Re: Cached NT/W2k passwords

From: Pedro Jota Calvorota (calvorota@ya.com)
Date: Tue May 25 2004 - 06:45:33 EDT


I have tried this particular trick dumping memory on a non-SP4 Windows
2000, and it definitely does not work ... lsass generates a 16 MB txt file
that, opened with a hex viewer, does not contain the particular "76 78 01
26" string...

I've been googling but found nothing...

Any ideas?

> For Windows XP and some 2K (I think SP4 fixed this particular issue),
> memory dump the lsass process and search for the hex string "76 78 01
> 26". A little ways further down and voila, cleartext password for
> currently logged in user. It's in unicode format, btw.
>
> I think the latest rumor is that XP SP2 is going to clear this issue up
> so if anyone can find the hashes in the registry (ala lsadump for stored
> services passwords) then we'll be back in business after everyone starts
> patching.
>
> Need a tool to dump process memory? pmdump of course.
> http://ntsecurity.nu/toolbox/pmdump/
>
> Arne also has Pstoreview which may help you a little.
> http://www.ntsecurity.nu/toolbox/pstoreview/
>

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:55 EDT