Wrong statement in the second minute. A hash function is not compromised just because it has collisions. By definition, it will have collisions, as the input space is infinitely variant, while the output space is finite, indifferent to the actual length. The question is how easily are you able to find an input that matches the output you have.
*It has a practically computable collision. You see, this nitpick is very similar to another one that can be applied to what we say about computers in general. We assume computers are fully capable of solving every problem: "We can compute anything!" and then there's the halting problem. We say ECC-384 and RSA-2048 are cryptographically impenetrable, yet it isn't far-fetched to say their inverse problems can be easily calculated in the near future. I deemed it too obvious you can't map an infinitely large set onto a finite one without causing collisions. The finite set simply doesn't have enough alphabet power to contain the information from the infinite one, considering it has a certain finite length. For the very same reason, it's not possible to translate a number from a larger base to the smaller one, say, decimal to binary if we have a length limit on binary. Vastly oversimplified that.
The first line of the reply contains the correction. Cardinality is a much better word to describe that, but it seems you were able to understand precisely what I mean. Nobody taught me neither discrete maths nor set theory in the university and the language barrier does not help :P
Although disclaimers like this absolutely shouldn't be required, and "risky" videos like this should not be taken down for insane reasons, these disclaimers are always a sign that the video is gonna be *good!*
@@BrunoDantasS.5655 I'm don't like ai generated content like how tf are you able to sell ai art and the dog/cat whatever videos are just annoying the only one I like is text to speech Which is the only thing that works in ai
@@TheTR0Nalt as an artist myself, I really agree with you. AI generated shit is not the same thing as a person making that same video/music/painting/any form of art, so yeah, imo, AI is only worth it when it helps you in your homework, other than that, it just makes no sense at all.
The handling of passwords in a Microsoft OS is complex because they use passwords for many usages. The OS (or its domain controller) will store a hashed version of the password, but there are also values which are symmetrically encrypted with keys derived from the password or from the hash thereof. The authentication protocols do not include provisions for exchanging salts when some hashing must occur client side. It is difficult to alter the password processing algorithms without impacting a lot of subsystems and potentially breaking the backward compatibility, which is the driving force of the Windows ecosystem. It goes down to strategic priorities. Microsoft knows that altering password hashing and authentication protocols to include a salt will have some non-negligible costs which they would have to assume (by fixing all the components which are thus affected). On the other hand, not changing the password hashing is rather "free" for them, because a flaky hashing algorithm will not convince customers to switch to other non-Microsoft systems (the OS market is, in practice, a captive market); it takes a lot more to force potential customers to envision an OS switch which is very expensive. Also, password hashing can arguably be qualified as "defence in depth", a second layer which has any impact only once a breach already occurred; as such, it could be presented as being of secondary importance. Therefore, it is logical, if irritating, that Microsoft does not update its poor password processing practices. Historically, Microsoft did only one update, when they switched from NTLM v1 to v2, and it was kind of necessary because the older LM hash was so weak that it was beginning to be embarrassing. My guess is that it involved a lot of internal hassle and they are not eager to do it again.
It's worth keeping in mind users can change their passwords, thus whatever mechanisms are in place have to be able to handle this. Thus switching algorithms or adding a salt can't be too difficult since it could be done at the moment of a password change (which could be forced for all accounts when updating to a new version of Windows). The only problem I can think of is if you have accounts not intended for use by users but by software, changing those passwords would stop the software from working and the software may not have mechanisms in place to anticipate this and make it easy to get the software working again. But I would think this is a small concern.
11s login screen is just 10s with a fresh coat of paint that from 22000.65. 10d is fresh coat of paint from 8s and then 8s is fresh coat of paint from 7s and then vista. your 11 login screen is quite similar to 8.0. it has the same user account password. same welcome screen with same loading circle. i wouldn't be surprised. 8.0 development started before 2011. some parts of 11 login screen can be dated back to vista/xp
@theairaccumulator7144 they shouldn't but it's not good for ppl who use the same password in many places. a better hash function could prevent further damage.
ah yes, Mr Jaunt R. On himself. one of the wisest people known to mankind, it's a shame what happened to him on December 15th, 2015, the world will never recover
Compute an MD4 preimage for a difficult password and then post back here. See you in a few years. MD4 table lookup is a lame excuse for the video title. It's still not easy. The collision stuff is irrelevant
He's probably hoping TH-cam does take it down, especially with the false disclaimer, where while it's a felony to hack someone's computer in the USA, it's more patriotic in Russia.
It's probably fine. There are quite a few hackthebox walkthroughs that do worse things than this. This is educational, with the goal to show the security behind the OS, should be fine
When I was a teenager in my early days of computer enthusiasm, I was annoyed that websites would make me set a new password if I forgot it, rather than tell you what it is via email. However, now that I'm far more knowledgeable about this stuff, I actually like that way. Any website that tells you your password via email rather than making you set a new one is storing the passwords unhashed. If you encounter such a website, you should avoid it at all costs.
i like how gamebanana does it: giving you a temporary password to log into your account and change the password, i used gamebanana with the temp passwords for weeks.
Problem is you can't always do that and in my case only recently we got a venue to report these, as those show they fail their duty to protect personal data.
reminds me that one meme about a website where user attempted to login and password is incorrect with error like "Your password is wrong, its XXX's password which is "" try again with XXX account"
Man, I wish it wasn't. Windows is one of the better systems out there, security aside. And no, no amount of fanboy talk will ever convince anyone that MacOS or Linux are somehow better, where that pretty much isn't the case, and yet, users of those systems will always make claims saying otherwise.
