RE: Threat vector of running a service using a domain account



I'm not sure...so I'm just speculating...but

All service account passwords are stored locally in the LSA secrets
store.

Cachedump only works locally against the cached passwords, left in
MEMORY to facilitate service authentications. You can't get to the
truly stored hashes on the disk because they are protected by a secure
mechanism, so you have to get them in the memory cache area. I'm
guessing that the real hash is stored securely. When the service starts
up and uses a Kerberos account, the pre-auth hash is sent, and in memory
briefly. But after the pre-auth handshake, what is kept in memory is the
Kerberos token, which is now used for all future auth. needs for the
next 10 hours or more.

I could be, and may be, wrong.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger_grimes@xxxxxxxxxxxxx or roger@xxxxxxxxxxxxxx
*Author of Windows Vista Security: Securing Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*****************************************************************


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Ramsdell, Scott
Sent: Friday, September 14, 2007 9:01 AM
To: Ali, Saqib; Jay
Cc: smanaois3@xxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Threat vector of running a service using a domain account

Saqib,

I believe you're right. Each time I've run cachedump for demonstration
I do not receive hashes for services logging in over the network, I only
receive hashes for interactive users.

Kind Regards,
Scott Ramsdell

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Ali, Saqib
Sent: Thursday, September 13, 2007 12:42 PM
To: Jay
Cc: smanaois3@xxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Threat vector of running a service using a domain account

If a server does cache these credentials then these can be attacked
independent of the AD and its underlying security controls.


If a service uses domain credential, do those credentials get cached?
I thought only interactive logon credentials are cached.

saqib
http://security-basics.blogspot.com/
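A defender-side check for the exposure this thread is debating, added here as an example and not part of any of the messages above: it lists the services on a host that log on with a domain account (the passwords Roger notes are kept in the host's LSA secrets) and reads the Winlogon CachedLogonsCount value that governs the interactive-logon cache Scott's cachedump runs pulled from. It assumes a domain-joined Windows host with PowerShell 3 or later; the Win32_Service fields and the registry path are standard Windows ones.

```powershell
# Added example, not code from the thread. Assumes a domain-joined Windows host
# and PowerShell 3+ (Get-CimInstance). Run as a local administrator to see all services.
#
# Two things a defender wants to know about the "service as domain account" vector:
#  1. Which services log on with a domain account. Their passwords are stored in the
#     host's LSA secrets, so whoever gains local admin on the box gets those accounts.
#  2. How many interactive domain logons Winlogon caches (the MSCache entries that
#     cachedump reads). Service logons do not create these entries; interactive ones do.

# Logon accounts that are NOT domain accounts and can be ignored here.
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

$domainServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -and
        ($builtin -notcontains $_.StartName) -and
        ($_.StartName -notlike 'NT AUTHORITY\*') -and        # other built-in identities
        ($_.StartName -notlike 'NT SERVICE\*') -and          # virtual service accounts
        ($_.StartName -notlike '.\*') -and                   # local machine accounts
        ($_.StartName -notlike "$env:COMPUTERNAME\*")        # local accounts, FQDN form
    } |
    Select-Object Name, StartName, State, StartMode

# Report only; the fix (a managed service account or a least-privilege account that is
# not a domain admin) is a design decision, not something to change silently.
if ($domainServices) {
    Write-Output "Services on $env:COMPUTERNAME running under domain accounts (password in LSA secrets):"
    $domainServices | Format-Table -AutoSize
} else {
    Write-Output "No services on $env:COMPUTERNAME run under a domain account."
}

# CachedLogonsCount lives under the Winlogon key as a string; the Windows default is 10.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # value absent means the default applies
Write-Output "CachedLogonsCount = $cached (interactive domain logons cached on this host)"
```

Run it across the servers in scope and you get a list of which domain accounts a local compromise of each host would expose, which is the question the thread is asking.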


