
Network Security Pen-Test

Re: pwdump 2 & 3

Subject: Re: pwdump 2 & 3
Date: Thu, 6 Jan 2005 03:06:05 +0100
Hi Nicolas,

Good to see that you're around here! Happy New Year to you as well!
Your explanation is quite interesting, but I see a conflict with the 
information mentioned in:
"Windows Passwords: Everything You Need To Know"
http://202.181.238.2/hk/teched2004/ppt/Day_2_Rm402/WIN495(1500-1615).ppt

According to the above mentioned presentation, the information in the 
cache is:
MD5(NTLM(password)+userID+Domain)

Can you provide any feedback on that?
Thanks a lot!

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG






"Nicolas RUFF (listes)" <ruff.lists@edelweb.fr>
05/01/2005 18:15

To: pen-test@securityfocus.com
cc: Miguel Dilaj/PH/Novartis@PH, IndianZ <indianz@indianz.ch>, pentest@oissg.org, Jean-Baptiste.Marchand@hsc.fr
Subject: Re: pwdump 2 & 3


Hello everybody !

Since I am quoted in this post, I feel compelled to clarify the 
situation and give away much of my knowledge for free ... (I guess it is 
Christmas effect :-)

[snip]

Cached values are generated as follows :
- Cached LM hash   = MD4('LM hash' + Unicode lowercase username)
- Cached NTLM hash = MD4('NTLM hash' + Unicode lowercase username)

There are some noticeable differences between Windows NT4 and Windows 
2000+ cache store:

- Windows NT4: cached passwords are stored separately as LSA secrets. 
They are not encrypted. LM and NTLM values are generated.

- Windows 2000+: cached passwords are stored inside the 
'HKLM\Security\Cache\NL$' registry keys. Those keys are visible only by 
SYSTEM user, but as a local admin you can change permissions on those 
keys. They are RC4-encrypted with a mix of per-key secret and NL$KM LSA 
secret. Only NTLM values are generated.

Now you should be able to code your own tool, because I won't release 
anything about this one. In fact I suspect such tools have been hanging 
around since the release of Windows NT4, see the excellent 
http://www.toolcrypt.org/ site, and especially : 
http://www.toolcrypt.org/tools/cachebf/index.html.


Well, it is possible that logon information is not cached locally (I mean, 
only in memory) for security reasons. Seems like you have to get the SAM 
(with all domain users inside) from a domain controller ;-)... Did you 
check for other SAM files in the local filesystem (%windir%\repair)?

There are 3 very different things here :

- Logged-in user information, such as password, cached plaintext in 
memory during the whole user session.

Hint : use PasswordReminder.
http://www.smidgeonsoft.prohosting.com/#PasswordReminder

- Last 10 domain logins cached in registry.

Hint : use LSADUMP2 + CACHEBF on Windows NT4, use your brain on Windows 
2000.

- Local user accounts, stored in SAM database.

Hint : use PWDUMP as a local admin.


Does anyone know if it is possible with pwdump to get the information
about a logged-on user?

For instance, if I log on to my computer, I use a domain logon, and when I
execute pwdump I only see local users....

Well, unfortunately I suspect this is really a n00b question : if you 
run PWDUMP locally, you will only get local SAM accounts *even if you 
are logged in with a domain account*. To get domain accounts, you need 
to run PWDUMP3+ against a domain controller using a domain admin 
account. Otherwise if you are just interested in finding the currently 
logged-in user password, use the aforementioned PasswordReminder utility.


Happy new year !
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff (at) edelweb.fr
-----------------------------------


