Retrieving passwords from LSA cached logon credentials

From: cyril.perrault@fr.pwcglobal.com
Date: 28 Dec 2001 18:19:05 -0000
To: focus-ms@securityfocus.com



Hi,

LSA secrets have already been widely debated:
http://www.securityfocus.com/cgi-bin/archive.pl?id=82&start=2001-12-25&end=2001-12-31&mid=154697&threads=1
http://www.securityfocus.com/cgi-bin/archive.pl?id=88&start=2001-12-25&end=2001-12-31&threads=1&tid=240634
...

But I haven't found a response anywhere to this
question: how to recover a password from the
cached hashes contained in the LSA?


*** Details ***
(SYSKEY not enabled on the lsadumped NT4 SP5
computer)

1/ The NL$2 user password is 'password' and
lsadump2 gives me:
NL$2
 06 13 CA 28 8A CA D1 52 11 CA 86 78 FA A0 A5 1F  ...(...R...x....
 F3 32 1C A2 4D 0F 76 65 90 00 B1 CF B9 F6 67 A4  .2..M.ve......g.
 01 01 CE ...

If I'm not wrong, the first hex line is the LanMan
hash and the second one the NTLM hash. So I
tried to import the following into LC3 (formerly
L0phtCrack):
test:7404:0613CA288ACAD15211CA8678FAA0A51F:F3321CA24D0F76659000B1CFB9F667A4:::
But I can't retrieve my password ('password')!

2/ Moreover, HKLM\Security\Policy\Secrets\NL$2\CurrVal
doesn't match the lsadumped value (60 bytes
against 35 bytes). How do you get from one value to
the other?

3/ And finally, do you know what $MACHINE.ACC is
(the machine account password according to
Microsoft q199071)?

*** End of details ***


Thanks in advance and happy new year!

Cyril Perrault