Cracking Cached Passwords on Windows

By | April 6, 2006

By default Windows 2000, XP and 2003 systems in a domain or Active Directory tree cache the passwords and credentials of previously logged in users. This is done so that the users can still login again if the Domain Controller or ADS tree can not be reached either because of Controller failure or network problems.

These cached passwords are stored as hashes in the local systems registry at the values HKEY_LOCAL_MACHINESECURITYCACHENL$1 through NL$10. Unless the ACL is changed these values require SYSTEM level privileges to access (you can set it so an admin account can read them but you would still want to use a tool to parse out the data). Arnaud Pilon has created a tool called CacheDump for extracting these password hashes out of the registry.

Fortunately from a security standpoint the way Microsoft hashes cached passwords is much more secure than the way they store local passwords in the SAM file. Since each cached hash has its own salt (a set of more or less random bits figured into the hash algorithm to help foil pre-computed attacks) cached passwords hashes take much longer to crack than LM (LAN Manager) hashes which don´t salt the same way, are case insensitive and are split into seven character chunks.Read Full Story

Leave a Reply