Tutorial:Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003

[br_fusion]

The only problem with Cain&Abel is that it does not recognize CacheDump's format. In order to crack mscash hashes, you must run Cain&Abel from the target machine and import them from within Cain&Abel. Hopefully they will fix this in later versions.

Someone correct me if I'm wrong.


Fusion

[Irongeek]

You are correct. Sometime I will have to play with using Cain on PE Builder with the Runscanner plugin.

[NeuTron]

Sorry to dredge up a five month old thread...but for those of you that couldn't follow this tutorial because you didn't have access to a linux box, I compiled a cygwin version of John 1.6.37 with the mscache patches. This way, you can do the whole tutorial on one windows box.

-NeuTron

[Jareds411]

Thanks NeuTron! I was in that situation, I'll try this out tommorrow.

[rrohela]

HI,
Is it possible to increase incremental mode max length to more than 8 like 20..
As here we are using password of more than 8 characters & John is not able to brake these with option Mscache.
If any one know how to fix it... Please help ...
Or please post compiled application with Mscache support & have no limitation of 8 characters..
this will be a greater help.
Thx.

[phobia]

rrohela... People here tend to have an attitude with people bringing up old posts. A lot of them got beat as children are still dealing with that.

If you have a question it works best to just place it in a new thread.

[Somefilename]

Nice, nice.

[rrohela]

Do as you like.... Goog

[ET1/SS]

http://www.governmentsecurity.org/fo...opic=16151&hl=

[puzzlepants]

Sorry to bring up this thread again but several people mentioned the fact that Cain does not recognize CacheDump's format nor does it allow importing of hashes. After a little work I managed to get around that and had Cain cracking hashes that I had dumped using CacheDump. Here's a tutorial I wrote on how to do it:

Crack CacheDump Hashes Using Cain

This is a follow-up to Irongeek's tutorial on Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003. In version 2.68, Cain added support for MS-Cache hashes but unfortunately it only supports cracking hashes retrieved from the local machine.

This is really a big limitation because, as I've found, usually you want to go get a lot of hashes from different machines and compile them into a big list and crack them all at once. If this is not the case, it is usually not convenient to crack the hashes on the machine that they were retrieved from because it may be a machine at your office or school. You may have sufficient privaleges to install and use Cain but in most cases it's probably not the best idea.

Cain is much easier to use than John the Ripper for cracking just about anything. In this case, both Cain and John the Ripper support cracking MS-Cache hashes but John has the distinct advantage of being able to crack hashes from a list rather than restricting only to hashes retrieved from the local machine. In fact, as John is only meant to crack hashes, it cannot even retrieve any hashes at all but that's beside the point.

Cain also has a nice, pretty GUI and runs on Windows, therefore making it much easier for most people to use compared to John (command line only, can't run on Windows without the help of Cygwin). As I said before, Cain only supports cracking hashes retrieved from the local machine but most of the time this isn't convenient or safe. However, there is a way to get Cain to crack MS-Cache hashes from any machine that you'd like.

CacheDump is a tool mentioned in Irongeek's tutorial that can retrieve cached hashes from a machine. It requires administrative privaleges to retrieve the hashes so you'll have to be logged in under an adminstrative account for it to work. Irongeek spells it out in his tutorial so I won't go through how to use it here. Once you have used it and have your text file with the hashes, take that to the computer you'd like to crack the hashes on using Cain.

There are two things holding Cain back from cracking hashes obtained from external machines. The first is that Cain does not support importing a hash list to be cracked. To get around this you need to first be sure that Cain is closed. If Cain isn't closed, you won't be able to save any changes to the file you will need to change (see the next paragraph). Next, go into the Cain directory, which by default is C:\Program Files\Cain

In this directory, you should find a file called CACHE.LST among many others. All the LST files you see are temporary files that Cain uses to store cracked and uncracked hashes between sessions. That way Cain doesn't have to start cracking everything all over when you start up the program again and you don't have to import the hashes again as well. CACHE.LST is, you guessed it, where Cain stores the MS-Cache hashes. Go ahead and open this file up in Notepad or your favorite text editor. If there is anything in the file to begin with you can do what you would like with it. Leaving it or deleting it won't affect anything at all.

The second problem Cain has is that it does not understand the format that CacheDump uses. Fortunately, the formats that Cain and CacheDump use are very similar and don't require much effort to convert. Here is the format that Cain uses:

domain;username;password;hash;

Here is the format that cachedump uses:

username:hash:domain

There may be some extra information at the end of a cachedump entry but as far as I can tell that doesn't affect anything in terms of the hash or the final password. At first I thought it may be used somehow in the salt but I've found in my testing so far that this is not true.

