April 13th, 2006, 08:06 AM
#1
Cached Domain Credentials and Rainbow Tables
Hi
In a thread about cachedump and rainbow tables[1], we were
discussing the threat to windows AD environments of using
rainbow tables on cached domain credentials to crack the
administrator password.
The threat is evident, since the domain administrator is often
called "administrator", and the MSCache procedure salts with the
username only.
Here I have to be more precise, to avoid a confusion I
created in the above-mentioned thread. By username, the
name of the user (administrator) is meant. It does not mean
the full username (domain\administrator or administrator@domain).
This is a claim; in order to prove it, I have three indications:
1. a theoretical analysis of the MSCash algorithm[2]
2. a logical argument:
PasswordsPro generates the correct MSCash hash without having to specify the domain
3. a practical analysis:
I have set the domain administrator "administrator"'s password to
- fr34k!pwd on a windows 2003 standard server domain with domain name D1
- fr34k!pwd on a windows 2003 standard server domain with domain name D2
- fr34k!pwd on a windows 2003 enterprise server domain with domain name D3
The MSCash was 87efe1.... in all 3 cases, in agreement with PasswordsPro.
The security of cached domain credentials is also discussed in a
Microsoft article[3].
Disabling caching
It is possible to disable the caching of domain credentials[4].
Check your registry under
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
and set
Code:
CachedLogonsCount = 0
I am wondering:
- How many of you who run a domain have a domain administrator called "administrator"?
- ...and how many of you have an easily crackable password on it?
- and finally: do you think that disabling the caching of domain credentials is
good practice? Are you doing it (GPO)? I do, but my users in principle have access to
a local account in the unlikely case that the domain controller is unavailable.
Cheers
[1] http://www.antionline.com/showthread...hreadid=274812
[2] http://www.openwall.com/john/contrib...cash-5.diff.gz
[3] http://support.microsoft.com/default...en-us%3B913485
[4] http://support.microsoft.com/kb/172931/en-us
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
April 14th, 2006, 12:38 PM
#2
Sec_ware, an excellent thread... well done on that bit of R&D!
My thread was more provocative though
April 14th, 2006, 01:20 PM
#3
My thread was more provocative though
Sure, you can go to the Zoological gardens and have an intellectually stimulating conversation with the curator, or... you can go provoke the gorillas?
I think that you know the difference
Happy Easter
And go practice your Curtiss Helldiver attack routines... hint: don't be element #2 leader, from what I recall of the 1933 movie.
April 14th, 2006, 01:45 PM
#4
How many of you, who run a domain, have a domain administrator called "administrator"?
I do, but it's got everything disabled so it doesn't do much, and the password is pretty tight.
Had a few attempts at having it cracked, but it looks like it's still nice and tight.
Poor cracker is gonna feel stupid when it's cracked, to find that they cannot do anything with the account. All that work for nothing, suckers!