Penetration Testing mailing list archives

Re: Cached NT/W2k passwords


From: "Nicolas RUFF (lists)" <ruff.lists () edelweb fr>
Date: Tue, 25 May 2004 17:17:11 +0200

Has anyone been able to decrypt the hash password from
the cached login on NT or W2K ?
Where is it located? In the registry? If so, what's
the key....
I've been looking around the only thing I can find is
how to disable this feature :(

        Hi,

If you're talking about the CachedLogonsCount registry key, there was a thread 2 weeks ago on
FOCUS-MS:

http://www.securityfocus.com/archive/88/362946/2004-05-21/2004-05-27/0

Basically, storage is either in LSA Secrets or NL$ registry keys (depending on Windows version), and
there is no publicly available tool to decrypt the hash. The stored value is a salted hash : NTLM(
username + NTLM(password)). This is hard to crack by brute-force if password > 6 chars.

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
-----------------------------------