@@ChocoRainbowCornyeah I am sorry but no windows is not ''the best'' you have a pretty closed mind. What you mean to say is they are THE BIGGEST (in the pc market). Windows has a lot of issues with it and has gotten pretty clunky but they don't have to fix anything because they effectively have a monopoly.
@@ChocoRainbowCorn I run windows, but need linux for some dev stuff. Linux is just straight up better than windows, its smaller, faster, less resources heavy and more secure. The only real downside is that most software is Windows exclusive and that's not a os issue.
@@ChocoRainbowCorn I would say which one is better depends on the user. For me and my purposes, Linux is better. For you, Windows is better. I think that's fine. And I agree with you, I wish Windows security was better.
Man, I've heard a lot of stories of how NT/Windows are spaghetti at the extreme, Oracle DB levels of sapaghettiness, thats why I don't use it anymore, and now never again. This system is more than compromised.
It drives me nuts how much old NT code is still in Windows. And it isn't just Windows that has that issue. I was using Microsoft Access last week and found a graphic from Windows 9x.
To be fair, security is the biggest thing to worry about. Backwards compatibility with all this old code and software on the other hand though is incredibly useful to have. If people are getting so upset over backwards compatibility being available, even if it's kind of extreme, reaching back to some very old Windows versions, then I think you got other, far deeper and worse issues to worry about.
@@ChocoRainbowCorn Yes, it makes sense to be compatible with Windows 7, Even XP. But when you get into the NT, 95/98 era this is really concerning, the system has a good looking UI but behind it there is a outdated and unsafe mess of decades of coding.
@@Wkaelx There are ways to keep systems safe and compatible even with the oldest of software you know.. For one thing, dropping 16-bit support as a whole was an massive mistake on Microsoft's part. Sure, nobody uses that today but still. Age of code has nothing to do with how it's written, so also how secure or unsecure it is. It doesn't make any sense whatsoever to argue that there is no point in keeping backwards compatibility even with NT era of things and before/after. Again: If Microsoft doesn't want to bother with making sure Windows can stay compatible all the way throughout it's history but ensure that it's done in an safe manner, then that's not the problem of old, messy code - It's the problem of an lazy, greedy company that doesn't want to bother with things that can absolutely be done.
Wait... Can non-administrators access the sam/registry files? In theory, could they copy them from a "secure" corporate machine, to a USB and take it home, import the hives crack it at home? Most corporate PC's have one local admin account for remote IT or troubleshooting.
You need the administrator token + SeBackup privilege to access SAM. However, the SAM hive is simply a file in %windir%\system32\config, so you can dump it after booting using a USB stick or something along these lines...
@@Irongrip62 I meant for, hypothetically an attacker that wanted to access some confidential corporate data from the local machine. Local admin access is an entry point allowing you to extract the bitlocker key and browse all user profiles etc. ...In minecraft of course.
@@Kippykip Someone (of at least average IQ) who wants to attack and steal passwords from a high-profile corporation’s central system would probe it for weaknesses and, if needed, install either a rootkit or a backdoor to ensure uninterrupted activity. In a sane world where security is taken seriously, there would be several defense layers to deter, detect and trace any unauthorized attempts to hack their mainframe. … however, we do not live in a sane world… not anymore. If big corporations’ extreme cost cuttings bleed over to their server-side security, it’ll be only a matter of time before we see major leaks and significant damages.
There's plenty of policies to configure Kerberos in a domain setting. The threat model here is pretty limited; a stolen, powered off machine would ideally have bitlocker, which would first need to be compromised
@@markusTegelane i was curious and did some research, i found on the Wikipedia page for ntlm it says nt stands for new technology but does not provide a citation. the Wikipedia page for Windows nt has a citation under naming that points to a q&a with bill gates where he says "When we first released Windows NT in 1993...the letters stood for "New Technology." But the letters have long since lost any specific meaning. Today, 'NT' is just a designation for our high-end version of Windows." so yeah you're right it no longer officially has that meaning. still interesting to learn the history
Not really. I'd argue that in some cases RAS syndrome even sounds more natural than the alternative, and it can be used intentionally for emphasis or clarity. Think PIN number or ATM machine.
that was a very slick transition into the normal intro, i don't think i've ever seen someone use a previous section of their intro song to extend the intro backwards
I've no idea why TH-cam would take this down. Enderman, I'm new here, and in the first 4 minutes of your video you explained a hash in a much clearer way than I've ever seen it explained before. You've got a great voice for presentation and you do your best to communicate knowledge that is accurate given the information you have at the time it seems. This is educational and something you learn in network security courses so it's not like it's super secret stuff. I hope TH-cam doesn't delete anything . Knowledge is important and for those of us who seek it for pleasure; this video is a treasure. Now back to the video!
Thank you soo much, I got a hard drive from my campus, they are updating their classroom hardware, it has an original windows xp professional on it but I didnt get the password for it, wich means all I can do is what it was intended for (openning power points and other class related stuff), they told me I should just format it anyway but I'm sucker for windows xp and I'm not giving up on it.
Thank you for taking the time to create this content. The security weakness exposed in this video is intentionally left as-is. We understand that three-letter agencies prefer personal computers to lack strong access control, making it easier for them to monitor and conduct forensics. Microsoft willingly complies with that
Just by definition a hash function with variable input length like a password will have collisions if the output length is fixed. You have unlimited inputs but only limited outputs
while that is mathematically true, the entropy of sha256 is so insanely high that you will not be able to brute force a collision before the heat death of the universe for reference, the amount of outputs that the sha256 algorithm has is 115 quattuorvigintillion, or 1.15*10^77
@@jann4577 ah I see what you mean now. For the sake of this topic, I think the video is fine in its explanation even if it isn't entirely correct. It's a bit much to explain somewhat involved concepts from number theory and cryptography in what is only meant to be a brief introduction to hashes. That said, you aren't wrong.
