Security Forums

Where are domain password hashes stored on a local machine?

Networking/Security Forums Index -> Cryptographic Theory and Cryptanalysis - Internal and Transmission Security

Abbos
Just Arrived
Joined: 26 Feb 2003
Posts: 0
Location: Berkshire, UK

Posted: Tue Aug 10, 2004 1:05 am    Post subject: Where are domain password hashes stored on a local machine?

Hi Guys/Girls,

I have just recently started playing with Rainbow Tables and am curious to find out where the hashes are stored on a local machine for domain users that have logged on to it.

Could anyone help?

Thanks in advance.
White Scorpion
Just Arrived
Joined: 19 Sep 2003
Posts: 5
Location: The Netherlands

Posted: Tue Aug 10, 2004 7:39 am

Nowhere; they are stored on the DC. The only one that is stored locally is the one you used to log in; this one is stored in memory, and you can read it with the tool pw2kget.exe.
mr_who
Just Arrived
Joined: 14 Apr 2003
Posts: 0

Posted: Fri Aug 13, 2004 3:52 pm

lepricaun wrote:
Nowhere; they are stored on the DC. The only one that is stored locally is the one you used to log in; this one is stored in memory, and you can read it with the tool pw2kget.exe.

There are at least two places where your domain password is: the cache (remember CachedLogonCount?) and memory, but pw2kget doesn't seem to be able to get it very well.

The amount might be bigger depending on your usage of the system.
Bog
Just Arrived
Joined: 23 Aug 2003
Posts: 2
Location: Toronto, Ontario Canada

Posted: Fri Aug 13, 2004 6:34 pm

Here's a test...

1. Logon to a workstation that is a member of a domain (using domain credentials).
2. Shutdown.
3. Disconnect the computer from the network.
4. Start the workstation and try to logon to the domain with the same user credentials.

I believe this does work since the credentials are cached on the workstation. I have done this in the past and will test with my current workstation to confirm.

I do not know where these credentials would be cached but would love to know.

[edit]

Confirmed. I logged onto my Windows XP Pro workstation with cached credentials (I was physically disconnected from the LAN).

Please don't double post. Use the Edit button instead. - sgt_b
White Scorpion
Just Arrived
Joined: 19 Sep 2003
Posts: 5
Location: The Netherlands

Posted: Fri Aug 13, 2004 10:24 pm

Then I'm curious too!
If this is true, then this would be a big mistake, but I have never seen it working myself; I've tried it more than once though, on multiple systems of multiple companies...
Mongrel
SF Mod
Joined: 30 May 2002
Posts: 8

Posted: Fri Aug 13, 2004 11:09 pm

It is true and there is good reason for it.

A real-life example here: I am a member of the work domain at home via VPN. I log in normally, running all login scripts, and have access to the network resources.

BUT when the VPN is down or I work locally I don't change the Domain at logon.

Think about it: I would always have two profiles, two My Documents, two Favorites, two of *everything*.

I would be constantly looking for that letter I was writing to the boss in c:\documents and settings\mynetworkprofile\my documents instead of clicking the My Documents desktop icon, and the like. I could not have common IE favorites. My OE mail would be in different profiles, so my emails would be in two different places.

As it is, my local profile folder is always the same. Say I was the sales manager traveling for a living. Wouldn't want to have two profiles for whether I'm on the VPN or working on the train.

It looks to see if the network is there and then uses the same credentials locally.

btw - I think the credentials are stored in the profile's ntuser.dat.
White Scorpion
Just Arrived
Joined: 19 Sep 2003
Posts: 5
Location: The Netherlands

Posted: Sat Aug 14, 2004 12:33 am

I've been trying to get that data out of the ntuser.dat files, but no success so far.

Does anyone have a clue?
Bog
Just Arrived
Joined: 23 Aug 2003
Posts: 2
Location: Toronto, Ontario Canada

Posted: Sat Aug 14, 2004 2:06 am

As mentioned above, CachedLogonCount set to 0 will prevent caching of these credentials. It may be controlled by Group Policy too.

"Interactive Logon: Number of previous logons to cache" in the security policy.
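A defender-side check for the setting Bog describes, added here as an example and not taken from the thread. The registry value the thread calls "CachedLogonCount" is actually named CachedLogonsCount under the Winlogon key, and the policy item "Interactive logon: Number of previous logons to cache" writes that same value; the key path, the default of 10 when the value is absent, and the 0-50 range come from Windows documentation, not from this thread.

```powershell
# Added example, not from the thread: audit the cached-logon count on the local
# machine and offer a local remediation. CachedLogonsCount is a REG_SZ value under
# the Winlogon key; the Group Policy item "Interactive logon: Number of previous
# logons to cache" sets the same value.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsAudit {
    [CmdletBinding()]
    param(
        # Largest count you are willing to accept; 0 means caching must be off.
        [ValidateRange(0, 50)][int]$MaxAllowed = 0
    )
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount

    if ($null -eq $raw) {
        # Value absent: Windows falls back to its default of 10 cached logons,
        # so "not configured" is NOT the same as "disabled".
        $count  = 10
        $source = 'default (value not present)'
    } else {
        $parsed = 0
        if (-not [int]::TryParse([string]$raw, [ref]$parsed)) {
            throw "CachedLogonsCount holds an unexpected value: '$raw'"
        }
        $count  = $parsed
        $source = 'registry'
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        CachedLogonsCount = $count
        Source            = $source
        CachingEnabled    = ($count -gt 0)
        Compliant         = ($count -le $MaxAllowed)
    }
}

function Set-CachedLogonsCount {
    # Local remediation (needs admin rights). On a domain member, Group Policy
    # re-applies its own value at the next refresh, so the lasting fix is the
    # policy setting itself, not this local write.
    param([ValidateRange(0, 50)][int]$Count)
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
        -Value ([string]$Count) -Type String
}

# Typical use: report first; disabling caching on a laptop that must log on
# offline (Mongrel's VPN case above) will lock its users out, so decide per role.
Get-CachedLogonsAudit -MaxAllowed 0 | Format-List
# After review, to turn caching off locally:  Set-CachedLogonsCount -Count 0
```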
White Scorpion
Just Arrived
Joined: 19 Sep 2003
Posts: 5
Location: The Netherlands

Posted: Sat Aug 14, 2004 3:14 pm

Yes, I know, but I switch them on on purpose and still can't find it...
MattA
Trusted SF Member
Joined: 13 Jun 2003
Posts: 16777193
Location: Eastbourne + London

Posted: Mon Aug 16, 2004 9:30 pm

The cached logon details are stored in syskey in 2k.

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/prnb_efs_zbxr.asp

and in NT4 in this registry key:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q199/0/71.asp&NoWebContent=1

Discussion at insecure.org:
http://seclists.org/lists/vuln-dev/2001/Jan/0027.html
PhiBer
SF Mod
Joined: 11 Mar 2003
Posts: 20
Location: Your MBR

Posted: Thu Aug 19, 2004 1:25 am

The cached credentials include user name, password and domain. The info is stored in an irreversibly encrypted form on the local machine.
White Scorpion
Just Arrived
Joined: 19 Sep 2003
Posts: 5
Location: The Netherlands

Posted: Thu Aug 19, 2004 11:09 am

Does that mean you need to crack it? If so, which algorithm is used?
anbanphd
Just Arrived
Joined: 07 Aug 2004
Posts: 0

Posted: Thu Aug 19, 2004 1:47 pm    Post subject: look at local sam file

Your local password will be stored in the Windows folder; you can do a search and find where it is. Now just run L0phtCrack or John the Ripper or Brutus to open the password by brute-force attack or dictionary-based password cracking.
White Scorpion
Just Arrived
Joined: 19 Sep 2003
Posts: 5
Location: The Netherlands

Posted: Thu Aug 19, 2004 6:02 pm

Do you mean it is in there in plain text (the hash, that is)? Because when you take a look at a SAM file, you normally can't see the hashes that easily... (maybe due to syskey). And aren't logon credentials encrypted with syskey too???