RE: Cached NT/W2k passwords

From: P G (easternerd_at_gmx.net)
Date: 05/23/04

    To: <pen-test@securityfocus.com>
    Date: Sun, 23 May 2004 23:32:42 +0530

    You can get the password of the currently logged in user with Cain.
    It's the easiest method to dump all the passwords in the system,
    including the passwords in the protected storage component of Windows.

    Email Correspondence :
    easternerd@gmx.net
    easternerd@eml.cc
    Website :
    http://www.cryptography.tk
    http://www.securityrisk.org

    -----Original Message-----
    From: Kurt Grutzmacher [mailto:grutz@jingojango.net]
    Sent: Saturday, May 22, 2004 8:54 AM
    To: John Madden; pen-test@securityfocus.com
    Subject: Re: Cached NT/W2k passwords

    John Madden wrote:

    >Hi All,
    >
    >Has anyone been able to decrypt the hash password from
    >the cached login on NT or W2K ?
    >
    >Where is it located? In the registry? If so, what's
    >the key....
    >
    >I've been looking around the only thing I can find is
    >how to disable this feature :(
    >
    >
    For Windows XP and some 2K (I think SP4 fixed this particular issue),
    memory dump the lsass process and search for the hex string "76 78 01
    26". A little ways further down and voila, cleartext password for the
    currently logged in user. It's in unicode format, btw.

    I think the latest rumor is that XP SP2 is going to clear this issue up,
    so if anyone can find the hashes in the registry (a la lsadump for stored
    service passwords) then we'll be back in business after everyone starts
    patching.

    Need a tool to dump process memory? pmdump of course.
    http://ntsecurity.nu/toolbox/pmdump/

    Arne also has Pstoreview which may help you a little.
    http://www.ntsecurity.nu/toolbox/pstoreview/

