Penetration Testing mailing list archives

Re: Cached NT/W2k passwords


From: "Nicolas RUFF (lists)" <ruff.lists () edelweb fr>
Date: Mon, 24 May 2004 19:11:40 +0200

Has anyone been able to decrypt the hash password from
the cached login on NT or W2K?
Where is it located? In the registry? If so what's
the key....
I've been looking around; the only thing I can find is
how to disable this feature :(

Hi,

If you're talking about the CachedLogonsCount registry key, there was a thread 2 weeks ago on FOCUS-MS:

http://www.securityfocus.com/archive/88/362946/2004-05-21/2004-05-27/0

Basically, storage is either in LSA Secrets or the NL$ registry keys (depending on Windows version), and there is no publicly available tool to decrypt the hash. The stored value is a salted hash: NTLM(username + NTLM(password)). This is hard to crack by brute force if the password is > 6 chars.

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
-----------------------------------
