Hi

In a thread about cachedump and rainbow tables[1], we were
discussing the threat to Windows AD environments of using
rainbow tables on cached domain credentials to crack the
administrator password.

The threat is evident since the domain administrator is often
called "administrator", and the MSCache procedure salts with the
username only.


Here I have to be more precise to avoid a confusion I
generated in the above-mentioned thread. By username, the
name of the user (administrator) is meant. It does not mean
the full username (domain\administrator or administrator@domain).


This is a claim - in order to prove it, I have three indications:

1. a theoretical analysis of the MSCash algorithm[2]

2. a logical argument:
PasswordsPro generates the correct MSCash hash without having to specify the domain.

3. a practical analysis:
I have set the password of the domain administrator "administrator" to
- fr34k!pwd on a Windows 2003 Standard Server domain with domain name D1
- fr34k!pwd on a Windows 2003 Standard Server domain with domain name D2
- fr34k!pwd on a Windows 2003 Enterprise Server domain with domain name D3

The MSCash hash was 87efe1.... in all 3 cases, in agreement with PasswordsPro.


The security of cached domain credentials is also discussed
in a Microsoft article[3].


Disabling caching

It is possible to disable the caching of domain credentials[4].
Check your registry for
Code:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
and set

Code:
   CachedLogonsCount = 0

I am wondering:
- How many of you, who run a domain, have a domain administrator called "administrator"?
- ...and how many of you have an easily crackable password on it?
- and finally: Do you think that disabling the caching of domain credentials is
good practice? Are you doing it (GPO)? I do, but my users have in principle access to
a local account in the unlikely case that the domain controller is unavailable.

Cheers


[1] http://www.antionline.com/showthread...hreadid=274812
[2] http://www.openwall.com/john/contrib...cash-5.diff.gz
[3] http://support.microsoft.com/default...en-us%3B913485
[4] http://support.microsoft.com/kb/172931/en-us