Re: pwdump 2 & 3

From: miguel.dilaj@pharma.novartis.com
Date: Wed Jan 05 2005 - 21:06:05 EST


Hi Nicolas,

Good to see that you're around here! Happy New Year to you as well!
Your explanation is quite interesting, but I see a conflict with the
information mentioned in:
"Windows Passwords: Everything You Need To Know"
http://202.181.238.2/hk/teched2004/ppt/Day_2_Rm402/WIN495(1500-1615).ppt

According to the above mentioned presentation, the information in the
cache is:
MD5(NTLM(password)+userID+Domain)

Can you provide any feedback on that?
Thanks a lot!

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG

"Nicolas RUFF (listes)" <ruff.lists@edelweb.fr>
05/01/2005 18:15

To: pen-test@securityfocus.com
cc: Miguel Dilaj/PH/Novartis@PH, IndianZ <indianz@indianz.ch>,
pentest@oissg.org, Jean-Baptiste.Marchand@hsc.fr
Subject: Re: pwdump 2 & 3

Hello everybody !

Since I am quoted in this post, I feel compelled to clarify the
situation and give away much of my knowledge for free ... (I guess it is
Christmas effect :-)

[snip]

Cached values are generated as follows:
- Cached LM hash = MD4('LM hash' + Unicode lowercase username)
- Cached NTLM hash = MD4('NTLM hash' + Unicode lowercase username)

There are some noticeable differences between Windows NT4 and Windows
2000+ cache store:

- Windows NT4: cached passwords are stored separately as LSA secrets.
They are not encrypted. LM and NTLM values are generated.

- Windows 2000+: cached passwords are stored inside the
'HKLM\Security\Cache\NL$' registry keys. Those keys are visible only by
SYSTEM user, but as a local admin you can change permissions on those
keys. They are RC4-encrypted with a mix of per-key secret and NL$KM LSA
secret. Only NTLM values are generated.

Now you should be able to code your own tool, because I won't release
anything about this one. In fact I suspect such tools have been hanging
around since the release of Windows NT4, see the excellent
http://www.toolcrypt.org/ site, and especially :
http://www.toolcrypt.org/tools/cachebf/index.html.

> Well it is possible, that logon-information is not cached locally (I mean,
> only in memory) for security reasons. Seems like you have to get the SAM
> (with all domain-users inside) from a domain-controller ;-)... Did you
> check for other SAM-files in the local filesystem (%windir%\repair)?

There are 3 very different things here :

- Logged-in user information, such as password, cached plaintext in
memory during the whole user session.

Hint : use PasswordReminder.
http://www.smidgeonsoft.prohosting.com/#PasswordReminder

- Last 10 domain logins cached in registry.

Hint : use LSADUMP2 + CACHEBF on Windows NT4, use your brain on Windows
2000.

- Local user accounts, stored in SAM database.

Hint : use PWDUMP as a local admin.

>>Does anyone know if it is possible with pwdump to get the information
>>about a logged on user.
>>
>>For instance, if I log on my computer, I use a domain logon, and when I
>>execute pwdump I only see local user....

Well, unfortunately I suspect this is really a n00b question : if you
run PWDUMP locally, you will only get local SAM accounts *even if you
are logged in with a domain account*. To get domain accounts, you need
to run PWDUMP3+ against a domain controller using a domain admin
account. Otherwise if you are just interested in finding the currently
logged-in user password, use the aforementioned PasswordReminder utility.

Happy new year !
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff (at) edelweb.fr
-----------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:12 EDT