Author: Abbos (Just Arrived) | Joined: 26 Feb 2003 | Posts: 0 | Location: Berkshire, UK
Posted: Tue Aug 10, 2004 1:05 am | Post subject: Where are domain password hashes stored on a local machine?
Hi Guys/Girls,
I have just recently started playing with Rainbow Tables and am curious to find out where the hashes are stored on a local machine for domain users that have logged on to it.
Could anyone help?
Thanks in advance.
Author: White Scorpion (Just Arrived) | Joined: 19 Sep 2003 | Posts: 5 | Location: The Netherlands
Posted: Tue Aug 10, 2004 7:39 am
Nowhere; they are stored on the DC. The only one that is stored locally is the one you used to log in; this one is stored in memory, and you can read it with the tool pw2kget.exe.
Author: mr_who (Just Arrived) | Joined: 14 Apr 2003 | Posts: 0
Posted: Fri Aug 13, 2004 3:52 pm
lepricaun wrote:
    Nowhere; they are stored on the DC. The only one that is stored locally is the one you used to log in; this one is stored in memory, and you can read it with the tool pw2kget.exe.

There are at least two places where your domain password is: the cache (remember CachedLogonCount?) and memory, but pw2kget doesn't seem to be able to get it very well. The amount might be bigger depending on your usage of the system.
Author: Bog (Just Arrived) | Joined: 23 Aug 2003 | Posts: 2 | Location: Toronto, Ontario Canada
Posted: Fri Aug 13, 2004 6:34 pm
Here's a test...
1. Log on to a workstation that is a member of a domain (using domain credentials).
2. Shut down.
3. Disconnect the computer from the network.
4. Start the workstation and try to log on to the domain with the same user credentials.
I believe this does work since the credentials are cached on the workstation. I have done this in the past and will test with my current workstation to confirm.
I do not know where these credentials would be cached but would love to know.
[edit]
Confirmed. I logged onto my Windows XP Pro workstation with cached credentials (I was physically disconnected from the LAN).

Please don't double post. Use the Edit button instead. - sgt_b
Author: White Scorpion (Just Arrived) | Joined: 19 Sep 2003 | Posts: 5 | Location: The Netherlands
Posted: Fri Aug 13, 2004 10:24 pm
Then I'm curious too!
If this is true, then this would be a big mistake, but I have never seen it working myself; I've tried it more than once though, on multiple systems of multiple companies...
Author: Mongrel (SF Mod) | Joined: 30 May 2002 | Posts: 8
Posted: Fri Aug 13, 2004 11:09 pm
It is true and there is good reason for it.

A real life example here: I am a member of the work domain at home via VPN. I log in normally, running all login scripts, and have access to the network resources. BUT when the VPN is down or I work locally I don't change the domain at logon.

Think about it: I would always have two profiles, two My Documents, two Favorites, two of *everything*. I would be constantly looking for that letter I was writing to the boss in c:\documents and settings\mynetworkprofile\my documents instead of clicking the My Documents desktop icon, and the like. I could not have common IE favorites. My OE mail would be in different profiles, so my emails would be in two different places.

As it is, my local profile folder is always the same. Say I was the sales manager traveling for a living. I wouldn't want to have two profiles for whether I'm on the VPN or working on the train.

It looks to see if the network is there and then uses the same credentials locally.

btw - I think the credentials are stored in the profile's ntuser.dat.
Author: White Scorpion (Just Arrived) | Joined: 19 Sep 2003 | Posts: 5 | Location: The Netherlands
Posted: Sat Aug 14, 2004 12:33 am
I've been trying to get that data out of the ntuser.dat files, but no success so far.
Does anyone have a clue?
Author: Bog (Just Arrived) | Joined: 23 Aug 2003 | Posts: 2 | Location: Toronto, Ontario Canada
Posted: Sat Aug 14, 2004 2:06 am
As mentioned above, CachedLogonCount set to 0 will prevent caching of these credentials. It may be controlled by Group Policy too: "Interactive Logon: Number of previous logons to cache" in the security policy.
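An added example, not posted by anyone in this thread: a PowerShell audit of the setting Bog describes. The registry value is actually spelled CachedLogonsCount (the thread writes CachedLogonCount) under the Winlogon key, and the Group Policy setting quoted above writes that same value; the script assumes it runs in an elevated PowerShell on the workstation being checked.

```powershell
# Audit and optionally harden the cached-logon count discussed in the thread.
# Value name: CachedLogonsCount (REG_SZ) under the Winlogon key; Windows treats a
# missing value as the default of 10 and accepts 0..50. 0 disables caching, at the
# cost Mongrel describes: no domain logon while the DC/VPN is unreachable.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsSetting {
    # Read the raw value and resolve the effective count (default 10 when unset).
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' `
            -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $raw) { $count = 10; $source = 'default (value not set)' }
    else                { $count = [int]$raw; $source = 'registry' }
    [pscustomobject]@{
        Path           = $WinlogonKey
        RawValue       = $raw
        EffectiveCount = $count
        CachingEnabled = ($count -gt 0)
        Source         = $source
    }
}

function Test-CachedLogonsPolicy {
    # Compare the effective count with the maximum your policy allows.
    param([ValidateRange(0, 50)][int]$MaxAllowed = 0)
    $s = Get-CachedLogonsSetting
    if ($s.EffectiveCount -gt $MaxAllowed) {
        $msg = 'CachedLogonsCount is {0} (source: {1}); exceeds allowed maximum of {2}.' -f `
               $s.EffectiveCount, $s.Source, $MaxAllowed
        Write-Warning $msg
        return $false
    }
    Write-Host ('CachedLogonsCount is {0}; within policy.' -f $s.EffectiveCount)
    return $true
}

function Set-CachedLogonsCount {
    # Hardening step; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 50)][int]$Count = 0)
    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set CachedLogonsCount to $Count")) {
        Set-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -Value "$Count" -Type String
    }
}

Get-CachedLogonsSetting | Format-List
Test-CachedLogonsPolicy -MaxAllowed 0 | Out-Null
# Preview the hardening change without applying it:
Set-CachedLogonsCount -Count 0 -WhatIf
```

On a domain-joined laptop that must still log on offline, pick a small non-zero MaxAllowed rather than 0, and apply the same number through the Group Policy setting so the local value is not overwritten at the next policy refresh.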
Author: White Scorpion (Just Arrived) | Joined: 19 Sep 2003 | Posts: 5 | Location: The Netherlands
Posted: Sat Aug 14, 2004 3:14 pm
Yes, I know, but I switched them on on purpose and still can't find it...
Author: MattA (Trusted SF Member) | Joined: 13 Jun 2003 | Posts: 16777193 | Location: Eastbourne + London
Author: PhiBer (SF Mod) | Joined: 11 Mar 2003 | Posts: 20 | Location: Your MBR
Posted: Thu Aug 19, 2004 1:25 am
The cached credentials include user name, password and domain. The info is stored in an irreversibly encrypted form on the local machine.
Author: White Scorpion (Just Arrived) | Joined: 19 Sep 2003 | Posts: 5 | Location: The Netherlands
Posted: Thu Aug 19, 2004 11:09 am
Does that mean you need to crack it? If so, which algorithm is used?
Author: anbanphd (Just Arrived) | Joined: 07 Aug 2004 | Posts: 0
Posted: Thu Aug 19, 2004 1:47 pm | Post subject: look at local sam file
Your local password will be stored in the Windows folder; you can do a search and find where it is. Now just run L0phtCrack or John the Ripper or Brutus to open the password by brute force attack or dictionary based password cracking.
Author: White Scorpion (Just Arrived) | Joined: 19 Sep 2003 | Posts: 5 | Location: The Netherlands
Posted: Thu Aug 19, 2004 6:02 pm
Do you mean it is in there in plain text (the hash, that is)? Because when you take a look at a SAM file, you normally can't see the hashes that easily... (maybe due to SYSKEY). And aren't logon credentials encrypted with SYSKEY too???