Topic: Cached Credentials and LM hash
d3l0n
« on: December 26, 2009, 01:22:59 AM »

Do you guys know a way to prevent an LM hash from being stored as part of cached credentials?
d3l0n
« Reply #1 on: December 26, 2009, 10:36:32 AM »

I have a domain controller and a workstation that is a member of this domain.

The domain (2003 SP2) has LMCompatibilityLevel set to 4
The workstation (XP SP3) has LMCompatibilityLevel set to 3 and NoLMHash set to 1.

I logged on the workstation as a user with domain admins rights, then used a tool called mscvtl.exe to list the credentials and got the following:

DOMAIN\Administrator a0d412ed972ffe81aad3b435b51404ee:312c6174da490caeb422f3fa5a7aeer4

Using fgdump on the domain I got the following:
Administrator:500:a0d412ed972ffe81aad3b435b51404ee:312c6174da490caeb422f3fa5a7aeer4

As you can see the hashes obtained from both the domain and the workstation are the same.

I know that cached credentials are different from LM and NTLM hashes, as they are hashed with the username.

So my questions based on this:

Why are the cached credentials on the workstation exactly the same as the ones on the domain (not different from them)?

Why is LM being stored on the station despite the fact that NoLMHash is set to prevent the LM hash from being stored?

Thank you
unsupported
« Reply #2 on: December 28, 2009, 10:21:00 AM »

I am not very familiar with enabling the nolmhash option (and my internet is acting up right now), but I do know if the password is longer than 15 characters it will not be stored as an LM hash.  Your setup appears to be solid per M$ (http://support.microsoft.com/kb/299656).

Also, I hope you altered the hash in some way, rather than just posting the hash on the internet.  Most of us are well meaning security professionals, but you have the possibility of opening up a security hole in your organization by posting this information.

Good luck.

-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
Ketchup
« Reply #3 on: December 28, 2009, 11:40:41 AM »

Have you changed your passwords since you implemented the NoLMHash option?  Accounts that had LM hashes enabled prior to you enabling this setting will continue to store LM hashes until the next password change.


~~~~~~~~~~~~~~
Ketchup
d3l0n
« Reply #4 on: December 28, 2009, 06:33:17 PM »

Thank you guys for responding back.

@unsupported, the hashes are from lab machines that are not facing the internet, but I agree with you and thanks for the tip. I know that a password that is 15 characters long will not be stored as an LM hash. I used one in addition to setting NoLMHash, but it puzzled me when using metasploit hashdump I get both the LM and NTLM hashes and LM was not zeros. (Heck, fgdump shows zeros on the machine itself :))

@Ketchup, yes I did change the password for the testing account that was created before having NoLMhash enabled. But after having it enabled, I created a new account and the newly created account had LM hash available/stored (Not zeros).

So it seems even after enabling NoLMHash any new account needs to change its password to make sure it will not be stored as an LM hash.

That's something I'm trying to understand. :)
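
The replies above say an account keeps its LM hash until its next password change, so after enabling NoLMHash the practical check is which accounts still have one stored. The Python below is an added example, not code from the thread or from any tool named in it; it assumes pwdump-style user:rid:lm:nt lines like the fgdump output quoted above, and the function names and every sample line except the first are constructed.

```python
# Added example: audit pwdump-style lines (user:rid:lm:nt) for stored LM hashes.

# LM hash of an empty password. Each 16-hex-digit half covers 7 characters,
# so this half also appears when the second 7 characters are empty.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_HALF = EMPTY_LM[:16]


def classify_lm(lm_field):
    """Describe what the LM field of one account line contains."""
    lm = lm_field.strip().lower()
    is_hex = len(lm) == 32 and set(lm) <= set("0123456789abcdef")
    if not is_hex:
        return "no-lm"            # assumption: tool printed placeholder text
    if lm == EMPTY_LM or set(lm) == {"0"}:
        return "no-lm"            # empty-password constant or zeros
    if lm[16:] == EMPTY_HALF:
        return "lm-stored-short"  # LM stored; password is 7 characters or fewer
    return "lm-stored"            # LM stored for a longer password


def audit(lines):
    """Return {account: classification} for every parsable line."""
    findings = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 4:
            findings[parts[0]] = classify_lm(parts[2])
    return findings


def needs_password_change(findings):
    """Accounts whose LM hash is still stored and should get a new password."""
    return sorted(a for a, c in findings.items() if c.startswith("lm-stored"))


# First line is the one posted in the thread; the rest are constructed samples.
NT = "0123456789abcdef0123456789abcdef"  # constructed filler, not a real hash
SAMPLE = [
    "Administrator:500:a0d412ed972ffe81aad3b435b51404ee:312c6174da490caeb422f3fa5a7aeer4",
    f"legacy_user:1104:0123456789abcdeffedcba9876543210:{NT}:::",
    f"no_lm_user:1105:{EMPTY_LM}:{NT}:::",
    f"zeroed_user:1106:{'0' * 32}:{NT}:::",
    f"placeholder_user:1107:NO PASSWORD*********************:{NT}:::",
]

if __name__ == "__main__":
    for account, verdict in audit(SAMPLE).items():
        print(f"{account:18} {verdict}")
    print("reset needed:", needs_password_change(audit(SAMPLE)))
```

Run it against a dump taken after the NoLMHash change and the password resets; any account still reported as lm-stored has not had its password changed since the setting took effect.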