Penetration Testing mailing list archives

Re: pwdump 2 & 3


From: "Nicolas RUFF (listes)" <ruff.lists () edelweb fr>
Date: Wed, 05 Jan 2005 19:15:52 +0100

Hello everybody!

Since I am quoted in this post, I feel compelled to clarify the situation and give away much of my knowledge for free ... (I guess it is the Christmas effect :-)

> The logon credentials of the last 10 users that log in to a particular machine (that's true, you can see that the last 10 users that logged in to a machine are able to log in even when disconnected from the network, thanks to the cached credentials) are cached somewhere on the local machine (someone mentioned to me the LSA Secrets, but I'm not sure about this location; it can also be somewhere else in the protected section of the registry. LSA itself is one of these protected sections. Please read on). Take into account that the caching can be (and should be? ;-) disabled with the following registry key: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\CACHEDLOGONSCOUNT (change it to 1 to disable the caching). My guess is that this information is SYSKEYed or encrypted in some other way.
> ...
> So far so good. Now to the bad news (extract from a post of Nicolas
> Ruff in the full-disclosure list,
> http://seclists.org/lists/fulldisclosure/2003/Dec/0794.html):
> "Cached logon are stored in some kind of "double hash" way (
> LM(LM(password)) or NTLM(NTLM(password))
> ) - very difficult to break in a reasonable time, but still vulnerable
> to dictionary attacks.
> However I do not know any publicly released tool able to retrieve and
> crack cached logon (even if I
> am working on it :-). "
> ...
> OK, who has time to test all the above? ;-)

Cached values are generated as follows:
- Cached LM hash   = MD4('LM hash' + Unicode lowercase username)
- Cached NTLM hash = MD4('NTLM hash' + Unicode lowercase username)

There are some noticeable differences between Windows NT4 and Windows 2000+ cache store:

- Windows NT4: cached passwords are stored separately as LSA secrets. They are not encrypted. LM and NTLM values are generated.

- Windows 2000+: cached passwords are stored inside the 'HKLM\Security\Cache\NL$' registry keys. Those keys are visible only by SYSTEM user, but as a local admin you can change permissions on those keys. They are RC4-encrypted with a mix of per-key secret and NL$KM LSA secret. Only NTLM values are generated.

Now you should be able to code your own tool, because I won't release anything about this one. In fact I suspect such tools have been hanging around since the release of Windows NT4, see the excellent http://www.toolcrypt.org/ site, and especially : http://www.toolcrypt.org/tools/cachebf/index.html.


> Well, it is possible that logon information is not cached locally (I mean, only in memory) for security reasons. Seems like you have to get the SAM (with all domain users inside) from a domain controller ;-)... Did you check for other SAM files in the local filesystem (%windir%\repair)?

There are 3 very different things here :

- Logged-in user information, such as the password, cached in plaintext in memory during the whole user session.

Hint : use PasswordReminder.
http://www.smidgeonsoft.prohosting.com/#PasswordReminder

- Last 10 domain logins cached in registry.

Hint : use LSADUMP2 + CACHEBF on Windows NT4, use your brain on Windows 2000.

- Local user accounts, stored in SAM database.

Hint : use PWDUMP as a local admin.


> Does anyone know if it is possible with pwdump to get the information
> about a logged-on user.
>
> For instance, if I log on my computer, I use a domain logon, and when I
> execute pwdump I only see local users....

Well, unfortunately I suspect this is really a n00b question : if you run PWDUMP locally, you will only get local SAM accounts *even if you are logged in with a domain account*. To get domain accounts, you need to run PWDUMP3+ against a domain controller using a domain admin account. Otherwise if you are just interested in finding the currently logged-in user password, use the aforementioned PasswordReminder utility.


Happy new year !
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff (at) edelweb.fr
-----------------------------------

