Vulnerability Development mailing list archives

Re: cached logon credentials


From: despot <despot () CROSSWINDS NET>
Date: Sat, 6 Jan 2001 13:57:16 -0800

Hmmm...

> I'm curious about NT's cached logon credentials. I've got a copy
> of a registry and in it are keys HKLM\Security\Cache\NL$1 through
> NL$10, which MS KB article Q199071 indicates as being the
> cached logon credentials. Is this data already in a format that
> can be run through a passwd cracker like l0pht? If not, are
> there any ideas on how to convert it? A quick conversion to
> ASCII shows what looks like account names.

HKLM\SECURITY\Policy\Secrets

There are many credentials cached here: password hashes of the last 10 users to log in to the
machine (for your cracking pleasure), plaintext computer account, service account, etc.
passwords (keep on converting). lsadump (lsadump2) is a nice tool that dumps Local Security
Authority secrets info from the reg.

> I was also looking at another registry for an NT4 workstation
> SP6 that I have used cached credentials to log on with and I
> don't see the HKLM\Security\Cache key. Where then are the cached
> logon credentials stored?

Should still be there...

HKLM\SECURITY\Policy\Secrets

SP6 and a post-SP5 hotfix added syskey encryption to secrets. If you have Admin access to the
machine that reg belongs to (simple given physical access), run lsadump2. It pulls out
interesting LSA info and bypasses any syskey encryption. This tool (along with many other tools
and interesting papers) can be found at razor.bindview.com.

-Andrew
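As an added example (not code from this thread, nor from lsadump2), a PowerShell audit from the defender's side: it reads the Winlogon value that caps how many domain logons a host caches and reports which NL$ slots currently hold an entry, without dumping their contents. It assumes a current Windows host, that HKLM\SECURITY is readable only from a SYSTEM context, and that unused NL$ slots are zero-filled.

```powershell
# Added example, not from the thread. Assumes a current Windows host; the key
# and value names below are the ones Windows still uses for this cache.
# Defender view: how many logons does this box cache, and how many slots are
# already populated? Lowering CachedLogonsCount (0 on hosts that never need
# offline logon) is the mitigation for the exposure discussed above.

function Get-CachedLogonPolicy {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    # The value is a REG_SZ; when it is absent Windows falls back to its
    # default of 10 (assumption stated in the lead-in).
    if ($null -eq $p) { return 10 }
    return [int]$p.CachedLogonsCount
}

function Get-PopulatedCacheSlots {
    # HKLM\SECURITY is ACL'd to SYSTEM by default, so run this part from a
    # SYSTEM context (scheduled task, psexec -s), not from a plain admin shell.
    $cache = 'HKLM:\SECURITY\Cache'
    if (-not (Test-Path $cache)) { return @() }
    $populated = @()
    foreach ($i in 1..10) {
        $name = "NL`$$i"                      # NL$1 .. NL$10
        $blob = (Get-ItemProperty -Path $cache -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $blob) { continue }
        # Unused slots are zero-filled (assumption); any non-zero byte means
        # the slot holds a cached entry. Contents are deliberately not decoded.
        if (@($blob | Where-Object { $_ -ne 0 }).Count -gt 0) { $populated += $name }
    }
    return $populated
}

$limit = Get-CachedLogonPolicy
$slots = Get-PopulatedCacheSlots
"CachedLogonsCount policy : $limit"
"Populated NL`$ slots      : $($slots -join ', ')"
if ($limit -gt 0) {
    "Mitigation: lower this via GPO 'Interactive logon: Number of previous logons to cache'"
}
```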

