分享
 
 
 

Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003

王朝c#·作者佚名  2006-12-16
窄屏简体版  字體: |||超大  

By default Windows 2000, XP and 2003 systems in a domain or Active Directory tree cache the passwords and credentials of previously logged in users. This is done so that the users can still login again if the Domain Controller or ADS tree can not be reached either because of Controller failure or network problems. These cached passwords are stored as hashes in the local systems registry at the values HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10. Unless the ACL is changed these values require SYSTEM level privileges to access (you can set it so an admin account can read them but you would still want to use a tool to parse out the data). Arnaud Pilon has created a tool called CacheDump for extracting these password hashes out of the registry. He and his team have also come up with patches for the password cracking tool “John the Ripper” that allow you to use John to crack these stored credential hashes. More on the technical details can be found at http://www.cr0.net:8040/misc/cachedump.html for those who are so inclined. Fortunately from a security standpoint the way Microsoft hashes cached passwords is much more secure than the way they store local passwords in the SAM file. Since each cached hash has its own salt (a set of more or less random bits figured into the hash algorithm to help foil pre-computed attacks) cached passwords hashes take much longer to crack than LM (LAN Manager) hashes which don't salt the same way, are case insensitive and are split into seven character chunks.

This tutorial will cover the basics of collecting the cached password hashes and setting up a Debian based Linux system with a patched version of “John the Ripper” to audit these hashes for weak passwords. With a little modification to these basic instructions you should be able to get the patched version of John to work on just about any *nix system or under the Cygwin environment for Windows.

First download and extract cachedump.exe from http://www.cr0.net:8040/misc/cachedump-1.0.zip to the Windows box you want to get the cached password hashes from. Once you have extracted the executable make sure you are logged in as an admin user, then drop out to a command prompt and use the following command to pipe the hashes into a file:

cachedump >mydump.txt

If you look in the mydump.txt file it should contain data that looks something like the following:

jdoe:ac45d39d1029a02938b9302918c9210

admin:23acb302913da1293840329a12931ac

tjanes:2394820194832ac239104928130ab32

--------'

If you have a lot of time and a fast computer you can try the incremental (brute force) mode and see if it gives you better results:

./john -i:all -format:mscash mydump.txt

Incremental mode is limited to only eight characters unless you change the source before you compile it, but at more than eight characters you will likely be waiting a very long time for John to finish.

In most cases cached passwords should not be much of a problem since they can take a long time to crack if you have good password policies in place. For those who are still paranoid and have a very reliable connection to their domain controller, they can follow these steps to disable the caching of passwords and credentials:

1. Set the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ CachedLogonsCount to 0.

2. Reboot

I hope that this tutorial has been useful. Happy password auditing!

Further research:

CacheDump Homepage:

http://www.cr0.net:8040/misc/cachedump.html

John the Ripper Homepage:

http://www.openwall.com//john/

John the Ripper Documentation:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/john/john/doc/

NewOrder’s Wordlists and Tools:

http://neworder.box.sk/codebox.links.php?&key=passdict

NeuTron's tutorial on making a password cracking cluster. His information may help you if you have a lot of computers you can spare cycles on while doing your password audit:

http://www.antionline.com/showthread.php?s=&threadid=262750

A little addition from Puzzlepants, with some formatting by me:

Sorry to bring up this thread again but several people mentioned the fact that Cain does not recognize CacheDump's format nor does it allow importing of hashes. After a little work I managed to get around that and had Cain cracking hashes that I had dumped using CacheDump. Here's a tutorial I wrote on how to do it:

Crack CacheDump Hashes Using Cain

by

Puzzlepants

This is a follow-up to Irongeek's tutorial on Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003. In version 2.68, Cain added support for MS-Cache hashes but unfortunately it only supports cracking hashes retrieved from the local machine.

