RE: Cached Domain Password on Notebook, secure?
From: Rowan.Smith@csiro.au Date: 02/24/02
From: Rowan.Smith@csiro.au To: focus-ms@securityfocus.com Date: Mon, 25 Feb 2002 09:42:56 +1100
My philosophy is that until someone actually releases a tool to crack the cached passwords then they are reasonably secure, as someone is going to have to go through a lot of effort to obtain the password, including writing the algorithm to crack it!
Does anyone know of any tools to brute force the "cached" passwords?
I have looked and have failed to find any tools to do this. I also wonder how computationally expensive the generation of the hash verifier is?
-Rowan
-----Original Message-----
From: Eric [mailto:ews@tellurian.net]
Sent: Wednesday, 20 February 2002 5:20 AM
To: Varga Daniel (QI/RZS4) *; 'focus-ms@securityfocus.com'
Subject: Re: Cached Domain Password on Notebook, secure?
It is not a 'cachedpassword' as the reg key name implies. It is an OWF
hash verifier of the password hash - it is not possible to reverse this
value to obtain either the LM or NTLM hashes, nor the clear-text password.
At 06:17 PM 2/18/2002 +0100, Varga Daniel (QI/RZS4) * wrote:
>Hi all,
>
>do you know, whether it is possible for an attacker to crack the cached
>credentials of a domain user on an offline notebook?
>
>I tried lsadump2 (http://razor.bindview.com/tools/desc/lsadump2_readme.html)
>but cannot judge whether this information is any useful for an attacker to
>get the cached password of a domain user. Does anyone of you?
>
>We plan to roll out EFS to secure our notebooks in case they get lost but as
>I see the security of EFS stands and falls with the security of the password
>of the user.
>
>Thanks,
>--
>Daniel