Re: [Full-Disclosure] Disabling Cached Logon Credentials

From: Nicolas RUFF (lists) (ruff.lists_at_edelweb.fr)
Date: 12/31/03

  • Next message: Nick Duda: "[Full-Disclosure] RE: Disabling Cached Logon Credentials"

To: dwr3ck@hushmail.com
Date: Wed, 31 Dec 2003 10:58:45 +0100

Hi,

Cached credentials are stored in a "hidden" (default permissions for the SYSTEM account only) registry
subkey: HKLM\SECURITY\Cache

Each NL$x (x ranging from 0 to CachedLogonsCount) value is a cached logon.

Cached logons are stored in some kind of "double hash" way (LM(LM(password)) or NTLM(NTLM(password)))
- very difficult to break in a reasonable time, but still vulnerable to dictionary attacks.
However, I do not know of any publicly released tool able to retrieve and crack cached logons (even if I
am working on it :-).

You can use LSADUMP to get them, or manually change the permissions on the key, or attach a shell to
a SYSTEM process, but you won't get any further in cracking the double hash.

However, the good news is that:
- If you can get the credentials, it means you are SYSTEM on the box, so why do you bother?
- If you have physical access to the computer, it is not yours anymore (check the immutable laws of
security). You have NTPASSWD, but also ERD Commander and plenty of other tools to change local
passwords, recover EFS encrypted files, edit the local registry, install rogue screen savers, and so on.

I understand that if a domain admin logged in once on the station, it might be tempting to retrieve
the cached password. But it might be quicker to try other ways:
- The local admin password is often the same inside the whole domain, so crack it locally and try to
connect to the domain admin's workstation
- If the domain admin logged in once, place a keylogger and make him log in twice
- If the roaming profile is still cached locally, you might find interesting things (check for
"passwords.xls" in "my documents").

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff@edelweb.fr
-----------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
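The post refers to CachedLogonsCount as the number of NL$x entries Winlogon keeps under HKLM\SECURITY\Cache. For an administrator who wants to audit or reduce that setting on a workstation (the thread's subject), the following is an added example, not code from the original post or from the list; it assumes Windows PowerShell run from an elevated prompt, and the Winlogon key path and the 0-50 range are the documented location and limits of the CachedLogonsCount value rather than anything the post states.

```powershell
# Added example (not from the original post): audit and optionally lower the
# CachedLogonsCount value that controls how many NL$x cached logons Winlogon
# retains under HKLM\SECURITY\Cache. Assumes an elevated Windows PowerShell session.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Returns the effective setting. Windows uses 10 when the value is absent.
    $item = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    # The value is stored as a REG_SZ string; cast it for numeric comparison.
    return [int]$item.CachedLogonsCount
}

function Test-CachedLogonsPolicy {
    # Compares the effective setting against the maximum your policy allows.
    param([ValidateRange(0, 50)][int]$MaxAllowed = 0)
    $current = Get-CachedLogonsCount
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Current    = $current
        MaxAllowed = $MaxAllowed
        Compliant  = ($current -le $MaxAllowed)
    }
}

function Set-CachedLogonsCount {
    # Writes the value as REG_SZ, the type Winlogon expects. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 50)][int]$Count)
    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set CachedLogonsCount to $Count")) {
        Set-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -Value "$Count" -Type String
    }
}

# Report only; pass a value to Set-CachedLogonsCount to change it, e.g.
#   Set-CachedLogonsCount -Count 0 -WhatIf
Test-CachedLogonsPolicy -MaxAllowed 0 | Format-List
```

Setting the count to 0 removes the cached entries the post describes, but a machine configured that way can only complete a domain logon while a domain controller is reachable, so on laptops the usual compromise is a small non-zero value together with full-disk encryption and a strong password policy, since the cached form remains exposed to the dictionary attacks mentioned above.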
