Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003

Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003
By Irongeek

Update:3/26/2006 Added Puzzlepants' article on importing CacheDump files into Cain at the bottom of this page.
Update:8/24/2005
NeuTron sent me a version of John compiled with Cygwin that includes the MSCACHE patches. You can also use newer versions of Cain to crack store credentials. Try them out.


        By default Windows 2000, XP and 2003 systems in a domain or Active Directory tree cache the passwords and credentials of previously logged in users. This is done so that the users can still login again if the Domain Controller or ADS tree can not be reached either because of Controller failure or network problems. These cached passwords are stored as hashes in the local systems registry at the values HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10. Unless the ACL is changed these values require SYSTEM level privileges to access (you can set it so an admin account can read them but you would still want to use a tool to parse out the data). Arnaud Pilon has created a tool called CacheDump for extracting these password hashes out of the registry. He and his team have also come up with patches for the password cracking tool "John the Ripper" that allow you to use John to crack these stored credential hashes. More on the technical details can be found at http://www.cr0.net:8040/misc/cachedump.html for those who are so inclined. Fortunately from a security standpoint the way Microsoft hashes cached passwords is much more secure than the way they store local passwords in the SAM file. Since each cached hash has its own salt (a set of more or less random bits figured into the hash algorithm to help foil pre-computed attacks) cached passwords hashes take much longer to crack than LM (LAN Manager) hashes which don't salt the same way, are case insensitive and are split into seven character chunks.

        This tutorial will cover the basics of collecting the cached password hashes and setting up a Debian based Linux system with a patched version of "John the Ripper" to audit these hashes for weak passwords. With a little modification to these basic instructions you should be able to get the patched version of John to work on just about any *nix system or under the Cygwin environment for Windows.

        First download and extract cachedump.exe from http://www.cr0.net:8040/misc/cachedump-1.0.zip to the Windows box you want to get the cached password hashes from. Once you have extracted the executable make sure you are logged in as an admin user, then drop out to a command prompt and use the following command to pipe the hashes into a file:

Windows Command:
cachedump >mydump.txt


        If you look in the mydump.txt file it should contain data that looks something like the following:

Mydump.txt Contents:

jdoe:ac45d39d1029a02938b9302918c9210
admin:23acb302913da1293840329a12931ac
tjanes:2394820194832ac239104928130ab32



        Theses are the stored usernames and password hashes. Now open a shell to your Linux box. Install the stable version of John so you have all of the documentation (it should be in /usr/share/doc/john/) and configuration files, the following command should do the trick:

Linux Command:
apt-get install john


        Now extract john.ini to /etc/john/ using the following command:

Linux Command:
gunzip -c /usr/share/doc/john/examples/john.ini.gz > /etc/john/john.ini


        Once that's done you need to download the source for John 1.6.37:

Linux Command:
wget http://www.openwall.com/john/b/john-1.6.37.tar.gz


        Then extract the source files:

Linux Command:
tar xfz john-1.6.37.tar.gz


        Now obtain the patches needed to make John work with Windows cached password hashes:

Linux Command:
wget http://www.cr0.net:8040/misc/john-1.6.37-bigpatch-10.diff.gz


        Then unpack and integrate the patches into the main source:

Linux Command:
gunzip -c john-1.6.37-bigpatch-10.diff.gz |  patch -p0


        Now it's time to compile. Change directory into the source code directory:

Linux Command:
cd john-1.6.37/src/


        You have to specify the platform (if you are not sure of your platform just type "make" without any parameters to see what options are available). Since I'm using a Pentium III and Linux I chose "linux-x86-mmx-elf" as my target platform:

Linux Command:
make linux-x86-mmx-elf


        Assuming there were no errors during the compile, change into the directory that the binaries were copied to:

Linux Command:
cd ../run/


        Copy the mydump.txt file from the Windows box to the Linux box and put it in the "run" directory. Once that is done you can begin to try and crack the hashes. The first kind of crack to try is the wordlist crack:

Linux Command:
./john --wordlist:password.lst -format:mscash mydump.txt


        The command above will read every word in the file "password.lst" and hash it with each individual user's salt then compare the generated hash with the stored hash. If the hashes match, John will print the password to the screen:

Linux Command Output:
hotmonkeylove         (jdoe)


        The "password.lst" file that comes with John is rather small so I would recommend downloading a more extensive word list like the one that comes with L0phtcrack (called "words-english-big.dic") or the Argon Wordlist from http://neworder.box.sk/codebox.links.php?&key=passdict and using those instead.

