Here is a great set of articles about Windows password storage schemes by Brendan (moyix):
Syskey and the SAM:
http://moyix.blogspot.com/2008/02/syskey-and-sam.html
Decrypting LSA Secrets:
http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html
Cached Domain Credentials:
http://moyix.blogspot.com/2008/02/cached-domain-credentials.html
Besides the articles, Brendan created a set of Volatility plugins that extract those passwords from a memory dump. The plugins work on the registry hives as they are mapped in memory, so you first locate the SYSTEM hive and the SAM or SECURITY hive with hivelist and pass their virtual offsets to the plugin:
- hashdump: dump the LanMan and NT hashes from the SAM hive, decrypted with the boot key (syskey) recovered from the SYSTEM hive.
- lsadump: dump the LSA secrets from the SECURITY hive, decrypted with the LSA key (itself protected by the boot key).
- cachedump: dump any cached domain credentials (MS cache hashes) from the SECURITY hive. This only works if the memory image comes from a domain member on which a domain user has logged on, since that is when the cache entries are written; what you get are still hashes (salted with the username), not plaintext passwords.
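An added example of the workflow around those plugins, not Brendan's code and not part of the original post: it picks the SYSTEM, SAM and SECURITY hive offsets out of hivelist output, builds the three plugin invocations (assuming the Volatility 2 command syntax `hashdump -y <system> -s <sam>` and `lsadump`/`cachedump -y <system> -s <security>`, with a hypothetical image name and profile), and then triages pwdump-style hashdump output for blank passwords, crackable LM hashes and NT-hash reuse across accounts. The hivelist and hashdump samples are constructed; the hash values in them are made up apart from the two well-known empty-password hashes.

```python
"""Hive-offset selection and hash triage around Volatility hashdump/lsadump/cachedump.

Added example (not the plugin author's code). Assumes the Volatility 2 CLI syntax and
pwdump-style hashdump output (user:rid:lmhash:nthash:::).
"""
import re
import shlex

# Well-known values: LM field when LM storage is disabled / password is empty,
# and the NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample of `volatility hivelist` output (Virtual, Physical, Name columns).
HIVELIST_SAMPLE = """\
Virtual    Physical   Name
---------- ---------- ----
0xe1035b60 0x02ab3b60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system
0xe1503b60 0x0bd9ab60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SAM
0xe14f7008 0x0c0a5008 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SECURITY
0xe101b008 0x01dbc008 [no name]
"""

# Constructed sample of hashdump output; non-empty hash values are made up.
HASHDUMP_SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
cmm:1003:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
svc_backup:1004:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

HIVE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")


def find_hive_offsets(hivelist_text):
    """Return the virtual offsets of the system, sam and security hives (first match wins)."""
    wanted = {"system": None, "sam": None, "security": None}
    for line in hivelist_text.splitlines():
        m = HIVE_RE.match(line)
        if not m:
            continue  # header / separator lines
        vaddr, _paddr, name = m.groups()
        tail = name.lower().rsplit("\\", 1)[-1]  # last path component, e.g. "sam"
        if tail in wanted and wanted[tail] is None:
            wanted[tail] = vaddr
    return wanted


def plugin_commands(image, profile, offsets):
    """Build the three plugin invocations; lsadump and cachedump read the SECURITY hive."""
    base = ["volatility", "-f", image, "--profile=" + profile]
    sysoff = offsets["system"]
    argvs = {
        "hashdump": base + ["hashdump", "-y", sysoff, "-s", offsets["sam"]],
        "lsadump": base + ["lsadump", "-y", sysoff, "-s", offsets["security"]],
        "cachedump": base + ["cachedump", "-y", sysoff, "-s", offsets["security"]],
    }
    return {name: " ".join(shlex.quote(a) for a in argv) for name, argv in argvs.items()}


def parse_hashdump(text):
    """Parse pwdump-style lines into dicts with user, rid, lm and nt fields."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        rows.append({"user": parts[0], "rid": int(parts[1]),
                     "lm": parts[2].lower(), "nt": parts[3].lower()})
    return rows


def triage_hashes(rows):
    """Flag empty passwords, LM hashes (cheap to crack) and NT hashes shared between accounts."""
    nt_owners = {}
    for r in rows:
        nt_owners.setdefault(r["nt"], []).append(r["user"])
    findings = []
    for r in rows:
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "empty password"))
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM hash present"))
        others = sorted(u for u in nt_owners[r["nt"]] if u != r["user"])
        if others and r["nt"] != EMPTY_NT:
            findings.append((r["user"], "NT hash shared with " + ",".join(others)))
    return findings


if __name__ == "__main__":
    offs = find_hive_offsets(HIVELIST_SAMPLE)
    for name, cmd in plugin_commands("mem.img", "WinXPSP2x86", offs).items():
        print(name, "->", cmd)
    for user, issue in triage_hashes(parse_hashdump(HASHDUMP_SAMPLE)):
        print(user + ": " + issue)
```

The triage is the part worth keeping around: a non-empty LM field means the password is 14 characters or shorter and was stored in the LM form (crackable in minutes), and two accounts with the same NT hash share a password, which matters when one of them is a service or local admin account.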
Enjoy
-CMM