Going back to Cain's format, you can see that it's pretty simple. At first, obviously, "password" will be completely blank. An actual line from CACHE.LST would look something like this:

acme;roadrunner;;6C7773E383661CC9FD9980FB7AFA8A5D;

The same hash dumped by cachedump would look like this:

roadrunner:6C7773E383661CC9FD9980FB7AFA8A5D:acme

As you can see, the formats are very similar and easy to convert between. The only problem is that this becomes a little intensive if you have a lot of hashes. You wouldn't want to convert a lot of hashes by hand obviously, so I hacked together a quick PHP script that converts between the two formats. The script really only does a little bit of string parsing and reconstructing and is rather simple overall. It would also be really easy to get the same result from just about any other programming language if you wanted to create one yourself.

There are 2 PHP pages involved though they could easily be combined into one. I named them cache.php and cache2.php creatively enough. Here is the source for cache.php where the user can upload a file with cachedump hashes:

<html>
<head>
<title>File Uploader</title>
</head>
<body>
<b>Convert cachedump output for Cain</b><br><br>
<form enctype="multipart/form-data" action="cache2.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="102400" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br>
<input type="submit" value="Upload File" />
</form>
</body>
</html>

This particular script sets the limit for uploads to 100 KB (102,400 bytes) but you can change that easily if you would like. The other part of the script, cache2.php, is where the real magic happens. It takes the uploaded file and puts the text into an array where each line of text (each username, hash, domain combination) corresponds to one entry in the array. A loop then processes each entry in the array and outputs the Cain-formatted text. Here is the source for that page:

<html>
<head>
<title>Cache</title>
</head>
<body>
<?
// Where the file is going to be placed
$target_path = "uploads/";

/* Add the original filename to our target path. Result is "uploads/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

// This is how we will get the temporary file...
$_FILES['uploadedfile']['tmp_name'];

$target_path = "uploads/";

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

/* Check to see if the file was successfully uploaded or not */
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded<br><br>" .
"Here is your output:<br><br>";

/* Open the uploaded file */
$arrContents = file($target_path);

/* For every line in the uploaded file, perform the following */
foreach($arrContents as $v) {
$arr = explode(":", $v);
echo $arr[2] . ";" . $arr[0] . ";;" . $arr[1] . ";<br>";
}

/* Delete the uploaded file */
unlink($target_path);
}
else {
echo "There was an error uploading the file, <a href=\"cache.php\">please try again</a>!";
}
?>
</body>
</html>

As you can see, both files are pretty simple. To run these on your server you will have to have write permissions in whatever directory you send the uploaded file to (set in the variable $target_path). Obviously you will have to have PHP installed on your server as well. Other than that, this script doesn't require anything else.

If you're too lazy to run this script on your own server or you don't have a server to run this script on, I have a server up and running with this script on it for anybody to use. Before I give the link I must say a few things. First of all, this server is running on a residential cable connection and therefore cannot handle a lot of traffic. So please don't flood my poor little server or I will have to take the script down. Secondly, if you have a server to run this script on, please do. My poor little server can only handle so much.

Without further ado, you can now freely convert cachedump output to Cain input here.

The rest of this tutorial should be pretty self-explainatory but I am going to go ahead and tell you what you need to do next. If you listened to my directions earlier, I told you to open up CACHE.LST in Notepad or your favorite text editor. Since I never told you to close it, you should still have it open. Copy and paste your converted cachedump output into that window and save it. Then you can open up Cain, go to the cracker tab, and you should see all of your beautiful hashes ready to be cracked once you click on MS-Cache hashes.

Now you should be ready to crack to your heart's delight but I feel I should give you a warning before you do. Compared to John the Ripper, Cain is slow. When I say slow, I mean really slow. When I ran a specially compiled version of John for Windows, it consistently ran at more than 400,000 combinations per second (c/s) on a 1.8 GHz Intel Celeron with 768 MB of RAM during a dictionary attack. Using the same dictionary and the same number of hashes, Cain ran at (and is still running at) around 3,000 combinations per second. As you can see, Cain runs a ton slower than John. The only advantage to Cain, besides the GUI and ability to run natively on Windows, is that it (I think) supports more hybrid options (taking words from a dictionary list and changing them around slightly) compared to John.

In my experiences with John, it seems to get faster as time goes on. I recall running John on a 1 GHz AMD laptop with 256 MB of RAM. I booted up Whax and didn't even bother loading up a window manager (ie fluxbox or KDE). I ran a bruteforce attack on some cached hashes and the attack started at about 350,000 combinations per second. After about a week straight, the number had climbed to 450,000. So there, John is way faster.

It's about time to wrap this tutorial up. A few things before I let you go though. Firstly, I have a nice screenshot of Cain cracking a ton of MS-Cache hashes for me. Secondly, if anybody has any problems doing anything I mentioned in the tutorial, you can email me at the following address:

puzzlepants(at)gmail.com