Differences between MSCacheV1 and MSCacheV2


Adrian Crenshaw

Aug 14, 2011, 11:46:44 AM
to isdpo...@googlegroups.com
Hi all,
Ok, I've been Googling this up and found no answer. My statements in this email may also be wrong, so double check.

On Windows boxes in a domain, the last 10 passwords are saved (by default) as a hash on the local box in case communications to the domain go down. The user name is used as a salt in these hashes.

Windows before Vista: uses MSCacheV1 (AKA Domain Cached Credentials)
Windows Vista/7/2008: use MSCacheV2

Cain can now dump and crack both, but at 70 attempts per sec with Cain on a newer i7, it's kind of pointless. Hashcat/cudaHashCat seems to be able to crack MSCacheV1 much faster than Cain, but only seems to support MSCacheV1 as far as I can tell. Anyone know what the real differences in algorithm are between the two MSCache versions?

As a side note: What do you use for dumping these hashes? I've been using Cain, but would love to hear if there is something better.

Thanks,
Adrian

--
"The ability to quote is a serviceable substitute for wit." ~ W. Somerset Maugham

Will Genovese

Aug 15, 2011, 10:34:49 AM
to isdpodcast
I believe v2 uses SHA1 hash iterations along with the MD4 that v1 uses to encrypt the password, so in order to crack v2 you'd have to: generate password, MD4, 10 iterations of SHA1, then compare to the hash to crack; if it matches yay :), if not boo :(
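
The two derivations being compared in this thread, as an added Python example (not code from the thread, nor from Cain or Hashcat): DCC1 is a single MD4 over the NT hash plus the lowercased UTF-16LE username, while DCC2 runs that DCC1 value through PBKDF2-HMAC-SHA1 with the same username as salt and 10240 iterations, which is where the large per-guess cost difference comes from. The username and password below are constructed sample values, and MD4 is implemented inline because hashlib frequently lacks it on newer OpenSSL builds.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is often unavailable under OpenSSL 3."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & MASK
    bits = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bits)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for r in range(48):
            i = r % 16
            if r < 16:    # round 1: message words in natural order
                t, k, s = f(b, c, d), i, (3, 7, 11, 19)[i % 4]
            elif r < 32:  # round 2: column order 0,4,8,12,1,5,...
                t, k, s = g(b, c, d) + 0x5A827999, (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            else:         # round 3: order 0,8,4,12,2,10,...
                t, k, s = h(b, c, d) + 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rol((a + t + x[k]) & MASK, s), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def utf16(s: str) -> bytes:
    return s.encode("utf-16-le")

def nt_hash(password: str) -> bytes:
    return md4(utf16(password))

def dcc1(password: str, username: str) -> bytes:
    # MSCacheV1 (DCC1): one MD4 over the NT hash and the lowercased username.
    return md4(nt_hash(password) + utf16(username.lower()))

def dcc2(password: str, username: str, iterations: int = 10240) -> bytes:
    # MSCacheV2 (DCC2): PBKDF2-HMAC-SHA1 keyed with DCC1, salted with the same
    # lowercased username, 10240 iterations by default, truncated to 16 bytes.
    return hashlib.pbkdf2_hmac("sha1", dcc1(password, username), utf16(username.lower()), iterations, 16)

if __name__ == "__main__":
    user, pw = "alice", "Summer2011!"  # constructed sample values, not real credentials
    print("NT hash :", nt_hash(pw).hex())
    print("DCC1    :", dcc1(pw, user).hex())
    print("DCC2    :", dcc2(pw, user).hex())
```

Every DCC2 guess costs 10240 HMAC-SHA1 rounds on top of the two MD4 calls a DCC1 guess needs, which is the whole reason the V2 format is so much slower to attack and why a cracker that supports only V1 runs orders of magnitude faster.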

Mr bonez

Aug 15, 2011, 10:44:43 AM
to isdpo...@googlegroups.com
Well, as I'm not sure at all about the hashes and such, I CAN say I have a Windows password cracker disc that works on every version of Windows that has been created and, if they keep using the SAM database, ever will be. If people would like a copy, it's only like 2MB and I have it in ISO format. The coding involved with that could probably give some insight as to how it's being cracked.



Jaded

Aug 15, 2011, 10:49:11 AM
to isdpo...@googlegroups.com, isdpodcast
The passwd cache behavior can also be turned off.

Regards,
Boris

Boris Sverdlik

Sr Partner
Jaded Security Consulting
bsve...@gmail.com
Boris.S...@jadedsecurity.com
Mobile: 646.867.2375
Skype: jadedsecurity
Irc: #jadedsecurity

Adrian Crenshaw

Aug 15, 2011, 11:21:40 AM
to isdpo...@googlegroups.com
Thanks all, but I'm looking specifically at cached domain credentials, not the NTLM or LM hashes in the SAM.

Thanks,
Adrian

Adrian Sanabria

Aug 15, 2011, 3:07:08 PM
to isdpo...@googlegroups.com
I got into trying to do that last year and determined it was a complete lost cause. Was looking at YEARS to crack a single passwd. Hopefully I missed something ;)

Will Genovese

Aug 15, 2011, 4:56:57 PM
to isdpodcast
Adrian, shoot me an email. I have code from a buddy that shows how to create a cached password, both v1 and v2, that a friend was making for a password cracking plugin. As far as a cracker goes, the last time I saw someone attempt GPU cracking for cached credentials, the creator of BarsWF had made a private paid version for someone. I haven't noticed if anyone has attempted GPU cracking besides him.