Penetration Testing mailing list archives

RE: Cached NT/W2k passwords


From: "P G" <easternerd () gmx net>
Date: Sun, 23 May 2004 23:32:42 +0530

 

You can get the password of the currently logged in user with Cain.
It's the easiest method to dump all the passwords in the system,
including the passwords in the Protected Storage component of Windows.

Email Correspondence :
easternerd () gmx net
easternerd () eml cc
Website :
http://www.cryptography.tk
http://www.securityrisk.org


-----Original Message-----
From: Kurt Grutzmacher [mailto:grutz () jingojango net] 
Sent: Saturday, May 22, 2004 8:54 AM
To: John Madden; pen-test () securityfocus com
Subject: Re: Cached NT/W2k passwords

John Madden wrote:

Hi All,

Has anyone been able to decrypt the hash password from
the cached login on NT or W2K ?

Where is it located? In the registry? If so, what's
the key....

I've been looking around the only thing I can find is
how to disable this feature :(
 

For Windows XP and some 2K (I think SP4 fixed this particular issue),
memory dump the lsass process and search for the hex string "76 78 01
26". A little ways further down and voila, cleartext password for the
currently logged in user. It's in unicode format, btw.

I think the latest rumor is that XP SP2 is going to clear this issue up 
so if anyone can find the hashes in the registry (ala lsadump for stored 
services passwords) then we'll be back in business after everyone starts 
patching.

Need a tool to dump process memory? pmdump of course. 
http://ntsecurity.nu/toolbox/pmdump/

Arne also has Pstoreview which may help you a little. 
http://www.ntsecurity.nu/toolbox/pstoreview/




