Nice suggestion, but it doesn't stop the "linux password changers" boot disks because most let you choose the user by the RID (hex value) and not just the name. Still a good idea to use though, another extra layer of security but not the complete solution.
Paul Sliwowski

On Tue, 2003-02-18 at 13:37, dave wrote:
> Simple ways to defeat password recovery boot-disk and password crackers,
> on NT/2000 machines.
>
> I was bored and trying different characters that L0phtCrack and other
> cracking programs could not detect. While doing so I discovered that by
> using these same characters in user names you could prevent the Boot-disk
> password changers from being able to change the Admin and other passwords.
>
> Possibly this is old news but I found it quite interesting. I am posting it
> to see if anyone else has found similar results, and maybe even ways to
> defeat this.
>
> 1. The character list: These are all ALT characters that L0phtCrack and
> Advanced NT Security Explorer could not detect. I made the password 5
> characters long and added them to the custom character sets. For my test,
> after testing all of them, I decided to use Alt-251 (v) it is the square
> root symbol but shows as a small v in the cracking programs, or not at all
> in the password recovery boot disks.
> 1-32
> 127-130
> 132
> 134
> 135
> 142-146
> 148
> 153-159
> 164-255
> 0127
> 0131
> 0135
> 0149
> 0160-0167
> 0170-0172
> 0176-0178
> 0181-0183
> 0186-0189
> 0191
> 0196-0199
> 0201
> 0209
> 0214
> 0220
> 0223
> 0228-0231
> 0233
> 0241
> 0246
> 0247
>
> 2. Defeating password crackers: Ok so now we make a user name "joev"
> (without the quotes) and we make the password "1234v". Well I spent 3 days
> and could not get the password cracked even after I added it to the custom
> character sets; maybe I am just an amateur. So please let me know if I am
> doing something wrong. Notice the username displays as joev in L0phtCrack
> and the others. Also try using sid2user and other user information
> utilities on it. Most will tell you the user does not exist, whether you
> add the special character or put it as a small v. Even the W2000 Resource
> Kit "showmbrs.exe" does not display the special character.
>
> 3. Ok so now we have to prevent the Password recovery boot disks from being
> able to change the passwords. I had the "Linux password changer" and the
> one from Win/sysinternals.
>
> 4. First, no matter what you change the name of the built-in administrator
> account to you can always change the password with these tools, I am
> assuming it is because the SID is always the same. You cannot disable it so
> had to come up with a way to get around that. So I simply created a group
> called "no access" added the built in administrator account to it. I added
> deny logon locally and deny access this computer from the network
> privileges, and took away all access to the drives, essentially disabling
> it.
>
> 5. Ok now we made joev a member of the admin group. We boot to the
> Password recovery disk. The users except for joev show normal he shows as
> joe. Since we know his real username we try entering it that way, and the
> way it displays, either way we get cannot find user. I could change any
> password except for the joev. If we change the built in admin accounts
> password all is great, of course we cannot log in as him. If we use one of
> these Alt characters in all the usernames we essentially can prevent any of
> the passwords (except the built in admin account) from being changed.
>
> 6. Well now I know there are other ways of editing the registry, installing
> a separate installation of the OS etc. etc. But I believe this is a pretty
> cool way of thwarting the basic "hacker" that thinks he is going to walk up
> to your system and boot to this disk and change the password and get in.
> Further it is nice to know that there are passwords you can make that even
> the common crackers cannot crack.
>
> Well this is my little discovery your thoughts and counter-thoughts are
> greatly appreciated. I do not mean this to be an end-all way of defeating
> these programs, but every little bit helps.
>
> ______________________
> Dave Kleiman
> [EMAIL PROTECTED]
> www.netmedic.net

--
Nothing More, For Me to Say, About my life, A Life of Dreams....
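
Added example, not part of either message above: a small account audit showing why the RID point in the reply holds. An account stays addressable by the RID at the end of its SID however its name renders, and the built-in administrator keeps RID 500 after any rename. The account list, the SID domain part and the name joe + U+221A (square root) are constructed sample data.

```python
import unicodedata

BUILTIN_ADMIN_RID = 500  # well-known RID of the built-in Administrator account

# Constructed sample accounts (name, SID); the domain sub-authorities are made up.
ACCOUNTS = [
    ("Administrator", "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("joe\u221a",     "S-1-5-21-1111111111-2222222222-3333333333-1004"),
    ("alice",         "S-1-5-21-1111111111-2222222222-3333333333-1005"),
]

def rid_of(sid):
    """Return the RID, i.e. the last sub-authority of a textual SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return int(parts[-1])

def rid_hex(rid):
    """RID as 8 hex digits, the way the SAM hive names its per-user keys."""
    return "%08X" % rid

def odd_chars(name):
    """Characters outside printable ASCII, paired with their Unicode names."""
    return [(c, unicodedata.name(c, "UNNAMED")) for c in name
            if not (0x20 <= ord(c) <= 0x7E)]

def audit(accounts):
    """Index accounts by hex RID and flag names a tool may render wrongly."""
    report = {}
    for name, sid in accounts:
        rid = rid_of(sid)
        report[rid_hex(rid)] = {
            "name": name,
            "builtin_admin": rid == BUILTIN_ADMIN_RID,
            "odd_chars": odd_chars(name),
        }
    return report

if __name__ == "__main__":
    for key, info in sorted(audit(ACCOUNTS).items()):
        # repr() keeps the name unambiguous even if the console cannot draw it
        print(key, repr(info["name"]), info["builtin_admin"], info["odd_chars"])
```

Run against a real account export, the odd_chars column is the part worth reviewing: any hit is a name that some consoles or tools will show differently from what is stored.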