Re: pwdump 2 & 3

From: Nicolas RUFF (listes) (ruff.lists@edelweb.fr)
Date: Wed Jan 05 2005 - 13:15:52 EST


Hello everybody!

Since I am quoted in this post, I feel compelled to clarify the
situation and give away much of my knowledge for free ... (I guess it is
the Christmas effect :-)

> The logon credentials of the last 10 users that login into a particular
> machine (that's true, you can see that the last 10 users that login into a
> machine are able to login even when disconnected from the network, thanks
> to the cached credentials) are cached somewhere in the local machine
> (someone mentioned to me the LSA Secrets, but I'm not sure about this
> location, can also be somewhere else in the protected section of the
> registry. LSA itself is one of these protected sections. Please read on).
> Take into account that the caching can be (and should be? ;-) disabled
> with the following registry key:
> HKLM\SOFTWARE\MICROSOFT\WINDOWS
> NT\CURRENTVERSION\WINLOGON\CACHEDLOGONSCOUNT (change it to 1 to disable
> the caching)
> My guess is that this information is SYSKEYed or encrypted in some other
> way.
> ...
> So far so good. Now to the bad news (extract from a post of Nicolas
> Ruff in the full-disclosure list,
> http://seclists.org/lists/fulldisclosure/2003/Dec/0794.html):
> "Cached logons are stored in some kind of "double hash" way (
> LM(LM(password)) or NTLM(NTLM(password))
> ) - very difficult to break in a reasonable time, but still vulnerable
> to dictionary attacks.
> However I do not know any publicly released tool able to retrieve and
> crack cached logon (even if I
> am working on it :-). "
> ...
> OK, who has time to test all the above? ;-)

Cached values are generated as follows:
- Cached LM hash = MD4('LM hash' + Unicode lowercase username)
- Cached NTLM hash = MD4('NTLM hash' + Unicode lowercase username)

There are some noticeable differences between Windows NT4 and Windows
2000+ cache store:

- Windows NT4: cached passwords are stored separately as LSA secrets.
They are not encrypted. LM and NTLM values are generated.

- Windows 2000+: cached passwords are stored inside the
'HKLM\Security\Cache\NL$' registry keys. Those keys are visible only by
SYSTEM user, but as a local admin you can change permissions on those
keys. They are RC4-encrypted with a mix of per-key secret and NL$KM LSA
secret. Only NTLM values are generated.

Now you should be able to code your own tool, because I won't release
anything about this one. In fact I suspect such tools have been hanging
around since the release of Windows NT4, see the excellent
http://www.toolcrypt.org/ site, and especially :
http://www.toolcrypt.org/tools/cachebf/index.html.

> Well it is possible, that logon-information is not cached locally (I mean,
> only in memory) for security reasons. Seems like you have to get the SAM
> (with all domain-users inside) from a domain-controller ;-)... Did you
> check for other SAM-files in the local filesystem (%windir%\repair)?

There are 3 very different things here :

- Logged-in user information, such as password, cached plaintext in
memory during the whole user session.

Hint: use PasswordReminder.
http://www.smidgeonsoft.prohosting.com/#PasswordReminder

- Last 10 domain logins cached in registry.

Hint: use LSADUMP2 + CACHEBF on Windows NT4, use your brain on Windows
2000.

- Local user accounts, stored in SAM database.

Hint: use PWDUMP as a local admin.

>>Does anyone know if it is possible with pwdump to get the information
>>about a logged on user.
>>
>>For instance, if I log on my computer, I use a domain logon, and when I
>>execute pwdump I only see local users....

Well, unfortunately I suspect this is really a n00b question : if you
run PWDUMP locally, you will only get local SAM accounts *even if you
are logged in with a domain account*. To get domain accounts, you need
to run PWDUMP3+ against a domain controller using a domain admin
account. Otherwise if you are just interested in finding the currently
logged-in user password, use the aforementioned PasswordReminder utility.

Happy new year !
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff (at) edelweb.fr
-----------------------------------