This is really a big limitation because, as I've found, usually you want to go get a lot of hashes from different machines and compile them into a big list and crack them all at once. If this is not the case, it is usually not convenient to crack the hashes on the machine that they were retrieved from because it may be a machine at your office or school. You may have sufficient privaleges to install and use Cain but in most cases it's probably not the best idea.

Cain is much easier to use than John the Ripper for cracking just about anything. In this case, both Cain and John the Ripper support cracking MS-Cache hashes but John has the distinct advantage of being able to crack hashes from a list rather than restricting only to hashes retrieved from the local machine. In fact, as John is only meant to crack hashes, it cannot even retrieve any hashes at all but that's beside the point.

Cain also has a nice, pretty GUI and runs on Windows, therefore making it much easier for most people to use compared to John (command line only, can't run on Windows without the help of Cygwin). As I said before, Cain only supports cracking hashes retrieved from the local machine but most of the time this isn't convenient or safe. However, there is a way to get Cain to crack MS-Cache hashes from any machine that you'd like.

CacheDump is a tool mentioned in Irongeek's tutorial that can retrieve cached hashes from a machine. It requires administrative privaleges to retrieve the hashes so you'll have to be logged in under an adminstrative account for it to work. Irongeek spells it out in his tutorial so I won't go through how to use it here. Once you have used it and have your text file with the hashes, take that to the computer you'd like to crack the hashes on using Cain.

There are two things holding Cain back from cracking hashes obtained from external machines. The first is that Cain does not support importing a hash list to be cracked. To get around this you need to first be sure that Cain is closed. If Cain isn't closed, you won't be able to save any changes to the file you will need to change (see the next paragraph). Next, go into the Cain directory, which by default is C:\Program Files\Cain

In this directory, you should find a file called CACHE.LST among many others. All the LST files you see are temporary files that Cain uses to store cracked and uncracked hashes between sessions. That way Cain doesn't have to start cracking everything all over when you start up the program again and you don't have to import the hashes again as well. CACHE.LST is, you guessed it, where Cain stores the MS-Cache hashes. Go ahead and open this file up in Notepad or your favorite text editor. If there is anything in the file to begin with you can do what you would like with it. Leaving it or deleting it won't affect anything at all.

The second problem Cain has is that it does not understand the format that CacheDump uses. Fortunately, the formats that Cain and CacheDump use are very similar and don't require much effort to convert. Here is the format that Cain uses:

domain;username;password;hash;

Here is the format that cachedump uses:

username:hash:domain

There may be some extra information at the end of a cachedump entry but as far as I can tell that doesn't affect anything in terms of the hash or the final password. At first I thought it may be used somehow in the salt but I've found in my testing so far that this is not true.

Going back to Cain's format, you can see that it's pretty simple. At first, obviously, 'password' will be completely blank. An actual line from CACHE.LST would look something like this:

acme;roadrunner;;6C7773E383661CC9FD9980FB7AFA8A5D;

The same hash dumped by cachedump would look like this:

roadrunner:6C7773E383661CC9FD9980FB7AFA8A5D:acme

As you can see, the formats are very similar and easy to convert between. The only problem is that this becomes a little intensive if you have a lot of hashes. You wouldn't want to convert a lot of hashes by hand obviously, so I hacked together a quick PHP script that converts between the two formats. The script really only does a little bit of string parsing and reconstructing and is rather simple overall. It would also be really easy to get the same result from just about any other programming language if you wanted to create one yourself.

There are 2 PHP pages involved though they could easily be combined into one. I named them cache.php and cache2.php creatively enough. Here is the source for cache.php where the user can upload a file with cachedump hashes:

<html>

<head>

<title>File Uploader</title>

</head>

<body>

<b>Convert cachedump output for Cain</b><br><br>

<form enctype='multipart/form-data' action='cache2.php' method='POST'>

<input type='hidden' name='MAX_FILE_SIZE' value='102400' />

Choose a file to upload: <input name='uploadedfile' type='file' /><br>

<input type='submit' value='Upload File' />

</form>

</body>

</html>

This particular script sets the limit for uploads to 100 KB (102,400 bytes) but you can change that easily if you would like. The other part of the script, cache2.php, is where the real magic happens. It takes the uploaded file and puts the text into an array where each line of text (each username, hash, domain combination) corresponds to one entry in the array. A loop then processes each entry in the array and outputs the Cain-formatted text. Here is the source for that page:

<html>

<head>

<title>Cache</title>

</head>

<body>

<?

// Where the file is going to be placed

$target_path = 'uploads/';

/* Add the original filename to our target path. Result is 'uploads/filename.extension' */

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

// This is how we will get the temporary file...

$_FILES['uploadedfile']['tmp_name'];

$target_path = 'uploads/';

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

/* Check to see if the file was successfully uploaded or not */

if(move_uploaded_file($_FILES['uploadedfile']['tmp

_name'], $target_path)) {

echo 'The file '. basename( $_FILES['uploadedfile']['name']). ' has been uploaded<br><br>' .

'Here is your output:<br><br>';

/* Open the uploaded file */

$arrContents = file($target_path);

/* For every line in the uploaded file, perform the following */

foreach($arrContents as $v) {

$arr = explode(':', $v);

echo $arr[2] . ';' . $arr[0] . ';;' . $arr[1] . ';<br>';

}

/* Delete the uploaded file */

unlink($target_path);

}

else {

echo 'There was an error uploading the file, <a href=\'cache.php\'>please try again</a>!';

}

?>

</body>

</html>

As you can see, both files are pretty simple. To run these on your server you will have to have write permissions in whatever directory you send the uploaded file to (set in the variable $target_path). Obviously you will have to have PHP installed on your server as well. Other than that, this script doesn't require anything else.

If you're too lazy to run this script on your own server or you don't have a server to run this script on, I have a server up and running with this script on it for anybody to use. Before I give the link I must say a few things. First of all, this server is running on a residential cable connection and therefore cannot handle a lot of traffic. So please don't flood my poor little server or I will have to take the script down. Secondly, if you have a server to run this script on, please do. My poor little server can only handle so much.

Without further ado, you can now freely convert cachedump output to Cain input here.

The rest of this tutorial should be pretty self-explainatory but I am going to go ahead and tell you what you need to do next. If you listened to my directions earlier, I told you to open up CACHE.LST in Notepad or your favorite text editor. Since I never told you to close it, you should still have it open. Copy and paste your converted cachedump output into that window and save it. Then you can open up Cain, go to the cracker tab, and you should see all of your beautiful hashes ready to be cracked once you click on MS-Cache hashes.

Now you should be ready to crack to your heart's delight but I feel I should give you a warning before you do. Compared to John the Ripper, Cain is slow. When I say slow, I mean really slow. When I ran a specially compiled version of John for Windows, it consistently ran at more than 400,000 combinations per second (c/s) on a 1.8 GHz Intel Celeron with 768 MB of RAM during a dictionary attack. Using the same dictionary and the same number of hashes, Cain ran at (and is still running at) around 3,000 combinations per second. As you can see, Cain runs a ton slower than John. The only advantage to Cain, besides the GUI and ability to run natively on Windows, is that it (I think) supports more hybrid options (taking words from a dictionary list and changing them around slightly) compared to John.

In my experiences with John, it seems to get faster as time goes on. I recall running John on a 1 GHz AMD laptop with 256 MB of RAM. I booted up Whax and didn't even bother loading up a window manager (ie fluxbox or KDE). I ran a bruteforce attack on some cached hashes and the attack started at about 350,000 combinations per second. After about a week straight, the number had climbed to 450,000. So there, John is way faster.

It's about time to wrap this tutorial up. A few things before I let you go though. Firstly, I have a nice screenshot of Cain cracking a ton of MS-Cache hashes for me. Secondly, if anybody has any problems doing anything I mentioned in the tutorial, you can email me at the following address:

puzzlepants(at)gmail.com

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有