Penetration Testing mailing list archives

Re: pwdump 2 & 3


From: miguel.dilaj () pharma novartis com
Date: Thu, 6 Jan 2005 03:06:05 +0100

Hi Nicolas,

Good to see that you're around here! Happy New Year to you as well!
Your explanation is quite interesting, but I see a conflict with the 
information mentioned in:
"Windows Passwords: Everything You Need To Know"
http://202.181.238.2/hk/teched2004/ppt/Day_2_Rm402/WIN495(1500-1615).ppt

According to the above mentioned presentation, the information in the 
cache is:
MD5(NTLM(password)+userID+Domain)

Can you provide any feedback on that?
Thanks a lot!

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG

"Nicolas RUFF (listes)" <ruff.lists () edelweb fr>
05/01/2005 18:15

 
        To:     pen-test () securityfocus com
        cc:     Miguel Dilaj/PH/Novartis@PH, IndianZ <indianz () indianz ch>, 
pentest () oissg org, Jean-Baptiste.Marchand () hsc fr
        Subject:        Re: pwdump 2 & 3


Hello everybody!

Since I am quoted in this post, I feel compelled to clarify the 
situation and give away much of my knowledge for free ... (I guess it is 
the Christmas effect :-)

[snip]

Cached values are generated as follows:
- Cached LM hash   = MD4('LM hash' + Unicode lowercase username)
- Cached NTLM hash = MD4('NTLM hash' + Unicode lowercase username)

There are some noticeable differences between the Windows NT4 and Windows 
2000+ cache stores:

- Windows NT4: cached passwords are stored separately as LSA secrets. 
They are not encrypted. LM and NTLM values are generated.

- Windows 2000+: cached passwords are stored inside the 
'HKLM\Security\Cache\NL$' registry keys. Those keys are visible only by 
SYSTEM user, but as a local admin you can change permissions on those 
keys. They are RC4-encrypted with a mix of per-key secret and NL$KM LSA 
secret. Only NTLM values are generated.

Now you should be able to code your own tool, because I won't release 
anything about this one. In fact I suspect such tools have been hanging 
around since the release of Windows NT4, see the excellent 
http://www.toolcrypt.org/ site, and especially : 
http://www.toolcrypt.org/tools/cachebf/index.html.


Well it is possible that logon information is not cached locally (I 
mean, only in memory) for security reasons. Seems like you have to get 
the SAM (with all domain users inside) from a domain controller ;-)... 
Did you check for other SAM files in the local filesystem 
(%windir%\repair)?

There are 3 very different things here :

- Logged-in user information, such as password, cached plaintext in 
memory during the whole user session.

Hint : use PasswordReminder.
http://www.smidgeonsoft.prohosting.com/#PasswordReminder

- Last 10 domain logins cached in registry.

Hint : use LSADUMP2 + CACHEBF on Windows NT4, use your brain on Windows 
2000.

- Local user accounts, stored in SAM database.

Hint : use PWDUMP as a local admin.


Does anyone know if it is possible with pwdump to get the information
about a logged-on user?

For instance, if I log on to my computer I use a domain logon, and when I
execute pwdump I only see local users...

Well, unfortunately I suspect this is really a n00b question : if you 
run PWDUMP locally, you will only get local SAM accounts *even if you 
are logged in with a domain account*. To get domain accounts, you need 
to run PWDUMP3+ against a domain controller using a domain admin 
account. Otherwise if you are just interested in finding the currently 
logged-in user password, use the aforementioned PasswordReminder utility.


Happy new year !
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff (at) edelweb.fr
-----------------------------------
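
Worked example (added to this archive page; it is not code from Nicolas, Miguel, or any of the tools mentioned in the thread): the cached-NTLM derivation Nicolas gives, MD4('NTLM hash' + Unicode lowercase username), written out in Python, followed by the kind of dictionary check CACHEBF performs against such a value. MD4 is implemented inline because hashlib on OpenSSL 3 builds without the legacy provider no longer exposes it. The username, password and wordlist are constructed for the example. One caveat beyond the thread: this is the Windows 2000/XP/2003 format; Windows Vista and later additionally run this value through PBKDF2 before storing it, so the check below does not apply to those entries unchanged.

```python
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), so the example runs without OpenSSL's
    legacy provider. Little-endian words, three rounds of 16 steps."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit LE bit length.
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    round2_order = [(i % 4) * 4 + i // 4 for i in range(16)]
    round3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        # Each step updates one register; rotating (a,b,c,d) -> (d,a,b,c)
        # reproduces the ABCD/DABC/CDAB/BCDA schedule of the RFC.
        for i in range(16):
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + g(b, c, d) + x[round2_order[i]] + 0x5A827999) & MASK32,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + h(b, c, d) + x[round3_order[i]] + 0x6ED9EBA1) & MASK32,
                     (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTLM hash: MD4 over the UTF-16LE password. No salt, case-sensitive."""
    return md4(password.encode("utf-16-le"))


def cached_ntlm_hash(password: str, username: str) -> bytes:
    """Cached domain logon value as described in the message above:
    MD4('NTLM hash' + Unicode lowercase username). Note that the salt is
    the username alone; lowercasing makes it case-insensitive."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))


def crack_cached_hash(cached: bytes, username: str, wordlist):
    """Dictionary attack in the style of CACHEBF: recompute the cached value
    for every candidate and compare. Returns the password or None."""
    for candidate in wordlist:
        if cached_ntlm_hash(candidate, username) == cached:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: what an attacker would have after dumping one
    # NL$ entry and learning which user it belongs to.
    user, secret = "Administrator", "Winter2005"
    sample = cached_ntlm_hash(secret, user)
    print("NT hash  :", nt_hash(secret).hex())
    print("cached   :", sample.hex())
    words = ["password", "Winter2004", "Winter2005"]
    print("recovered:", crack_cached_hash(sample, "ADMINISTRATOR", words))
```

Because the username is the only salt, a cached value can be attacked one user at a time with an ordinary wordlist, which is what makes the "last 10 domain logins" entries worth dumping in the first place.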