This is one of the good things that come with a Microsoft Account, you can set a PIN (which doesn't have to be just numbers, can just be a password) but it's stored in the TPM, so it's a pain to bypass if you also then turn off password authentication.
Fun fact: Mimikatz, instead of doing all of this, captures the NTLM hash that was already used in the session. Maybe that's why MSFT wants you to get an account instead of a local user, because it uses a different algo, instead of an unsalted MD4?
Hi Enderman, great video. I know what YT did to you, and you got 2 str-whatever. If YT t----- your channel, will you keep uploading on your “Andrew” account or just make a new YT account and just name it Enderman and just continue there? Just asking cause I love your channel. Just be sure to download your videos via YT studio to device (At least your 10 latest) so just incase anything happens, you have a little backup of videos. Just like to know. Love your channel. Have a good day❤
all hashs of N bits will have a collision every approximately 2^N bits. Collisions are impossible to avoid when text is longer than the hash length. But may be computationally impossible to find. (Small note on start)
Hahaha!! You made me laugh so hard when you were looking at printing the registry tree. "Why would anyone want to (print the registry tree)? This is useless". LOL
I still cant believe all the things youtube does in the names of protecting kids (just one example, not an umbrella accusation) and then just leaves the elsagate type of content up for all to see. its disgusting and I dont like it
@@TheTR0Nalt The part that gets me even more is the people who create videos talking about the disgusting videos getting taken down for the kind of content that the OTHER videos are showing from being highlighted. It's so backwards
This is done only for the basic Windows password on a local account right? And not for the Windows Hello PIN or (dare I mention it) a Microsoft account login? If not, that's probably why Microsoft hasn't fixed it. From their perspective they already have fixed it: just use a Microsoft account instead of a password.
@@throwaway6478Bitlocker is also quite bypassable for external TPMs if you can find the LPC pins on the motherboard, or with a USB debug cable on Intel-based systems.
Brilliant! Love the way you explain things. Someone once said - if you can’t explain it to a five year old then you don’t understand it. And that’s exactly how you explain things. So simply. That’s very rare in the IT world. My only negative is you said wallah instead of voila 12:54 😉
Much respect for you man. You made me learn something new to thi shitty windows world and definetly convincing me to pass to linux. Your channel is so underrated
That amazing, never thought about that print function in the registry, seen print button a million times but never thought once of pushing it and seeing what happens, very clever of windows to do that.
Microsoft have turned crap security into an art form - it has to be deliberate. I stopped using Windows in the 90s after realising how dreadful it was at its core, NT 3.5.1 notwithstanding. In the intervening years I'd assumed that Microsoft would have got its act together and that by now it's probably as secure as anything else. But when I see videos like this in 2024(!) I'm stunned at how pathetic the security still is. The rest of the world has solved these problems, and good security is now accessible to pretty much everyone...except at Redmond evidently. Thanks for this video - it's nice to get a glimpse into world of Windows' cutting edge security failures.
Everyone else for the last 15+ years: let's use computationally difficult functions with quality random salt Windows team: yo I just heard of this MD4 thing!
I heard years ago that if you have a password over 14 characters then Windows uses a different hashing algorithm or something, can't really remember the details.
@@RadioactiveBlueberry The parts of the key are stored in separate locations in the registry which are also the same for every Windows installation. Enderman even points this out at 8:25. So, what is your point? Edit: specified that the subkeys are stored in the registry.
@@RadioactiveBlueberry first of all the dude above is absolutely right. Second of all, yes, a dll or whatever is fine. For some reason linux doesn't have to go through all that bullshit because it actually uses a sane methodology. The password hashes are stored in /etc/shadow and use salt. You can read it only if you have root rights. It works. So your point would be?
@@mike_diz Isn't main difference here is salt? Because you can escalate to Trusted Installer priveleges by using external OS to tamper with hive. Same as you can use new Linux install to access file from another one. So it doesn't matter much where passwords are stored. Main issue is fact that hash is unsalted.
@@DimkaTsv that's pretty much exactly what I was saying. See my response to radioactiveblueberry. Windows not using salt is bad in the first place, I was pointing out that hiding a key in some insane barely accessible field for no good reason is incredibly weird.
I remember taking a course in IT security and as part of it, we extracted hashes from an XP computer using a special program. Think it got the password through the LM hash. It was a while ago now, maybe 15 years or so. Seems things haven't improved as much as it should, unfortunately.
Hi sorry if this is a noob question. if the password used is not in the massive database, acquiring the hash doesn’t mean your password can be acquired right?
It may be computed using bruteforce, as an example. Hash enough random passwords until the hash of the random password matches yours. Voila, that's the hash of your password.
not sure what good a niche use-case like this is; already logged in as admin on a machine is rarely an accident to someone who also has the ability to write a script to pull a hash. it's a clear demonstration of reverse engineering, with some interesting finds, but definitely impractical for the purposes of already being locked out of a bitlocker encrypted windows install.
