Re: Cached NT/W2k passwords
From: Pedro Jota Calvorota (calvorota_at_ya.com)
Date: 05/25/04
- Previous message: Nicolas RUFF (lists): "Re: Cached NT/W2k passwords"
- In reply to: Kurt Grutzmacher: "Re: Cached NT/W2k passwords"
- Next in thread: Nicolas RUFF (lists): "Re: Cached NT/W2k passwords"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 25 May 2004 12:45:33 +0200
To: "Kurt Grutzmacher" <grutz@jingojango.net>, "John Madden" <chiwawa999@yahoo.com>, pen-test@securityfocus.com
I have tried this particular trick, dumping memory on a Windows 2000 box
without SP4, and it definitely does not work... lsass generates a 16 MB txt file
that, opened with a hex viewer, does not contain the particular "76 78 01
26" string...
I've been googling but found nothing...
Any ideas?
> For Windows XP and some 2K (I think SP4 fixed this particular issue),
> memory dump the lsass process and search for the hex string "76 78 01
> 26". A little ways further down and voila, cleartext password for the
> currently logged in user. It's in unicode format, btw.
>
> I think the latest rumor is that XP SP2 is going to clear this issue up
> so if anyone can find the hashes in the registry (ala lsadump for stored
> services passwords) then we'll be back in business after everyone starts
> patching.
>
> Need a tool to dump process memory? pmdump of course.
> http://ntsecurity.nu/toolbox/pmdump/
>
> Arne also has Pstoreview which may help you a little.
> http://www.ntsecurity.nu/toolbox/pstoreview/
>
-- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/