
Thread: Tutorial:Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003

  1. #1
    King Tutorial-ankhamun (Join Date: Jul 2004; Posts: 897)

    Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003

    By default, Windows 2000, XP and 2003 systems in a domain or Active Directory tree cache the passwords and credentials of previously logged-in users. This is done so that users can still log in again if the Domain Controller or ADS tree cannot be reached, either because of Controller failure or network problems. These cached passwords are stored as hashes in the local system's registry at the values HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10. Unless the ACL is changed, these values require SYSTEM level privileges to access (you can set it so an admin account can read them, but you would still want to use a tool to parse out the data). Arnaud Pilon has created a tool called CacheDump for extracting these password hashes out of the registry. He and his team have also come up with patches for the password cracking tool “John the Ripper” that allow you to use John to crack these stored credential hashes. More on the technical details can be found at http://www.cr0.net:8040/misc/cachedump.html for those who are so inclined. Fortunately, from a security standpoint, the way Microsoft hashes cached passwords is much more secure than the way they store local passwords in the SAM file. Since each cached hash has its own salt (a set of more or less random bits figured into the hash algorithm to help foil pre-computed attacks), cached password hashes take much longer to crack than LM hashes, which don't salt the same way, are case insensitive and are split into seven character chunks.

    This tutorial will cover the basics of collecting the cached password hashes and setting up a Debian-based Linux system with a patched version of “John the Ripper” to crack these hashes. With a little modification to these basic instructions you should be able to get the patched version of John to work on just about any *nix system or under the Cygwin environment for Windows.

    First download and extract cachedump.exe from http://www.cr0.net:8040/misc/cachedump-1.0.zip to the Windows box you want to get the cached password hashes from. Once you have extracted the executable make sure you are logged in as an admin user then drop out to a command prompt and use the following command to pipe the hashes into a file:

    Code:
    cachedump >mydump.txt
    If you look in the mydump.txt file it should contain data that looks something like the following:

    Code:
    jdoe:2d9f0b052932ad18b87f315641921cda
    admin:2d9f0b052932ad18b87f315641921cda
    tjanes:2d9f0b052932ad18b87f315641921cda
    These are the stored usernames and password hashes. Now open a shell to your Linux box. Let’s install the stable version of John so we have all of the documentation (it should be in /usr/share/doc/john/) and configuration files; the following command should do the trick:

    Code:
    apt-get install john
    Now let’s extract john.ini to /etc/john/ using the following command:

    Code:
    gunzip -c /usr/share/doc/john/examples/john.ini.gz > /etc/john/john.ini
    Once that’s done we need to download the source for John 1.6.37:

    Then extract the source files:

    Code:
    tar xfz john-1.6.37.tar.gz
    Now let’s obtain the patches needed to make John work with Windows cached password hashes:

    Then unpack and integrate the patches into the main source:

    Code:
    gunzip -c john-1.6.37-bigpatch-10.diff.gz | patch -p0
    Now it’s time to compile. Change directory into the source code directory:

    Code:
    cd john-1.6.37/src/
    We have to specify the platform (if you are not sure of your platform just type “make” without any parameters to see what options are available). Since I’m using a Pentium III and Linux I’ll choose “linux-x86-mmx-elf” as my target platform:

    Code:
    make linux-x86-mmx-elf
    Assuming there were no errors during the compile, change into the directory that the binaries were copied to:

    Code:
    cd ../run/
    Copy the mydump.txt file from the Windows box to the Linux box and put it in the “run” directory. Once that is done we can begin to try and crack the hashes. The first kind of crack we will try is the wordlist crack:

    Code:
    ./john --wordlist:password.lst -format:mscash mydump.txt
    The command above will read every word in the file “password.lst”, hash it with each individual user’s salt and compare the generated hash with the stored hash. If the hashes match John will print the password to the screen:

    Code:
    hotmonkeylove         (jdoe)
    The “password.lst” file that comes with John is rather small so I would recommend downloading a more extensive word list like the one that comes with L0phtcrack (called “words-english-big.dic”) or the Argon Wordlist from http://neworder.box.sk/codebox.links.php?&key=passdict and using those instead.

