Cain y sus milagritos...

Por defecto se guardan en caché las credenciales de los últimos 10 usuarios
que han hecho logon.

Puedes ver los 10 ítems listados en HKEY_LOCAL_MACHINE\Security\Cache
después de cambiar los permisos.

Cambia el valor de la clave
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\cachedlogonscount
a 1 para deshabilitar el caché

No tengo el Cain, así que porfa avísame si después de limpiar la caché sigue
encontrando la password.

Saludos,

Fabián

"Sanjor" escribió en el mensaje
news:%

WindowsXP Pro. con todas las actualizaciones.
Me da por hacerme unas pruebas de seguridad con Cain 2.7.5

Mi sorpresa es que en la ficha LSA Secrets me encuentra la Password de
administrador segun pone en DefaultPassword.
El caso es que he estado buscando por el registro i no tengo ni la clave
DefaultPassword ni AutoAdminLogon en
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon.

El sistema solo almacenar en NTLM las password (Almacenar contraseñas
usando cifrado reversible...Deshabilitada)

En caches o Protected Storage, no, esa password solo se usa de
administrador.
¿¿De donde extrae la pasword??

Alguien puede aclararme eso, no creo que Cain pueda cracquearme la passord
el solito en un plis, de algun lado debe recuperarla, pero ¿de donde?


Gracias de antemano.




Cordialmente Jgas

Permisos cambiados i chache borrada.
Valor de la cache 1.

La sigue encontrando
El caso es que Cain es el único que lo encuentra otros programas de
deteccion de contraseñas ni se asoma.


Gracias! Fabian


"Fabián Pazmiño" escribió en el mensaje
news:

Por defecto se guardan en caché las credenciales de los últimos 10
usuarios que han hecho logon.

Puedes ver los 10 ítems listados en HKEY_LOCAL_MACHINE\Security\Cache
después de cambiar los permisos.

Cambia el valor de la clave
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\cachedlogonscount
a 1 para deshabilitar el caché

No tengo el Cain, así que porfa avísame si después de limpiar la caché
sigue encontrando la password.

Saludos,

Fabián

"Sanjor" escribió en el mensaje
news:%

WindowsXP Pro. con todas las actualizaciones.
Me da por hacerme unas pruebas de seguridad con Cain 2.7.5

Mi sorpresa es que en la ficha LSA Secrets me encuentra la Password de
administrador segun pone en DefaultPassword.
El caso es que he estado buscando por el registro i no tengo ni la clave
DefaultPassword ni AutoAdminLogon en
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon.

El sistema solo almacenar en NTLM las password (Almacenar contraseñas
usando cifrado reversible...Deshabilitada)

En caches o Protected Storage, no, esa password solo se usa de
administrador.
¿¿De donde extrae la pasword??

Alguien puede aclararme eso, no creo que Cain pueda cracquearme la
passord el solito en un plis, de algun lado debe recuperarla, pero ¿de
donde?


Gracias de antemano.




Cordialmente Jgas

Pon passw de mas de 8 caracteres y comentame si la encuentra.

Jose Manuel Tella Llop
MVP - Windows
(quitar XXX)
http://www.multingles.net/jmt.htm

Este mensaje se proporciona "como está" sin garantías de ninguna clase,
y no otorga ningún derecho.

This posting is provided "AS IS" with no warranties, and confers no
rights.
You assume all risk for your use.



"Sanjor" wrote in message
news:
Upssss!!!!
Estos tambien la encuentran, cada uno con su técnica.
Vale entro como administrador y puedo ver mi password, no tiene mucho
merito, pero...
Partiendo de que guardando las passwords solo en NTLM no tienen vuelta atras
y que el systema al realitzar las validaciones solo sabe de hashes.
¿Como es posible que rescate la pass por medio de procesos internos?

¿Quizas me estoy perdiendo algo?

Atentamente


Sanjor



Proactive Password Auditor 151 (Dump from memory - Memory Local Computer)
Windows info attack **Opciones**
Memory of local computer

If you have administrator rights on the machine you run PPA on, you can dump
password hashes from its memory. This method works regardless of the SYSKEY
mode, and gives hashes for all users, including Active Directory users.


Proactive System Password Recovery 4.1.3 (NT Secrets Private
DefaultPassword)
NT Secrets
Shows passwords cached by the system: RAS passwords, passwords of some
users, SQL server passwords, etc. Can be local (for current user only) or
global (for all users).

Also, the program can get the secrets from SYSTEM/SECURITY files taken from
another system - simply check the Manual decryption option, browse for these
files, (optionally) check the Show old secrets option if you'd like to see
the secrets that are still stored but not being used anymore, and press
Manual decryption.

