Hello everybody !
Since I am quoted in this post, I feel compelled to clarify the
situation and give away much of my knowledge for free ... (I guess it is
Christmas effect :-)
The logon credentials of the last 10 users that login into a particular
machine (that's true, you can see that the last 10 users that login into a
machine are able to login even when disconnected from the network, thanks
to the cached credentials) are cached somewhere in the local machine
(someone mentioned to me the LSA Secrets, but I'm not sure about this
location, can also be somewhere else in the protected section of the
registry. LSA itself is one of these protected sections. Please read on).
Take into account that the caching can be (and should be? ;-) disabled
with the following registry key:
HKLM\SOFTWARE\MICROSOFT\WINDOWS
NT\CURRENTVERSION\WINLOGON\CACHEDLOGONSCOUNT (change it to 1 to disable
the caching)
My guess is that this information is SYSKEYed or encrypted in some other
way.
> ...
> So far so good. Now to the bad news (extract from a post of Nicolas
> Ruff in the full-disclosure list,
> http://seclists.org/lists/fulldisclosure/2003/Dec/0794.html):
> "Cached logon are stored in some kind of "double hash" way (
> LM(LM(password)) or NTLM(NTLM(password))
> ) - very difficult to break in a reasonable time, but still vulnerable
> to dictionnary attacks.
> However I do not know any publicly released tool able to retrieve and
> crack cached logon (even if I
> am working on it :-). "
> ...
> OK, who has time to test all the above? ;-)
Cached values are generated as follow :
- Cached LM hash = MD4('LM hash' + Unicode lowercase username)
- Cached NTLM hash = MD4('NTLM hash' + Unicode lowercase username)
There are some noticeable differences between Windows NT4 and Windows
2000+ cache store:
- Windows NT4: cached passwords are stored separately as LSA secrets.
They are not encrypted. LM and NTLM values are generated.
- Windows 2000+: cached passwords are stored inside the
'HKLM\Security\Cache\NL$' registry keys. Those keys are visible only by
SYSTEM user, but as a local admin you can change permissions on those
keys. They are RC4-encrypted with a mix of per-key secret and NL$KM LSA
secret. Only NTLM values are generated.
Now you should be able to code your own tool, because I won't release
anything about this one. In fact I suspect such tools have been hanging
around since the release of Windows NT4, see the excellent
http://www.toolcrypt.org/ site, and especially :
http://www.toolcrypt.org/tools/cachebf/index.html.
Well it is possible, that logon-information is not cached locally (I mean,
only in memory) for security reasons. Seems like you have to get the SAM
(with all domain-users inside) from a domain-controller ;-)... Did you
check for other SAM-files in the local filesystem (%windir%\repair)?
There are 3 very different things here :
- Logged-in user information, such as password, cached plaintext in
memory during the whole user session.
Hint : use PasswordReminder.
http://www.smidgeonsoft.prohosting.com/#PasswordReminder
- Last 10 domain logins cached in registry.
Hint : use LSADUMP2 + CACHEBF on Windows NT4, use your brain on Windows
2000.
- Local user accounts, stored in SAM database.
Hint : use PWDUMP as a local admin.
Does anyone knows if it is posible with pwdump to get the information
About a logged on user.
For instance, If I log on my computer, I use a domain logon, and when I
execute pwdump I only see local user....
Well, unfortunately I suspect this is really a n00b question : if you
run PWDUMP locally, you will only get local SAM accounts *even if you
are logged in with a domain account*. To get domain accounts, you need
to run PWDUMP3+ against a domain controller using a domain admin
account. Otherwise if you are just interested in finding the currently
logged-in user password, use the aforementioned PasswordReminder utility.
Happy new year !
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff (at) edelweb.fr
-----------------------------------
