Cached Credentials

This page discusses cached credentials security in Microsoft Windows Server 2003, Microsoft Windows XP, and Microsoft Windows 2000.

Domain credentials
Domain credentials are used by operating system components and are authenticated by the Local Security Authority (LSA). Typically, domain credentials are established for a user when a registered security package authenticates the user's logon data. This registered security package may be the Kerberos protocol or NTLM.

Windows stores the last ten domain logon credentials so that, if the domain controller goes offline, a user can still log on to their computer. This feature mainly serves laptop users who do not regularly log on to their company's domain. The number of credentials the computer stores is controlled by the following registry value, or via group policy:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount

The credentials are hidden from normal users, even administrator accounts; only the SYSTEM account has the privileges to view them. For an administrator to view these credentials in the registry, they must access the registry as SYSTEM.

The cached credentials are stored at the following registry location:

HKEY_LOCAL_MACHINE\SECURITY\Cache

The easiest way to gain SYSTEM access to the registry is listed below:

Start > Run > CMD.EXE

The syntax is:

at \\<computername> <time when you want the item to open> /interactive regedt32.exe

C:\>at \\computer1 10:23 /interactive regedt32.exe

This opens a registry editor window at 10:23 am with SYSTEM privileges. The window looks no different from the registry editor you normally open, but the Cache key is now visible under the SECURITY key. It holds 10 entries, one for each cached credential being stored.

Hashing Algorithm
In Windows 2000 and in later versions of Windows, the username and password are not cached. Instead, the system stores an encrypted verifier of the password. This verifier is a salted MD4 hash that is computed two times. The double computation effectively makes the verifier a hash of the hash of the user password. This behavior is unlike the behavior of Microsoft Windows NT 4.0 and earlier versions of Windows NT.

I cannot verify this information but I believe this is how the cached credentials are hashed:

1. Hash the user's password using NTLM.
2. Salt the hash from above with the username.
3. Apply NTLM hashing on the combination from 2.

NTLMHash( username + NTLMHash(password) )

How to Resolve

If you want to disable cached credentials you can do the following; however, if you lose access to the domain controller you will be unable to log in:

1. Set the following registry value to 0:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount

2. Reboot

Cached credentials should not be stored on your computer any longer.
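As an added example (not part of the original page), the following audit script reads the CachedLogonsCount value named in the steps above and reports whether caching is still enabled. Two details a practitioner tends to trip over are built in: the value is a REG_SZ string rather than a DWORD, and Microsoft documents the valid range as 0 to 50 with a default of 10. Treating an absent value as the documented default of 10 is an assumption made by this script. The read function uses winreg and therefore only works on Windows; off Windows the script falls back to a constructed sample value so the assessment logic can still be exercised.

```python
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUE_NAME = "CachedLogonsCount"
DEFAULT_COUNT = 10  # Microsoft's documented default; assumed to apply when the value is absent
MAX_COUNT = 50      # documented upper bound of the setting


def assess_cached_logons_count(raw):
    """Interpret the raw CachedLogonsCount data (a REG_SZ string) and return a finding
    stating how many domain logons are cached and whether that is a risk."""
    if raw is None:
        count, source = DEFAULT_COUNT, "absent (documented default assumed)"
    else:
        text = str(raw).strip()
        if not text.isdigit():
            return {"count": None, "source": "invalid", "caching_enabled": None,
                    "finding": f"unexpected non-numeric data {raw!r}; check the value type"}
        count = min(int(text), MAX_COUNT)  # values above 50 are capped by the documented range
        source = "registry"
    enabled = count > 0
    if enabled:
        finding = f"up to {count} domain logons are cached locally; set the value to 0 and reboot to disable"
    else:
        finding = "cached domain credentials are disabled"
    return {"count": count, "source": source, "caching_enabled": enabled, "finding": finding}


def read_cached_logons_count():
    """Read the raw value from the local registry (Windows only; needs read access to HKLM)."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        try:
            data, value_type = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            return None
    if value_type != winreg.REG_SZ:
        # The setting is documented as REG_SZ; another type suggests it was written incorrectly.
        print(f"warning: {VALUE_NAME} has type {value_type}, expected REG_SZ", file=sys.stderr)
    return data


if __name__ == "__main__":
    try:
        raw = read_cached_logons_count()
    except ImportError:
        raw = "10"  # constructed sample value for demonstration off Windows
    print(assess_cached_logons_count(raw))
```

Run it as an administrator on the machine being audited; a result with caching_enabled set to True means the remediation steps above have not taken effect (remember the reboot).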

Tools

FGDump
http://www.foofus.net/fizzgig/fgdump/
FGDUMP requires a user to have an administrator account in order to pull the cached credentials. FGDUMP will pull the local SAM hashes as well as the cached credentials and dump them into two files. It will also disable the antivirus on the computer and re-enable it when it finishes.

FGDUMP is capable of pulling credentials from a networked computer, provided that the account used has administrative rights on that computer.

John The Ripper
http://openwall.com/john/

Cain & Abel
http://www.oxid.it/cain.html


References

Cached credentials security in Windows Server 2003, in Windows XP, and in Windows 2000
http://support.microsoft.com/kb/913485

Cracking Cached Domain/Active Directory Passwords on Windows XP/2000/2003
http://www.irongeek.com/i.php?page=security/cachecrack

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.