All secrets (from local machine or external Registry files) can be edited,
but use this feature with great care.

manual decription
E:\WINDOWS\system32\config\SYSTEM
E:\WINDOWS\system32\config\SECURITY


Cain 2.7.5 (LSA Secrets DefaultPassword)
LSA Secrets Dumper

LSA Secrets are used to store information such as the passwords for service
accounts used to start services under an account other than local System.
Dial-Up credentials and other application defined passwords also reside
here.

How it works
This feature of the program follows the same methodology used by Todd Sabin
in his PWDUMP2 program to decrypt LSA secrets present on the system. It uses
the "DLL injection" technique to run a thread in the same security context
of the Local Security Authority Subsystem process. The thread's executable
code must first be copied to the address space of LSASS process and this
requires an account with the SeDebugPrivilege user right. By default only
Administrators have this right.

Once injected and executed the thread will run with the same access
privileges of the Local Security Authority Subsystem; it will load the
function "DumpLsa" from Abel.dll which will open and query each secret using
the LsarOpenSecret and LsarQuerySecret APIs from LSASRV.DLL. The thread
stores the data returned from these functions in a temporary file named
lsa.txt located in the same directory of the program. Finally, the content
of this file is put on the screen and the temporary file is deleted.

Usage
To dump the content of the LSA Secrets you can press the "Insert" button on
the keyboard or click the icon with the blue + on the toolbar.

Requirements
This feature requires an account with the SeDebugPrivilege user right. By
default only Administrators have this right.

Abel.dll is also required by the remote thread injected into LSASS process.

Acabo de probarlo...
Las saca no solo Cain los 3.

¿Que me estoy perdiendo?

la he probado con 12 caracteres

Atentamente


jgas


"JM Tella Llop [MVP Windows]" escribió en el mensaje
news:

Pon passw de mas de 8 caracteres y comentame si la encuentra.

Jose Manuel Tella Llop
MVP - Windows
(quitar XXX)
http://www.multingles.net/jmt.htm

Este mensaje se proporciona "como está" sin garantías de ninguna clase,
y no otorga ningún derecho.

This posting is provided "AS IS" with no warranties, and confers no
rights.
You assume all risk for your use.



"Sanjor" wrote in message
news:
Upssss!!!!
Estos tambien la encuentran, cada uno con su técnica.
Vale entro como administrador y puedo ver mi password, no tiene mucho
merito, pero...
Partiendo de que guardando las passwords solo en NTLM no tienen vuelta
atras y que el systema al realitzar las validaciones solo sabe de hashes.
¿Como es posible que rescate la pass por medio de procesos internos?

¿Quizas me estoy perdiendo algo?

Atentamente


Sanjor



Proactive Password Auditor 151 (Dump from memory - Memory Local Computer)
Windows info attack **Opciones**
Memory of local computer

If you have administrator rights on the machine you run PPA on, you can
dump password hashes from its memory. This method works regardless of the
SYSKEY mode, and gives hashes for all users, including Active Directory
users.


Proactive System Password Recovery 4.1.3 (NT Secrets Private
DefaultPassword)
NT Secrets
Shows passwords cached by the system: RAS passwords, passwords of some
users, SQL server passwords, etc. Can be local (for current user only) or
global (for all users).

Also, the program can get the secrets from SYSTEM/SECURITY files taken
from another system - simply check the Manual decryption option, browse
for these files, (optionally) check the Show old secrets option if you'd
like to see the secrets that are still stored but not being used anymore,
and press Manual decryption.

All secrets (from local machine or external Registry files) can be edited,
but use this feature with great care.

manual decription
E:\WINDOWS\system32\config\SYSTEM
E:\WINDOWS\system32\config\SECURITY


Cain 2.7.5 (LSA Secrets DefaultPassword)
LSA Secrets Dumper

LSA Secrets are used to store information such as the passwords for
service accounts used to start services under an account other than local
System. Dial-Up credentials and other application defined passwords also
reside here.

How it works
This feature of the program follows the same methodology used by Todd
Sabin in his PWDUMP2 program to decrypt LSA secrets present on the system.
It uses the "DLL injection" technique to run a thread in the same security
context of the Local Security Authority Subsystem process. The thread's
executable code must first be copied to the address space of LSASS process
and this requires an account with the SeDebugPrivilege user right. By
default only Administrators have this right.

Once injected and executed the thread will run with the same access
privileges of the Local Security Authority Subsystem; it will load the
function "DumpLsa" from Abel.dll which will open and query each secret
using the LsarOpenSecret and LsarQuerySecret APIs from LSASRV.DLL. The
thread stores the data returned from these functions in a temporary file
named lsa.txt located in the same directory of the program. Finally, the
content of this file is put on the screen and the temporary file is
deleted.

Usage
To dump the content of the LSA Secrets you can press the "Insert" button
on the keyboard or click the icon with the blue + on the toolbar.