All hash functions have collisions. They have to. When more than N objects are put into N slots, there must be at least one slot with more than one object. I.e. the Pigeon Hole Problem.
as Soon as i see the "This video does not condone or promote hacking or any other illegal activities." Screen i get flashbacks from when enderman couldnt post and had trouble with youtube xD
Enderman: THIS VIDEO IS MADE BY PROFFESIONALS AND SOLELY FOR EDUCATIONAL PURPOSES Me: WE ALL KNOW IS ENDERMAN A PROFFESIONAL WHY DO U SAY THIS????????? Edit: I mean Enderman is a legend♥
Of course they care - they have alternative hash methods - but they can’t change the NTLM hashes for compatibility - but it’s a good idea to turn them off if not needed anymore
1:35 I feel the need to nitpick here. A hash function is not considered "compromised" because it has collisions. They have a fixed length output and can take inputs of arbitrarily large size, so you have an infinite number of inputs and a finite number of outputs. It is not possible for a hash function to never collide, and SHA-256 is still cryptographically secure. There is no better approach than brute force, and it is completely infeasible with today's technology to reliably find collisions.
@@ZiedKammoun it works if you have a copy of the registry… or access to the disk or simply the guy is in a meeting and you use it meanwhile. Btw how often is the password used on pther devices as well?
Wrong statement in the second minute. A hash function is not compromised just because it has collisions. By definition, it will have collisions, as the input space is infinitely variant, while the output space is finite, indifferent to the actual length. The question is how easily are you able to find an input that matches the output you have.
*It has a practically computable collision.
You see, this nitpick is very similar to another one that can be applied to what we say about computers in general. We assume computers are fully capable of solving every problem: "We can compute anything!" and then there's the halting problem. We say ECC-384 and RSA-2048 are cryptographically impenetrable, yet it isn't far-fetched to say their inverse problems can be easily calculated in the near future.
I deemed it too obvious you can't map an infinitely large set onto a finite one without causing collisions. The finite set simply doesn't have enough alphabet power to contain the information from the infinite one, considering it has a certain finite length. For the very same reason, it's not possible to translate a number from a larger base to the smaller one, say, decimal to binary if we have a length limit on binary. Vastly oversimplified that.
@@Endermanch admit you are wrong, rather than using phrases like “alphabet power” to talk about the cardinality of sets *eyeroll*
The first line of the reply contains the correction. Cardinality is a much better word to describe that, but it seems you were able to understand precisely what I mean. Nobody taught me neither discrete maths nor set theory in the university and the language barrier does not help :P
@@JonnyPowell Get cooked 🫵😂
@@JonnyPowell Admit you are wrong also. ( I have no f*&?ing idea) about these things.
The disclaimer in the description LOL
Lmao.
"I DO NOT CONDONE NOR SUPPORT ANY OF THE OPINIONS EXPRESSED ON THIS CHATROOM" aah 😭
Although disclaimers like this absolutely shouldn't be required, and "risky" videos like this should not be taken down for insane reasons, these disclaimers are always a sign that the video is gonna be *good!*
Imagine if it still does get taken down..
FBI is calling...
You know Enderman is fighting for his life with TH-cam when he pulls out the longer intro with the disclaimer.
TH-cam would rather become magenta than ban the ACTUAL BAD CREATORS and ACTUALLY WATCH These Quality videos & approve them
@@TheTR0Nalt Yeah, AI is really shit and it should be banned in stuff like this.
@@BrunoDantasS.5655 I'm don't like ai generated content like how tf are you able to sell ai art and the dog/cat whatever videos are just annoying the only one I like is text to speech Which is the only thing that works in ai
@@TheTR0Nalt as an artist myself, I really agree with you. AI generated shit is not the same thing as a person making that same video/music/painting/any form of art, so yeah, imo, AI is only worth it when it helps you in your homework, other than that, it just makes no sense at all.
The handling of passwords in a Microsoft OS is complex because they use passwords for many usages. The OS (or its domain controller) will store a hashed version of the password, but there are also values which are symmetrically encrypted with keys derived from the password or from the hash thereof. The authentication protocols do not include provisions for exchanging salts when some hashing must occur client side. It is difficult to alter the password processing algorithms without impacting a lot of subsystems and potentially breaking the backward compatibility, which is the driving force of the Windows ecosystem.
It goes down to strategic priorities. Microsoft knows that altering password hashing and authentication protocols to include a salt will have some non-negligible costs which they would have to assume (by fixing all the components which are thus affected). On the other hand, not changing the password hashing is rather "free" for them, because a flaky hashing algorithm will not convince customers to switch to other non-Microsoft systems (the OS market is, in practice, a captive market); it takes a lot more to force potential customers to envision an OS switch which is very expensive. Also, password hashing can arguably be qualified as "defence in depth", a second layer which has any impact only once a breach already occurred; as such, it could be presented as being of secondary importance. Therefore, it is logical, if irritating, that Microsoft does not update its poor password processing practices.
Historically, Microsoft did only one update, when they switched from NTLM v1 to v2, and it was kind of necessary because the older LM hash was so weak that it was beginning to be embarrassing. My guess is that it involved a lot of internal hassle and they are not eager to do it again.
Cool
even if they fix it will just be targeted again and back to the same point
It's worth keeping in mind users can change their passwords, thus whatever mechanisms are in place have to be able to handle this. Thus switching algorithms or adding a salt can't be too difficult since it could be done at the moment of a password change (which could be forced for all accounts when updating to a new version of Windows). The only problem I can think of is if you have accounts not intended for use by users but by software, changing those passwords would stop the software from working and the software may not have mechanisms in place to anticipate this and make it easy to get the software working again. But I would think this is a small concern.
Hello ChatGPT!
@@𰻝 Not AI generated.
I'm downloading this video before it gets taken down by TH-cam.
good idea
same!
But plz if really this video taken down then u upload it from ur yt channel
@@AadiLMughal Maybe
Same
MD4 was already known to be insecure in 1991 and got retired in 2011...
11s login screen is just 10s with a fresh coat of paint that from 22000.65. 10d is fresh coat of paint from 8s and then 8s is fresh coat of paint from 7s and then vista. your 11 login screen is quite similar to 8.0. it has the same user account password. same welcome screen with same loading circle. i wouldn't be surprised. 8.0 development started before 2011. some parts of 11 login screen can be dated back to vista/xp
11s login screen is basically based mostly on 8.0. it has ties to even vista/xp and even windows nt 4 login screen. wild.
ain't no one care about the security of your windows password, if an attacker got to that point you're already cooked
@theairaccumulator7144 they shouldn't but it's not good for ppl who use the same password in many places. a better hash function could prevent further damage.
@@theairaccumulator7144 yes
What the heck, MD4 AND unsalted??
As a wise man once said...
"WHAT!?? (pause.) WHAT THE F***"
ah yes, Mr Jaunt R. On himself. one of the wisest people known to mankind, it's a shame what happened to him on December 15th, 2015, the world will never recover
@@dogyX3 to pass export controls
Compute an MD4 preimage for a difficult password and then post back here. See you in a few years. MD4 table lookup is a lame excuse for the video title. It's still not easy. The collision stuff is irrelevant
Let's hope TH-cam doesn't take this video down.
Yeah
He's probably hoping TH-cam does take it down, especially with the false disclaimer, where while it's a felony to hack someone's computer in the USA, it's more patriotic in Russia.
@@soundspark Bruh 😂😂😂
It's probably fine. There are quite a few hackthebox walkthroughs that do worse things than this. This is educational, with the goal to show the security behind the OS, should be fine
This is giving me flashbacks to my family members losing their windows login passwords and making me retrieve them in high school
When I was a teenager in my early days of computer enthusiasm, I was annoyed that websites would make me set a new password if I forgot it, rather than tell you what it is via email. However, now that I'm far more knowledgeable about this stuff, I actually like that way. Any website that tells you your password via email rather than making you set a new one is storing the passwords unhashed. If you encounter such a website, you should avoid it at all costs.
i like how gamebanana does it: giving you a temporary password to log into your account and change the password, i used gamebanana with the temp passwords for weeks.
Problem is you can't always do that and in my case only recently we got a venue to report these, as those show they fail their duty to protect personal data.
even steam?
reminds me that one meme about a website where user attempted to login and password is incorrect with error like "Your password is wrong, its XXX's password which is "" try again with XXX account"
@@AffectionateLocomotive If they send you your password over email it means they know it, which they shouldn't. So yes, even Steam.
enderman: uses voice, puts calm music
also enderman: uses textbox and intense music
I liked the old style, got me hooked
Another day, another video of Enderman showing us why Windows security is mostly a joke.
*absolutely
Man, I wish it wasn't. Windows is one of the better systems out there, security aside. And no, no amount of fanboy talk will ever convince anyone that MacOS or Linux are somehow better, where that pretty much isn't the case, and yet, users of those systems will always make claims saying otherwise.
@@ChocoRainbowCornyeah I am sorry but no windows is not ''the best'' you have a pretty closed mind. What you mean to say is they are THE BIGGEST (in the pc market). Windows has a lot of issues with it and has gotten pretty clunky but they don't have to fix anything because they effectively have a monopoly.
@@ChocoRainbowCorn I run windows, but need linux for some dev stuff. Linux is just straight up better than windows, its smaller, faster, less resources heavy and more secure. The only real downside is that most software is Windows exclusive and that's not a os issue.
@@ChocoRainbowCorn I would say which one is better depends on the user. For me and my purposes, Linux is better. For you, Windows is better. I think that's fine.
And I agree with you, I wish Windows security was better.
Ah yes. Old NT code starting to bite back. Surely this can't get any worse, right? Right???
Man, I've heard a lot of stories of how NT/Windows are spaghetti at the extreme, Oracle DB levels of sapaghettiness, thats why I don't use it anymore, and now never again.
This system is more than compromised.
It drives me nuts how much old NT code is still in Windows. And it isn't just Windows that has that issue. I was using Microsoft Access last week and found a graphic from Windows 9x.
To be fair, security is the biggest thing to worry about. Backwards compatibility with all this old code and software on the other hand though is incredibly useful to have. If people are getting so upset over backwards compatibility being available, even if it's kind of extreme, reaching back to some very old Windows versions, then I think you got other, far deeper and worse issues to worry about.
@@ChocoRainbowCorn Yes, it makes sense to be compatible with Windows 7, Even XP.
But when you get into the NT, 95/98 era this is really concerning, the system has a good looking UI but behind it there is a outdated and unsafe mess of decades of coding.
@@Wkaelx There are ways to keep systems safe and compatible even with the oldest of software you know.. For one thing, dropping 16-bit support as a whole was an massive mistake on Microsoft's part. Sure, nobody uses that today but still. Age of code has nothing to do with how it's written, so also how secure or unsecure it is. It doesn't make any sense whatsoever to argue that there is no point in keeping backwards compatibility even with NT era of things and before/after. Again: If Microsoft doesn't want to bother with making sure Windows can stay compatible all the way throughout it's history but ensure that it's done in an safe manner, then that's not the problem of old, messy code - It's the problem of an lazy, greedy company that doesn't want to bother with things that can absolutely be done.
