Results 1 to 4 of 4

Thread: Cached Domain Credentials and Rainbow Tables

  1. #1
    Senior Member
    Join Date
    Mar 2004
    Posts
    557

    Cached Domain Credentials and Rainbow Tables

    Hi

    In a thread about cachedump and rainbow tables[1], we were
    discussing the threat to windows AD environments of using
    rainbow tables on cached domain credentials to crack the
    administrator password.

    The threat is evident since the domain administrator often
    is called "administrator",


    and the MSCache procedure salts with the username only.


    Here, I have to be more precise to avoid a confusion I
    generated in the above mentioned thread. With username, the
    name of the user (administrator) is meant. It does not represent
    the full username (domain\administrator or administrator@domain).


    This is a claim - in order to proof it, I have three indices

    1. a theoretical analysis of the MSCash algorithm[2]

    2. a logical argument:
    PasswordsPro generates the correct MSCash hash without having to specify the domain

    3. a practical analysis:
    I have set the domain administrator "administrator"'s password to
    - fr34k!pwd on a windows 2003 standard server domain with domain name D1
    - fr34k!pwd on a windows 2003 standard server domain with domain name D2
    - fr34k!pwd on a windows 2003 enterprise server domain with domain name D3

    The MSCash was 87efe1.... in all 3 cases, in agreement with PasswordsPro.


    Actually, in a Microsoft article the security of cached domain credentials
    is discussed[3].


    Disabling caching

    It is possible to disable the caching of domain credentials[4].
    Check your registry for
    Code:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Winlogon\
    and set

    Code:
       CachedLogonsCount = 0

    I am wondering:
    - How many of you, who run a domain, have a domain administrator called "administrator"?
    - ...and how many of you have an easy crackeable password on it?
    - and finally: Do you think that disabling the caching of domain credentials is
    good practice? Are you doing it (GPO)? I do, but my users have in principle access to
    a local account in the unlikely case that the domain controller is unavailable

    Cheers


    [1] http://www.antionline.com/showthread...hreadid=274812
    [2] http://www.openwall.com/john/contrib...cash-5.diff.gz
    [3] http://support.microsoft.com/default...en-us%3B913485
    [4] http://support.microsoft.com/kb/172931/en-us
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  2. #2
    Sec_ware, an excellent thread ... well done on that bit of r&d !

    My thread was more provocative though

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    My thread was more provocative though
    Sure, you can go to the Zoological gardens and have an intellectually stimulating conversation with the curator, or...............................you can go provoke the gorillas?

    I think that you know the difference

    Happy Easter

    And go practice your Curtiss Helldiver attack routines.............hint: don't be element #2 leader, from what I recall of the 1933 movie

  4. #4
    How many of you, who run a domain, have a domain administrator called "administrator"?
    I do , But it's got everything disabled so it doesn't do much, and the password is pretty tight.
    Had a few attempts at having it cracked, but looks like it's still nice and tight..
    poor cracker is gonna feel stupid when it's cracked to fine that they cannot do anything with the account. All that work for nothing, suckers.!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •