Return to the archive index
From: kayodeok <news4kayode@btopenworld.com> Date: Wed, 09 Mar 2005 09:11:38 +0000 Newsgroups: grc.linkfarm,grc.security Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003 http://www.irongeek.com/i.php?page=security/cachecrack By default Windows 2000, XP and 2003 systems in a domain or Active Directory tree cache the passwords and credentials of previously logged in users. This is done so that the users can still login again if the Domain Controller or ADS tree can not be reached either because of Controller failure or network problems. These cached passwords are stored as hashes in the local systems registry at the values HKLM\SECURITY\CACHE\NL$1 though NL$10. Unless the ACL is changed these values require SYSTEM level privileges to access (you can set it so an admin account can read them but you would still want to use a tool to parse out the data). Arnaud Pilon has created a tool called CacheDump for extracting these password hashes out of the registry. He and his team have also come up with patches for the password cracking tool 'John the Ripper' that allow you to use John to crack these stored credential hashes. More on the technical details can be found at http://www.cr0.net:8040/misc/cachedump.html for those who are so inclined. Fortunately from a security standpoint the way Microsoft hashes cached passwords is much more secure than the way they store local passwords in the SAM file. Since each cached hash has its own salt (a set of more or less random bits figured into the hash algorithm to help foil pre-computed attacks) cached passwords hashes take much longer to crack than LM hashes which only use one salt, are case insensitive and are split into seven character chunks. This tutorial will cover the basics of collecting the cached password hashes and setting up a Debian based Linux system with a patched version of 'John the Ripper' to crack these hashes. With a little modification to these basic instructions you should be able to get the patched version of John to work on just about any *nix system or under the Cygwin environment for Windows.
From Usenet Articles Archive (UAA)
Maintained by gwl
gwl At Home