Re: [Full-Disclosure] Disabling Cached Logon Credentials

From: Nicolas RUFF (lists) (
Date: 12/31/03

  • Next message: Nick Duda: "[Full-Disclosure] RE: Disabling Cached Logon Credentials"
    Date: Wed, 31 Dec 2003 10:58:45 +0100


    Cached credentials are stored in a "hidden" (default permissions for SYSTEM account only) registry
    subkey : HKLM\SECURITY\Cache

    Each NL$x (x ranging from 0 to CachedLogonsCount) value is a cached logon.

    Cached logon are stored in some kind of "double hash" way ( LM(LM(password)) or NTLM(NTLM(password))
    ) - very difficult to break in a reasonable time, but still vulnerable to dictionnary attacks.
    However I do not know any publicly released tool able to retrieve and crack cached logon (even if I
    am working on it :-).

    You can use LSADUMP to get them, or change manually the permissions on the key, or attach a shell to
    a SYSTEM process, but you won't get any further in cracking the double hash.

    However the good news is that :
    - If you can get the credentials, it means you are SYSTEM on the box, so why do you bother ?
    - If you have physical access to the computer, it is not yours anymore (check the immuable laws of
    security). You have NTPASSWD, but also ERD Commander and plenty other tools to change local
    passwords, recover EFS encrypted files, edit the local registry, install rogue screen savers, and so on.

    I understand that if a domain admin logged in once onto the station, I might be tempting to retrieve
    the cached password. But it might be quicker to try other ways :
    - Local admin password is often the same inside the whole domain, so crack it locally and try to
    connect the domain admin workstation
    - If the domain admin logged in once, place a keylogger and make him log in twice
    - If the roaming profile is still cached locally, you might find interesting things (check for
    "passwords.xls" in "my documents").

    - Nicolas RUFF
    Security Consultant
    EdelWeb (
    Mail :

    Full-Disclosure - We believe in it.

  • Next message: Nick Duda: "[Full-Disclosure] RE: Disabling Cached Logon Credentials"