Re: Cached NT/W2k passwords

From: Kurt Grutzmacher (grutz@jingojango.net)
Date: Fri May 21 2004 - 23:24:05 EDT

Next message: P G: "RE: Cached NT/W2k passwords"
Previous message: Andrew A. Vladimirov: "Re: Bluetooth, IR and wireless input device testing. (U)"
In reply to: John Madden: "Cached NT/W2k passwords"
Next in thread: P G: "RE: Cached NT/W2k passwords"
Reply: P G: "RE: Cached NT/W2k passwords"
Reply: Pedro Jota Calvorota: "Re: Cached NT/W2k passwords"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

John Madden wrote:

>Hi All,
>
>Has anyone been able to decrypt the hash password from
>the cached login on NT or W2K ?
>
>We're is it located ? In the registry ? If so what's
>the key....
>
>I've been looking around the only thing I can find is
>how to disable this feature :(
>
>
For WindowsXP and some 2K (I think SP4 fixed this particular issue,
memory dump the lsass process and search for the hex string "76 78 01
26". A little ways further down and voila, cleartext password for
currently logged in user. It's in unicode format, btw.

I think the latest rumor is that XP SP2 is going to clear this issue up
so if anyone can find the hashes in the registry (ala lsadump for stored
services passwords) then we'll be back in business after everyone starts
patching.

Need a tool to dump process memory? pmdump of course.
http://ntsecurity.nu/toolbox/pmdump/

Arne also has Pstoreview which may help you a little.
http://www.ntsecurity.nu/toolbox/pstoreview/

Next message: P G: "RE: Cached NT/W2k passwords"
Previous message: Andrew A. Vladimirov: "Re: Bluetooth, IR and wireless input device testing. (U)"
In reply to: John Madden: "Cached NT/W2k passwords"
Next in thread: P G: "RE: Cached NT/W2k passwords"
Reply: P G: "RE: Cached NT/W2k passwords"
Reply: Pedro Jota Calvorota: "Re: Cached NT/W2k passwords"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:55 EDT