From: Free, Bob (RWF4@pge.com)
Date: Fri Nov 16 2001 - 11:21:14 CST


    Anssi-

    As mentioned before, really basically, LSA secrets contain the user's cached
    credentials, web/ftp passwords, the machine account password as well as
    service account passwords. I forgot about RAS passwords and probably
    something else as well. As you noticed, it is pretty trivial to obtain some
    of these passwords, which is why password reuse is such a _huge_ issue. Keep
    in mind that you needed administrator access to obtain what you did, but that
    is a whole different story.

    Again, very basically the SAM (depending on machine's role) accounts
    database contains the user and group accounts, built-in global groups and
    computer accounts and the SAM built-in database contains the built-in local
    group accounts, such as Administrators, Users, and Guests.

    http://www.sans.org/infosecFAQ/malicious/stealing.htm has a writeup with a
    good starting list of references at the end.

    As strictly a student of all this work done by others, I am reminded of 2
    very basic tenets: NEVER reuse passwords and protect your ERDs like a
    mother lion ;-]

    Again, this is all very basic but I hope it is enough to further your quest.

    regards

    Bob Free
    Sr. Network Specialist
    ISTS/ITUSS/DC/System Server Support
    PG&E Auburn, Ca

    -----Original Message-----
    From: Anssi Porttikivi [mailto:anssi.porttikivi@teleware.fi]
    Sent: Friday, November 16, 2001 5:57 AM
    To: focus-ms@securityfocus.com
    Subject: RE: Cached Network Password

    Can you give us a pointer to some more articles? I am looking for an
    answer to the next question:

    AFAIK the domain username and password hash pair is cached in the Registry
    SAM sub tree (or hive) in NT/2000. That part of the registry is the
    "hive" file in %SystemRoot%\System32\Config\SAM. So what goes there,
    and what goes to HKLM\Security\policy\secrets?

    When I look at my "secrets" with Lsadump2, I see my FTP password to a
    remote machine in clear text, and I see in clear text one of my old
    domain passwords (the password -2, if current is zero)! Is this for
    checking that I don't re-use passwords? Pretty dangerous, I would say!
    I still use that same password somewhere else!

    -----Original Message-----
    From: Free, Bob [mailto:RWF4@pge.com]
    Cc: 'focus-ms@securityfocus.com'
    Subject: RE: Cached Network Password

    HKLM\Security\policy\secrets can store cached credentials, web/ftp
    passwords and the machine account password as well as service accts. A good
    reference is http://razor.bindview.com/tools/desc/lsadump2_readme.html and
    HEW2K covers it nicely http://www.hackingexposed.com/win2k/home.html

    Exploits are generally referred to as the LSA secrets hack and there is a
    fair amount of information available on the net, even a Microsoft KB
    article.
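As an added example (not part of the thread or any tool it names), a defender-side check for the exposure Bob describes: a service that logs on as a named user rather than a built-in identity has that account's password held in LSA secrets on the host, and the reuse of one account across several services is the kind of reuse the thread warns about. It assumes only the standard Win32_Service CIM class and the built-in service identities it lists.

```powershell
# Identities whose credentials are not stored as a per-account LSA secret.
# Virtual accounts ("NT SERVICE\<name>") are excluded separately below.
$BuiltInIdentities = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

function Get-NamedServiceAccount {
    <#
      Returns every installed service whose logon account is a real user
      (local ".\user" or "DOMAIN\user"), i.e. an account whose password is
      stored on this machine as an LSA secret.
    #>
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -and
            ($BuiltInIdentities -notcontains $_.StartName) -and
            ($_.StartName -notlike 'NT SERVICE\*')
        } |
        Select-Object Name, DisplayName, StartName, State, StartMode
}

function Get-ReusedServiceAccount {
    <#
      Groups the named service accounts by logon name so that an account
      driving several services (one password, many services) stands out.
    #>
    param([object[]]$Services)
    $Services |
        Group-Object -Property StartName |
        Where-Object { $_.Count -gt 1 } |
        Select-Object @{ Name = 'Account';  Expression = { $_.Name } },
                      @{ Name = 'Services'; Expression = { $_.Count } },
                      @{ Name = 'Names';    Expression = { ($_.Group.Name -join ', ') } }
}

$named = Get-NamedServiceAccount
"Services running under named accounts (password present in LSA secrets):"
$named | Format-Table -AutoSize

"Accounts reused by more than one service:"
Get-ReusedServiceAccount -Services $named | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each host in scope; an empty second table means no service account is reused locally, while any domain account appearing on several machines is the cross-host reuse case the thread calls a huge issue.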