RE: Cached Domain Password on Notebook, secure?

From: Rowan.Smith@csiro.au
Date: 02/25/02


From: Rowan.Smith@csiro.au
To: fh@rcs.urz.tu-dresden.de, focus-ms@securityfocus.com, mail226518@pop.net
Date: Tue, 26 Feb 2002 09:16:15 +1100


Frank Heyne wrote...

>Did you never before hear about l0phtcrack or the linux boot disk to reset
>passwords?

Sure I have, but as far as I can tell l0phtcrack will not crack the "cached" hash verifiers stored in the registry key HKEY_LOCAL_MACHINE\Security\Cache\NL**.

I have tried feeding them into l0phtcrack to no avail. As _I_ understand it, these "cached passwords" are a hash of the NT Password Hash. So we get

        "Clear Text Password" -> "NT Hash" -> "Password Verifier Hash"

I have not been able to find a tool that brute-forces (or otherwise cracks) the cached passwords. Sure, all the algorithms, key parts, etc. are on the W2K machine, but no one seems to have reverse engineered the generation of the "Password Verifier Hash".

Please if someone can show me a way to do it I am listening.

Gino Genari wrote...

> What exactly are you trying to protect against?

I was specifically referring to the original subject "Cached Domain Password on Notebook, secure?"

I believe the cached domain passwords are reasonably secure when coupled with a good domain password policy, because it is apparently too computationally expensive to crack the cached "hash verifier". Additionally, I have not been able to find any tools to do this in the public domain; that is not to say they do not exist.

> If someone lost their notebook, resetting their password on the domain would make cracking their
> cached password useless.

Agreed; however, the notebook does not have to be lost or stolen. It could be "borrowed" for any number of legitimate reasons and the hash extracted without the owner's knowledge. For this reason I set the number of passwords to cache to one.

> I have never tried to use EFS to encrypt the entire disk, so can not give
> you any information on that, or if ERD could still reset the ADMIN password
> with that setup.

Sure, ERD can reset the Admin password, as can any number of tools reset any user's password, but if "syskey with password" is enabled then the EFS keys cannot be accessed without the syskey password. See my post with subject "Security of EFS (Was: cached Domain Password on Notebook, secure?)" for further info.

-Rowan