From: Free, Bob (RWF4 pge.com)
Date: Thu Nov 15 2001 - 17:02:50 CST

HKLM\Security\policy\secrets can store cached credentials, web/ftp passwords
and the machine account password as well as service accts. A good reference
is http://razor.bindview.com/tools/desc/lsadump2_readme.html and
HEW2K covers it nicely http://www.hackingexposed.com/win2k/home.html
Exploits are generally referred to as the LSA secrets hack and there is a
fair amount of information available on the net, even a Microsoft KB
article.
Bob Free
Sr. Network Specialist
ISTS/ITUSS/DC/System Server Support
PG&E Auburn, Ca

-----Original Message-----
From: RH [mailto:RH beulah.org]
Sent: Thursday, November 15, 2001 11:31 AM
To: 'Sean Waddell'; Dimitri Limanovski
Cc: 'focus-ms securityfocus.com'
Subject: RE: Cached Network Password

I think Dimitri was actually asking for the *file* location of the password
hashes that have been cached, not how to turn off hashing. I would like to
know too.
I *also* would like to know where the SERVICES that log on with domain
accounts store their password hashes (i.e. Exchange server and SMS use
domain level service accounts; these servers have to have the password
stored somewhere locally in order to authenticate the account and start
the service).
Anyone know these two things off the top of their head?

-----Original Message-----
From: Sean Waddell [mailto:swaddell espgroup.net]
Sent: Thursday, November 15, 2001 10:42 AM
To: Dimitri Limanovski
Cc: 'focus-ms securityfocus.com'
Subject: Re: Cached Network Password

There is a registry edit that you can make to prevent pwd's from being
cached.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="0"
This should be part of your hardening process.
--
Sean Waddell
Network Engineer
The ESP Group

Dimitri Limanovski wrote:
>
> If I'm not mistaken, by default WindowsNT/2000 will remember (cache) user
> credentials, both local and network, unless defined otherwise via domain
> security policy or by hand in the registry.
> Now, where does OS keep this "cached" password? To test I first logged to
> the network using one of the test machines. I then disconnected from the
> network and logged using the same network credentials while actually
> "offline". No problems there. (BTW, network password is remembered because
> you'll get an error when trying to use anything else). I then used pwdump2
> and extracted password hashes. I then tried to L0phtCrack it but was only
> presented with the list of local users and their corresponding passwords.
> Now, what happened to "cached" network username/password? Where does Windows
> keep this information and is it possible to extract them?
> Thanks in advance,
>
> Dimitri
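
An added example, not part of the original thread: a read-only PowerShell audit of the two things discussed above, the `CachedLogonsCount` value Sean names and the services that log on with named (for example domain) accounts that RH asks about. The function names and the filter for built-in accounts are assumptions of this example.

```powershell
# Added example (not from the thread). Read-only: nothing is changed on the host.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # The value is stored as a string (REG_SZ), as in the .reg snippet in the thread.
    $prop = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' `
                             -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }      # value absent: OS default applies
    return [int]$prop.CachedLogonsCount
}

function Get-NamedAccountService {
    # Assumption of this example: built-in identities (LocalSystem,
    # NT AUTHORITY\*, NT SERVICE\*) need no stored password, so every other
    # StartName is an account whose password the host keeps locally in
    # order to start the service.
    $builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
        Sort-Object StartName, Name |
        Select-Object Name, StartName, StartMode, State
}

# Report 1: logon caching setting
$count = Get-CachedLogonsCount
if ($null -eq $count) {
    'CachedLogonsCount: not set (OS default applies)'
} elseif ($count -eq 0) {
    'CachedLogonsCount: 0 (logon caching disabled)'
} else {
    "CachedLogonsCount: $count (logon caching enabled)"
}

# Report 2: services whose credentials are held on this machine
$services = @(Get-NamedAccountService)
"Services running under named accounts: $($services.Count)"
$services | Format-Table -AutoSize

# Group by account to see which single password covers the most services.
$services | Group-Object StartName |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Each account listed in the second report is one to review for least privilege and password rotation on that host.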