Cached Credentials and LM hash

    • #4517
      d3l0n
      Participant

      Do you guys know a way to prevent an LM hash from being stored as part of cached credentials?

    • #28265
      d3l0n
      Participant

      I have a domain controller and a workstation that is a member of this domain.

      The domain (2003 SP2) has LMCompatibilityLevel set to 4.
      The workstation (XP SP3) has LMCompatibilityLevel set to 3 and NoLMHash set to 1.

      I logged on the workstation as a user with domain admins rights, then used a tool called mscvtl.exe to list the credentials and got the following:

      DOMAINAdministrator a0d412ed972ffe81aad3b435b51404ee:312c6174da490caeb422f3fa5a7aeer4

      Using fgdump on the domain I got the following:
      Administrator:500:a0d412ed972ffe81aad3b435b51404ee:312c6174da490caeb422f3fa5a7aeer4

      As you can see the hashes obtained from both the domain and the workstation are the same.

      I know that cached credentials are different from LM and NTLM hashes, as they are hashed with the username.

      So my questions based on this:

      Why are the cached credentials on the workstation exactly the same as the ones on the domain (not different from them)?

      Why is LM being stored on the station despite the fact that NoLMHash is set to prevent the LM hash from being stored?

      Thank you

    • #28266
      unsupported
      Participant

      I am not very familiar with enabling the nolmhash option (and my internet is acting up right now), but I do know if the password is longer than 15 characters it will not be stored as an LM hash.  Your setup appears to be solid per M$ (http://support.microsoft.com/kb/299656).

      Also, I hope you altered the hash in some way, rather than just posting the hash on the internet.  Most of us are well meaning security professionals, but you have the possibility of opening up a security hole in your organization by posting this information.

      Good luck.

    • #28267
      Ketchup
      Participant

      Have you changed your passwords since you implemented the NoLMHash option?  Accounts that had LM hashes enabled prior to you enabling this setting will continue to store LM hashes until the next password change.

    • #28268
      d3l0n
      Participant

      Thank you guys for responding back.

      @unsupported, the hashes are from lab machines that are not facing the internet, but I agree with you and thanks for the tip. I know that a password that is 15 characters long will not be stored as an LM hash. I used one in addition to setting NoLMHash, but it puzzled me that when using Metasploit hashdump I get both the LM and NTLM hashes and the LM was not zeros. (Heck, fgdump shows zeros on the machine itself :))

      @Ketchup, yes I did change the password for the testing account that was created before having NoLMhash enabled. But after having it enabled, I created a new account and the newly created account had LM hash available/stored (Not zeros).

      So it seems that even after enabling NoLMHash, any new account needs to change its password to make sure it will not be stored as an LM hash.

      That’s something I try to understand. 🙂
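
Added example, not part of any post in this thread: a small audit script for the pwdump-style `user:rid:lm:nt:::` output that fgdump produces, reporting which accounts still carry a real LM hash after NoLMHash was set and passwords were changed. The function names `lm_state` and `audit` are hypothetical, and the sample lines and hash values are constructed for the example.

```python
import re

# LM hash of an empty 7-byte half; a fixed constant of the LM algorithm.
EMPTY_HALF = "aad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def lm_state(lm_field):
    """Classify the LM column of one pwdump-style line."""
    lm = lm_field.strip().lower()
    if lm.startswith("no password"):
        return "absent"        # placeholder some dump tools print
    if not HEX32.match(lm):
        return "unparsed"      # not a 32-digit hex value, do not guess
    if lm == "0" * 32 or lm == EMPTY_HALF * 2:
        return "absent"        # zeros, or the LM hash of an empty password
    if lm[16:] == EMPTY_HALF:
        return "stored-short"  # real LM hash, password of 7 characters or fewer
    return "stored"            # real LM hash, password of 8 to 14 characters

def audit(dump_text):
    """Return {account: state} for accounts that still have an LM hash."""
    findings = {}
    for line in dump_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue           # not a user:rid:lm:nt line
        state = lm_state(parts[2])
        if state.startswith("stored"):
            findings[parts[0]] = state
    return findings

# Constructed sample input; every hash value here is made up.
SAMPLE = """\
labadmin:500:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
svc_backup:1104:0123456789abcdeffedcba9876543210:00112233445566778899aabbccddeeff:::
newuser:1105:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
longpass:1106:NO PASSWORD*********************:00112233445566778899aabbccddeeff:::
"""

if __name__ == "__main__":
    for account, state in audit(SAMPLE).items():
        print(f"{account}: LM hash {state}, needs a password change")
```

Any account the script reports needs a password change made while NoLMHash is in effect before its LM hash disappears from the account database.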

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?