December 26, 2009 at 7:22 am #4517
Do you guys know a way to prevent a LM from being stored as part of cached credentials?
December 26, 2009 at 4:36 pm #28265
I have a domain controller and a workstation that is a member of this domain.
The domain (2003 SP2) has LMCompatibilityLevel set to 4.
The workstation (XP SP3) has LMCompatibilityLevel set to 3 and NoLMHash set to 1.
I logged on to the workstation as a user with Domain Admins rights, then used a tool called mscvtl.exe to list the credentials and got the following:
Using fgdump on the domain I got the following:
As you can see the hashes obtained from both the domain and the workstation are the same.
I know that cached credentials are different from LM and NTLM hashes, as they are hashed with the username.
So my questions based on this:
Why are the cached credentials on the workstation exactly the same as the ones on the domain (not different from them)?
Why is an LM hash being stored on the workstation despite the fact that NoLMHash is set to prevent LM hashes from being stored?
December 28, 2009 at 4:21 pm #28266 unsupported (Participant)
I am not very familiar with enabling the NoLMHash option (and my internet is acting up right now), but I do know that if the password is longer than 15 characters it will not be stored as an LM hash. Your setup appears to be solid per M$ (http://support.microsoft.com/kb/299656).
Also, I hope you altered the hash in some way, rather than just posting the hash on the internet. Most of us are well meaning security professionals, but you have the possibility of opening up a security hole in your organization by posting this information.
December 28, 2009 at 5:40 pm #28267 Ketchup (Participant)
Have you changed your passwords since you implemented the NoLMHash option? Accounts that had LM hashes enabled prior to you enabling this setting will continue to store LM hashes until the next password change.
December 29, 2009 at 12:33 am #28268
Thank you guys for responding back.
@unsupported, the hashes are from lab machines that are not facing the internet, but I agree with you and thanks for the tip. I know that a password that is 15 characters long will not be stored as an LM hash. I used one in addition to setting NoLMHash, but it puzzled me that when using metasploit hashdump I get both the LM and NTLM hashes, and the LM was not zeros. (Heck, fgdump shows zeros on the machine itself :))
@Ketchup, yes, I did change the password for the testing account that was created before having NoLMHash enabled. But after having it enabled, I created a new account, and the newly created account had an LM hash available/stored (not zeros).
So it seems that even after enabling NoLMHash, any new account needs to change its password to make sure it will not be stored as an LM hash.
That's something I'm trying to understand. 🙂