March 6th, 2005, 05:12 PM
Cracking cached domain/AD passwords in Windows XP/2000/2003
I was asked by someone else how Windows systems in a domain cache passwords so that people can login even when the box can't contact the domain controller. I found a site by a guy named Arnaud Pilon about how it works and he also provides tools for grabbing the password hashes out of the LSASS cache and cracking them using John the Ripper. Interesting stuff. Here is the URL:
March 6th, 2005, 05:55 PM
Irongeek, nice link, but I have one question I was wondering if anyone could answer. In the article he says:
Credentials are stored in HKLM\SECURITY\CACHE\NL$n with n ranging between 1 and 10. The default ACL does not allow Administrators to read these registry values, which can only be accessed with SYSTEM privileges.
and then he goes on about how to get the information stored in HKLM\SECURITY\CACHE\NL$n using CacheDump, but wouldn't it also be possible to get the same information from HKLM\SECURITY\CACHE\NL$n without tools if you had SYSTEM privileges?
March 6th, 2005, 06:52 PM
Administrators don't have as high a level of access as the SYSTEM account, so he starts a service with his tool to run as SYSTEM and get to those values. At least that is my understanding.
March 6th, 2005, 11:12 PM
I know, but what I am saying is that I know of ways of getting SYSTEM privileges on a Windows box even if you aren't admin, and my question was: if you got yourself SYSTEM privileges, would you be able to get the passwords without any tools, to be unencrypted on a different computer?
March 6th, 2005, 11:23 PM
Yes. If you can access the registry with SYSTEM rights, then you can grab your hashes. This is exactly how L0phtCrack works.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
March 6th, 2005, 11:34 PM
Ok, thank you thehorse13, I was just wondering if you could. I would have tried it before asking but I don't have access to that kind of network right now.
March 7th, 2005, 04:21 PM
I just tested it and it seems to work great. Still, it can take a long time to crack a password using John's incremental mode, so it's of limited use to a cracker. Maybe I should write a tutorial on it.
March 7th, 2005, 06:44 PM
There really isn't a need to login with an account that has SYSTEM privileges. Just use regedit and give yourself the permissions to the proper keys. By default only SYSTEM has privileges, but the OS doesn't keep you from changing the permissions on those keys.
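Two points in this thread are worth turning into a routine check from the administrator's side: the quoted article states that the NL$n values under HKLM\SECURITY\CACHE are readable only by SYSTEM by default, and mohaughn notes that an Administrator can simply re-permission those keys with regedit. The following PowerShell script is an added example, not code from the thread or from Arnaud Pilon's tools. It reports how many domain logons the host will cache (Winlogon's CachedLogonsCount value, which is not mentioned in the thread; absent means the default of 10, and 0 disables caching entirely) and lists any non-SYSTEM principal that has been granted the right to query values under HKLM\SECURITY\Cache, which is the deviation from the stock ACL that mohaughn's approach leaves behind. It assumes an elevated prompt on a domain-joined host; the registry paths and value names are real, the "flag anything that can QueryValues" threshold is the author's choice.

```powershell
# Added example (not from the thread): audit cached domain logon settings on a Windows host.
# Run from an elevated PowerShell prompt. Registry paths and value names are real;
# the decision rule (flag any non-SYSTEM principal that can query values) is an assumption.

function Get-CachedLogonsCount {
    # CachedLogonsCount (REG_SZ) under Winlogon is the number of domain logons the host
    # keeps in HKLM\SECURITY\Cache\NL$n. A missing value means the default of 10; 0 disables caching.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.CachedLogonsCount
}

function Get-NonSystemCacheReaders {
    # Returns every Allow ACE on HKLM\SECURITY\Cache that lets a principal other than
    # SYSTEM (S-1-5-18) query values. The stock ACL gives Administrators only
    # ReadPermissions/ChangePermissions, so anything returned here means the key has
    # been re-permissioned. Opening with ReadPermissions (READ_CONTROL) is enough to read the DACL
    # and is granted to Administrators by default, even though the values themselves are not.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SECURITY\Cache',
        [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    if ($null -eq $key) { throw 'HKLM\SECURITY\Cache could not be opened for READ_CONTROL' }
    try {
        $acl   = $key.GetAccessControl()
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $query = [System.Security.AccessControl.RegistryRights]::QueryValues
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($rule.IdentityReference.Value -eq 'S-1-5-18') { continue }   # SYSTEM is expected
            if (($rule.RegistryRights -band $query) -eq 0) { continue }       # cannot read values
            # Resolve the SID to a name where possible; fall back to the raw SID.
            $name = try {
                $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $rule.IdentityReference.Value }
            [pscustomobject]@{
                Identity  = $name
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    } finally {
        $key.Close()
    }
}

$count = Get-CachedLogonsCount
Write-Output "CachedLogonsCount = $count (default 10; 0 disables offline domain logon)"

$readers = @(Get-NonSystemCacheReaders)
if ($readers.Count -eq 0) {
    Write-Output 'HKLM\SECURITY\Cache: only SYSTEM can query values (default ACL intact)'
} else {
    Write-Output 'HKLM\SECURITY\Cache: non-SYSTEM principals can read cached credentials:'
    $readers | Format-Table -AutoSize
}
```

The ACL check compares SIDs rather than account names so it behaves the same on localized Windows builds. A host that reports a non-empty reader list, or a CachedLogonsCount higher than its role requires, is exactly the case the thread describes: the cached verifiers become readable to an Administrator without any service running as SYSTEM.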
March 7th, 2005, 06:50 PM
I just tested what mohaughn said and he is correct, but the cachedump tool does everything for you and parses out the usernames, so it's easier than doing it all by hand.