Penetration Testing mailing list archives
Re: pwdump 2 & 3
From: Arnaud Pilon <pilon () lab b-care net>
Date: Tue, 11 Jan 2005 18:19:02 +0100
On Thu, 2004-12-16 at 10:39 +0100, miguel.dilaj () pharma novartis com wrote:
Hi! Well... the facts first: The logon credentials of the last 10 users that login into a particular machine (that's true, you can see that the last 10 users that login into a machine are able to login even when disconnected from the network, thanks to the cached credentials) are cached somewhere in the local machine (someone mentioned to me the LSA Secrets, but I'm not sure about this location, can also be somewhere else in the protected section of the registry. LSA itself is one of these protected sections. Please read on). Take into account that the caching can be (and should be? ;-) disabled with the following registry key: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\CACHEDLOGONSCOUNT (change it to 1 to disable the caching)
Yes, administrator should change it to 1 to reduce the security impact of cached password.
On the other hand, there's a very suspicious location on the registry (I'm accessing the registry as SYSTEM, I don't know if this location can be accessed as administrator): HKLM\Security\Cache Guess what? There are 10 items there, NL$1 to NL$10 ;-) Every one of them is a binary key, that doesn't look like plain-old hashes or anything like that, but my guess is that this is the place to investigate. To have confirmation of the above, read http://support.microsoft.com/default.aspx?scid=kb;en-us;199071 So far so good. Now to the bad news (extract from a post of Nicolas Ruff in the full-disclosure list, http://seclists.org/lists/fulldisclosure/2003/Dec/0794.html): "Cached logon are stored in some kind of "double hash" way ( LM(LM(password)) or NTLM(NTLM(password)) ) - very difficult to break in a reasonable time, but still vulnerable to dictionnary attacks. However I do not know any publicly released tool able to retrieve and crack cached logon (even if I am working on it :-). "
Yes, Nicolas told us more about the caching method designed by Microsoft. So it's now time to disclose our open source tool, cachedump, developed in our intrustion testing lab. CacheDump, licensed under the GPL, demonstrates how to recover cache entry information: username and hashed password. Sysadmins and security consultants are welcomed to use this program; malicious users can't do anything with it as long as they do not have Administrator privileges. CacheDump does not rely on the dll-injection method used in pwdump or lsadump2; it creates a NT service on the fly in order to read the static LSA key from LSASS.EXE's process memory, and deciphers the cache entries to expose the password hashes. CacheDump's output is similar to pwdump's, with of course a different hash function; a plugin for john the ripper password cracker has been developed for offline dictionnary and bruteforce cracking. This plugin for John the Ripper should work on all architectures supported by the cracker. It will run on most unices. Under Microsoft Windows, it will only work under Cygwin. Links: http://www.cr0.net:8040/misc/cachedump.html http://www.cr0.net:8040/misc/patch-john.html Arnaud Pilon -- IT Security Consultant Thales Security Systems
Current thread:
- Re: pwdump 2 & 3 Geoffroy Raimbault (Jan 03)
- Re: pwdump 2 & 3 okrehel (Jan 03)
- <Possible follow-ups>
- Re: pwdump 2 & 3 Nicolas RUFF (listes) (Jan 05)
- Re: pwdump 2 & 3 miguel . dilaj (Jan 06)
- Re: pwdump 2 & 3 Nicolas RUFF (lists) (Jan 31)
- Re: pwdump 2 & 3 Arnaud Pilon (Jan 11)