Re: Cached NT/W2k passwords

From: Nicolas RUFF (lists) (ruff.lists@edelweb.fr)
Date: Mon May 24 2004 - 13:11:40 EDT


> Has anyone been able to decrypt the hash password from
> the cached login on NT or W2K ?
> We're is it located ? In the registry ? If so what's
> the key....
> I've been looking around the only thing I can find is
> how to disable this feature :(

        Hi,

If you're talking about the CachedLogonsCount registry key, there has been a thread 2 weeks ago on
FOCUS-MS :

http://www.securityfocus.com/archive/88/362946/2004-05-21/2004-05-27/0

Basically, storage is either in LSA Secrets or NL$ registry keys (depending on Windows version), and
there is no publicly available tool to decrypt the hash. The stored value is a salted hash : NTLM(
username + NTLM(password)). This is hard to crack by brute-force if password > 6 chars.

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
-----------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:55 EDT