>> My questions are: A) is this as vulnerable as it
>> seems at first blush? B) how many password/hex pairs
>> would be needed to deduce the underlying algorithm?
>> C) If one could deduce the algorithm, could the
>> attack be generalized so that it could be used
>> against other enterpris
the hex value stored is perhaps a hash, or even better, a salted hash,
or even better, a keyed salted hash which is then hex-encoded. any
discussion of unix password cracking will describe the first two.
(i think even the original doug mcilroy paper)
all are vulnerable to dictionary and brute for
My questions are: A) is this as vulnerable as it seems at first
blush? B) how many password/hex pairs would be needed to deduce the
underlying algorithm? C) If one could deduce the algorithm, could
the attack be generalized so that it could be used against other
enterprises that use the sa
On Sat, Mar 03, 2007 at 04:09:36AM -0800, Allen wrote:
> On a recent consulting gig, I came across what I think is a
> potential vulnerability and wanted to see how crazy my thinking is.
>
If you are not a security consultant hired to find and close this type
of vulnerability, and don't want to f
Hi gang,
On a recent consulting gig, I came across what I think is a
potential vulnerability and wanted to see how crazy my thinking is.
Without mentioning the exact place or piece of software because
of NDAs, here is the basic scenario.
The tool stores the hex version of the remote access pa