Adrian,

Tangentially related but AD does have some settings to defend against this (on the 
workstation side... mobile not as well)

BTW- looking forward to meeting up with all you guys at Derbycon.

Liam Randall

<Wall_of_text>
---------------------------------------------------------------
Policy Name: Interactive logon: Number of previous logons to cache (in case 
domain controller is not available)
Policy Path: Computer Configuration\Windows Settings\Local Policies\Security 
Options
Supported On: Windows XP SP2, Windows Server 2003 & higher
Registry Setting: MACHINE\Software\Microsoft\Windows 
NT\CurrentVersion\Winlogon\CachedLogonsCount 
Description: 
Interactive logon: Number of previous logons to cache (in case domain 
controller is not available)
All previous users' logon information is cached locally so that, in the event 
that a domain controller is unavailable during subsequent logon attempts, they 
are able to log on. If a domain controller is unavailable and a user's logon 
information is cached, the user is prompted with a message that reads as 
follows:
Windows cannot connect to a server to confirm your logon settings. You have 
been logged on using previously stored account information. If you changed your 
account information since you last logged on to this computer, those changes 
will not be reflected in this session.
If a domain controller is unavailable and a user's logon information is not 
cached, the user is prompted with this message:
The system cannot log you on now because the domain <DOMAIN_NAME> is not 
available.
In this policy setting, a value of 0 disables logon caching. Any value above 50 
only caches 50 logon attempts.
Default: 10
---------------------------------------------------------------
Policy Name: Interactive logon: Require Domain Controller authentication to 
unlock workstation
Policy Path: Computer Configuration\Windows Settings\Local Policies\Security 
Options
Supported On: Windows XP SP2, Windows Server 2003 & higher
Registry Setting: MACHINE\Software\Microsoft\Windows 
NT\CurrentVersion\Winlogon\ForceUnlockLogon
Description:

Interactive logon: Require Domain Controller authentication to unlock
Logon information must be provided to unlock a locked computer. For domain 
accounts, this security setting determines whether a domain controller must be 
contacted to unlock a computer. If this setting is disabled, a user can unlock 
the computer using cached credentials. If this setting is enabled, a domain 
controller must authenticate the domain account that is being used to unlock 
the computer.
Default: Disabled.
Important
This setting applies to Windows 2000 computers, but it is not available through 
the Security Configuration Manager tools on these computers.
---------------------------------------------------------------
Policy Name: Network access: Do not allow storage of credentials or .NET 
Passports for network authentication
Policy Path: Computer Configuration\Windows Settings\Local Policies\Security 
Options
Supported On: Windows XP SP2, Windows Server 2003
Registry Setting: 
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds
Description:

Network access: Do not allow storage of credentials or .NET Passports for 
network authentication
This security setting determines whether Stored User Names and Passwords saves 
passwords, credentials, or .NET Passports for later use when it gains domain 
authentication.
If it is enabled, this setting prevents the Stored User Names and Passwords 
from storing passwords and credentials.
Note: When configuring this security setting, changes will not take effect 
until you restart Windows.
For more information about Stored User Names and Passwords, see Stored User 
Names and Passwords.
Default: Disabled.
---------------------------------------------------------------
</Wall_of_text>
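Since the three policies above map to plain registry values, here is an added PowerShell audit (my own example, not part of Liam's post or Microsoft's documentation) that reads each value on a workstation, falls back to the documented default when the value has never been set, and flags the ones that would leave cached domain credentials on the box. The "expected" thresholds are an assumption of the example, not something the thread prescribes.

```powershell
# Added example: audit the three Winlogon/LSA settings from the policy text above.
# Assumptions: run in an elevated PowerShell on the workstation; the Expected
# checks are a hardening choice for this example, not a recommendation quoted
# from the thread. Defaults are the ones stated in the policy descriptions.
$checks = @(
    @{
        Name     = 'Interactive logon: Number of previous logons to cache'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Value    = 'CachedLogonsCount'   # stored as REG_SZ, e.g. "10"
        Default  = 10
        Expected = { param($v) $v -le 1 } # 0 disables caching entirely
    },
    @{
        Name     = 'Interactive logon: Require DC authentication to unlock'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Value    = 'ForceUnlockLogon'     # REG_DWORD, 1 = enabled
        Default  = 0
        Expected = { param($v) $v -eq 1 }
    },
    @{
        Name     = 'Network access: Do not allow storage of credentials'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Value    = 'DisableDomainCreds'   # REG_DWORD, 1 = enabled
        Default  = 0
        Expected = { param($v) $v -eq 1 }
    }
)

foreach ($c in $checks) {
    # Get-ItemProperty -Name fails when the value is absent; absent means the
    # policy was never configured, so the machine is using the documented default.
    try {
        $raw    = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction Stop).($c.Value)
        $source = 'registry'
    } catch {
        $raw    = $c.Default
        $source = 'default (value not present)'
    }
    $current = [int]$raw   # CachedLogonsCount is a string; DWORDs cast as-is
    $ok      = & $c.Expected $current
    [pscustomobject]@{
        Policy  = $c.Name
        Value   = $c.Value
        Current = $current
        Source  = $source
        Status  = if ($ok) { 'OK' } else { 'REVIEW' }
    }
}
```

Pipe the output to Export-Csv if you want to collect results from several machines; every row marked REVIEW is a workstation that will still hold cached domain credentials after the settings above are applied elsewhere.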
From: [email protected] 
[mailto:[email protected]] On Behalf Of Adrian Crenshaw
Sent: Sunday, August 14, 2011 11:49 AM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Differences between MSCacheV1 and MSCacheV2

Hi all,
   Ok, I've been Googling this up and found no answer. My statements in this 
email may also be wrong, so double check. 

On Windows boxes in a domain, the last 10 passwords are saved (by default) as a 
hash on the local box in case communications to the domain go down. The user 
name is used as a salt in these hashes. 

Windows before Vista: uses MSCacheV1 (AKA Domain Cached Credentials)
Windows Vista/7/2008: use MSCacheV2 

Cain can now dump and crack both, but at 70 attempts per sec with Cain on a 
newer i7, it's kind of pointless. Hashcat/cudaHashCat seems to be able to crack 
MSCacheV1 much faster than Cain, but only seems to support MSCacheV1 as far as 
I can tell. Anyone know what the real differences in algorithm are between the 
two MSCache versions?

As a side note: What do you use for dumping these hashes? I've been using Cain, 
but would love to hear if there is something better.

Thanks,
Adrian
-- 
"The ability to quote is a serviceable substitute for wit." ~ W. Somerset 
Maugham
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com