LFriede / eset-password-recovery

Can read the lock password hash of the ESET AV from the registry and crack it via brute force.

possibility of false positives? #1

Open mike-code opened 5 years ago

mike-code commented 5 years ago

I encountered an issue where I got a match (pass found) but it wasn't the actual password. How do I exclude such situations?

LFriede commented 5 years ago

Since the algo is not more than CRC32 it is definitely possible to have multiple passwords with the same hash. The question is if they will be accepted by ESET or not. If they are not accepted there must be other checks by ESET that I didn't see while reversing that or there is a bug in my implementation. Can you send me an example (you can send it via email if you don't want to post it publicly) and your ESET product version?
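The point above about a 32-bit checksum having many inputs per hash, as an added example that is not part of the thread or of the eset-password-recovery code. It assumes plain zlib CRC32 over UTF-8 bytes (the exact variant ESET uses is not shown on this page) and uses constructed random strings, not real passwords.

```python
import math
import random
import string
import zlib


def crc32_hex(password: str) -> str:
    """Plain zlib CRC32 of the UTF-8 bytes, as 8 upper-case hex digits."""
    return format(zlib.crc32(password.encode("utf-8")), "08X")


def expected_trials(bits: int = 32) -> float:
    """Birthday estimate: random inputs drawn before two share a digest."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(seed: int = 1, length: int = 8, max_tries: int = 5_000_000):
    """Draw constructed random strings until two distinct ones share a CRC32.

    Returns (first, second, shared_digest_hex, strings_tried).
    """
    rng = random.Random(seed)          # seeded so the run is repeatable
    seen = {}                          # digest -> first string that produced it
    for tried in range(1, max_tries + 1):
        candidate = "".join(rng.choices(string.ascii_lowercase, k=length))
        digest = zlib.crc32(candidate.encode("utf-8"))
        first = seen.setdefault(digest, candidate)
        if first != candidate:         # same digest, different string
            return first, candidate, format(digest, "08X"), tried
    raise RuntimeError("no collision within max_tries")


if __name__ == "__main__":
    a, b, digest, tried = find_collision()
    print(f"{a!r} and {b!r} both hash to {digest} after {tried} strings")
    print(f"birthday estimate for 32 bits: about {expected_trials():.0f} strings")
    # A verifier that compares only this 32-bit value cannot tell a and b apart,
    # so a brute-force "match" is a preimage of the hash, not necessarily the
    # password that was originally set.
```

A lock that stores only a 32-bit value accepts every input that maps to it; a salted, slow password hash with a wide output removes both the collisions and the cheap brute force.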

mike-code commented 5 years ago

My bad. The hash was 68DBAF89, which I now see you have in your algorithm implementation, so I understand it is some generic value? The AV was set up using on-site distributed systems (remote management) so I guess the password was stored on the master machine.