So glad for the disclaimer I wouldn't be able to support you if you were an illegal hacker.
Wait... Can non-administrators access the sam/registry files?
In theory, could they copy them from a "secure" corporate machine, to a USB and take it home, import the hives crack it at home?
Most corporate PC's have one local admin account for remote IT or troubleshooting.
You need the administrator token + SeBackup privilege to access SAM. However, the SAM hive is simply a file in %windir%\system32\config, so you can dump it after booting using a USB stick or something along these lines...
If you have physical access you can just remove the harddrive and image it.
@@Irongrip62 I meant for, hypothetically an attacker that wanted to access some confidential corporate data from the local machine. Local admin access is an entry point allowing you to extract the bitlocker key and browse all user profiles etc.
...In minecraft of course.
@@Kippykip
Someone (of at least average IQ) who wants to attack and steal passwords from a high-profile corporation’s central system would probe it for weaknesses and, if needed, install either a rootkit or a backdoor to ensure uninterrupted activity. In a sane world where security is taken seriously, there would be several defense layers to deter, detect and trace any unauthorized attempts to hack their mainframe.
… however, we do not live in a sane world… not anymore. If big corporations’ extreme cost cuttings bleed over to their server-side security, it’ll be only a matter of time before we see major leaks and significant damages.
@@Endermanch Ah I see, welp there goes the BitLocker bypass idea.
Do not use Windows, Linux, OS X or any X86/ARM/RISC/PPC OS. Do not use PC at all. It's bloat
Do not use a house. Homes are bloat, plus they usually come with windows.
@@GeekIWG try not signing up on earth, it's full of bloat and paywalls, it's bloat
An exception will be made for TempleOS.
do not let your mom give birth to you. You will have so many responsibilities and taxes in the future. It's not worth it
No I use macOS on a laptop
The computers at my school all have the password "0"
Yea very secure, i know
Arguably better than "password" or the classic "1234"
@@GarfieldtheDestroyer But but... What if I combine them together? "password1234" is safe riiiiiight? xD
@@marcusjohansson668Throw in a special character to make "p@ssword1234" and it’s the most secure password known to mankind !
IKR?
its school name but what data does it contain? to have such passwords. nothing. just ppts and programs
There's plenty of policies to configure Kerberos in a domain setting. The threat model here is pretty limited; a stolen, powered off machine would ideally have bitlocker, which would first need to be compromised
Officially, NT is short for Windows NT.
And the NT in Windows NT doesn't really mean anything according to Microsoft.
NT stands for "noobs team"
@@markusTegelane i was curious and did some research, i found on the Wikipedia page for ntlm it says nt stands for new technology but does not provide a citation. the Wikipedia page for Windows nt has a citation under naming that points to a q&a with bill gates where he says "When we first released Windows NT in 1993...the letters stood for "New Technology."
But the letters have long since lost any specific meaning. Today, 'NT' is just a designation for our high-end version of Windows."
so yeah you're right it no longer officially has that meaning. still interesting to learn the history
@@lmnk "Not even Tried"
Not really. I'd argue that in some cases RAS syndrome even sounds more natural than the alternative, and it can be used intentionally for emphasis or clarity. Think PIN number or ATM machine.
windows 2000? windows nt 3.1 is from 1991 and it means new tech. new tech from 1991. 😂
extended endermanch intro dropped
Song is called "Landscaping" by "Windows 96"
that was a very slick transition into the normal intro, i don't think i've ever seen someone use a previous section of their intro song to extend the intro backwards
hes done it before. i think on either sulfoxide or solaris he added a warning for flashing lights.
@@someidiot4311 He also used this identical "piracy discouraged" intro on Activating Windows 95 with ChatGPT.
@@someidiot4311 yes
I've no idea why TH-cam would take this down. Enderman, I'm new here, and in the first 4 minutes of your video you explained a hash in a much clearer way than I've ever seen it explained before. You've got a great voice for presentation and you do your best to communicate knowledge that is accurate given the information you have at the time it seems. This is educational and something you learn in network security courses so it's not like it's super secret stuff. I hope TH-cam doesn't delete anything . Knowledge is important and for those of us who seek it for pleasure; this video is a treasure.
Now back to the video!
She crack my password till I windows
i don get it
@@pundauoun, i think the last part should be like "till i windows" or something.
@@Player-fg4ub, gen alpha memes. Neither i understand it.
@@dadarkmatterdude same.
@@dadarkmatterdudeyou people are behaving like boomers, so miserable
bro didn't get hired 💀
😭
Thank you soo much, I got a hard drive from my campus, they are updating their classroom hardware, it has an original windows xp professional on it but I didnt get the password for it, wich means all I can do is what it was intended for (openning power points and other class related stuff), they told me I should just format it anyway but I'm sucker for windows xp and I'm not giving up on it.
Thank you for taking the time to create this content. The security weakness exposed in this video is intentionally left as-is. We understand that three-letter agencies prefer personal computers to lack strong access control, making it easier for them to monitor and conduct forensics. Microsoft willingly complies with that
Alright, bet that TH-cam will takedown one of the videos again, and we'll have the fiasco again. 💀
Just by definition a hash function with variable input length like a password will have collisions if the output length is fixed. You have unlimited inputs but only limited outputs
while that is mathematically true, the entropy of sha256 is so insanely high that you will not be able to brute force a collision before the heat death of the universe
for reference, the amount of outputs that the sha256 algorithm has is 115 quattuorvigintillion, or 1.15*10^77
@@0xGRIDRUNR shure but the quote in the video is misleading
@@jann4577 ah I see what you mean now. For the sake of this topic, I think the video is fine in its explanation even if it isn't entirely correct.
