Full Disclosure mailing list archives
Re: Disabling Cached Logon Credentials
From: "Nicolas RUFF (lists)" <ruff.lists () edelweb fr>
Date: Wed, 31 Dec 2003 10:58:45 +0100
Hi,Cached credentials are stored in a "hidden" (default permissions for SYSTEM account only) registry subkey : HKLM\SECURITY\Cache
Each NL$x (x ranging from 0 to CachedLogonsCount) value is a cached logon.Cached logon are stored in some kind of "double hash" way ( LM(LM(password)) or NTLM(NTLM(password)) ) - very difficult to break in a reasonable time, but still vulnerable to dictionnary attacks. However I do not know any publicly released tool able to retrieve and crack cached logon (even if I am working on it :-).
You can use LSADUMP to get them, or change manually the permissions on the key, or attach a shell to a SYSTEM process, but you won't get any further in cracking the double hash.
However the good news is that : - If you can get the credentials, it means you are SYSTEM on the box, so why do you bother ?- If you have physical access to the computer, it is not yours anymore (check the immuable laws of security). You have NTPASSWD, but also ERD Commander and plenty other tools to change local passwords, recover EFS encrypted files, edit the local registry, install rogue screen savers, and so on.
I understand that if a domain admin logged in once onto the station, I might be tempting to retrieve the cached password. But it might be quicker to try other ways : - Local admin password is often the same inside the whole domain, so crack it locally and try to connect the domain admin workstation
- If the domain admin logged in once, place a keylogger and make him log in twice- If the roaming profile is still cached locally, you might find interesting things (check for "passwords.xls" in "my documents").
Regards, - Nicolas RUFF ----------------------------------- Security Consultant EdelWeb (http://www.edelweb.fr/) Mail : nicolas.ruff () edelweb fr ----------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Disabling Cached Logon Credentials dwr3ck (Dec 30)
- Re: Disabling Cached Logon Credentials Nicolas RUFF (lists) (Dec 31)
- <Possible follow-ups>
- RE: Disabling Cached Logon Credentials Nick Duda (Dec 30)
- RE: Disabling Cached Logon Credentials dwr3ck (Dec 31)
- RE: Disabling Cached Logon Credentials Nick Duda (Dec 31)