Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

To detect weak or blank password?

200 views
Skip to first unread message

Vladimir Nechipurenko

unread,
Oct 10, 2005, 5:38:14 AM10/10/05
to
Hi all

I've got the task to detect whether the user has the blank or weak password.
I know that Microsoft Baseline Security Analyzer (MBSA) can do that, but
what I need to know what API it uses. Could anybody help me?

Thanks


Vladimir Nechipurenko

unread,
Oct 11, 2005, 3:19:11 AM10/11/05
to
Nobody knows? :(((((
Thanks


Larry Smith

unread,
Oct 15, 2005, 7:30:05 AM10/15/05
to
> Nobody knows? :(((((

The only function I know of is "NetValidatePasswordPolicy()" but it's good
for Win2003 only. Other options are to call "NetUserChangePassword()" (or
"NetUserSetInfo()" passing "USER_INFO_1033) and check for
"NERR_PasswordTooShort" which is returned if the password policy isn't met.
Depending on what you're doing, you may have to create a temporary (dummy)
account first and call it against that account which you can then delete
afterwards. It's ugly and may require certain administrator (or power user)
rights (you'll have to check) but I'm not sure if there's another way.


Sam Hobbs

unread,
Oct 18, 2005, 12:51:49 PM10/18/05
to
That sure is a good suggestion.

We are interested in the subject also, so I hope I may ask a question. Is it
possible to use the filter for the paswords that exist when the filter is
implemented? If that is answered in the documentation, then I will find it,
but any hints will be appreciated.


"Johnny Liu" <John...@discussions.microsoft.com> wrote in message
news:D72335B8-0984-49D0...@microsoft.com...
> I'm not sure what you need for your task. does your described "password"
> means the password for Windows logon? or the password is used by some web
> application for security issue. And what time that you want to detect ?
>
> If you want to verify weak or blank Windows logon password everytime when
> user change or re-assign it, then you can write a password filter. Please
> refer to
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/password_filters.asp
>
> If your task is for web application, there are some documents focus on
> security topic described on .NET web page.


Johnny Liu

unread,
Oct 19, 2005, 1:35:02 AM10/19/05
to
No, the password filter could not capture exist password of current logged on
user. And the concept for security of Win2K and WinXP will not export logon
password by any methods.

Windows 2000 has a security hole to open a back door to find the password of
current logged user. But this hole has been fixed on Windows XP, so I think
you should implement your program by regular method.

The only way to capture the password of current user for logon is write a
Gina stub to hook MSGina.dll (or any real gina which response for user
logon), when user intend to enter his password by Ctrl-Alt_Del, system will
call gina function WlxLoggedOutSas. If the username, password and domain are
correct for unique logon account, then WlxLoggedOutSas will return logon info
filled in the structure WLX_MPR_NOTIFY_INFO. The contains of this structure
is all you need.

Please remember, don't leave any security hole when you implement Gina stub,
Windows system has got too many security hole already. I suggest that when
your Gina stub get the contains of the structure WLX_MPR_NOTIFY_INFO, just
parse the password according to your password policy, and write a mark on
somewhere (registry or a file) if the password is weak or blank. Then your
application can highlight it to user depends on the mark. Don't copy the
structure by your Gina stub, it will increase risk of security.

Hope it is helpful for you.

Johnny

Sam Hobbs

unread,
Oct 19, 2005, 2:56:29 AM10/19/05
to
Thank you, Johnny.

I certainly will be careful if I were to do something such as writing a Gina
stub.

I am not the person that posted the original question, but note that
Vladimir asked how MBSA detects a "blank or weak password". I believe you
that MBSA does not get the password. Therefore MBSA is somehow testing the
validity of various gueses, right? I don't know a lot about security, but I
have read enough about security (including many messages in this newsgroup)
to know that one of the most commonly used techniques to crack a password is
to simply try many possibilities but it is often unnecessary to compare the
actual password to determine if it is a match.

I am sorry I am not using the correct terminology but I hope you understand
what I mean. Also, if I knew what terminology to use in a search, I probably
can find what I need in previous answers in this newsgroup.


"Johnny Liu" <John...@discussions.microsoft.com> wrote in message

news:128D6C8E-D08E-4366...@microsoft.com...

Johnny Liu

unread,
Oct 19, 2005, 7:46:02 AM10/19/05
to
Hi Sam,

Seems I have misunderstanding with you and Vladimir's question.

