Penetration Testing mailing list archives
Re: pwdump 2 & 3
From: miguel.dilaj () pharma novartis com
Date: Thu, 6 Jan 2005 03:06:05 +0100
Hi Nicolas,

Good to see that you're around here! Happy New Year to you as well!

Your explanation is quite interesting, but I see a conflict with the information mentioned in:

"Windows Passwords: Everything You Need To Know"
http://202.181.238.2/hk/teched2004/ppt/Day_2_Rm402/WIN495(1500-1615).ppt

According to the above-mentioned presentation, the information in the cache is:

MD5(NTLM(password)+userID+Domain)

Can you provide any feedback on that?

Thanks a lot!

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG

"Nicolas RUFF (listes)" <ruff.lists () edelweb fr>
05/01/2005 18:15
To: pen-test () securityfocus com
cc: Miguel Dilaj/PH/Novartis@PH, IndianZ <indianz () indianz ch>, pentest () oissg org, Jean-Baptiste.Marchand () hsc fr
Subject: Re: pwdump 2 & 3

Hello everybody !

Since I am quoted in this post, I feel compelled to clarify the situation and give away much of my knowledge for free ... (I guess it is Christmas effect :-)

[snip]

Cached values are generated as follows :
- Cached LM hash = MD4('LM hash' + Unicode lowercase username)
- Cached NTLM hash = MD4('NTLM hash' + Unicode lowercase username)

There are some noticeable differences between Windows NT4 and Windows 2000+ cache store:
- Windows NT4: cached passwords are stored separately as LSA secrets. They are not encrypted. LM and NTLM values are generated.
- Windows 2000+: cached passwords are stored inside the 'HKLM\Security\Cache\NL$' registry keys. Those keys are visible only by SYSTEM user, but as a local admin you can change permissions on those keys. They are RC4-encrypted with a mix of per-key secret and NL$KM LSA secret. Only NTLM values are generated.

Now you should be able to code your own tool, because I won't release anything about this one. In fact I suspect such tools have been hanging around since the release of Windows NT4, see the excellent http://www.toolcrypt.org/ site, and especially : http://www.toolcrypt.org/tools/cachebf/index.html.
Well, it is possible that logon information is not cached locally (I mean, only in memory) for security reasons. Seems like you have to get the SAM (with all domain users inside) from a domain controller ;-)... Did you check for other SAM files in the local filesystem (%windir%\repair)?
There are 3 very different things here :
- Logged-in user information, such as password, cached plaintext in memory during the whole user session. Hint : use PasswordReminder. http://www.smidgeonsoft.prohosting.com/#PasswordReminder
- Last 10 domain logins cached in registry. Hint : use LSADUMP2 + CACHEBF on Windows NT4, use your brain on Windows 2000.
- Local user accounts, stored in SAM database. Hint : use PWDUMP as a local admin.
Does anyone know if it is possible with pwdump to get the information about a logged-on user? For instance, if I log on to my computer, I use a domain logon, and when I execute pwdump I only see local users....
Well, unfortunately I suspect this is really a n00b question : if you run PWDUMP locally, you will only get local SAM accounts *even if you are logged in with a domain account*. To get domain accounts, you need to run PWDUMP3+ against a domain controller using a domain admin account. Otherwise if you are just interested in finding the currently logged-in user password, use the aforementioned PasswordReminder utility.

Happy new year !

- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff (at) edelweb.fr
-----------------------------------