PaulDotCom mailing list archives

Re: Differences between MSCacheV1 and MSCacheV2


From: "Liam Randall" <Liam.Randall () gigaco com>
Date: Thu, 18 Aug 2011 12:58:42 -0400

Adrian,

Tangentially related, but AD does have some settings to defend against this (on the workstation side... mobile not as well)

BTW- looking forward to meeting up with all you guys at Derbycon.

Liam Randall

<Wall_of_text>
---------------------------------------------------------------
Policy Name: Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Policy Path: Computer Configuration\Windows Settings\Local Policies\Security Options
Supported On: Windows XP SP2, Windows Server 2003 & higher
Registry Setting: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount 
Description: 
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
All previous users' logon information is cached locally so that, in the event that a domain controller is unavailable 
during subsequent logon attempts, they are able to log on. If a domain controller is unavailable and a user's logon 
information is cached, the user is prompted with a message that reads as follows:
Windows cannot connect to a server to confirm your logon settings. You have been logged on using previously stored 
account information. If you changed your account information since you last logged on to this computer, those changes 
will not be reflected in this session.
If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this 
message:
The system cannot log you on now because the domain <DOMAIN_NAME> is not available.
In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts.
Default: 10
---------------------------------------------------------------
Policy Name: Interactive logon: Require Domain Controller authentication to unlock workstation
Policy Path: Computer Configuration\Windows Settings\Local Policies\Security Options
Supported On: Windows XP SP2, Windows Server 2003 & higher
Registry Setting: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon
Description:

Interactive logon: Require Domain Controller authentication to unlock
Logon information must be provided to unlock a locked computer. For domain accounts, this security setting determines 
whether a domain controller must be contacted to unlock a computer. If this setting is disabled, a user can unlock the 
computer using cached credentials. If this setting is enabled, a domain controller must authenticate the domain account 
that is being used to unlock the computer.
Default: Disabled.
Important
This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager 
tools on these computers.
---------------------------------------------------------------
Policy Name: Network access: Do not allow storage of credentials or .NET Passports for network authentication
Policy Path: Computer Configuration\Windows Settings\Local Policies\Security Options
Supported On: Windows XP SP2, Windows Server 2003
Registry Setting: MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds
Description:

Network access: Do not allow storage of credentials or .NET Passports for network authentication
This security setting determines whether Stored User Names and Passwords saves passwords, credentials, or .NET 
Passports for later use when it gains domain authentication.
If it is enabled, this setting prevents the Stored User Names and Passwords from storing passwords and credentials.
Note: When configuring this security setting, changes will not take effect until you restart Windows.
For more information about Stored User Names and Passwords, see Stored User Names and Passwords.
Default: Disabled.
---------------------------------------------------------------
</Wall_of_text>



From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Adrian 
Crenshaw
Sent: Sunday, August 14, 2011 11:49 AM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Differences between MSCacheV1 and MSCacheV2

Hi all,
   Ok, I've been Googling this up and found no answer. My statements in this email may also be wrong, so double check. 

On Windows boxes in a domain, the last 10 passwords are saved (by default) as a hash on the local box in case 
communications to the domain go down. The user name is used as a salt in these hashes. 

Windows before Vista: uses MSCacheV1 (AKA Domain Cached Credentials)
Windows Vista/7/2008: use MSCacheV2 

Cain can now dump and crack both, but at 70 attempts per sec with Cain on a newer i7, it's kind of pointless. 
Hashcat/cudaHashCat seems to be able to crack MSCacheV1 much faster than Cain, but only seems to support MSCacheV1 as 
far as I can tell. Anyone know what the real differences in algorithm are between the two MSCache versions?

As a side note: What do you use for dumping these hashes? I've been using Cain, but would love to hear if there is 
something better.

Thanks,
Adrian
-- 
"The ability to quote is a serviceable substitute for wit." ~ W. Somerset Maugham
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

