Topic: cached domain password retrieval (Read 16738 times)
mn_kthompson
« on: February 27, 2007, 05:05:02 PM »

Hi all,

I was wondering what tools you guys use to retrieve and crack any cached credentials for domain users on workstations.  I was in a meeting about password policy and I mentioned that our computer lab computers are still set to cache credentials and store NTLM passwords for users.  Later I went to one of our lab computers and used fgdump to get a list of hashes for local accounts on the machine.  However, no matter what I try I can't seem to get a list of cached credentials for domain accounts that have logged in.  I know that there has been plenty of activity on these machines, but I can't get at it.  I tried using Cain, but I keep getting an error about LSASS.  And yes, I am logging in with a local administrator account on the machine.

Any ideas?

Kev
« Reply #1 on: February 28, 2007, 08:45:26 AM »

Have you tried L0phtCrack? Cain is good (called the poor man's L0phtCrack), but L0phtCrack is stronger for digging in. It is still my favorite.
mn_kthompson
« Reply #2 on: February 28, 2007, 08:58:33 AM »

The word on the street is that Symantec bought L0phtCrack and discontinued it. I couldn't find the program anywhere. The open source cousin of L0phtCrack, ophcrack, doesn't seem to be able to gather cached credentials, only local accounts. Any other ideas, or does anyone have some thoughts on what I'm doing wrong?
CadillacGolfer
« Reply #3 on: February 28, 2007, 09:41:03 AM »

What are the command line switches you are using with fgdump?
Kev
« Reply #4 on: February 28, 2007, 09:59:09 AM »

You could try hacking it like a hacker. There are a number of cache dump tools that are good and I think a little better than fgdump. You might want to Google them and play with them. Tools that require Admin access will not work if there is an error or misconfiguration in Windows. Is there an actual error in your permissions or authentication setup? The authentication process itself is handled by LSASS and you are getting an error there. Some live Linux CDs work well for getting around that. You boot to the CD, bypass the entire Admin thing, and it allows you to grab the SAM file or whatever you want to a USB drive.
mn_kthompson
« Reply #5 on: February 28, 2007, 01:59:11 PM »

Well, Kev, the reason I brought this up was so other people could tell me some of those tools that are better than fgdump to get at cached passwords. I looked around on Google and most of the tutorials on gathering the password caches use a tool called cachedump which is no longer in the public domain.

Now I've found that cachedump does come with fgdump, and if I use that program directly I can get the hashes that I want. Then I reformatted the cache file into a format that can be used by Cain and tried running a dictionary attack against the file. We'll see how well that works for me.
Kevin
Kev
« Reply #6 on: February 28, 2007, 02:35:14 PM »

Hey, it sounds like you are getting there. I hope the dictionary attack works as opposed to having to brute force it. As I posted before, L0phtCrack is my favorite. If it's discontinued, I wonder if it's legal for someone to sell or give their copy to someone? The interesting thing is some cache dump tools work better than others depending on the setup. I have run into a situation one time where I tried 3 different tools and it was the 3rd one, Cachedump, that did the trick. It's good to have an arsenal, at least that's my experience. That's why I recommended hunting down a few different ones and start playing with them. You have to be flexible and creative to hack. Sounds like that's what you are doing. Good job!
mn_kthompson
« Reply #7 on: February 28, 2007, 02:51:46 PM »

Thanks, Kev. You don't have to think very hard to figure that the key to dictionary attacks is having a great word list. I found a website that has a pretty good pile of word lists that people might want to check out: http://www.theargon.com/achilles/wordlists/.

So far I have managed to break 5 of 17 passwords with the dictionary attack, which I would consider to be pretty good results.  After all, a person only needs one to cause some damage.

The point of this whole exercise is to come up with some tips for making the lab computers at our university less susceptible to this kind of thing.  I have a few suggestions that I will run by my managers:
   1. We need to alter the registry so that we don't cache credentials.
   2. We need to make sure that the workstations aren't storing LANMAN hashes of local accounts.
   3. Maybe we should alter group policy so that users cannot run executables from a USB drive.
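As an added example (not code from the thread or from any of its posters), here is a PowerShell script that audits a lab workstation against the three suggestions in this post and, with `-Enforce`, applies the first two. The registry locations used are the standard ones for these settings: `CachedLogonsCount` under the Winlogon key and `NoLMHash` under the Lsa key. The third check only reports: it reads the Software Restriction Policy `DefaultLevel` under `Safer\CodeIdentifiers`, and whether that key exists at all is an assumption about the machine, since SRP is normally deployed through Group Policy, which also overrides anything written here by hand. Run it from an elevated prompt.

```powershell
# Added example, not from the thread. Audit (and optionally enforce) the three
# hardening points above on a single workstation. Assumed registry locations:
#   CachedLogonsCount (REG_SZ)  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
#   NoLMHash (REG_DWORD)        HKLM\SYSTEM\CurrentControlSet\Control\Lsa
#   DefaultLevel (REG_DWORD)    HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
#                               (SRP default rule: 0 = Disallowed, 0x40000 = Unrestricted)
[CmdletBinding()]
param(
    [switch]$Enforce,           # apply the fixable settings instead of only reporting
    [int]$MaxCachedLogons = 0   # 0 disables caching; 1 or 2 keeps laptops usable offline
)

$checks = @(
    @{ Name = 'Cached domain logons limited'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'CachedLogonsCount'; Type = 'String'; Want = "$MaxCachedLogons"
       Test = { param($v) [int]$v -le $MaxCachedLogons }
       Enforceable = $true },
    @{ Name = 'LM hash storage disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'NoLMHash'; Type = 'DWord'; Want = 1
       Test = { param($v) $v -eq 1 }
       Enforceable = $true },
    # Not enforced here: setting DefaultLevel to Disallowed without the accompanying
    # allow rules for %SystemRoot% and %ProgramFiles% would block every executable,
    # so this one is left to a proper GPO (SRP or AppLocker) and only reported.
    @{ Name = 'SRP default rule is Disallowed'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
       Value = 'DefaultLevel'; Type = 'DWord'; Want = 0
       Test = { param($v) $v -eq 0 }
       Enforceable = $false }
)

$results = foreach ($c in $checks) {
    # A missing value is reported as <not set>; the OS default then applies
    # (10 cached logons; LM hashes are already not stored on Vista and later).
    $item    = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.$($c.Value) } else { $null }
    $ok      = ($null -ne $current) -and (& $c.Test $current)

    if (-not $ok -and $Enforce -and $c.Enforceable) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -Type $c.Type
        $current = $c.Want
        $ok = $true
    }

    [pscustomobject]@{
        Check   = $c.Name
        Current = if ($null -eq $current) { '<not set>' } else { $current }
        Wanted  = $c.Want
        Status  = if ($ok) { 'OK' }
                  elseif ($Enforce -and -not $c.Enforceable) { 'MANUAL' }
                  else { 'FAIL' }
    }
}

$results | Format-Table -AutoSize
```

Run it once without `-Enforce` to see where each lab machine stands, then with `-Enforce` on the machines that are always on the wired network; a `CachedLogonsCount` of 0 means a domain user cannot log on at all while the domain controller is unreachable, which is acceptable for a lab desktop but not for a laptop. On a domain-joined machine these values should be set through Group Policy (Interactive logon: Number of previous logons to cache, and Network security: Do not store LAN Manager hash value on next password change) rather than by script, so that the policy engine does not revert them.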
LSOChris
« Reply #8 on: February 28, 2007, 04:04:47 PM »

There is a patch for John the Ripper (1.6.x) for cachedump-outputted pw files. It may be included with the 1.7 version; I don't recall checking, though.
© 2013 The Ethical Hacker Network