From: Mark Parry (Mark.Parry psi-cu-software.com)
Date: Tue Nov 13 2001 - 15:13:38 CST
LSA Secrets is what I have heard this caching of credentials being called.
Some explanation of the location of data:
http://is-it-true.org/nt/registry/rtips320.shtml
a nice tool:
http://razor.bindview.com/tools/files/lsadump2.zip
-----Original Message-----
From: Dimitri Limanovski [mailto:dimitri salliemaesolutions.com]
Sent: Tuesday, November 13, 2001 9:24 AM
To: 'focus-ms securityfocus.com'
Subject: Cached Network Password
If I'm not mistaken, by default Windows NT/2000 will remember (cache) user
credentials, both local and network, unless defined otherwise via domain
security policy or by hand in the registry.
Now, where does the OS keep this "cached" password? To test, I first logged on to
the network using one of the test machines. I then disconnected from the
network and logged on using the same network credentials while actually
"offline". No problems there. (BTW, the network password is remembered because
you'll get an error when trying to use anything else). I then used pwdump2
and extracted password hashes. I then tried to L0phtCrack it but was only
presented with the list of local users and their corresponding passwords.
Now, what happened to "cached" network username/password? Where does Windows
keep this information and is it possible to extract them?
Thanks in advance,
Dimitri
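
The registry setting the original question alludes to ("by hand in the registry") can be audited per machine. The following is an added example, not part of either message: it reads the `CachedLogonsCount` value under the Winlogon key and compares it with a site limit. The function name, the `MaxAllowed` limit and the fallback of 10 when the value is absent are assumptions made for illustration.

```powershell
# Added example: audit how many domain logons this machine is allowed to cache.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonPolicy {
    param(
        [int]$MaxAllowed     = 0,   # assumed site policy: 0 means no cached logons
        [int]$AssumedDefault = 10   # assumption: count used when the value is absent
    )

    # CachedLogonsCount is stored as a string (REG_SZ), so it has to be parsed.
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount

    $count = 0
    if ($null -eq $raw) {
        $count  = $AssumedDefault
        $source = 'default (value absent)'
    } elseif ([int]::TryParse([string]$raw, [ref]$count)) {
        $source = 'registry'
    } else {
        $count  = $AssumedDefault
        $source = "default (unparsable value '$raw')"
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        CachedLogonsCount = $count
        Source            = $source
        MaxAllowed        = $MaxAllowed
        Compliant         = ($count -le $MaxAllowed)
    }
}

Get-CachedLogonPolicy -MaxAllowed 0

# Corrected setting, run from an elevated prompt (kept commented out on purpose):
# Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value '0' -Type String
```

With the count at 0, the offline logon described in the original message no longer works, so machines that leave the network usually need a small non-zero limit instead.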