Hacking Windows cached credentials

   Oops I did it again. I mean I forgot a password for a Windows service account. Personally I prefer to use Local or Network Service accounts to run Windows services.  Some tasks need more permissions such as application installation, system monitoring tools – the SYSTEM account meets such requirements. But some applications require a user account. It can be local Windows, Active Directory account or MS SQL user.  Of course it’s piece of cake to create one but you’d have one issue – passwords.  Having the same password for all your service accounts is OK if you are only administrator but  it is bad practice. You can write down all passwords and keep them in save place. That what I usually do, especially for implementation projects and 3rd and 4th level support.

   About a month ago we did SharePoint upgrade – good time to change passwords of service accounts (sometimes you should do it for security reason).  So I changed them and decided to put the new passwords into my Passwords doco after the upgrade. I realise that I forgot to do it  a few weeks later during configuration of another MOSS service. But it was to late I forgot the passwords Crying.  I did not want to reset the passwords – I’d have to put new passwords in to many places and it was a risk that I could break applications which use portal and IIS. So I skipped to Plan B.

   By default once user logged on Windows keeps users’ password in its cache (can be turned off using Group or Local Policy). First you need to dump password from the cache.  PWDumpX is a good tool for it. You can download it from http://reedarvin.thearvins.com/tools.html and run it from command prompt: PWDumpX

PWDumpX -c localhost + +

   It creates localhost-PWCache.txt files which you can feed to another hacking tool. If it does not work for you check you firewall settings because the PWDumpX actually works this way: temporary installs a service using \\localhost\admin$ path, runs  it under SYSTEM account, the service dumps all passwords and PWDumpX uninstalls the services. You can do it from remote computer as well – type computer name or IP address instead of localhost.

image   The second step is password recovery. Don’t do it on a production server. It heavy uses CPU.

   Next tool is PasswordPro from InsidePro. The first thing to do is add Domain Cached Credentials module. You get an error message "Use program option menu to import hashing modules before importing hashes!" when attempt to open or import any file.  I found this task tricky. I don’t think it’s possible without a mouse.  Press F9 (menu Service | Options) and go to the last option, "Hashing Modules", then right click on the list of modules.  Browse to the "Domain Cached Credentials.dll" file location and select it. Now you can open hash files.

imageImport the password dump file from step 1, select type of hashes and you ready for rock-n-roll. image

  Dictionaries may help you but never did to me (for my password I use more then 10 symbols with lower and upper cases, numbers and special symbols).  Brute-force attack (Ctrl-Alt-2) did not help either (all weekend my workstation overheated its two Xeon CPUs but no luck). So I created my own dictionary with passwords I use or may use (combination of words replacing I on 1, A on @, O on 0 etc and increasing numbers  in the middle and the end of passwords). It was not long this time. When the password had appeared in the password field I said to my self "I knew it, it must be this one". But why I did not try it? Wink Sometimes our memory plays games with us.

I’ve learned my lesson, now my password doco is up-to-date.

Here is my recommendations for Windows security regarding passwords:

  1. Use complex passwords (lower and uppercase letters, numbers and special symbols such as $#@!^&*:;~). Passwords should be long enough (minimum 10 symbols).
  2. Change the password regularly. Don’t set "Password never expire" on user accounts, even if it is your boss’s account, especially if it’s your boss :) or anyone from top management.  You have to do it for service accounts but don’t forget to change their passwords from time to time, don’t use one password for years.
  3. Caching credentials can be disabled but don’t do it for laptop users – they won’t be able to log on when they are offline (in plane, train or in the middle of nowhere without connection to the domain)
  4. Disable caching for terminal (Citrix) servers. If a terminal server can not connect to a domain controller it’s useless anyway unless terminal users use local applications. Keeping many user password in cache on one server is a security risk. A local admin can hack cached passwords and get unauthorised access to users data, one of the terminal users may be a domain administrator who has not changed his/her password since last logon.
  5. Don’t use the same passwords for all service account.  If you can use several service account even for one application – do it (you would easy delegate rights to another administrator but not full control). You can put service account names and passwords in a doco but never in the same file.
  6. Users should remember their passwords, no write them down and stick on their monitors – don’t make your password rule to complicated.

An example of good passwords:

  1. IWishIHad1Password  –> it’s strong and easy
  2. 1W1sh1H@d0n3P@ssw0rd –> even better. Can you read it? It’s the same as the first one just different spelling Open-mouthed 

Good luck


About oleggap

IT Pro
This entry was posted in Security. Bookmark the permalink.