Penetration Testing mailing list archives
Re: Cached NT/W2k passwords
From: Kurt Grutzmacher <grutz () jingojango net>
Date: Sun, 23 May 2004 14:05:54 -0700
> You can get the password of the currently logged in user with Cain. It's the easiest method to dump all the passwords in the system, including the passwords in the protected storage component of Windows.
Correct, but not complete. Abel (the remote part of Cain) only pulls the SAM table (pwdump) and LSA secrets (lsadump). It also requires that Abel be installed and running, which can be a boundary issue in a tester/client relationship. I like its additional features but, IMHO, it's a bit more cumbersome to install. I'm not a big fan of losing control over installation (point-and-click).
If you're trying to keep things off of a client's machine that could be used by a separate party (like Abel) then you're better off doing something like this:
  net use z: \\server\c$ pw /u:administrator
  copy lsadump2.exe c:\
  copy dumplsa.dll c:\
  psexec \\server c:\lsadump2
  del z:\lsadump2.exe z:\dumplsa.dll
  pwdump3e server

Yeah, you've got the admin password and it may have been insanely easy to get -- but you're not installing a listening package like Abel that could be controlled by an outsider. The only thing left on the remote machine is PSEXECSVC.EXE which can be done away with rather easily.
I think the original poster (and many others like us :-) want to find the cached Windows logon passwords. It used to be in lsass memory but an upcoming patch is going to "fix" it. It's got to be stored somewhere since XP/2003 must be backwards compatible.
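From the defender's side, the one artifact the post above says the psexec step leaves behind is a service registration on the target. The following is an added example, not code from the thread or from any of the tools it names: it scans constructed records shaped like Windows System-log Event ID 7045 ("A service was installed in the system") and flags the PsExec service (the post writes it as PSEXECSVC.EXE; the service PsExec actually registers is PSEXESVC, so both spellings are matched) plus any service whose binary lives outside the Windows directory. The record layout, field names and the sample lines are constructed for this demo and are not a real event-log export format.

```python
"""Flag PsExec-style remote service installs in Windows System-log events.

Added example, not from the thread. Input records are constructed and
flattened to one line each:
    "<time> <event_id> Key=Value Key=Value ..."
Only Event ID 7045 (service installed) records are examined.
"""
import re
from dataclasses import dataclass

# Constructed sample events (not a real log export).
SAMPLE_EVENTS = [
    "2004-05-23T14:01:02 7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem",
    "2004-05-23T14:01:05 7045 ServiceName=svchelper ImagePath=C:\\svchelper.exe Account=LocalSystem",
    "2004-05-23T14:02:10 7045 ServiceName=Spooler ImagePath=C:\\WINDOWS\\system32\\spoolsv.exe Account=LocalSystem",
    "2004-05-23T14:03:00 7036 ServiceName=PSEXESVC State=stopped",
]

EVENT_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")

# Service name PsExec registers, plus the spelling used in the thread.
PSEXEC_NAMES = {"psexesvc", "psexecsvc"}
# Legitimate service binaries normally live under the Windows directory.
TRUSTED_DIRS = ("%systemroot%", "c:\\windows", "c:\\winnt")


@dataclass
class Finding:
    time: str
    service: str
    image: str
    reason: str


def parse_event(line):
    """Return (time, event_id, fields) or None for an unparsable line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return m.group(1), int(m.group(2)), fields


def classify(time, fields):
    """Apply the two detection rules to one 7045 record."""
    name = fields.get("ServiceName", "")
    image = fields.get("ImagePath", "")
    lowered = image.lower()
    if name.lower() in PSEXEC_NAMES or any(n in lowered for n in PSEXEC_NAMES):
        return Finding(time, name, image, "PsExec service installed (remote command execution)")
    if not lowered.startswith(TRUSTED_DIRS):
        return Finding(time, name, image, "service binary outside the Windows directory")
    return None


def find_suspicious_services(lines):
    """Return a list of Finding objects for suspicious 7045 records."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        time, event_id, fields = parsed
        if event_id != 7045:
            continue
        finding = classify(time, fields)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_suspicious_services(SAMPLE_EVENTS):
        print(f"{f.time} {f.service} ({f.image}): {f.reason}")
```

The service name alone is not a reliable indicator, since the name a remote-execution tool registers is under the operator's control; that is why the second rule keys on the image path instead. Pair this with review of administrative share (C$) connections from the same time window, which the post's first command also produces.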
Current thread:
- Cached NT/W2k passwords John Madden (May 21)
- Re: Cached NT/W2k passwords Kurt Grutzmacher (May 23)
- RE: Cached NT/W2k passwords P G (May 24)
- Re: Cached NT/W2k passwords Kurt Grutzmacher (May 24)
- Re: Cached NT/W2k passwords Pedro Jota Calvorota (May 25)
- RE: Cached NT/W2k passwords P G (May 24)
- Re: Cached NT/W2k passwords Nicolas RUFF (lists) (May 24)
- <Possible follow-ups>
- Re: Cached NT/W2k passwords TracingEmails (May 25)
- Re: Cached NT/W2k passwords Nicolas RUFF (lists) (May 25)
- Re: Cached NT/W2k passwords Kurt Grutzmacher (May 23)