    If at any time you wish to see the current progress of John just hit enter and a line like the following should appear:

    Code:
    guesses: 0  time: 0:00:00:01 84%  c/s: 398184  trying: tenderee
    There are other more advanced cracks you could attempt. The following command will use the rules in john.ini to mangle the words from “password.lst” by changing characters around with likely substitution and additions:

    Code:
    ./john --rules --wordlist:password.lst -format:mscash mydump.txt
    If you have a lot of time and a fast computer you can try the incremental (brute force) mode and see if it gives you better results:

    Code:
    ./john -i:all -format:mscash mydump.txt
    Incremental mode is limited to only eight characters unless you change the source before you compile it, but at more than eight characters you will likely be waiting a very long time for John to finish.

    In most cases cached passwords should not be much of a problem, since they can take a long time to crack if you have good password policies in place. For those who are still paranoid and have a very reliable connection to their domain controller, they can follow these steps to disable the caching of passwords and credentials:

    1. Set the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount to 0.
    2. Reboot

    I hope that this tutorial has been useful, happy password auditing!

    Further research:

    CacheDump Homepage:
    http://www.cr0.net:8040/misc/cachedump.html

    John the Ripper Homepage:
    http://www.openwall.com//john/

    John the Ripper Documentation:
    http://cvsweb.openwall.com/cgi/cvswe...john/john/doc/

    NewOrder’s Wordlists and Tools:
    http://neworder.box.sk/codebox.links.php?&key=passdict

    NeuTrons tutorial on making a password cracking cluster. His information may help you if you have a lot of computers you can spare cycles on while doing your password audit:
    http://www.antionline.com/showthread...hreadid=262750

  2. #2
    Bloody amazing post, once again! BRAVO!

    I'd give you greens, but I have to spread them.

  3. #3
    King Tutorial-ankhamun (Join Date: Jul 2004; Posts: 897)
    Thanks Jebo. And thanks MsMittens for letting me know I should disable smileys in my commands.

  4. #4
    Senior Member (Join Date: Mar 2004; Posts: 171)
    Well Done IronGeek, another wonderful Post!
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  5. #5
    thehorse13, Master-Jedi-Pimps0r & Moderator (Join Date: Dec 2002; Location: Washington D.C. area; Posts: 2,885)
    Great post. Note that the cachedump extracts can be pumped into L0phtCrack as well.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    King Tutorial-ankhamun (Join Date: Jul 2004; Posts: 897)
    Originally posted here by thehorse13
    Great post. Note that the cachedump extracts can be pumped into L0phtCrack as well.

    --TH13
    They can? I thought they were a different algorithm. Have you tested that? I’ll have to give it a shot on my workstation.

  7. #7
    Senior Member (Join Date: Nov 2002; Posts: 339)
    Irongeek: Dude, you are a stud. You write some rockstar tutorials. Very nicely done.

    TH: I didn't know that either, fill me in on how that one works in IRC the next time you stop in. Take it easy buddy.
    Don't be a bitch! Use Slackware.

  8. #8
    Senior Member (Join Date: Sep 2003; Posts: 137)
    excellent tutorial, nice job!
    "Common Sense isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos

  9. #9
    King Tutorial-ankhamun (Join Date: Jul 2004; Posts: 897)
    Originally posted here by thehorse13
    Great post. Note that the cachedump extracts can be pumped into L0phtCrack as well.

    --TH13
    I did some more testing and reading and it does not look like L0phtcrack can be used, since the hashing methods for cached passwords are different from both NT hashes and LM hashes. If you know how it can be done with L0phtcrack please let me know, as I like that tool better.

  10. #10
    King Tutorial-ankhamun (Join Date: Jul 2004; Posts: 897)
    I changed the last sentence of the first paragraph of the tutorial to be more accurate about how LM Hashes work.
