Monday, January 19, 2009

About Windows passwords, hashes and registry

Here is a great set of articles about Windows passwords schemes by 

Syskey and the Sam:
http://moyix.blogspot.com/2008/02/syskey-and-sam.html

Decrypting LSA Secrets:
http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html


Cached Domain Credentials:
http://moyix.blogspot.com/2008/02/cached-domain-credentials.html

Besides the articles, Brendan create a set of tools to use with Volativility that will allow to extract those password from a memory dump:

  • hashdump: dump the LanMan and NT hashes from the registry (deobfuscated). 
  • lsadump: dump the LSA secrets (decrypted) from the registry. 
  • cachedump: dump any cached domain password hashes from the registry. This will obviously only work if the memory image comes from a machine that was part of a domain. 
Enjoy
-CMM
By -
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Wfuzz 2.2.0 released

I'm pleased to announce a new version of WFuzz! Wfuzz has been created to facilitate the task in web applications assessments and it...

  • Scan for shellshock with wfuzz
    In the last few weeks everyone has been talking about Shellshock, the vulnerability affecting bash and having security ramifications everyw...
  • Wfuzz 2.1 released !
    I'm pleased to announce  a new version of WFuzz! Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for findi...
  • Scanning ports through SSH Port Forwarding
    In one of the latest penetration tests we faced a SSH server that was based in Maverick SSHTOOLS. The funny thing is that this server was ...