
cached domain password retrieval

<<

mn_kthompson

Jr. Member

Posts: 58

Joined: Tue Sep 19, 2006 1:59 pm

Location: Mankato, MN

Post Tue Feb 27, 2007 6:05 pm

cached domain password retrieval

Hi all,

I was wondering what tools you guys use to retrieve and crack any cached credentials for domain users on workstations.  I was in a meeting about password policy and I mentioned that our computer lab computers are still set to cache credentials and store NTLM passwords for users.  Later I went to one of our lab computers and used fgdump to get a list of hashes for local accounts on the machine.  However, no matter what I try I can't seem to get a list of cached credentials for domain accounts that have logged in.  I know that there has been plenty of activity on these machines, but I can't get at it.  I tried using Cain, but I keep getting an error about LSASS.  And yes, I am logging in with a local administrator account on the machine.

Any ideas?
<<

Kev

Post Wed Feb 28, 2007 9:45 am

Re: cached domain password retrieval

Have you tried L0phtCrack? Cain is good (called the poor man's L0phtCrack), but L0phtCrack is stronger for digging in.  It is still my favorite.
<<

mn_kthompson

Jr. Member

Posts: 58

Joined: Tue Sep 19, 2006 1:59 pm

Location: Mankato, MN

Post Wed Feb 28, 2007 9:58 am

Re: cached domain password retrieval

The word on the street is that Symantec bought L0phtCrack and discontinued it.  I couldn't find the program anywhere.  The open source cousin of L0phtCrack, Ophcrack, doesn't seem to be able to gather cached credentials, only local accounts.  Any other ideas, or does anyone have some thoughts on what I'm doing wrong?
<<

CadillacGolfer

Newbie

Posts: 36

Joined: Thu Dec 14, 2006 1:58 pm

Post Wed Feb 28, 2007 10:41 am

Re: cached domain password retrieval

What are the command line switches you are using with fgdump?
<<

Kev

Post Wed Feb 28, 2007 10:59 am

Re: cached domain password retrieval

You could try hacking it like a hacker.  There are a number of cache dump tools that are good and I think a little better than fgdump. You might want to Google them and play with them. Tools that require Admin access will not work if there is an error or misconfiguration in Windows. Is there an actual error in your permissions or authentication setup?  The authentication process itself is handled by LSASS and you are getting an error there.  Some live Linux CDs work well for getting around that.  You boot to the CD, bypass the entire Admin thing, and it allows you to grab the SAM file or whatever you want to a USB drive.
<<

mn_kthompson

Jr. Member

Posts: 58

Joined: Tue Sep 19, 2006 1:59 pm

Location: Mankato, MN

Post Wed Feb 28, 2007 2:59 pm

Re: cached domain password retrieval

Well, Kev, the reason I brought this up was so other people could tell me some of those tools that are better than fgdump to get at cached passwords.  I looked around on Google and most of the tutorials on gathering the password caches use a tool called cachedump which is no longer in the public domain.

Now I've found that cachedump does come with fgdump, and if I use that program directly I can get the hashes that I want.  Then I reformatted the cache file into a format that can be used by Cain and tried running a dictionary attack against the file.  We'll see how well that works for me.
Kevin
<<

Kev

Post Wed Feb 28, 2007 3:35 pm

Re: cached domain password retrieval

Hey, it sounds like you are getting there.  I hope the dictionary attack works as opposed to having to brute force it.  As I posted before, L0phtCrack is my favorite. If it's discontinued, I wonder if it's legal for someone to sell or give their copy to someone?  The interesting thing is some cache dump tools work better than others depending on the setup. I have run into a situation one time where I tried 3 different tools and it was the 3rd one, Cachedump, that did the trick.  It's good to have an arsenal, at least that's my experience. That's why I recommended hunting down a few different ones and starting to play with them.  You have to be flexible and creative to hack. Sounds like that's what you are doing. Good job!
<<

mn_kthompson

Jr. Member

Posts: 58

Joined: Tue Sep 19, 2006 1:59 pm

Location: Mankato, MN

Post Wed Feb 28, 2007 3:51 pm

Re: cached domain password retrieval

Thanks, Kev.  You don't have to think very hard to figure that the key to dictionary attacks is having a great word list.  I found a website that has a pretty good pile of word lists that people might want to check out.  http://www.theargon.com/achilles/wordlists/.

So far I have managed to break 5 of 17 passwords with the dictionary attack, which I would consider to be pretty good results.  After all, a person only needs one to cause some damage.

The point of this whole exercise is to come up with some tips for making the lab computers at our university less susceptible to this kind of thing.  I have a few suggestions that I will run by my managers:
  1. We need to alter the registry so that we don't cache credentials
  2. We need to make sure that the workstations aren't storing LANMAN hashes of local accounts
  3. Maybe we should alter group policy so that users cannot run executables from a USB drive.
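The first two suggestions above map to two well-known registry values: `CachedLogonsCount` under the Winlogon key (a REG_SZ string, default "10", which controls how many domain logons the workstation caches) and `NoLMHash` under the Lsa key (a REG_DWORD, 1 means Windows stops storing the LM hash at the next password change). The PowerShell script below is an added example, not code from the thread or any of its posters; it audits both values on the local machine and, only when run with `-Fix`, sets them to the hardened values. The script name and the `-Fix` switch are this example's own choices. Suggestion 3 (blocking executables on removable drives) is normally done with Software Restriction Policies or AppLocker in Group Policy and is not covered here.

```powershell
# Added example (not from the thread): audit, and optionally set, the two
# registry controls behind suggestions 1 and 2 above. Run from an elevated
# (local administrator) PowerShell prompt. Without -Fix it only reports.
[CmdletBinding()]
param(
    [switch]$Fix
)

# Each check: where the value lives, its registry type, and the hardened value.
$checks = @(
    @{
        Name     = 'CachedLogonsCount (suggestion 1: do not cache domain logons)'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Value    = 'CachedLogonsCount'
        Type     = 'String'   # this value is REG_SZ, not REG_DWORD
        Expected = '0'        # Windows default is "10" cached logons
    },
    @{
        Name     = 'NoLMHash (suggestion 2: stop storing LM hashes)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Value    = 'NoLMHash'
        Type     = 'DWord'
        Expected = 1
    }
)

$results = foreach ($c in $checks) {
    # Missing value -> $null (SilentlyContinue suppresses the "property not found" error).
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)

    # Compare as strings so a DWORD 1 and a string "1" are both handled.
    $compliant = ($null -ne $current) -and ("$current" -eq "$($c.Expected)")

    if (-not $compliant -and $Fix) {
        # Set-ItemProperty creates the value if it does not exist yet.
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type $c.Type
        $current   = $c.Expected
        $compliant = $true
    }

    $display = if ($null -eq $current) { '<not set>' } else { "$current" }

    [pscustomobject]@{
        Setting   = $c.Name
        Current   = $display
        Expected  = $c.Expected
        Compliant = $compliant
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code when anything is still non-compliant, so the script can
# be used as a check in a scheduled job or imaging pipeline.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Two caveats a practitioner will want before rolling this out: setting `CachedLogonsCount` to 0 means nobody can log on with a domain account while the domain controller is unreachable, which is fine for wired lab desktops but a problem for laptops; and `NoLMHash` only stops new LM hashes from being written, so LM hashes for existing local accounts stay on disk until those accounts change their passwords.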
<<

LSOChris

Post Wed Feb 28, 2007 5:04 pm

Re: cached domain password retrieval

There is a patch for John the Ripper (1.6.x) for cachedump output password files.  It may be included with the 1.7 version, I don't recall checking though.
