Return to the archive index

Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003

From:  kayodeok <news4kayode@btopenworld.com>
Date:  Wed, 09 Mar 2005 09:11:38 +0000
Newsgroups:  grc.linkfarm,grc.security

 Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003

 http://www.irongeek.com/i.php?page=security/cachecrack

 By default Windows 2000, XP and 2003 systems in a domain or Active Directory
 tree cache the passwords and credentials of previously logged in users.
 This is done so that the users can still login again if the Domain
 Controller or ADS tree can not be reached either because of Controller
 failure or network problems. These cached passwords are stored as hashes in
 the local systems registry at the values HKLM\SECURITY\CACHE\NL$1 though NL$10. 
 Unless the ACL is changed these values require SYSTEM level privileges to access 
 (you can set it so an admin account can read them but you would still want to use 
 a tool to parse out the data). 

 Arnaud Pilon has created a tool called CacheDump for extracting these
 password hashes out of the registry. He and his team have also come up with
 patches for the password cracking tool 'John the Ripper' that allow you to
 use John to crack these stored credential hashes. 

 More on the technical details can be found at
 http://www.cr0.net:8040/misc/cachedump.html for those who are so inclined. 

 Fortunately from a security standpoint the way Microsoft hashes cached
 passwords is much more secure than the way they store local passwords in
 the SAM file. Since each cached hash has its own salt (a set of more or
 less random bits figured into the hash algorithm to help foil pre-computed
 attacks) cached passwords hashes take much longer to crack than LM hashes
 which only use one salt, are case insensitive and are split into seven
 character chunks.

 This tutorial will cover the basics of collecting the cached password hashes
 and setting up a Debian based Linux system with a patched version of 'John
 the Ripper' to crack these hashes. With a little modification to these
 basic instructions you should be able to get the patched version of John to
 work on just about any *nix system or under the Cygwin environment for
 Windows.

From Usenet Articles Archive (UAA)
Maintained by gwl
gwl At Home