From: Arnaud Pilon (pilon@lab.b-care.net)
Date: Tue Jan 11 2005 - 12:19:02 EST
On Thu, 2004-12-16 at 10:39 +0100, miguel.dilaj@pharma.novartis.com
wrote:
> Hi!
>
> Well... the facts first:
> The logon credentials of the last 10 users that login into a particular
> machine (that's true, you can see that the last 10 users that login into a
> machine are able to login even when disconnected from the network, thanks
> to the cached credentials) are cached somewhere in the local machine
> (someone mentioned to me the LSA Secrets, but I'm not sure about this
> location, can also be somewhere else in the protected section of the
> registry. LSA itself is one of these protected sections. Please read on).
> Take into account that the caching can be (and should be? ;-) disabled
> with the following registry key:
> HKLM\SOFTWARE\MICROSOFT\WINDOWS
> NT\CURRENTVERSION\WINLOGON\CACHEDLOGONSCOUNT (change it to 1 to disable
> the caching)
Yes, administrator should change it to 1 to reduce the security impact
of cached password.
> On the other hand, there's a very suspicious location on the registry (I'm
> accessing the registry as SYSTEM, I don't know if this location can be
> accessed as administrator):
> HKLM\Security\Cache
> Guess what? There are 10 items there, NL$1 to NL$10 ;-)
> Every one of them is a binary key, that doesn't look like plain-old hashes
> or anything like that, but my guess is that this is the place to
> investigate.
> To have confirmation of the above, read
> http://support.microsoft.com/default.aspx?scid=kb;en-us;199071
>
> So far so good. Now to the bad news (extract from a post of Nicolas Ruff
> in the full-disclosure list,
> http://seclists.org/lists/fulldisclosure/2003/Dec/0794.html):
> "Cached logon are stored in some kind of "double hash" way (
> LM(LM(password)) or NTLM(NTLM(password))
> ) - very difficult to break in a reasonable time, but still vulnerable to
> dictionnary attacks.
> However I do not know any publicly released tool able to retrieve and
> crack cached logon (even if I
> am working on it :-). "
Yes, Nicolas told us more about the caching method designed by
Microsoft. So it's now time to disclose our open source tool, cachedump,
developed in our intrustion testing lab.
CacheDump, licensed under the GPL, demonstrates how to recover cache
entry information: username and hashed password. Sysadmins and security
consultants are welcomed to use this program; malicious users can't do
anything with it as long as they do not have Administrator privileges.
CacheDump does not rely on the dll-injection method used in pwdump or
lsadump2; it creates a NT service on the fly in order to read the static
LSA key from LSASS.EXE's process memory, and deciphers the cache entries
to expose the password hashes.
CacheDump's output is similar to pwdump's, with of course a different
hash function; a plugin for john the ripper password cracker has been
developed for offline dictionnary and bruteforce cracking.
This plugin for John the Ripper should work on all architectures
supported by the cracker. It will run on most unices. Under Microsoft
Windows, it will only work under Cygwin.
Links:
http://www.cr0.net:8040/misc/cachedump.html
http://www.cr0.net:8040/misc/patch-john.html
Arnaud Pilon
-- IT Security Consultant Thales Security Systems
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:12 EDT