Penetration Testing mailing list archives
RE: Lotus Notes .id file pw recover (Was Cached NT/W2k passwords)
From: "Cory Michal" <cmichal () exceedsecurity com>
Date: Thu, 10 Jun 2004 17:33:36 -0500
Try a program called DOMINO HASH BREAKER v1.0. It worked great for cracking hashes dumped from a Lotus Notes server's web server. Not sure if the ID files are the same. The hashes from the webserver look like this.

355E98E7C7B59BD810ED845AD0FD2FC4
06E0A50B579AD2CD5FFDC48564627EE7

Cory Michal, SSCP
Technical Operations Manager
cmichal () exceedsecurity com
920.203.2622
Exceed Security Systems LLC
www.exceedsecurity.com

-----Original Message-----
From: Romes, Randall J. [mailto:Rromes () larsonallen com]
Sent: Thursday, June 10, 2004 6:43 AM
To: pen-test () securityfocus com
Subject: Lotus Notes .id file pw recover (Was Cached NT/W2k passwords)

Anyone familiar with a means of recovering/cracking the password for Lotus Notes which resides in the .id file? Anyone know how the password is encrypted/hashed?

Thanks
Randy

-----Original Message-----
From: Nicolas RUFF (lists) [mailto:ruff.lists () edelweb fr]
Sent: Tuesday, May 25, 2004 10:17 AM
To: pen-test
Subject: Re: Cached NT/W2k passwords
Has anyone been able to decrypt the hash password from the cached login on NT or W2K? Where is it located? In the registry? If so what's the key.... I've been looking around the only thing I can find is how to disable this feature :(
Hi,

If you're talking about the CachedLogonsCount registry key, there has been a thread 2 weeks ago on FOCUS-MS:
http://www.securityfocus.com/archive/88/362946/2004-05-21/2004-05-27/0

Basically, storage is either in LSA Secrets or NL$ registry keys (depending on Windows version), and there is no publicly available tool to decrypt the hash.

The stored value is a salted hash: NTLM( username + NTLM(password)). This is hard to crack by brute-force if password > 6 chars.

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
-----------------------------------

--------------------------------------------------------
This message (including any attachments) may contain confidential client information. The information is intended only for the use of the individual or entity to whom it is addressed. If you are not the addressee or the employee or agent responsible to deliver this e-mail to its intended recipient, you are hereby notified that any review, use, dissemination, distribution, disclosure, copying or taking of any action in reliance on the contents of this information is strictly prohibited.