Category Archives: Lessons Learnt

What is aad3b435b51404eeaad3b435b51404ee?

The short answer is that it is a cryptographically hashed representation of a password.

The blank LM hash

The string “aad3b435b51404eeaad3b435b51404ee” is the LM hash for ‘no password’. In other words, it’s empty. Typically it could be seen at the top of a hash dump from Windows and would look something like this:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:8118cb8789b3a147c790db402b016a08:::

(before anyone asks – no, that’s not a real administrator hash)

What format is a pwdump in?

That excerpt is from a pwdump file, generated by a tool commonly used in penetration tests and other cyber security assessments. It is just text-based output and so is just about human readable. A pwdump file has the following format:

<Username>:<User ID>:<LM hash>:<NT hash>:<Comment>:<Home Dir>:

More details about the LM hash

The hash above indicates that there is no LM hash for that user, but that there is an NTLM hash. Typically if you see lots of “404ee” at the end of the LM part you are up against a Windows 2008 (or later) domain which never required backwards compatibility. This is because LM hashes are very easy to crack and are now considered obsolete; for this reason they are disabled by default in newer installations. The file format still has a field for them for backwards compatibility.

You might have also noticed that there is some repetition in the LM hash:

aad3b435b51404eeaad3b435b51404ee

In the LM hash above there are two copies of “aad3b435b51404ee”. This repetition is present because on Microsoft systems this hash is actually two separate hashes concatenated together. From a user’s perspective the result is that their password is converted to uppercase and split into two chunks of at most 7 characters each, and each chunk is hashed independently. Both of these qualities make LM hashes very easy to crack.
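As an added example (not code from the original post), the following Python parses pwdump lines in the format given above and flags what a defender cares about: accounts whose NT hash is the blank value, accounts that still store an LM hash at all, and, using the two-half structure just described, LM hashes whose second half is blank and so belong to passwords of 7 characters or fewer. The sample dump, the `svc_legacy` account and its `0123456789abcdef` LM half are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Well-known constants from the text: the hashes of an empty password.
BLANK_LM_HALF = "aad3b435b51404ee"             # one empty 7-character LM half
BLANK_LM = BLANK_LM_HALF * 2                   # LM hash of an empty password
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# <Username>:<User ID>:<LM hash>:<NT hash>:<Comment>:<Home Dir>:
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):"
    r"(?P<nt>[0-9a-fA-F]{32}):(?P<comment>[^:]*):(?P<home>[^:]*):?$"
)

@dataclass
class Finding:
    user: str
    rid: int
    issues: list = field(default_factory=list)

def audit_line(line: str):
    """Parse one pwdump line; return a Finding, or None if it is not pwdump."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    lm, nt = m["lm"].lower(), m["nt"].lower()
    f = Finding(m["user"], int(m["rid"]))
    if nt == BLANK_NT:
        f.issues.append("empty password")
    if lm != BLANK_LM:
        f.issues.append("LM hash stored (legacy, trivially crackable)")
        # The halves are independent: a blank second half means the
        # uppercased password fitted entirely in the first 7 characters.
        if lm[16:] == BLANK_LM_HALF:
            f.issues.append("password is 7 characters or fewer")
    return f

def audit_dump(text: str):
    """Return a Finding for every well-formed pwdump line in `text`."""
    return [f for f in map(audit_line, text.splitlines()) if f is not None]

# Constructed sample dump. The first line is the (not real) one quoted in the
# post; the LM first half "0123456789abcdef" is a placeholder, not a real hash.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8118cb8789b3a147c790db402b016a08:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_legacy:1105:0123456789abcdefaad3b435b51404ee:8118cb8789b3a147c790db402b016a08:::
# comment lines and anything else that is not pwdump are skipped
"""
```

Running `audit_dump(SAMPLE_DUMP)` reports nothing for the Administrator line, an empty password for Guest, and both a stored LM hash and a short password for svc_legacy.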

The blank NTLM hash

The following text is the same thing, but for the newer NTLM hash:

31d6cfe0d16ae931b73c59d7e0c089c0

The blank hash in a Linux shadow file

Similarly, on Linux the following shows a user account with a blank password in the shadow file:

guest:U6aMy0wojraho

Linux is much more capable than Microsoft Windows in this area, and so the ways to represent a user with a blank password can vary.

More reading…

If you are still interested in this topic, you can find lots of detail in this Wikipedia article.

Discovering Security Vulnerabilities and What To Do

A little while ago a small web design company (E-rizon) I have dealings with called me when they stumbled upon a security vulnerability. In the beginning, it appeared to be incredibly serious. Over the years I have had a lot of conversations about information security vulnerabilities and, bless ’em, they were really excited.

Aside from being proud that they thought they had found a vulnerability, they hadn’t a clue what to do next. As their friendly information security expert (read: geek) I was apparently “the man” to turn to.

We chatted for a little while. I got them to demonstrate the issue to me and sure enough, they had found something that at first glance looked incredibly serious.

The vulnerability was in the password reset functionality of 123-reg.co.uk. This is a fairly large domain name and hosting provider owned by Webfusion. 

It was staggeringly easy to execute too.

All you had to do was go to the login prompt and click “Forgot Your Password?”, enter the username on the new form and click “Submit”. It then took you to a secret question form with a link at the bottom: “Don’t remember your security question?” On this last form, pop your username in the top and click submit at the bottom. Next, you got a form asking which email address you wanted a new password sent to. Enter any email address you want and press submit; a few seconds later you receive a new password!

Now, before you gasp – there is a catch. 

This email does contain a password, but it does not contain a username. Upon further testing, the password doesn’t actually link to the username you submitted the form for.

Still, this didn’t strike me as very good.

Individuals could use it to spam email addresses, or conceivably even to mount some sort of denial of service attack against 123-reg.

Clearly, as an information security professional, I had to do something with this information. 

What to do with Security Vulnerabilities

The obvious place to start is to give the helpdesk a ring and ask for their IT team. I’ll be honest, I wasn’t expecting them to respond very well, and as I expected they refused to pass me to anyone who could deal with the situation. A bit of research later I had lots of contact details for Webfusion and 123-reg. I tried to ring all the phone numbers and emailed all the email addresses, and got a combination of “number not in use” messages and bounced emails, except for one email to a specific person at the Webfusion NOC (Network Operations Centre). A few hours later I received a phone call from Webfusion. After I described and demonstrated the vulnerability they agreed with me and promised to get the problem solved.

That was all about a month ago and after testing their password recovery mechanism earlier today I am happy to report that this vulnerability no longer applies.

I have to say I completely expect vulnerabilities discovered by “lay people” to go unreported, and this incident seems to illustrate that nicely – even for an information security professional it wasn’t easy to find accurate contact details for someone responsible. I guess ultimately the help desk either didn’t care or, more likely, had no idea how to deal with my call.


Sophos Kills Itself (Shh/Updater-B)

Today has been fun. Arriving early to work, I had to swing straight into the action with my “Incident Response” hat on. Great swathes of customers were reporting problems accessing various parts of their Microsoft Windows infrastructure. All of them were complaining about strange error messages from their anti-virus software, a message to the effect of “Access denied to shared resource”. The one thing they had in common: Sophos…

Sophos issue

I’ll be honest, my first thought was that a very effective 0-day exploit was loose inside the Sophos stack. Further investigation, and a little bit of Googling, revealed that actually Sophos themselves were the cause.

They had released a duff virus signature file. 

Said signature file was identifying all sorts of executable files as infected and quarantining them. This ranged from bespoke applications and genuine software updates to the Sophos executable files themselves!

I first stumbled upon a thread on the Sophos Community Forums when it had about 60 pages and thankfully the way to resolve the problem had been published.  Second up I found a post in the Sophos Knowledge Base.  Amusingly enough, several hours after we had finished fixing the problem we also received an email letting us know how to fix it…

This makes me wonder about the QA process that Sophos perform for their virus signatures; it also makes me wonder how many of those customers will want to renew as their subscriptions expire…