Re: Cached NT/W2k passwords
From: Nicolas RUFF (lists) (ruff.lists_at_edelweb.fr)
Date: 05/25/04
- Maybe in reply to: John Madden: "Cached NT/W2k passwords"
Date: Tue, 25 May 2004 17:17:11 +0200
To: pen-test <pen-test@securityfocus.com>
> Has anyone been able to decrypt the hash password from
> the cached login on NT or W2K?
> Where is it located? In the registry? If so what's
> the key....
> I've been looking around the only thing I can find is
> how to disable this feature :(
Hi,
If you're talking about the CachedLogonsCount registry key, there was a thread 2 weeks ago on
FOCUS-MS:
http://www.securityfocus.com/archive/88/362946/2004-05-21/2004-05-27/0
Basically, storage is either in LSA Secrets or NL$ registry keys (depending on Windows version), and
there is no publicly available tool to decrypt the hash. The stored value is a salted hash:
NTLM(username + NTLM(password)). This is hard to crack by brute-force if password > 6 chars.
Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
-----------------------------------