Re: [Full-Disclosure] Disabling Cached Logon Credentials
From: Nicolas RUFF (lists) (ruff.lists_at_edelweb.fr)
To: email@example.com Date: Wed, 31 Dec 2003 10:58:45 +0100
Cached credentials are stored in a "hidden" (default permissions for SYSTEM account only) registry
subkey : HKLM\SECURITY\Cache
Each NL$x (x ranging from 0 to CachedLogonsCount) value is a cached logon.
Cached logon are stored in some kind of "double hash" way ( LM(LM(password)) or NTLM(NTLM(password))
) - very difficult to break in a reasonable time, but still vulnerable to dictionnary attacks.
However I do not know any publicly released tool able to retrieve and crack cached logon (even if I
am working on it :-).
You can use LSADUMP to get them, or change manually the permissions on the key, or attach a shell to
a SYSTEM process, but you won't get any further in cracking the double hash.
However the good news is that :
- If you can get the credentials, it means you are SYSTEM on the box, so why do you bother ?
- If you have physical access to the computer, it is not yours anymore (check the immuable laws of
security). You have NTPASSWD, but also ERD Commander and plenty other tools to change local
passwords, recover EFS encrypted files, edit the local registry, install rogue screen savers, and so on.
I understand that if a domain admin logged in once onto the station, I might be tempting to retrieve
the cached password. But it might be quicker to try other ways :
- Local admin password is often the same inside the whole domain, so crack it locally and try to
connect the domain admin workstation
- If the domain admin logged in once, place a keylogger and make him log in twice
- If the roaming profile is still cached locally, you might find interesting things (check for
"passwords.xls" in "my documents").
- Nicolas RUFF
Mail : firstname.lastname@example.org
Full-Disclosure - We believe in it.