From: miguel.dilaj@pharma.novartis.com
Date: Thu Dec 16 2004 - 04:39:17 EST
Hi!
Well... the facts first:
The logon credentials of the last 10 users that login into a particular
machine (that's true, you can see that the last 10 users that login into a
machine are able to login even when disconnected from the network, thanks
to the cached credentials) are cached somewhere in the local machine
(someone mentioned to me the LSA Secrets, but I'm not sure about this
location, can also be somewhere else in the protected section of the
registry. LSA itself is one of these protected sections. Please read on).
Take into account that the caching can be (and should be? ;-) disabled
with the following registry key:
HKLM\SOFTWARE\MICROSOFT\WINDOWS
NT\CURRENTVERSION\WINLOGON\CACHEDLOGONSCOUNT (change it to 1 to disable
the caching)
My guess is that this information is SYSKEYed or encrypted in some other
way.
Cain (http://www.oxid.it) has the ability to show the contents of the LSA Secrets, and you can
see, for example, all passwords for DUN there (under RASDialParams) and
the machine account, but you won't see any useful user cached logon
credentials, at least not in the clear.
lsadump2 (http://www.bindview.com/Support/RAZOR/Utilities/Windows/lsadump2_readme.cfm) produces exactly the same results as Cain.
If I suppose that they have really dumped anything, and I don't have any
reason to think otherwise, then the cached credentials are NOT in the LSA
Secrets.
On the other hand, there's a very suspicious location on the registry (I'm
accessing the registry as SYSTEM, I don't know if this location can be
accessed as administrator):
HKLM\Security\Cache
Guess what? There are 10 items there, NL$1 to NL$10 ;-)
Every one of them is a binary key, that doesn't look like plain-old hashes
or anything like that, but my guess is that this is the place to
investigate.
To have confirmation of the above, read: http://support.microsoft.com/default.aspx?scid=kb;en-us;199071
So far so good. Now to the bad news (extract from a post of Nicolas Ruff
in the full-disclosure list, http://seclists.org/lists/fulldisclosure/2003/Dec/0794.html):
"Cached logon are stored in some kind of "double hash" way (
LM(LM(password)) or NTLM(NTLM(password))
) - very difficult to break in a reasonable time, but still vulnerable to
dictionnary attacks.
However I do not know any publicly released tool able to retrieve and
crack cached logon (even if I
am working on it :-). "
So the point is that you can still modify an Open Source password cracking
tool like Lepton's Crack (I prefer this one because you simply have to
create a new module, and it will be heavily based on the LM and NTLM
modules already existing) to do the double operation mentioned above, and
check how to match the result with the information you obtained from the
registry...
The idea will be to hash a know plaintext (the password) to obtain the
BINARY hash (not the hex representation of it) and hash it again, you can
represent the result in hex.
Then you've to look for the hex string in the cached logons section.
Of course to do the test you'll use a know cached logon (get a snapshot of
your current cached credentials, create a new user with a know password,
logon as this user, and check what's new in the cached logon storage, this
will correspond to the know user+password).
For a manual test, doesn't sound too dificult.
IF IT WORKS (i.e., if you found the hex string corresponding to the
password), it will be better if someone creates a tool to dump only the
relevant bytes from HKLM\Security\Cache\NL$1 to NK$10 to a text file as
hex strings, then this file can be attacked with the modified password
cracker that does double hashing...
Perhaps it's not only the password that was double hashed, but also the
userID (remember that the items NL$1 to NL$10 don't show any plaintext, so
no userID, but it can also be that the userID is indicated by the numeric
ID, not the name...)
OK, who has time to test all the above? ;-)
Cheers,
Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG
PD: FYI, there's also pwdump4, it more or less combines pwdump2 and 3, and
also incorporates some extra functionality
(http://www.xfocus.net/tools/200309/549.html)
IndianZ <indianz@indianz.ch>
15/12/2004 20:41
To: pen-test@securityfocus.com
cc: (bcc: Miguel Dilaj/PH/Novartis)
Subject: Re: pwdump 2 & 3
Hi
Well it is possible, that logon-information is not cached locally (I mean,
only in memory) for security reasons. Seems like you have to get the SAM
(with all domain-users inside) from a domain-controller ;-)... Did you
check for other SAM-files in the local filesystem (%windir%\repair)?
GreetZ from IndianZ
mailto:indianz@indianz.ch
http://www.indianz.ch
On Wed, 15 Dec 2004 19:17:19 +0100
Guillaume Lavoix <glavoix@altadis.com> wrote:
> Hello,
>
> Does anyone knows if it is posible with pwdump to get the information
> About a logged on user.
>
> For instance, If I log on my computer, I use a domain logon, and when I
> execute pwdump I only see local user....
>
> Any idea ?
>
> Thanks for your help,
>
> Sincerely,
> Guillaume
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:11 EDT