It's a bit much to explain somewhat involved concepts from number theory and cryptography in what is only meant to be a brief introduction to hashes.
That said, you aren't wrong.
This is one of the good things that come with a Microsoft Account, you can set a PIN (which doesn't have to be just numbers, can just be a password) but it's stored in the TPM, so it's a pain to bypass if you also then turn off password authentication.
Fun fact: Mimikatz, instead of doing all of this, captures the NTLM hash that was already used in the session.
Maybe that's why MSFT wants you to get an account instead of a local user, because it uses a different algo, instead of an unsalted MD4?
Hi Enderman, great video.
I know what YT did to you, and you got 2 str-whatever.
If YT t----- your channel, will you keep uploading on your “Andrew” account or just make a new YT account and just name it Enderman and just continue there? Just asking cause I love your channel. Just be sure to download your videos via YT studio to device (At least your 10 latest) so just incase anything happens, you have a little backup of videos. Just like to know.
Love your channel. Have a good day❤
Maybe I just haven’t seen an Enderman video in a while but I’ve never heard them voiced before
yeees voiceovers are back! thank you!!
At this point it's beyond safe to assume they're doing it intentionally
all hashs of N bits will have a collision every approximately 2^N bits. Collisions are impossible to avoid when text is longer than the hash length. But may be computationally impossible to find. (Small note on start)
A other enderman video? Christmas came early!
Haven’t seen the long landscaping intro in a while, it’s amazing lol
You know the videos good when it starts with “This video is for educational purposes only”
Enderman is so brave man like he got 2-3 strikes AND HE STILL DID THIS VIDEO
Lets hope TH-cam doesn’t take this down despite there being a warning
In the beginning I thought: "Hope they dont use MD5" Then you brought up MD4 🤦♂🤦♂
Hahaha!! You made me laugh so hard when you were looking at printing the registry tree. "Why would anyone want to (print the registry tree)? This is useless". LOL
TH-cam would rather be magenta and delete enderman's videos but wouldnt ban the elsagate content
I still cant believe all the things youtube does in the names of protecting kids (just one example, not an umbrella accusation) and then just leaves the elsagate type of content up for all to see. its disgusting and I dont like it
@@whamer100 I don't think anyone does as it is revolting I can't stand it without reporting it 5 times
@@TheTR0Nalt The part that gets me even more is the people who create videos talking about the disgusting videos getting taken down for the kind of content that the OTHER videos are showing from being highlighted. It's so backwards
@@whamer100 yeah like someone named themisterepic got taken down covering this content (it was censored I think) but the original videos are still up
@@TheTR0Nalt YEAH I REMEMBER THAT
This is done only for the basic Windows password on a local account right? And not for the Windows Hello PIN or (dare I mention it) a Microsoft account login? If not, that's probably why Microsoft hasn't fixed it. From their perspective they already have fixed it: just use a Microsoft account instead of a password.
Yep. It's also screwed if you have a syskey or Bitlocker.
No one sane in the corpoate segment would use login through a MS account. This is not an excuse.
@@lmnkCorporate is using AD with Kerberos.
The last password used to login to a MS account is saved to allow logging in when a system is offline.
Guess where that password is stored?
@@throwaway6478Bitlocker is also quite bypassable for external TPMs if you can find the LPC pins on the motherboard, or with a USB debug cable on Intel-based systems.
Brilliant! Love the way you explain things. Someone once said - if you can’t explain it to a five year old then you don’t understand it.
And that’s exactly how you explain things. So simply. That’s very rare in the IT world.
My only negative is you said wallah instead of voila 12:54 😉
I love how the intro screen is basically "TH-cam for the love of god dont take this down im not teaching people to hack the fbi"
Enderman once again breaking Windows and asking TH-cam not to take it down
Don’t keep complaining about Windows, he needs to create his own OS at this point
When the long intro rolled, i already knew it was good.
btw, the nostalgia when the intro rolled....
I loooove your videos, nice that you are restoring the vid schedule 🔥🔥 Keep it up! ❤
Much respect for you man. You made me learn something new to thi shitty windows world and definetly convincing me to pass to linux. Your channel is so underrated
"Security is not about preventing every attack, but about delaying attackers long enough for you to react."
That amazing, never thought about that print function in the registry, seen print button a million times but never thought once of pushing it and seeing what happens, very clever of windows to do that.
Microsoft have turned crap security into an art form - it has to be deliberate. I stopped using Windows in the 90s after realising how dreadful it was at its core, NT 3.5.1 notwithstanding. In the intervening years I'd assumed that Microsoft would have got its act together and that by now it's probably as secure as anything else. But when I see videos like this in 2024(!) I'm stunned at how pathetic the security still is. The rest of the world has solved these problems, and good security is now accessible to pretty much everyone...except at Redmond evidently.
Thanks for this video - it's nice to get a glimpse into world of Windows' cutting edge security failures.
Everyone else for the last 15+ years: let's use computationally difficult functions with quality random salt
Windows team: yo I just heard of this MD4 thing!
Insightful! Great explanation 👍
you know a video's gonna be good when it has the extended intro
really interesting video, also lmao so many disclaimers, hope u won't get banned again
if one singular person hits that report button this video will 100% be no more
just realized there's a small "easter egg" in VMware window at 11:49, there's a VM called "Windows 12" :p
Its from April 1st video
YOUR CHESS ELO IS 2000!?!?
