Cracking cached domain/AD passwords in Windows XP/2000/2003

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    Cracking cached domain/AD passwords in Windows XP/2000/2003

    I was asked by someone else how Windows systems in a domain cache passwords so that people can log in even when the box can't contact the domain controller. I found a site by a guy named Arnaud Pilon about how it works, and he also provides tools for grabbing the password hashes out of the LSASS cache and cracking them using John the Ripper. Interesting stuff. Here is the URL:

    http://www.cr0.net:8040/misc/cachedump.html

  2. #2
    Senior Member
    Join Date
    Jun 2004
    Posts
    379
    Irongeek, nice link, but I have one question I was wondering if anyone could answer. In the article he says:

        Credentials are stored in HKLM\SECURITY\CACHE\NL$n with n ranging between 1 and 10. The default ACL does not allow Administrators to read these registry values, which can only be accessed with SYSTEM privileges.

    and then he goes on about how to get the information stored in HKLM\SECURITY\CACHE\NL$n using CacheDump, but wouldn't it also be possible to get the same information from HKLM\SECURITY\CACHE\NL$n without tools if you had SYSTEM privileges?

  3. #3
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Administrators don't have as high a level of access as the SYSTEM account, so he starts a service with his tool to run as SYSTEM and get to those values. At least that is my understanding.

  4. #4
    Senior Member
    Join Date
    Jun 2004
    Posts
    379
    I know, but what I am saying is that I know of ways of getting SYSTEM privileges on a Windows box even if you aren't admin, and my question was: if you got yourself SYSTEM privileges, would you be able to get the passwords without any tools, to be decrypted on a different computer?

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Yes. If you can access the registry with SYSTEM rights, then you can grab your hashes. This is exactly how L0phtCrack works.


    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    Senior Member
    Join Date
    Jun 2004
    Posts
    379
    OK, thank you thehorse13, I was just wondering if you could. I would have tried it before asking, but I don't have access to that kind of network right now.

  7. #7
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I just tested it and it seems to work great. Still, it can take a long time to crack a password using John's incremental mode, so it's of limited use to a cracker. Maybe I should write a tutorial on it.

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    There really isn't a need to log in with an account that has SYSTEM privileges. Just use regedit and give yourself the permissions to the proper keys. By default only SYSTEM has privileges, but the OS doesn't keep you from changing the permissions on those keys.

  9. #9
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I just tested what mohaughn said and he is correct, but the cachedump tool does everything for you and parses out the usernames, so it's easier than doing it all by hand.
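    The thread establishes three facts a defender should care about: domain logons are cached locally so users can log in without a domain controller (#1), the cache lives under HKLM\SECURITY\CACHE and is readable only by SYSTEM by default (#2), and an administrator can loosen that ACL by hand (#8). The PowerShell below is an added audit example, not code from this thread or from Arnaud Pilon's CacheDump. It assumes an elevated session on a modern Windows host and uses the documented `CachedLogonsCount` value under Winlogon (the registry setting behind the policy "Interactive logon: Number of previous logons to cache"); the acceptable baseline of zero cached logons is an assumption for the example. It never reads the NL$ values themselves; it only tests whether the default protection on the cache key is still intact.

```powershell
# Added example (not from the thread): audit a host's domain-credential caching posture.
# Assumptions: run in an elevated (Administrator) PowerShell on Windows; the
# CachedLogonsCount value under Winlogon is the setting behind the group policy
# "Interactive logon: Number of previous logons to cache"; a baseline of 0 is assumed.

function Get-CachedLogonPosture {
    [CmdletBinding()]
    param(
        # Maximum number of cached logons the site considers acceptable (assumed baseline).
        [int]$MaxAcceptable = 0
    )

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # CachedLogonsCount is stored as REG_SZ; the OS default is "10" when the value is absent.
    $raw = (Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' `
            -ErrorAction SilentlyContinue).CachedLogonsCount
    $count = if ([string]::IsNullOrEmpty($raw)) { 10 } else { [int]$raw }

    # By default only SYSTEM may open HKLM\SECURITY\CACHE (registry paths are
    # case-insensitive). If this open succeeds from an administrator context, the
    # default ACL has been changed, which is exactly the hand edit post #8 describes
    # and something a defender wants to know about.
    $cacheReadable = $false
    try {
        $key = Get-Item -Path 'HKLM:\SECURITY\Cache' -ErrorAction Stop
        if ($null -ne $key) {
            $cacheReadable = $true
            $key.Close()
        }
    } catch {
        $cacheReadable = $false   # expected outcome: access denied, default ACL still in force
    }

    $recommendation = if ($count -gt $MaxAcceptable) {
        "Lower 'Interactive logon: Number of previous logons to cache' to $MaxAcceptable via GPO"
    } elseif ($cacheReadable) {
        'HKLM\SECURITY\Cache is readable from an admin context; restore the default ACL and investigate'
    } else {
        'OK'
    }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        CachedLogonsCount       = $count
        ExceedsBaseline         = ($count -gt $MaxAcceptable)
        CacheKeyReadableByAdmin = $cacheReadable
        Recommendation          = $recommendation
    }
}

# Usage: report this host's posture against a zero-cache baseline.
Get-CachedLogonPosture -MaxAcceptable 0 | Format-List
```

    Setting the cached logon count to 0 removes the offline-logon convenience the first post describes, so laptops that must authenticate away from the network usually keep a small non-zero value; the point of the check is that the number is a deliberate choice and that the key's default ACL has not been quietly widened.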