        If at any time you wish to see the current progress of John just hit enter and a line like the following should appear:

Linux Command:
guesses: 0  time: 0:00:00:01 84%  c/s: 398184  trying: tenderee


        There are other more advanced cracks you could attempt. The following command will use the rules in john.ini to mangle the words from "password.lst" by changing characters around with likely substitution and additions:

Linux Command:
./john --rules --wordlist:password.lst -format:mscash mydump.txt


        If you have a lot of time and a fast computer you can try the incremental (brute force) mode and see if it gives you better results:

Linux Command:
./john -i:all -format:mscash mydump.txt


        Incremental mode is limited to only eight characters unless you change the source before you compile it, but at more than eight characters you will likely be waiting a very long time for John to finish.

        In most cases cached passwords should not be much of a problem since they can take a long time to crack if you have good password policies in place. For those who are still paranoid and have a very reliable connection to their domain controller, they can follow these steps to disable the caching of passwords and credentials:

1. Set the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ CachedLogonsCount to 0.
2. Reboot

        I hope that this tutorial has been useful. Happy password auditing!

Further research:

CacheDump Homepage:
http://www.cr0.net:8040/misc/cachedump.html

John the Ripper Homepage:
http://www.openwall.com//john/

John the Ripper Documentation:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/john/john/doc/

NewOrder's Wordlists and Tools:
http://neworder.box.sk/codebox.links.php?&key=passdict

NeuTron's tutorial on making a password cracking cluster. His information may help you if you have a lot of computers you can spare cycles on while doing your password audit:
http://www.antionline.com/showthread.php?s=&threadid=262750

A little addition from Puzzlepants, with some formatting by me:

          Sorry to bring up this thread again but several people mentioned the fact that Cain does not recognize CacheDump's format nor does it allow importing of hashes. After a little work I managed to get around that and had Cain cracking hashes that I had dumped using CacheDump. Here's a tutorial I wrote on how to do it:


Crack CacheDump Hashes Using Cain
by
P
uzzlepants


          This is a follow-up to Irongeek's tutorial on Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003. In version 2.68, Cain added support for MS-Cache hashes but unfortunately it only supports cracking hashes retrieved from the local machine.

          This is really a big limitation because, as I've found, usually you want to go get a lot of hashes from different machines and compile them into a big list and crack them all at once. If this is not the case, it is usually not convenient to crack the hashes on the machine that they were retrieved from because it may be a machine at your office or school. You may have sufficient privaleges to install and use Cain but in most cases it's probably not the best idea.

          Cain is much easier to use than John the Ripper for cracking just about anything. In this case, both Cain and John the Ripper support cracking MS-Cache hashes but John has the distinct advantage of being able to crack hashes from a list rather than restricting only to hashes retrieved from the local machine. In fact, as John is only meant to crack hashes, it cannot even retrieve any hashes at all but that's beside the point.

          Cain also has a nice, pretty GUI and runs on Windows, therefore making it much easier for most people to use compared to John (command line only, can't run on Windows without the help of Cygwin). As I said before, Cain only supports cracking hashes retrieved from the local machine but most of the time this isn't convenient or safe. However, there is a way to get Cain to crack MS-Cache hashes from any machine that you'd like.

          CacheDump is a tool mentioned in Irongeek's tutorial that can retrieve cached hashes from a machine. It requires administrative privaleges to retrieve the hashes so you'll have to be logged in under an adminstrative account for it to work. Irongeek spells it out in his tutorial so I won't go through how to use it here. Once you have used it and have your text file with the hashes, take that to the computer you'd like to crack the hashes on using Cain.

          There are two things holding Cain back from cracking hashes obtained from external machines. The first is that Cain does not support importing a hash list to be cracked. To get around this you need to first be sure that Cain is closed. If Cain isn't closed, you won't be able to save any changes to the file you will need to change (see the next paragraph). Next, go into the Cain directory, which by default is C:\Program Files\Cain

          In this directory, you should find a file called CACHE.LST among many others. All the LST files you see are temporary files that Cain uses to store cracked and uncracked hashes between sessions. That way Cain doesn't have to start cracking everything all over when you start up the program again and you don't have to import the hashes again as well. CACHE.LST is, you guessed it, where Cain stores the MS-Cache hashes. Go ahead and open this file up in Notepad or your favorite text editor. If there is anything in the file to begin with you can do what you would like with it. Leaving it or deleting it won't affect anything at all.

          The second problem Cain has is that it does not understand the format that CacheDump uses. Fortunately, the formats that Cain and CacheDump use are very similar and don't require much effort to convert. Here is the format that Cain uses:

                              domain;username;password;hash;

          Here is the format that cachedump uses:

                              username:hash:domain

          There may be some extra information at the end of a cachedump entry but as far as I can tell that doesn't affect anything in terms of the hash or the final password. At first I thought it may be used somehow in the salt but I've found in my testing so far that this is not true.

