none
VBScript to determine which hashing method used for storing password hashes RRS feed

  • Question

  • Hi there,

    is there a way to verify via VBScript, which method is used to generate a user password and whether salting is used or not?

    Thanks in advance!

    Wednesday, February 20, 2019 10:05 AM

Answers

  • You can't.  The results of the hash are encrypted which means they are random to all outside viewers.  That is the whole point of encryption.  You have to know the algorithm and key in advance. 

    Yes.  The encryption is not black box because it cannot be guessed by a data generator.   Even if you know it is MD4 you need the key.

    Also Windows passwords are one-way encryption.  The key is generated blindly internally by the system.

    Ha - found the page which is getting harder with the new documentation.  The one in my NT Internals book is a better explanation but this one works too.

    "A cryptographic hash must, for instance, be created in such a way that it is mathematically infeasible in a reasonable amount of time to infer the larger set of data from only the hash. Likewise, it is mathematically infeasible to find two sets of large data that generate the same hash."

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh994558(v=ws.10)


    \_(ツ)_/

    Thursday, February 21, 2019 10:08 AM

All replies

  • No.  That is the beauty of PW generators. They cannot be easily reverse engineered.


    \_(ツ)_/


    • Edited by jrv Wednesday, February 20, 2019 10:34 AM
    • Proposed as answer by BOfH-666 Thursday, February 21, 2019 10:19 AM
    Wednesday, February 20, 2019 10:34 AM
  • Maybe you understood me wrong. I don't want to reverse a hash, which is not possible by definition. I would like to check the method/function which is used to actually compute the hash values. I know, the default in Windows Server 2008 is MD4, unsalted. However, how can I check this, ideally using vbscript

    By the way if the method for generating the hashes would be black box, than, according to Kerckhoffs' principle, it would be very insecure. That's not quite beautiful :)

    Thursday, February 21, 2019 9:58 AM
  • You can't.  The results of the hash are encrypted which means they are random to all outside viewers.  That is the whole point of encryption.  You have to know the algorithm and key in advance. 

    Yes.  The encryption is not black box because it cannot be guessed by a data generator.   Even if you know it is MD4 you need the key.

    Also Windows passwords are one-way encryption.  The key is generated blindly internally by the system.

    Ha - found the page which is getting harder with the new documentation.  The one in my NT Internals book is a better explanation but this one works too.

    "A cryptographic hash must, for instance, be created in such a way that it is mathematically infeasible in a reasonable amount of time to infer the larger set of data from only the hash. Likewise, it is mathematically infeasible to find two sets of large data that generate the same hash."

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh994558(v=ws.10)


    \_(ツ)_/

    Thursday, February 21, 2019 10:08 AM
  • Here is an explanation of why you cannot determine salting from encrypted data.

    https://en.wikipedia.org/wiki/Salt_(cryptography)


    \_(ツ)_/

    Thursday, February 21, 2019 10:25 AM
  • I think we are talking at cross purposes :) I do _not_ want to infer the hash function and whether salting has been applied on the basis of the actual hash values (even though, for some hash values you can, with some probability infer which hash function was used to produce them).

    I would like to know which hash function (and whether salting has been applied) was actually used based on a configuration setting or official documentation.

    I found a way to do this: Using the event editor, if one looks at windows events with ID 4624 (windows logon events), there is one group of field "Detailed Authentication Information" which gives information "Logon process" and "Authentication Package". From there, one can infer whether NTMLv1, NTMLv2, Kerberos, etc. is used. For NTMLv1 the hash is computes has hash=MD4(password), without a salt. Not sure about NTMLV2, Kerberos though. might be the same.

    Also I found the utility "klist.exe" to give some infos about the used crypto primitives.

    NB.: MD4 does not need a key. Only so-called "keyed hash functions" like HMAC rely on keys. "Traditional" hash functions like MD5/SHA-1/2/3 only rely on some input message (and potentially some parameter as for SHA-3).

    Thursday, February 21, 2019 2:33 PM
  • You asked how to find the encryption from the encrypted string or that is how I was able to decode you question.  Your English is still giving me issues with understanding what you are asking.

    If you want to know what Windows does in a logon then that is a completely different discussion.  Yes. Windows has that information. 

    If you have read the link I posted you would know that the NT password is done one way and NTLM encryption is done in a different way.  You asked about passwords encryption or at least that is what it read like and you did use the word "password".  NTLM encryption has nothing to do with passwords so I cannot guess where that came from.

    The MD4(password)  means that an MD4 encryption hash is generated using the encrypted password to generate it.  It does not use the password. 

    If you want  more information post in the Security forum.  This is a scripting forum and your issue has nothing to do with scripting.  There is no way to know what password encryption is used  via VBScript.  YOu can find out what encryption was used to encrypt the NTLM communications used in a logon which is not what you asked.


    \_(ツ)_/

    Thursday, February 21, 2019 2:43 PM