Re: Cached NT/W2k passwords

From: Nicolas RUFF (lists) (ruff.lists_at_edelweb.fr)
Date: 05/25/04

    Date: Tue, 25 May 2004 17:17:11 +0200
    To: pen-test <pen-test@securityfocus.com>
    
    

    > Has anyone been able to decrypt the hash password from
    > the cached login on NT or W2K?
    > Where is it located? In the registry? If so what's
    > the key....
    > I've been looking around the only thing I can find is
    > how to disable this feature :(

    Hi,

    If you're talking about the CachedLogonsCount registry key, there was a thread 2 weeks ago on
    FOCUS-MS:

    http://www.securityfocus.com/archive/88/362946/2004-05-21/2004-05-27/0

    Basically, storage is either in LSA Secrets or NL$ registry keys (depending on Windows version), and
    there is no publicly available tool to decrypt the hash. The stored value is a salted hash:
    NTLM(username + NTLM(password)). This is hard to crack by brute force if the password is > 6 chars.

    Regards,
    - Nicolas RUFF
    -----------------------------------
    Security Consultant
    EdelWeb (http://www.edelweb.fr/)
    -----------------------------------
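
A defender-side check for the setting named in the message above, as an added example that is not part of the original post: it reads CachedLogonsCount from the Winlogon key and compares it with a local policy ceiling. The function name `Get-CachedLogonAudit` and the `MaxAllowed` threshold are assumptions made for illustration.

```powershell
# Added example: audit how many domain logons this host is allowed to cache.
function Get-CachedLogonAudit {
    param(
        # Hypothetical policy ceiling chosen by the auditor; 0 means caching must be off.
        [int]$MaxAllowed = 0
    )

    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'CachedLogonsCount'

    # The value is a string (REG_SZ). When it is absent, Windows falls back to 10.
    $raw    = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $source = 'registry'
    if ($null -eq $raw) {
        $raw    = '10'
        $source = 'default (value not set)'
    }

    # Anything that is not an integer is reported rather than silently coerced.
    $count = 0
    if (-not [int]::TryParse([string]$raw, [ref]$count)) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Value    = $raw
            Source   = $source
            Status   = 'UNPARSEABLE'
        }
    }

    if ($count -eq 0) {
        $status = 'DISABLED'            # no logons are cached
    } elseif ($count -le $MaxAllowed) {
        $status = 'WITHIN_POLICY'
    } else {
        $status = 'EXCEEDS_POLICY'      # more cached logons than the ceiling allows
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $count
        Source   = $source
        Status   = $status
    }
}

# Example run with a ceiling of 2 cached logons (constructed policy value).
Get-CachedLogonAudit -MaxAllowed 2
```

Mobile machines that must log on while off the network usually need a non-zero value, so the ceiling is a per-role decision rather than a single number for the whole estate.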

