Disableing Hashes.

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi

Not sure if this is the correct place to ask but ill try anyways. I have a friend that recently desicoved the world of hacking and proceeds to find ammusement in useing Cain to brute force our passwords from hashes threw network traffic. I am curious is there a way to disable hashes and the like so we dont have to worry about security comprimises. Or do we need to just beat him up :P

-Jeremy Dach
 
Hi,

Not sure if this is the correct place to ask but ill try anyways. I have a friend that recently desicoved the world of hacking and proceeds to find ammusement in useing Cain to brute force our passwords from hashes threw network traffic. I am curious is there a way to disable hashes and the like so we dont have to worry about security comprimises. Or do we need to just beat him up :P.

-Jeremy Dach
Click to expand...

Jeremy,

Keeping ahead of the bad guys, who can sniff our network traffic and "guess" our
passwords and other encrypted information, will always be a losing process for
us. :(

But you can make it harder for your "friend". How strong are your passwords?
Using the name of your favorite rock star, or your girlfriends birthday, won't
cut it. When you're in a compromised situation, something like a mixed combo of
alphas (mixed case), numbers, and special characters do much better. It'll
teach you to memorise too. "J9%y#4R&dI3$" is a bit better password then
"Motherf*****", isn't it?

Is this a wireless link that he's sniffing? If so, have you got WPA-PSK, with a
good strong PreShared Key, yet? That's a start.

In reality, there's really no way to prevent the bad guys from brute forcing
their way into our secrets. Short of beating them up, which will only get us a
visit to the local police station.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
Chuck

Oh thats terrible I was hopeing for more luck than this. Perhaps a MS programmer would know if there was a way to disable old stuff thats allowing him to get access to my hashes. Oh the network is copper 100/1000 segments

He was gloating the other day about how I can turn off registry entries which will disable hashes but I loose networking functionality on certain lvl's. Which isnt good because I use a wide variety of networking reasourse from peer to peer to streaming media

Otherwise the password issue was a tough one for him at least my last one was. I had a 14 character one it took him about 3-4 days to brute force it. But apparently windows apparently will break the password up into 7 characters so says he. Needless to say I was a bit dissapointed

Oh well thx for the assistance I really appreciate it

-Jeremy Dach
 
If your machines are all Win2K+ and on a domain you should be able to have
Kerberos security, and I suspect he'll have a hard time breaking that.

IPSEC is also an option.

--

Ken Wickes [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


a friend that recently desicoved the world of hacking and proceeds to find
ammusement in useing Cain to brute force our passwords from hashes threw
network traffic. I am curious is there a way to disable hashes and the like
so we dont have to worry about security comprimises. Or do we need to just
beat him up :P.
 
Ken,

Im on a workgroup but a domain isnt out of the question if I can keep him out of my system. All the workstations are Windows XP Pro, and Home all really purchased :D. Any other suggestions would be most appreciated.

Oh I should note he had trouble dealing with zone alarm which was unusal. Perhaps SP2 for XP new improved firewall be able to battle that correcty. Since I am hesitant to use zone alarm due to its resourse eating nature.

-Jeremy Dach
 
Im on a workgroup but a domain isnt out of the question if I can keep him
out of my system. All the workstations are Windows XP Pro, and Home all
really purchased :D. Any other suggestions would be most appreciated.
Oh I should note he had trouble dealing with zone alarm which was unusal.
Click to expand...
Perhaps SP2 for XP new improved firewall be able to battle that correcty.
Since I am hesitant to use zone alarm due to its resourse eating nature.

using firewall like ZA etc and their taken resources is SMALL price to pay
from extra security they bring in. ZA is not that big resorce hog, unless
you really run some 200mhz box. There are other firewalls also besides ZA,
like tiny etc... maybe look in to those?

Also, if you are having router etc. it might have NAT, and turning that on
helps because it's one step more between, or adding one "computer" between
WAN and LAN that would route traffic... etc.. many things to do.. simplest
are, use software firewall (mainly to see outbound connections), get
hardware firewall...
 
Hi,

Not sure if this is the correct place to ask but ill try anyways. I have a friend that recently desicoved the world of hacking and proceeds to find ammusement in useing Cain to brute force our passwords from hashes threw network traffic. I am curious is there a way to disable hashes and the like so we dont have to worry about security comprimises. Or do we need to just beat him up :P.

-Jeremy Dach
Click to expand...

Do you want to disable LAN Manger hashes and use NTLMv2 Authentication
instead? If so, see these web pages:

http://www1.umn.edu/oit/security/DisableLanMan.pdf
http://is-it-true.org/nt/nt2000/registry/rtips51.shtml
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Steve

My thanks go out to you, this has stopped his hacking fenzy dead in its tracks. I have also enabled XP's personal firewall as well and made a far more difficult password to deal with. Question remains why doesnt MS have NT5.x+ boxes disable LANMAN and the sort to begin with? I know backwards compatability but you would think they would have the NT boxes upload directory services client to the 9x box and save us all the trouble

Anyways guys thx a million you have made my machine safer and ill be sure to spread this information to others

-Jeremy Dach
 
Steve,

My thanks go out to you, this has stopped his hacking fenzy dead in its tracks. I have also enabled XP's personal firewall as well and made a far more difficult password to deal with. Question remains why doesnt MS have NT5.x+ boxes disable LANMAN and the sort to begin with? I know backwards compatability but you would think they would have the NT boxes upload directory services client to the 9x box and save us all the trouble.

Anyways guys thx a million you have made my machine safer and ill be sure to spread this information to others.

-Jeremy Dach
Click to expand...

You're welcome, Jeremy. BTW, setting the minimum password length to
15 automatically turns off LAN Manager hashes, because the maximum
LANMAN password length is 14.

If users complain that they don't know any 15-character words to use
for passwords, tell them to use a phrase, consisting of multiple words
and symbols, such as "ILikeBeer+Pizza".
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Hey

Small problem aparently CAIN get get NTLMv2 hashes and cracks them quite easily, we got any other options here

-Jeremy Dach
 
Back
Top