Requirements
This feature requires an account with the SeDebugPrivilege user right. By
default only Administrators have this right.

Abel.dll is also required by the remote thread injected into LSASS
process.

Pues te estas perdiendo usar XP+SP2 (y el resto de parches..). Lo acabo de
probar con esa version de Cain, y me lo he pasado como un enano...:-) Hacia
tiempo que no probaba estas basurillas. Veamos: lo que hace es meter una
inyexxion de cosigo a la lsass.exe

Si tienes el DEP activado, y lo ejecutas, claro está con derechos
administrativos. se pega un cebollon la lssass.exe y al minuto se
reinicia el sistema por caida de servicio critico. Al reiniciar te informa
el DEP de la inyeccion de codigo.

Lo he probado tambien en otro XP+SP2 que tenia en una maquina virtual...
virgencito del to' y la misma caida. (evidentemente sin sacar ningun
dato).

Jose Manuel Tella Llop
MVP - Windows
(quitar XXX)
http://www.multingles.net/jmt.htm

Este mensaje se proporciona "como está" sin garantías de ninguna clase,
y no otorga ningún derecho.

This posting is provided "AS IS" with no warranties, and confers no
rights.
You assume all risk for your use.



"jgas" wrote in message
news:%

Acabo de probarlo...
Las saca no solo Cain los 3.

¿Que me estoy perdiendo?

la he probado con 12 caracteres

Atentamente


jgas


"JM Tella Llop [MVP Windows]" escribió en el mensaje
news:

Pon passw de mas de 8 caracteres y comentame si la encuentra.

Jose Manuel Tella Llop
MVP - Windows
(quitar XXX)
http://www.multingles.net/jmt.htm

Este mensaje se proporciona "como está" sin garantías de ninguna clase,
y no otorga ningún derecho.

This posting is provided "AS IS" with no warranties, and confers no
rights.
You assume all risk for your use.



"Sanjor" wrote in message
news:
Upssss!!!!
Estos tambien la encuentran, cada uno con su técnica.
Vale entro como administrador y puedo ver mi password, no tiene mucho
merito, pero...
Partiendo de que guardando las passwords solo en NTLM no tienen vuelta
atras y que el systema al realitzar las validaciones solo sabe de hashes.
¿Como es posible que rescate la pass por medio de procesos internos?

¿Quizas me estoy perdiendo algo?

Atentamente


Sanjor



Proactive Password Auditor 151 (Dump from memory - Memory Local
Computer)
Windows info attack **Opciones**
Memory of local computer

If you have administrator rights on the machine you run PPA on, you can
dump password hashes from its memory. This method works regardless of the
SYSKEY mode, and gives hashes for all users, including Active Directory
users.


Proactive System Password Recovery 4.1.3 (NT Secrets Private
DefaultPassword)
NT Secrets
Shows passwords cached by the system: RAS passwords, passwords of some
users, SQL server passwords, etc. Can be local (for current user only) or
global (for all users).

Also, the program can get the secrets from SYSTEM/SECURITY files taken
from another system - simply check the Manual decryption option, browse
for these files, (optionally) check the Show old secrets option if you'd
like to see the secrets that are still stored but not being used anymore,
and press Manual decryption.

All secrets (from local machine or external Registry files) can be
edited, but use this feature with great care.

manual decription
E:\WINDOWS\system32\config\SYSTEM
E:\WINDOWS\system32\config\SECURITY


Cain 2.7.5 (LSA Secrets DefaultPassword)
LSA Secrets Dumper

LSA Secrets are used to store information such as the passwords for
service accounts used to start services under an account other than local
System. Dial-Up credentials and other application defined passwords also
reside here.

How it works
This feature of the program follows the same methodology used by Todd
Sabin in his PWDUMP2 program to decrypt LSA secrets present on the
system. It uses the "DLL injection" technique to run a thread in the same
security context of the Local Security Authority Subsystem process. The
thread's executable code must first be copied to the address space of
LSASS process and this requires an account with the SeDebugPrivilege user
right. By default only Administrators have this right.

Once injected and executed the thread will run with the same access
privileges of the Local Security Authority Subsystem; it will load the
function "DumpLsa" from Abel.dll which will open and query each secret
using the LsarOpenSecret and LsarQuerySecret APIs from LSASRV.DLL. The
thread stores the data returned from these functions in a temporary file
named lsa.txt located in the same directory of the program. Finally, the
content of this file is put on the screen and the temporary file is
deleted.

Usage
To dump the content of the LSA Secrets you can press the "Insert" button
on the keyboard or click the icon with the blue + on the toolbar.

Requirements
This feature requires an account with the SeDebugPrivilege user right. By
default only Administrators have this right.

Abel.dll is also required by the remote thread injected into LSASS
process.