
| Subject: | Re: pwdump 2 & 3 |
|---|---|
| Date: | Tue, 11 Jan 2005 18:19:02 +0100 |
On Thu, 2004-12-16 at 10:39 +0100, miguel.dilaj@pharma.novartis.com wrote:
> Hi! Well... the facts first:
>
> The logon credentials of the last 10 users that log in to a particular machine (that's true, you can see that the last 10 users that log in to a machine are able to log in even when disconnected from the network, thanks to the cached credentials) are cached somewhere in the local machine (someone mentioned to me the LSA Secrets, but I'm not sure about this location, it can also be somewhere else in the protected section of the registry. LSA itself is one of these protected sections. Please read on).
>
> Take into account that the caching can be (and should be? ;-) disabled with the following registry key:
> HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\CACHEDLOGONSCOUNT (change it to 1 to disable the caching)
Yes, administrators should change it to 1 to reduce the security impact of cached passwords.
> On the other hand, there's a very suspicious location in the registry (I'm accessing the registry as SYSTEM, I don't know if this location can be accessed as administrator): HKLM\Security\Cache
>
> Guess what? There are 10 items there, NL$1 to NL$10 ;-) Every one of them is a binary key that doesn't look like plain-old hashes or anything like that, but my guess is that this is the place to investigate. To have confirmation of the above, read http://support.microsoft.com/default.aspx?scid=kb;en-us;199071
>
> So far so good. Now to the bad news (extract from a post of Nicolas Ruff in the full-disclosure list, http://seclists.org/lists/fulldisclosure/2003/Dec/0794.html):
>
> "Cached logons are stored in some kind of "double hash" way ( LM(LM(password)) or NTLM(NTLM(password)) ) - very difficult to break in a reasonable time, but still vulnerable to dictionary attacks. However I do not know any publicly released tool able to retrieve and crack cached logons (even if I am working on it :-)."
Yes, Nicolas told us more about the caching method designed by Microsoft. So it's now time to disclose our open source tool, CacheDump, developed in our intrusion testing lab.

CacheDump, licensed under the GPL, demonstrates how to recover cache entry information: username and hashed password. Sysadmins and security consultants are welcome to use this program; malicious users can't do anything with it as long as they do not have Administrator privileges.

CacheDump does not rely on the DLL-injection method used in pwdump or lsadump2; it creates an NT service on the fly in order to read the static LSA key from LSASS.EXE's process memory, and deciphers the cache entries to expose the password hashes.

CacheDump's output is similar to pwdump's, with of course a different hash function; a plugin for the John the Ripper password cracker has been developed for offline dictionary and brute-force cracking. This plugin for John the Ripper should work on all architectures supported by the cracker. It will run on most Unices. Under Microsoft Windows, it will only work under Cygwin.

Links:
http://www.cr0.net:8040/misc/cachedump.html
http://www.cr0.net:8040/misc/patch-john.html

Arnaud Pilon
--
IT Security Consultant
Thales Security Systems
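The thread's two defensive points are the CachedLogonsCount setting and the fact that the dump tool installs a service on the fly to read LSASS memory. The following audit script is an added example (not part of the thread and not CacheDump's code): it reads the setting and reviews recent service-installation events whose binary sits outside the usual system directories. It assumes an elevated PowerShell 5+ session on a Windows host; the 7-day window, the "trusted" path list and the function name are assumptions.

```powershell
# Added example: audit cached-logon exposure on the local machine.
function Test-CachedLogonExposure {
    param(
        [int]$MaxCachedLogons = 1,   # threshold recommended in the thread (0 disables caching entirely)
        [int]$LookbackDays    = 7    # assumed review window for service installs
    )
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # CachedLogonsCount is stored as REG_SZ; Windows treats an absent value as 10.
    $raw   = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }

    # Event 7045 (System log, Service Control Manager): "A service was installed in the system."
    # EventData order: 0=ServiceName 1=ImagePath 2=ServiceType 3=StartType 4=AccountName
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue

    # Assumed list of directories where legitimate service binaries normally live.
    $trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")

    $suspect = foreach ($e in $events) {
        $image = [string]$e.Properties[1].Value
        # Isolate the executable path: honour a quoted path, otherwise take the first token.
        $exe = if ($image -match '^"([^"]+)"') { $Matches[1] } else { ($image -split '\s+')[0] }
        $inTrusted = $false
        foreach ($t in $trusted) { if ($exe -like $t) { $inTrusted = $true } }
        if (-not $inTrusted) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Service   = $e.Properties[0].Value
                ImagePath = $image
                Account   = $e.Properties[4].Value
            }
        }
    }

    [pscustomobject]@{
        CachedLogonsCount = $count
        Compliant         = ($count -le $MaxCachedLogons)
        SuspectServices   = @($suspect)
    }
}

# Usage: print the result; SuspectServices is empty when every recent install came from a trusted path.
Test-CachedLogonExposure | Format-List
```

A service installed from a temporary or user-writable directory is not proof of a credential dump, only a lead worth correlating with who was logged on at that time.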