
22 August 2012


Definitely it is a well informative and impressive tool. I got a beautiful idea to save the password and arrange it in a proper way. Because most of us have used online services for exchanging data and share plans, ATM, e-banking. As a result the importance of the password is too high.

Ahinson - Yeah, thanks for the point of clarification on the encoding and why it's different. The blog post articulates the process I followed to get strings from the UTF16 content in my crude testing, which can be improved upon.

JayJay - Nice, like I said, "can be improved upon". Thanks!

Wanderer - Yeah, I had only done this testing on XP and Win8 before and had rarely set a hint for the user I was testing with. So that key in the SAM was new to me, as I noted above. Also, I had not seen that tool for erasing the hint before; I'll check that out. Thanks!

Terry - The focus here was to grab this information automatically as a remote attacker in the post-exploitation phase. To me (to use your own words) it would seem like "watching someone walk all the way around the block just to go to their next door neighbor's house" if they spent the time to copy and paste this out of the registry user by user and then mapped that back to the user in the Names hive. But anyway, thanks for your comments.

irb(main):001:0> ['6D006F006E006B006500790020006500610074002E002E002E00'].pack('H*').unpack('v*').pack('C*')
=> "monkey eat..."

Are you serious?

You can open the SAM file in any damn Registry Viewer and see the password hint. The binary data will be viewed as Hex and ASCII.

Reading this article was like watching someone walk all the way around the block just to go to their next door neighbor's house.

>>> we stumbled across a new key that we had not seen before

Kidding guys? The key has been here since Windows Vista. Here's the program that displays and removes Windows hints:

>>It's not ASCII, it's UTF-16, and I don't know Ruby but surely there's a simpler way of displaying a Unicode string?

The UTF encoding wasn't the problem, it was the conversion from binary to hex. Each byte in the byte array was converted to Hex then to its character equivalent.

The result is the hint string.

Janmoesen - I don't necessarily think this information needs to be encrypted. You are correct in that anyone who has physical access can guess a username and obtain the associated hint on a one by one basis. The focus of my additions was to obtain this information remotely as part of a post-exploitation process and steal all the hints on the system.

Woody - Thanks for the link, I'll check that out.

Franklinheath - Thanks, a couple others have brought that up too on the pull request after it was merged. I'll probably submit another pull request to tighten that code up in Metasploit when I get a chance.

Unixtippse - Nice find, perhaps someone could extend the Mac OSX hashdump modules to grab those hints too.

Out of interest: what encryption would you suggest for something which is publicly accessible? The password hints can be seen by anyone trying to log on to the machine, no?

Don't know if you saw the article, but there are more goodies stored in Windows 8, clear text. No Registry access required - a full list of the contacts cache is in a fixed location on local storage.

It's not ASCII, it's UTF-16, and I don't know Ruby but surely there's a simpler way of displaying a Unicode string?
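To answer the "simpler way" question above and to show the caveat the irb one-liner earlier in the thread carries, here is an added Ruby example (not code from the original post or any commenter). It decodes a hex-encoded UTF-16LE blob, of the kind the thread describes for a hint, by tagging the raw bytes as UTF-16LE and transcoding, and contrasts that with the `unpack('v*').pack('C*')` trick, which truncates each 16-bit unit to one byte. The hex samples are constructed for illustration; only the "monkey eat..." value comes from the thread.

```ruby
# Added example (not from the original post or its comments): decoding a
# UTF-16LE hex blob into a UTF-8 Ruby string. Sample values are constructed.

# Correct route: hex text -> raw bytes -> tag as UTF-16LE -> transcode to UTF-8.
def utf16le_hex_to_utf8(hex)
  raw = [hex].pack('H*')                       # hex text -> binary bytes
  raise ArgumentError, 'odd byte count for UTF-16' if raw.bytesize.odd?
  raw.force_encoding('UTF-16LE').encode('UTF-8')
end

# The one-liner quoted earlier in the thread: each 16-bit code unit is packed
# with 'C', which keeps only its low 8 bits. Fine for ASCII/Latin-1 hints,
# silently wrong for anything above U+00FF.
def naive_decode(hex)
  [hex].pack('H*').unpack('v*').pack('C*')
end

# Constructed samples: the ASCII hint from the thread, and "euro €"
# (U+20AC is stored little-endian as the bytes AC 20).
ASCII_HINT = '6D006F006E006B006500790020006500610074002E002E002E00'
EURO_HINT  = '6500750072006F002000AC20'

if __FILE__ == $PROGRAM_NAME
  puts utf16le_hex_to_utf8(ASCII_HINT)        # monkey eat...
  puts utf16le_hex_to_utf8(EURO_HINT)         # euro €
  p naive_decode(EURO_HINT)                   # "euro \xAC" (mangled)
end
```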

FYI, listing ALL the password hints on a MacOS system goes like this:

dscl . -readall /users AuthenticationHint