I don't know how MBSA to do for weak password checking. But depend on my
limited and tiny knowledge of Windows system security, the password was
stored either in local security accounts manager (SAM) database or Active
Directory. please refer to this page
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/msv1_0_authentication_package.asp

Unfortunately, the SAM is a dark box. Microsoft said that we can't access
the SAM database directly by any method, but only through LSA system
interface. But LSA system is also a dark box, there are many of exported
functions without document released. And I think Microsoft's guy will not
open the secret to the world forever, because we don't know who is good guy
to write a program for enhance security and who is bad guy to write a program
for steal someone's password. If Microsoft open the secret, then Windows OS
will not be secured anymore.

I believe that MBSA has some secret to check weak password, may be handle
the database of SAM through un-documented API of LSA, or may be try to attack
each account by closet attack, who know. Unless, we write a program to filter
and capture the each function calls when MBSA doing on weak password.

Sorry for I can't help you for this topic, may be some of Microsoft's guy
who programming LSA or MBSA will know how to do.

Johnny

Sam Hobbs

unread,
Oct 19, 2005, 11:44:03 AM10/19/05
to
Thank you again, Johnny.

It helps to know that it is not easily obvious.


"Johnny Liu" <John...@discussions.microsoft.com> wrote in message

news:8D9614E2-866E-4FA5...@microsoft.com...

Valery Pryamikov

unread,
Oct 20, 2005, 2:20:26 PM10/20/05
to

Vladimir Nechipurenko

unread,
Nov 8, 2005, 10:39:55 AM11/8/05
to
There is not way, except to change the passwords, but the performance is
very bad.
We asked customer to cancel this requirement :(

May be there is some not-documented function, but who knows, except MS guys

Thanks all for the participation
Vladimir Nechipurenko


Valery Pryamikov

unread,
Nov 12, 2005, 5:22:37 AM11/12/05
to
If you inject code in LSASS (as it is done in pwdump2) then you have access
to password hashes (md4) and cached domain credentials (md5(domain ||
username || md4passwordhash)). after that you can do a simple check of weak
passwords - eg. by comparing with hashes of empty password, a couple of
hundreds of most often used password (as it was done in some of the viruses
about 5-6 years ago, don't recall that virus name) and some combination of
computername, user name, some dates and their combinations with couple of
hundreds most usual passwords. If you run something like 10000-20000 hash
comparisons - it will be acceptable performance and good accuracy of the
test.

-Valery.
http://www.harper.no/valery

"Vladimir Nechipurenko" <vlad...@ua.fm> wrote in message

news:Ox35woH5...@tk2msftngp13.phx.gbl...

Sam Hobbs

unread,
Nov 28, 2005, 11:37:06 AM11/28/05
to
Thank you, Valery. I don't know if Vladimir can use this; I hope Vladimir
can. I think I can use it.

I am not sure I can figure out how to inject code into LSASS but I am
confident I can figure it out. I have written system-wide hooks and I have
seen articles describing other methods of injecting code. I think it is
better to provide as little sample code as possible for things like that
because it is the kind of thing that is dangerous for beginners.

The hardest part is the list of passwords to check for, but your suggestion
to inject code into LSASS is enough to pont me to a good direction. I think
it is enough for me.


"Valery Pryamikov" <val...@harper.no> wrote in message
news:eZ1L1M35...@TK2MSFTNGP14.phx.gbl...

Valery Pryamikov

unread,
Nov 29, 2005, 2:34:44 PM11/29/05
to
you can download and check source code of pwdump2:
http://www.bindview.com/Services/razor/Utilities/Windows/pwdump2_readme.cfm

-Valery.
http://www.harper.no/valery

"Sam Hobbs" <sam...@social.rr.com_change_social_to_socal> wrote in message
news:u7Ib3nD9...@TK2MSFTNGP12.phx.gbl...

david-homer

unread,
Aug 23, 2012, 1:03:54 PM8/23/12
to
Hi,

Incase anyone is still looking MBSA uses a password change request. The
following is from the MBSA manual...

Microsoft Baseline Security Analyzer does not attempt to crack passwords during
this check, and instead attempts a password change request using each condition
in the preceding list. Account lockout policy counts will be reset if in effect
on the scanned computer.


Thanks,

David

http://www.centrel-solutions.com/xiaconfiguration
0 new messages