June 2012

Password Audit of a Domain Controller

Some fantastic research has been carried out on the ntds.dit file over the last couple of years. Not long ago, forensic recovery of such information was limited to getting a live image of the host up and running and then executing fgdump or something similar. Now, however, other options exist if you have an offline copy of the directory store, namely retrieval of its two main tables: the data table and the link table.

Adding a Pinch of Salt

Following the recent LinkedIn breach, the company has stated that its current production database contains salted passwords. Obviously this was not the case at the time of the breach (unsalted SHA1), so a salt must have been added since to improve security. But how can you add a salt to a password hash if you don't know the password?

Firstly, let's consider the difference between a salted and unsalted password hash:
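As an added illustration (not code from the original post), the following Python shows unsalted SHA1 as reported for the LinkedIn hashes, a per-user salted SHA1, and, as an assumption beyond what the page states, the standard way of salting an already-stored hash without knowing the password: hash the existing hash together with a fresh salt. The passwords and salts are constructed sample values.

```python
import hashlib
import os


def sha1_unsalted(password: str) -> str:
    """Plain SHA1 of the password: two users with the same password get the same hash,
    so one precomputed lookup table cracks all of them at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def new_salt() -> bytes:
    """Per-user random salt; 16 bytes is a sample size, not a value from the page."""
    return os.urandom(16)


def sha1_salted(password: str, salt: bytes) -> str:
    """SHA1 over salt || password: the same password now yields a different hash per user."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def wrap_existing_hash(unsalted_hex: str, salt: bytes) -> str:
    """Salt an already-stored unsalted hash without the password (assumed migration
    pattern, not described on the page): stored = SHA1(salt || SHA1(password))."""
    return hashlib.sha1(salt + bytes.fromhex(unsalted_hex)).hexdigest()


def verify_wrapped(password: str, salt: bytes, stored_hex: str) -> bool:
    """Check a login against a wrapped hash: recompute the inner hash, then the outer one."""
    return wrap_existing_hash(sha1_unsalted(password), salt) == stored_hex


def main() -> None:
    # Constructed sample: two users who chose the same password.
    password = "Summer2012"
    salt_a, salt_b = new_salt(), new_salt()
    print("unsalted identical:", sha1_unsalted(password) == sha1_unsalted(password))
    print("salted differ:", sha1_salted(password, salt_a) != sha1_salted(password, salt_b))
    # Migrate an old unsalted hash in place, then verify a login against it.
    legacy = sha1_unsalted(password)
    migrated = wrap_existing_hash(legacy, salt_a)
    print("login verifies after migration:", verify_wrapped(password, salt_a, migrated))


if __name__ == "__main__":
    main()
```

Note that wrapping an old hash removes the identical-hash problem for future leaks but does nothing for copies of the unsalted hashes that were already taken.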

LinkedIn Breach Limited to just Passwords?

Yesterday, news reports of a LinkedIn data breach started to circulate on the Internet. Given the press coverage this morning on national television, this certainly is not breaking news anymore. To clarify, the dump (currently available here - http://www.mediafire.com/?n307hutksjstow3 - amongst other places) contains only password hashes. This does not change the impact of the breach, just the exposure. It is almost certain that the attacker also obtained full email addresses and other sensitive information from the site.