Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003
By default Windows 2000, XP and 2003 systems in a domain or Active Directory tree cache the passwords and credentials of previously logged in users. This is done so that the users can still login again if the Domain Controller or ADS tree can not be reached either because of Controller failure or network problems. These cached passwords are stored as hashes in the local systems registry at the values HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 though NL$10. Unless the ACL is changed these values require SYSTEM level privileges to access (you can set it so an admin account can read them but you would still want to use a tool to parse out the data). Arnaud Pilon has created a tool called CacheDump for extracting these password hashes out of the registry. He and his team have also come up with patches for the password cracking tool “John the Ripper” that allow you to use John to crack these stored credential hashes. More on the technical details can be found at http://www.cr0.net:8040/misc/cachedump.html for those who are so inclined. Fortunately from a security standpoint the way Microsoft hashes cached passwords is much more secure than the way they store local passwords in the SAM file. Since each cached hash has its own salt (a set of more or less random bits figured into the hash algorithm to help foil pre-computed attacks) cached passwords hashes take much longer to crack than LM hashes which don't salt the same way, are case insensitive and are split into seven character chunks.
This tutorial will cover the basics of collecting the cached password hashes and setting up a Debian based Linux system with a patched version of “John the Ripper” to crack these hashes. With a little modification to these basic instructions you should be able to get the patched version of John to work on just about any *nix system or under the Cygwin environment for Windows.
First download and extract cachedump.exe from http://www.cr0.net:8040/misc/cachedump-1.0.zip to the Windows box you want to get the cached password hashes from. Once you have extracted the executable make sure you are logged in as an admin user then drop out to a command prompt and use the following command to pipe the hashes into a file:
If you look in the mydump.txt file it should contain data that looks something like the following:
Theses are the stored usernames and password hashes. Now open a shell to your Linux box. Let’s install the stable version of John so we have all of the documentation (it should be in /usr/share/doc/john/) and configuration files, the following command should do the trick:
Now let’s extract john.ini to /etc/john/ using the following command:
apt-get install john
Once that’s done we need to download the source for John 1.6.37:
gunzip -c /usr/share/doc/john/examples/john.ini.gz > /etc/john/john.ini
Then extract the source files:
Now let’s obtain the patches needed to make John work with Windows cached password hashes:
tar xfz john-1.6.37.tar.gz
Then unpack and integrate the patches into the main source:
Now it’s time to compile. Change directory into the source code directory:
gunzip -c john-1.6.37-bigpatch-10.diff.gz | patch -p0
We have to specify the platform (if you are not sure of your platform just type “make” without any parameters to see what options are available). Since I’m using a Pentium III and Linux I’ll choose “linux-x86-mmx-elf” as my target platform:
Assuming there were no errors during the compile, change into the directory that the binaries where copied to:
Copy the mydump.txt file from the Windows box to the Linux box and put it in the “run” directory. Once that is done we can begin to try and crack the hashes. The first kind of crack we will try is the wordlist crack:
The command above will read every word in the file “password.lst”, hash it with each individual user’s salt and compare the generated hash with the stored hash. If the hashes match John will print the password to the screen:
./john --wordlist:password.lst -format:mscash mydump.txt
The “password.lst” file that comes with John is rather small so I would recommend downloading a more extensive word list like the one that comes with L0phtcrack (called “words-english-big.dic”) or the Argon Wordlist from http://neworder.box.sk/codebox.links.php?&key=passdict and using those instead.
If at any time you wish to see the current progress of John just hit enter and a line like the following should appear:
There are other more advanced cracks you could attempt. The following command will use the rules in john.ini to mangle the words from “password.lst” by changing characters around with likely substitution and additions:
guesses: 0 time: 0:00:00:01 84% c/s: 398184 trying: tenderee
If you have a lot of time and a fast computer you can try the incremental (brute force) mode and see if it gives you better results:
./john --rules --wordlist:password.lst -format:mscash mydump.txt
Incremental mode is limited to only eight characters unless you change the source before you compile it, but at more than eight characters you will likely be waiting a very long time for John to finish.
./john -i:all -format:mscash mydump.txt
In most cases cached passwords should not be much of a problem since they can take a long time to crack if you have good password policies in place. For those who are still paranoid and have a very reliable connection to their domain control they can follow these steps to disable the caching of passwords and credentials:
1. Set the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ CachedLogonsCount to 0.
I hope that this tutorial has been useful, happy password auditing!
John the Ripper Homepage:
John the Ripper Documentation:
NewOrder’s Wordlists and Tools:
NeuTrons tutorial on making a password cracking cluster. His information may help you if you have a lot of computers you can spare cycles on while doing your password audit: