Comments on Push the Red Button: Cached Domain Credentials (blog by Brendan Dolan-Gavitt; comment feed last updated 2024-03-07 06:22 -05:00)

Bob S (2013-11-12 09:36 -05:00):
@Arun - how is it going? Did you figure it out?

Arun (2013-10-10 08:12 -04:00):
This comment has been removed by the author.

Arun (2013-10-10 08:12 -04:00):
I am accepting the point of Bob. To set a domain cached credential, the system contacts the DC every time. The DC sends these values. To check the integrity of this, Windows adds or follows some checksum in the tail of the cached data. It differs from 16-byte data to 20/22-byte data. Me too failed to crack it. Right now I am working on it to reverse engineer this; once I succeed I will update in this thread.

Or if anyone knows this, please correct me.

Bob S (2013-10-08 08:41 -04:00):
@moyix - Bumping this question ... do you know the answer? Regarding setting a domain cached credential ... the trick seems to be the checksum needed. Do you know how to set the final checksum on the last 16 bytes?
Thx!

Anonymous (2013-02-07 20:12 -05:00):
Hi, great article,
Just wanted to know if the stored domain credentials will remain in the registry permanently or will be automatically cleared after some days.
Thanks

Bob S (2011-07-05 23:05 -04:00):
@moyix - regarding setting a domain cached credential ... the trick seems to be the checksum needed. Do you know how to set the final checksum on the last 16 bytes? Thx!

Unknown (2011-01-23 04:20 -05:00):
Great article! You break it down extremely well. I've noticed Vista/7 are different than XP on protected storage. Do you know of any progress on decrypting the LSA/NKLM key on Vista/7?

Thanks again. That was awesome.

Mich (2009-09-10 11:23 -04:00):
Really an interesting article. TNX for that excellent work. The Volatility plugin was able to extract the hash from an SP2 memdump but failed with SP3. Do you know what MS may have changed?

Cu

Michael

Brendan Dolan-Gavitt (2008-05-21 14:16 -04:00):
I'm glad you enjoyed the article!
To answer your question, it should indeed be possible to change the password, hash it, and then re-encrypt the block and put it in the registry. I've actually written code to do this in the case of standard local user hashes (to demonstrate an attack that will be discussed in my DFRWS paper); however, it should be pretty easy to do the same with cached domain credentials.

One thing that should be noted, though, is that even if you do this, I'm pretty sure you will still not be able to access network resources as that domain user, as the original hash is used in the NTLM challenge/response mechanism. You might be able to use something like the "pass the hash" toolkit to re-inject the correct hash once you've logged in, though.

Unknown (2008-05-08 05:19 -04:00):
Really good stuff, makes the whole process much clearer.
Is it possible to reverse the process to encrypt data using the RC4 key? The reason for this would be to overwrite the existing password hash with one you calculated from a known password. I realise that this would have a very limited application, but sometimes you just have to log on as a particular user to get something to work, and if the domain password security is good, then using a dictionary attack or brute forcing is just not effective.

Brendan Dolan-Gavitt (2008-02-26 15:42 -05:00):
Indeed, protected storage is something that should be implemented. I've been thinking about doing it, but have not yet had the time. If you think you have a decent idea of how to implement it, go for it!
Feel free to e-mail me if you have any questions about the CredDump code as well.

Cheers,
Brendan

Nicolas (2008-02-26 05:46 -05:00):
Great article. Creddump now only misses a function to dump the protected storage (encrypted with LSA secrets, iirc?). I will dig into that if you are interested (code to dump protected storage is widely available).