
Cached Credentials and LM hash


d3l0n

Jr. Member

Posts: 59

Joined: Sat Dec 27, 2008 6:48 pm

Post Sat Dec 26, 2009 2:22 am

Cached Credentials and LM hash

Do you guys know a way to prevent an LM hash from being stored as part of cached credentials?

d3l0n

Jr. Member

Posts: 59

Joined: Sat Dec 27, 2008 6:48 pm

Post Sat Dec 26, 2009 11:36 am

Re: Cached Credentials and LM hash

I have a domain controller and a workstation that is a member of this domain.

The domain (2003 SP2) has LMCompatibilityLevel set to 4.
The workstation (XP SP3) has LMCompatibilityLevel set to 3 and NoLMHash set to 1.

I logged on to the workstation as a user with domain admin rights, then used a tool called mscvtl.exe to list the credentials and got the following:

DOMAIN\Administrator a0d412ed972ffe81aad3b435b51404ee:312c6174da490caeb422f3fa5a7aeer4

Using fgdump on the domain I got the following:
Administrator:500:a0d412ed972ffe81aad3b435b51404ee:312c6174da490caeb422f3fa5a7aeer4

As you can see the hashes obtained from both the domain and the workstation are the same.

I know that cached credentials are different from LM and NTLM hashes, as they are hashed with the username.

So my questions based on this:

Why are the cached credentials on the workstation exactly the same as the ones on the domain (not different from them)?

Why is LM being stored on the station despite the fact that NoLMHash is set to prevent the LM hash from being stored?

Thank you

unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Mon Dec 28, 2009 11:21 am

Re: Cached Credentials and LM hash

I am not very familiar with enabling the nolmhash option (and my internet is acting up right now), but I do know if the password is longer than 15 characters it will not be stored as an LM hash. Your setup appears to be solid per M$ (http://support.microsoft.com/kb/299656).

Also, I hope you altered the hash in some way, rather than just posting the hash on the internet. Most of us are well-meaning security professionals, but you have the possibility of opening up a security hole in your organization by posting this information.

Good luck.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Dec 28, 2009 12:40 pm

Re: Cached Credentials and LM hash

Have you changed your passwords since you implemented the NoLMHash option? Accounts that had LM hashes enabled prior to you enabling this setting will continue to store LM hashes until the next password change.
~~~~~~~~~~~~~~
Ketchup

d3l0n

Jr. Member

Posts: 59

Joined: Sat Dec 27, 2008 6:48 pm

Post Mon Dec 28, 2009 7:33 pm

Re: Cached Credentials and LM hash

Thank you guys for responding back.

@unsupported, the hashes are from lab machines that are not facing the internet, but I agree with you and thanks for the tip. I know that a password that is 15 characters long will not be stored as an LM hash. I used one in addition to setting NoLMHash, but it puzzled me when using Metasploit hashdump I get both the LM and NTLM hashes and LM was not zeros. (Heck, fgdump shows zeros on the machine itself :))

@Ketchup, yes I did change the password for the testing account that was created before having NoLMHash enabled. But after having it enabled, I created a new account and the newly created account had an LM hash available/stored (not zeros).

So it seems even after enabling NoLMHash any new account needs to change its password to make sure it will not be stored as an LM hash.

That's something I try to understand. :)
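
Added example, not part of any post in this thread: a Python check that reads pwdump-style lines (the `user:rid:LM:NT` layout of the fgdump output quoted above) and reports, per account, whether an LM hash is really stored, which is how to confirm that NoLMHash took effect after a password change. The account names and hash values in the sample are constructed, and treating a non-hex LM field as a dump-tool placeholder is an assumption.

```python
import re

# LM hash of an empty 7-character half. A full LM hash is two 8-byte halves,
# so a field made of two of these means "no LM hash stored" (blank placeholder).
EMPTY_LM_HALF = "aad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def classify_lm(lm_field):
    """Return 'absent', 'stored-short' or 'stored' for one LM field."""
    lm = lm_field.strip().lower()
    if not HEX32.match(lm):
        # Assumption: non-hex text here is a tool placeholder, not a hash.
        return "absent"
    if lm == "0" * 32 or lm == EMPTY_LM_HALF * 2:
        return "absent"
    if lm[16:] == EMPTY_LM_HALF:
        # A real first half with an empty second half: an LM hash is stored
        # and the password is 7 characters or fewer.
        return "stored-short"
    return "stored"


def audit(dump_text):
    """Return [(account, classification)] for every pwdump-style line."""
    findings = []
    for line in dump_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # not a user:rid:lm:nt line
        findings.append((parts[0], classify_lm(parts[2])))
    return findings


# Constructed sample input; none of these values come from a real system.
SAMPLE = """\
labuser1:1001:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
labuser2:1002:0123456789abcdeffedcba9876543210:00112233445566778899aabbccddeeff:::
labuser3:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
labuser4:1004:00000000000000000000000000000000:00112233445566778899aabbccddeeff:::
labuser5:1005:NO PASSWORD*********************:00112233445566778899aabbccddeeff:::
"""

if __name__ == "__main__":
    for account, status in audit(SAMPLE):
        print(f"{account}: LM hash {status}")
```

Any account reported as `stored` or `stored-short` still has an LM hash on disk and needs a password change (or a longer password) before the setting has any effect for it.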
