
| Subject: | [REVS] Recovering Windows Password Cache Entries |
|---|---|
| Date: | 29 Mar 2005 19:31:55 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Recovering Windows Password Cache Entries
------------------------------------------------------------------------

SUMMARY

Domain users normally authenticate against a Domain Controller (DC), for example with NTLM/NTLMv2. When the DC is unreachable (it is down, or the network cable is unplugged), the Local Security Authority Subsystem Service (LSASS) falls back to password cache entries stored in the registry to perform an offline logon. This whitepaper explains the technical details of these cache entries, which Microsoft does not document. It aims at:

* Helping pentesters and security staff retrieve the cache entries (hash values) for auditing purposes;
* Giving programs that need these entries a way to read them without going through the LSA API.

DETAILS

Description of the authentication process

The WINLOGON process displays the MSGINA dialog and prompts for the username, password and domain. Authentication itself is handled by LSASS:

  WinLogon ---> LSASS ---> LSASRV ---> MSV1_0 ---> [Registry cache entries]
     ||
   MSGina

The important part happens in MSV1_0.dll. LSASS calls its LsaApLogonUserEx2 function, which first checks whether the DC is unavailable; if it is, the password entered by the user is matched against the cached entry. The cache entries do not contain the credentials in the clear: an LSA key is needed to decrypt them. They are stored in HKLM\SECURITY\CACHE\NL$n, with n ranging from 1 to 10. The default ACL does not let Administrators read these registry values; only SYSTEM can access them.

Layout of a cache entry

The size of an entry varies, but it is roughly composed of four parts:

  NL$n = [ MD: metadata in the clear ][ CH ][  T  ][ EDATA: encrypted data ]
                  64 bytes             16 B   16 B        > 100 bytes

* MD holds information about the entry structure, such as the username size in its first 2 bytes.
* CH is an array of 16 random(?) bytes used to derive an RC4 key.
* EDATA holds the encrypted credentials: username (Unicode), domain name (Unicode), NT hash and, optionally, LM hash. It can be decrypted with the decrypted LSA secret NL$KM, which is specific to each computer.

EDATA is decrypted in these steps:

0. LSA keyB = DES( NL$KM, static in-memory LSA keyA )
1. RC4 keyC = HMAC_MD5( LSA keyB, CH )
2. DATA = RC4( EDATA, RC4 keyC )

DATA contains the following (offsets relative to the start of the entry):

* [ 96, 112 ) : MSCASH = MD4( MD4(password) || lowercase(username) ), 16 bytes
* [ 168, 168 + username_length * 2 ) : username
* [ 168 + username_length * 2 + 2, ... ) : domain name

Both MD4 inputs are Unicode (UTF-16LE): the inner MD4 is the NT hash of the password, and the outer hash is salted with the lowercased Unicode username, so two accounts with the same password do not share an MSCASH value.

The CacheDump tool

CacheDump, licensed under the GPL, demonstrates how to recover the cache entry information: username and MSCASH. Administrators and security consultants are welcome to use it; a malicious user cannot do anything with it without Administrator privileges. CacheDump does not rely on the DLL-injection method used by pwdump or lsadump2: it creates an NT service on the fly to read the static LSA key from the memory of LSASS.EXE, then deciphers the cache entries to expose the MSCASH values. Its output is similar to pwdump's, with of course a different hash function; a plugin for the John the Ripper password cracker has been developed for offline dictionary and brute-force cracking.

These flags are helpful for troubleshooting:

  -v  : Verbose mode;
  -vv : Very verbose mode, displays every step of the dump process;
  -K  : Kill and remove the service, in case a previous run of CacheDump died unexpectedly.

Bug reports are welcome. CacheDump is still in development, so please report any bug you encounter, including your Windows version, service pack level, language, and the output of "cachedump -vv".

Prevention

To prevent a malicious user from recovering cached passwords, we recommend to:

* Revoke local administrator privileges from all users;
* Reduce the number of cached passwords by setting the following registry value to 1:
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\CACHEDLOGONSCOUNT
  (a value of 0 disables caching altogether, at the cost of no logon at all while the DC is unreachable).

ADDITIONAL INFORMATION

The information has been provided by Thales Security Systems (TSS).

The original article can be found at: http://www.cr0.net:8040/misc/cachedump.html

To keep updated with the tool visit the project's homepage at: http://www.cr0.net:8040/misc/cachedump-1.1.zip
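The entry layout, the HMAC-MD5/RC4 decryption steps and the MSCASH formula above can all be exercised offline. The script below is an added example, not part of the SecuriTeam advisory or of CacheDump: it implements MD4 and RC4 inline (so no OpenSSL legacy algorithm is needed), computes MSCASH, builds a constructed NL$n entry in the layout the advisory describes, decrypts it again and checks a candidate password against the recovered hash, which is the per-guess operation a cracker plugin repeats. Step 0 (pulling NL$KM out of LSASS memory) is not modelled; the NL$KM bytes, the CH bytes, the user/domain/password and the assumption that the size fields hold UTF-16LE byte lengths are all constructed for the example.

```python
"""Added example (not from the advisory or CacheDump): NL$n layout, HMAC-MD5 -> RC4
decryption and the MSCASH hash, with MD4/RC4 implemented inline. NL$KM and the entry
are constructed test data; step 0 (recovering NL$KM from LSASS) is not modelled."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
HASH_OFF, USERNAME_OFF = 96, 168  # offsets from the advisory, relative to the entry start


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; the NT hash is MD4 of the UTF-16LE password."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def mscash(password: str, username: str) -> bytes:
    """MSCASH = MD4( NT-hash(password) || lowercase(username) ), both parts UTF-16LE."""
    nt_hash = md4(password.encode("utf-16le"))
    return md4(nt_hash + username.lower().encode("utf-16le"))


def build_entry(nlkm: bytes, ch: bytes, username: str, domain: str, password: str) -> bytes:
    """Constructed NL$n entry in the advisory's layout (test data, not a real dump).
    Assumption: the size fields hold UTF-16LE byte lengths, UNICODE_STRING style."""
    uname, dom = username.encode("utf-16le"), domain.encode("utf-16le")
    md = struct.pack("<HH", len(uname), len(dom)).ljust(64, b"\x00")  # rest of MD zeroed
    t = bytes(16)                                                     # second 16-byte field
    plain = mscash(password, username).ljust(USERNAME_OFF - HASH_OFF, b"\x00")
    plain += uname + b"\x00\x00" + dom                                # username, 2-byte gap, domain
    rc4_key = hmac.new(nlkm, ch, hashlib.md5).digest()                # step 1 of the advisory
    return md + ch + t + rc4(rc4_key, plain)                          # step 2 (RC4 is symmetric)


def decrypt_entry(nlkm: bytes, entry: bytes) -> dict:
    """Steps 1-2: RC4 key = HMAC-MD5(NL$KM, CH), DATA = RC4(EDATA), then read the fields
    at the offsets the advisory gives (relative to the start of the entry)."""
    uname_len, dom_len = struct.unpack_from("<HH", entry, 0)
    ch, edata = entry[64:80], entry[96:]
    data = entry[:96] + rc4(hmac.new(nlkm, ch, hashlib.md5).digest(), edata)
    dom_off = USERNAME_OFF + uname_len + 2
    return {
        "mscash": data[HASH_OFF:HASH_OFF + 16],
        "username": data[USERNAME_OFF:USERNAME_OFF + uname_len].decode("utf-16le"),
        "domain": data[dom_off:dom_off + dom_len].decode("utf-16le"),
    }


def check_candidate(mscash_hex: str, username: str, candidate: str) -> bool:
    """Offline check of one guess: the per-word operation a cracker plugin repeats."""
    return hmac.compare_digest(mscash(candidate, username), bytes.fromhex(mscash_hex))


def demo() -> dict:
    nlkm = bytes(range(64))                                   # constructed stand-in for NL$KM
    ch = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed CH
    entry = build_entry(nlkm, ch, "Administrator", "CORP", "Summer2005")
    return decrypt_entry(nlkm, entry)


if __name__ == "__main__":
    fields = demo()
    print(f"{fields['username']}:{fields['mscash'].hex()}:{fields['domain']}")
```

The round trip in demo() is only meaningful because the entry was built with the same layout it is parsed with; against a real dump the interesting checks are that the MD4 test vectors hold, that the recovered username decodes cleanly from offset 168, and that a known password for that account satisfies check_candidate().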