Re: .pwl


staym@accessdata.com
Fri, 04 Dec 1998 11:38:18 -0700


PWL files encrypt multiple streams with the same RC4 stream. The RC4
stream is initialized with a 9-round MD5 of the password. A program
called "glide" (available on most hacker sites) can recover the first 56
bytes of the stream, revealing most passwords. There is a way you can
turn off password caching; I don't remember the details right now.
Anyone?

A simple API call (WNetGetCachedPasswords) will dump all the passwords
stored in the cache if someone is already logged on.

Also, the passwords protecting shared drives are stored with some
trivial obfuscation in the registry; if someone has read capability to
your Windows directory, they can recover any write-allow passwords.

-- 
Mike Stay
Cryptographer / Programmer
AccessData Corp.
mailto:staym@accessdata.com
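
Added example, not part of the original message and not code from the PWL format or any tool named above: why encrypting several records from the start of one RC4 keystream leaks them, next to a variant that gives each record its own keystream. The record contents, the password and the single-MD5 key derivation are constructed assumptions, not the real PWL layout or its 9-round derivation.

```python
import hashlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key schedule (KSA), then n bytes of output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_shared(password: bytes, records):
    """Weak pattern from the post: every record starts at keystream byte 0."""
    key = hashlib.md5(password).digest()  # assumption: single MD5, not the PWL derivation
    return [xor(r, rc4_keystream(key, len(r))) for r in records]

def encrypt_separated(password: bytes, records):
    """Corrected pattern: a distinct key, hence a distinct keystream, per record."""
    out = []
    for idx, r in enumerate(records):
        key = hashlib.md5(password + idx.to_bytes(4, "big")).digest()
        out.append(xor(r, rc4_keystream(key, len(r))))
    return out

# Constructed sample records and password (not real PWL contents).
RECORDS = [b"USERNAME-HEADER-", b"share-pw:hunter2"]
PASSWORD = b"constructed-password"

def demo():
    c_weak = encrypt_shared(PASSWORD, RECORDS)
    c_ok = encrypt_separated(PASSWORD, RECORDS)
    # A predictable record 0 yields the keystream, which decrypts record 1.
    keystream = xor(c_weak[0], RECORDS[0])
    leaked = xor(c_weak[1], keystream)
    # With separate keystreams the same arithmetic yields only noise.
    not_leaked = xor(c_ok[1], xor(c_ok[0], RECORDS[0]))
    return leaked, not_leaked

if __name__ == "__main__":
    print(demo())
```

The per-record key here only illustrates keystream separation; a current design would use an authenticated cipher with a unique nonce per record rather than RC4 and MD5.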



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:17:37