-items
