Message-ID: <3FF29DD5.6080805@edelweb.fr>
From: ruff.lists at edelweb.fr (Nicolas RUFF (lists))
Subject: Disabling Cached Logon Credentials

Hi,

Cached credentials are stored in a "hidden" (default permissions for the SYSTEM account only) registry 
subkey: HKLM\SECURITY\Cache

Each NL$x (x ranging from 0 to CachedLogonsCount) value is a cached logon.

Cached logons are stored in some kind of "double hash" way (LM(LM(password)) or NTLM(NTLM(password))) 
- very difficult to break in a reasonable time, but still vulnerable to dictionary attacks. 
However, I do not know of any publicly released tool able to retrieve and crack cached logons (even if I 
am working on it :-).

You can use LSADUMP to get them, or manually change the permissions on the key, or attach a shell to 
a SYSTEM process, but you won't get any further in cracking the double hash.

However, the good news is that:
- If you can get the credentials, it means you are SYSTEM on the box, so why do you bother?
- If you have physical access to the computer, it is not yours anymore (check the immutable laws of 
security). You have NTPASSWD, but also ERD Commander and plenty of other tools to change local 
passwords, recover EFS encrypted files, edit the local registry, install rogue screen savers, and so on.

I understand that if a domain admin logged in once onto the station, it might be tempting to retrieve 
the cached password. But it might be quicker to try other ways:
- The local admin password is often the same inside the whole domain, so crack it locally and try to 
connect to the domain admin workstation
- If the domain admin logged in once, place a keylogger and make him log in twice
- If the roaming profile is still cached locally, you might find interesting things (check for 
"passwords.xls" in "my documents").

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff@...lweb.fr
-----------------------------------


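As an added example, not part of Nicolas Ruff's post or any tool he mentions: a PowerShell script a defender can run to audit how many domain logons a host will keep as NL$x entries, and optionally lower that number. It assumes the setting is the REG_SZ value CachedLogonsCount under the Winlogon key shown (the post names the value but not this key), with the built-in default of 10 when the value is absent, and that 0 disables caching.

```powershell
<#
Added example, not from the original post. Audits how many domain logons a
Windows host will cache and, with -Remediate, lowers that number.
Assumption: the setting is the REG_SZ value CachedLogonsCount under the
Winlogon key below (default "10"); 0 disables credential caching.
#>
param(
    [int]$DesiredCount = 0,   # 0 = no cached logons; laptops usually need a small non-zero value
    [switch]$Remediate
)

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Returns the effective count; a missing value means the built-in default of 10.
    $prop = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 10 }
    return [int]$prop.CachedLogonsCount
}

function Set-CachedLogonsCount {
    param([int]$Count)
    # The value is REG_SZ, so it must be written as a string.
    Set-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -Value ([string]$Count)
}

$current = Get-CachedLogonsCount
Write-Output ('{0}: CachedLogonsCount = {1}' -f $env:COMPUTERNAME, $current)

if ($current -le $DesiredCount) {
    Write-Output 'Compliant: host caches no more logons than desired.'
    return
}

# Each cached logon is one NL$x value under HKLM\SECURITY\Cache (SYSTEM-only by default).
Write-Warning ('Host may hold up to {0} cached domain logons under HKLM\SECURITY\Cache.' -f $current)

if ($Remediate) {
    Set-CachedLogonsCount -Count $DesiredCount
    Write-Output ('CachedLogonsCount set to {0}; applies to subsequent logons. With 0, domain users cannot log on while no domain controller is reachable.' -f $DesiredCount)
} else {
    Write-Output 'Re-run with -Remediate to change the value (requires administrative rights).'
}
```

Run it from an elevated prompt, e.g. `.\Audit-CachedLogons.ps1 -DesiredCount 0 -Remediate` on domain-joined desktops that are always on the corporate network; for laptops pick a small non-zero count instead, since a value of 0 means no domain logon is possible when a domain controller cannot be reached. In a managed environment the same setting is normally enforced through the Group Policy option "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" rather than by editing the registry on each host.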