Re: Cached NT/W2k passwords

["Pedro Jota Calvorota" <calvorota () ya com>]

I have tried this particular trick dumping memory in a no SP4 Windwos  
2000, and it definitly does not work ... lsass generates a 16 MB txt file  
that, opened with a HEXviewir does not contain the particular "76 78 01  
26" string...

Ive been googling but nothing found...

Any ideas?


> >
> For WindowsXP and some 2K (I think SP4 fixed this particular issue,  
> memory dump the lsass process and search for the hex string "76 78 01  
> 26". A little ways further down and voila, cleartext password for  
> currently logged in user. It's in unicode format, btw.
>
> I think the latest rumor is that XP SP2 is going to clear this issue up  
> so if anyone can find the hashes in the registry (ala lsadump for stored  
> services passwords) then we'll be back in business after everyone starts  
> patching.
>
> Need a tool to dump process memory? pmdump of course.  
> http://ntsecurity.nu/toolbox/pmdump/
>
> Arne also has Pstoreview which may help you a little.  
> http://www.ntsecurity.nu/toolbox/pstoreview/



--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/