I heard years ago that if you have a password over 14 characters then Windows uses a different hashing algorithm or something, can't really remember the details.
Well, you know what they say: "Windows security keeps only the honest people out"...
Hiding the key in the registry is like... Just what? This is like a crutch of crutches. Who is that even for? What does it protect? From whom?
Where would you hide it instead? On a DLL that's same for every installation?
@@RadioactiveBlueberry
The parts of the key are stored in separate locations in the registry which are also the same for every Windows installation. Enderman even points this out at 8:25. So, what is your point?
Edit: specified that the subkeys are stored in the registry.
@@RadioactiveBlueberry first of all the dude above is absolutely right. Second of all, yes, a dll or whatever is fine. For some reason linux doesn't have to go through all that bullshit because it actually uses a sane methodology. The password hashes are stored in /etc/shadow and use salt. You can read it only if you have root rights. It works. So your point would be?
@@mike_diz Isn't main difference here is salt?
Because you can escalate to Trusted Installer priveleges by using external OS to tamper with hive.
Same as you can use new Linux install to access file from another one.
So it doesn't matter much where passwords are stored. Main issue is fact that hash is unsalted.
@@DimkaTsv that's pretty much exactly what I was saying. See my response to radioactiveblueberry. Windows not using salt is bad in the first place, I was pointing out that hiding a key in some insane barely accessible field for no good reason is incredibly weird.
I remember taking a course in IT security and as part of it, we extracted hashes from an XP computer using a special program. Think it got the password through the LM hash. It was a while ago now, maybe 15 years or so. Seems things haven't improved as much as it should, unfortunately.
Ridiculous. Thanks for sharing.
I like the glitch transitions in your edit.
Great Video And Interesting. I hope TH-cam Doesn't Take It Down
Would it be possible for you to add subtitles to these videos? TH-cam will automatically use subtitles that you add in your video editor, iirc
Hi sorry if this is a noob question. if the password used is not in the massive database, acquiring the hash doesn’t mean your password can be acquired right?
It may be computed using bruteforce, as an example. Hash enough random passwords until the hash of the random password matches yours. Voila, that's the hash of your password.
Don't salt hashies. It does not taste nice.
Not salting passwords in 2024 is wild. Not using a kdf or password specific hashing function too.
i too love cracking passwords legally!
not sure what good a niche use-case like this is; already logged in as admin on a machine is rarely an accident to someone who also has the ability to write a script to pull a hash. it's a clear demonstration of reverse engineering, with some interesting finds, but definitely impractical for the purposes of already being locked out of a bitlocker encrypted windows install.
4:25 i can imagine there arent exactly technicians who love their jobs working there
All hash functions have collisions. They have to. When more than N objects are put into N slots, there must be at least one slot with more than one object. I.e. the Pigeon Hole Problem.
as Soon as i see the "This video does not condone or promote hacking or any other illegal activities." Screen i get flashbacks from when enderman couldnt post and had trouble with youtube xD
yo Andrew, did you ever think abt going to linux or ever did?
Enderman: THIS VIDEO IS MADE BY PROFFESIONALS AND SOLELY FOR EDUCATIONAL PURPOSES
Me: WE ALL KNOW IS ENDERMAN A PROFFESIONAL WHY DO U SAY THIS?????????
Edit: I mean Enderman is a legend♥
that class name trick is insane lol. security through obscurity and not through, yknow, actual security
"Nobody stores passwords in plain text". Hahaha, I wish.
bro really said: "Yeah Im not getting another strike, Im going all in on the disclaimers" 😂
disclaimer, dah
need save a pc with a idiot password installed on it from your little brother/friend/any family member(actual situation of many users)
Uh...what about the sethc bug? Weren't it like, easier i suppose?
Bro has been change the title in the thumbnail to something else
TH-cam doesn't cabinet is a crime 😂
Lol 😂
Of course they care - they have alternative hash methods - but they can’t change the NTLM hashes for compatibility - but it’s a good idea to turn them off if not needed anymore
Ah yes, feeling Kirky, when I wish to boldy go where no one has gone before!
1:35 I feel the need to nitpick here. A hash function is not considered "compromised" because it has collisions. They have a fixed length output and can take inputs of arbitrarily large size, so you have an infinite number of inputs and a finite number of outputs. It is not possible for a hash function to never collide, and SHA-256 is still cryptographically secure. There is no better approach than brute force, and it is completely infeasible with today's technology to reliably find collisions.
Agreed - this can be demonstrated with the pigeon hole principle: you can't fit n+1 objects into n holes without repeating at least one
Hacking isn't illegal, breaching system which you're not authorized to is.
So , you can't crack the password ONLY if you are logged to the owner's computer , so what's so special ?
@@ZiedKammoun it works if you have a copy of the registry… or access to the disk or simply the guy is in a meeting and you use it meanwhile. Btw how often is the password used on pther devices as well?
Babe wake up new Enderman upload.
Bing bong enderman gone
thats very interesting, I've always wondered if it was possible to crack windows passwords but i did NOT anticipate MD4 of all things...
Does this work if the account has a PIN or are PINs stored differently?
nah it doesn't work with microsoft account
Does this work with Microsoft accounts too? Or just local accounts
Hacking is not inherently illegal. Do not refer to it as an illegal activity.
Me who forgot my password: this is very useful information
Thats how you know MS is full of air and 100% of devs work in advertizment department.
I love videos in which you explain things like these to us!
This is why i have no friends.
0:20 i realy like the video tilting
Excellent content.
this same experiment with unix-based operating systems would be interesting