Vulnerability Development mailing list archives
cached logon credentials
From: David J Laumann <djl () MILLER CS UWM EDU>
Date: Fri, 5 Jan 2001 19:56:47 -0600
hi, i'm curious about nt's cached logon credentials. i've got a copy of a registry and in it are keys HKLM\Security\Cache\NL$1 thru \NL$10 which ms kb article q199071 indicates as being the cached logon credentials. is this data already in a format that can be run through a passwd cracker like l0pht? if not are there any ideas on how to convert it? a quick conversion to ascii shows what looks like account names. btw, i don't think syskey is installed as the key HKLM\System\CurrentControlSet\Control\Lsa\SecureBoot does not exist, nor do i think ntlmv2 is being used as the key HKLM\System\CurrentControlSet\control\LSA\LMCompatibilityLevel does not exist. i was also looking at another registry for an nt4 workstation sp6 that i have used cached credentials to logon with and i don't see the HKLM\Security\Cache key. where then are the cached logon credentials stored? thanks, dave
Current thread:
- cached logon credentials David J Laumann (Jan 05)
- <Possible follow-ups>
- Re: cached logon credentials despot (Jan 06)