          Going back to Cain's format, you can see that it's pretty simple. At first, obviously, "password" will be completely blank. An actual line from CACHE.LST would look something like this:

                              acme;roadrunner;;6C7773E383661CC9FD9980FB7AFA8A5D;


          The same hash dumped by cachedump would look like this:

                              roadrunner:6C7773E383661CC9FD9980FB7AFA8A5D:acme

          As you can see, the formats are very similar and easy to convert between. The only problem is that this becomes a little intensive if you have a lot of hashes. You wouldn't want to convert a lot of hashes by hand obviously, so I hacked together a quick PHP script that converts between the two formats. The script really only does a little bit of string parsing and reconstructing and is rather simple overall. It would also be really easy to get the same result from just about any other programming language if you wanted to create one yourself.

          There are 2 PHP pages involved though they could easily be combined into one. I named them cache.php and cache2.php creatively enough. Here is the source for cache.php where the user can upload a file with cachedump hashes:

<html>
<head>
<title>File Uploader</title>
</head>
<body>
<b>Convert cachedump output for Cain</b><br><br>
<form enctype="multipart/form-data" action="cache2.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="102400" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br>
<input type="submit" value="Upload File" />
</form>
</body>
</html>


          This particular script sets the limit for uploads to 100 KB (102,400 bytes) but you can change that easily if you would like. The other part of the script, cache2.php, is where the real magic happens. It takes the uploaded file and puts the text into an array where each line of text (each username, hash, domain combination) corresponds to one entry in the array. A loop then processes each entry in the array and outputs the Cain-formatted text. Here is the source for that page:

<html>
<head>
<title>Cache</title>
</head>
<body>
<?
// Where the file is going to be placed
$target_path = "uploads/";

/* Add the original filename to our target path. Result is "uploads/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

// This is how we will get the temporary file...
$_FILES['uploadedfile']['tmp_name'];

$target_path = "uploads/";

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

/* Check to see if the file was successfully uploaded or not */
if(move_uploaded_file($_FILES['uploadedfile']['tmp
_name'], $target_path)) {
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded<br><br>" .
"Here is your output:<br><br>";

/* Open the uploaded file */
$arrContents = file($target_path);

/* For every line in the uploaded file, perform the following */
foreach($arrContents as $v) {
$arr = explode(":", $v);
echo $arr[2] . ";" . $arr[0] . ";;" . $arr[1] . ";<br>";
}

/* Delete the uploaded file */
unlink($target_path);
}
else {
echo "There was an error uploading the file, <a href=\"cache.php\">please try again</a>!";
}
?>
</body>
</html>

          As you can see, both files are pretty simple. To run these on your server you will have to have write permissions in whatever directory you send the uploaded file to (set in the variable $target_path). Obviously you will have to have PHP installed on your server as well. Other than that, this script doesn't require anything else.

          If you're too lazy to run this script on your own server or you don't have a server to run this script on, I have a server up and running with this script on it for anybody to use. Before I give the link I must say a few things. First of all, this server is running on a residential cable connection and therefore cannot handle a lot of traffic. So please don't flood my poor little server or I will have to take the script down. Secondly, if you have a server to run this script on, please do. My poor little server can only handle so much.

          Without further ado, you can now freely convert cachedump output to Cain input here.

          The rest of this tutorial should be pretty self-explainatory but I am going to go ahead and tell you what you need to do next. If you listened to my directions earlier, I told you to open up CACHE.LST in Notepad or your favorite text editor. Since I never told you to close it, you should still have it open. Copy and paste your converted cachedump output into that window and save it. Then you can open up Cain, go to the cracker tab, and you should see all of your beautiful hashes ready to be cracked once you click on MS-Cache hashes.

          Now you should be ready to crack to your heart's delight but I feel I should give you a warning before you do. Compared to John the Ripper, Cain is slow. When I say slow, I mean really slow. When I ran a specially compiled version of John for Windows, it consistently ran at more than 400,000 combinations per second (c/s) on a 1.8 GHz Intel Celeron with 768 MB of RAM during a dictionary attack. Using the same dictionary and the same number of hashes, Cain ran at (and is still running at) around 3,000 combinations per second. As you can see, Cain runs a ton slower than John. The only advantage to Cain, besides the GUI and ability to run natively on Windows, is that it (I think) supports more hybrid options (taking words from a dictionary list and changing them around slightly) compared to John.

          In my experiences with John, it seems to get faster as time goes on. I recall running John on a 1 GHz AMD laptop with 256 MB of RAM. I booted up Whax and didn't even bother loading up a window manager (ie fluxbox or KDE). I ran a bruteforce attack on some cached hashes and the attack started at about 350,000 combinations per second. After about a week straight, the number had climbed to 450,000. So there, John is way faster.

          It's about time to wrap this tutorial up. A few things before I let you go though. Firstly, I have a nice screenshot of Cain cracking a ton of MS-Cache hashes for me. Secondly, if anybody has any problems doing anything I mentioned in the tutorial, you can email me at the following address:

puzzlepants(at)gmail.com



If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek