You should be familiar with the well known tool CacheDump from Arnaud Pilon; it is an application which dumps the cached password hashes stored into the registry. Cain s MSCACHE Hashes Dumper does exactly the same thing and allows you to import password hashes directly into the relative MSCACHE Hashes password cracker tab. By default, Windows stores a copy of domain logon passwords into the local registry; this enables the user to logon locally even if the domain controller is off-line or unavailable. Cached passwords are stored locally under the form of hashes encrypted with the NL KM LSA secret. This feature decrypts cached hashes and prepares them to be cracked using Dictionary or Brute-Force attacks.

How it works

This feature of the program follows the same methodology used by Todd Sabin in his PWDUMP2 program to extract MSCACHE hashes present on the system. It uses the DLL injection technique to run a thread in the same security context of the Local Security Authority Subsystem process. The thread s executable code must first be copied to the address space of LSASS process and this requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.

Once injected and executed the thread will run with the same access privileges of the Local Security Authority Subsystem; it will load the function DumpCache from Abel.dll that will

retrieve the NL KM LSA secret and decrypt MSCACHE hashes stored in the registry. Unlike CacheDump, the NL KM LSA secret is obtained using the LsarOpenSecret and LsarQuerySecret APIs from  LSASRV.DLL. The thread stores the data returned from these functions in a temporary file named cache.txt located in the same directory of the program. Finally, unencrypted MSCACHE hashes are put on the screen and the temporary file deleted.

Usage

To dump MSCACHE hashes you can press the Insert button on the keyboard or click the icon with the blue on the toolbar. Once dumped, cached password hashes can be sent to MSCACHE cracker using the list pop up menu. You can choose to dump MSCACHE hashes from the local system or from external registry hive files SYSTEM and SECURITY ; Windows Vista hive files are also supported.

Requirements

This feature requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.

Abel.dll is also required by the remote thread injected into LSASS process.

Copyright 2001-2011 Massimiliano Montoro. All rights reserved.

Hashcat, advanced password recovery Usage: hashcat options hashfile mask wordfiles directories Options General: -m, --hash-type NUM.

Feb 14, 2013 - As most people here will know, Windows caches domain/AD MS-Cache is a pretty simple format - it s an MD4 hash of the password, followed.

The local challenges can be grabbed from here and various other writeups are online. I was off on the timing for this one, so I only dove into most the challenges on.

Oxid.it web site Cain Abel v4.9.56 released - Added Windows Vault Password Decoder.

Help Irongeek.com pay for bandwidth and research equipment:

Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003

By Irongeek

Update:3/26/2006 Added Puzzlepants article on importing CacheDump files into Cain at the bottom of this page.

Update:8/24/2005 NeuTron sent me a version of John compiled with Cygwin that includes the MSCACHE patches. You can also use newer versions of Cain to crack store credentials. Try them out.

By default Windows 2000, XP and 2003 systems in a domain or Active Directory tree cache the passwords and credentials of previously logged in users. This is done so that the users can still login again if the Domain Controller or ADS tree can not be reached either because of Controller failure or network problems. These cached passwords are stored as hashes in the local systems registry at the values HKEY_LOCAL_MACHINE SECURITY CACHE NL 1 through NL 10. Unless the ACL is changed these values require SYSTEM level privileges to access you can set it so an admin account can read them but you would still want to use a tool to parse out the data. Arnaud Pilon has created a tool called CacheDump for extracting these password hashes out of the registry. He and his team have also come up with patches for the password cracking tool John the Ripper that allow you to use John to crack these stored credential hashes. More on the technical details can be found at for those who are so inclined. Fortunately from a security standpoint the way Microsoft hashes cached passwords is much more secure than the way they store local passwords in the SAM file. Since each cached hash has its own salt a set of more or less random bits figured into the hash algorithm to help foil pre-computed attacks cached passwords hashes take much longer to crack than LM LAN Manager hashes which don t salt the same way, are case insensitive and are split into seven character chunks.

This tutorial will cover the basics of collecting the cached password hashes and setting up a Debian based Linux system with a patched version of John the Ripper to audit these hashes for weak passwords. With a little modification to these basic instructions you should be able to get the patched version of John to work on just about any nix system or under the Cygwin environment for Windows.

First download and extract cachedump.exe from to the Windows box you want to get the cached password hashes from. Once you have extracted the executable make sure you are logged in as an admin user, then drop out to a command prompt and use the following command to pipe the hashes into a file:

Windows Command:

cachedump mydump.txt

If you look in the mydump.txt file it should contain data that looks something like the following:

Mydump.txt Contents:

admin:23acb302913da1293840329a12931ac

tjanes:2394820194832ac239104928130ab32

Theses are the stored usernames and password hashes. Now open a shell to your Linux box. Install the stable version of John so you have all of the documentation it should be in /usr/share/doc/john/ and configuration files, the following command should do the trick:

Linux Command:

Now extract john.ini to /etc/john/ using the following command:

Once that s done you need to download the source for John 1.6.37:

Then extract the source files:

Now obtain the patches needed to make John work with Windows cached password hashes:

Then unpack and integrate the patches into the main source:

gunzip -c john-1.6.37-bigpatch-10.diff.gz   patch -p0

Now it s time to compile. Change directory into the source code directory:

cd john-1.6.37/src/

You have to specify the platform if you are not sure of your platform just type make without any parameters to see what options are available. Since I m using a Pentium III and Linux I chose linux-x86-mmx-elf as my target platform:

make linux-x86-mmx-elf

Assuming there were no errors during the compile, change into the directory that the binaries were copied to:

cd. ./run/

Copy the mydump.txt file from the Windows box to the Linux box and put it in the run directory. Once that is done you can begin to try and crack the hashes. The first kind of crack to try is the wordlist crack:

./john --wordlist:password.lst -format:mscash mydump.txt

The command above will read every word in the file password.lst and hash it with each individual user s salt then compare the generated hash with the stored hash. If the hashes match, John will print the password to the screen:

Linux Command Output:

hotmonkeylove          jdoe

The password.lst file that comes with John is rather small so I would recommend downloading a more extensive word list like the one that comes with L0phtcrack called words-english-big.dic or the Argon Wordlist from key passdict and using those instead.

If at any time you wish to see the current progress of John just hit enter and a line like the following should appear:

guesses: 0  time: : 84   c/s: 398184  trying: tenderee

There are other more advanced cracks you could attempt. The following command will use the rules in john.ini to mangle the words from password.lst by changing characters around with likely substitution and additions:

./john --rules --wordlist:password.lst -format:mscash mydump.txt

If you have a lot of time and a fast computer you can try the incremental brute force mode and see if it gives you better results:

./john -i:all -format:mscash mydump.txt

Incremental mode is limited to only eight characters unless you change the source before you compile it, but at more than eight characters you will likely be waiting a very long time for John to finish.

In most cases cached passwords should not be much of a problem since they can take a long time to crack if you have good password policies in place. For those who are still paranoid and have a very reliable connection to their domain controller, they can follow these steps to disable the caching of passwords and credentials:

1. Set the registry value HKLM SOFTWARE Microsoft Windows NT CurrentVersion Winlogon CachedLogonsCount to 0.

2. Reboot

I hope that this tutorial has been useful. Happy password auditing.

Further research.

Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003 By Irongeek. Update:3/26/2006 Added Puzzlepants article on importing CacheDump files.