inception icon indicating copy to clipboard operation
inception copied to clipboard

Published 20 hours ago verified publisher icon carmaa

Windows AD account's erroneous passwords are cached

Open carmaa opened this issue 13 years ago • 12 comments

Since Windows cache passwords, the password entered after use of the tool is used against AD, locking the AD account out of the domain. Need to investigate alternative patching methods.

carmaa avatar May 02 '12 22:05 carmaa

Pull network cable on target. Normal Windows PW checking is AD then local cache. Bypassing AD will allow tool in current state to work.

init99 avatar May 03 '12 15:05 init99

Have you tested this?

carmaa avatar May 03 '12 21:05 carmaa

Yes. Successfully patched an XPsp3 workstation on domain. Attempt to log in fails. Remove network cable, try again, success. However, if network cable is reconnected, any attempts to access network resources seem to use the "fake" password and will fail.

init99 avatar May 03 '12 21:05 init99

Ah, OK so what you are saying is that the patch won't work if the computer is connected to the domain. That's expected. The issue is more related to the fact that windows cache the erroneous password (like you mentioned) and that subsequent AD authentications will fail.

That being said, I'll look into if there's a way to patch the method that decides if a password is needed at all (I think winlockpwn did this).

carmaa avatar May 03 '12 21:05 carmaa

Adding signatures for all Windows systems patching the call that decides if the account needs to enter a password to authenticate or not - should take care of this issue.

carmaa avatar Oct 07 '12 22:10 carmaa

Further investigation shows that patching will work both in "Not logged in" (with network cable unplugged) and "Locked" states. Laptops will likely be on WiFi which one may or may not be able to turn off with hardware switches.

As the tool is intended for Locked machines, this issue is closed for now. Would need a secondary patch for all Windows patches to ensure that the hash resulting from the authentication is not cached.

carmaa avatar Oct 11 '12 02:10 carmaa

Just wanted to ask prior locking my domain account again as I did in the past - is the caching of incorrect credentials already sorted out or an unlock on a computer joined in a domain will result in a locked account as it did before?

strasharo avatar Jan 07 '14 16:01 strasharo

Yeah... That's still a problem, unfortunately. Considering re-reverse engineer new sigs for Windows 7 and up for the next big release. Let's reopen this ticket to remind myself.

carmaa avatar Jan 07 '14 18:01 carmaa

By the way and completely off topic - any idea why I suddenly have 60 new people starring this project over a timespan of 2 days?

carmaa avatar Jan 07 '14 18:01 carmaa

No idea at all. Personally I was about to ask my question on http://www.breaknenter.org as I did 2 years ago here - http://www.breaknenter.org/projects/inception/#comment-1550, when I recalled that there is already an open ticket on Github for it. :-) Perhaps the repo was mentioned on some popular place?

strasharo avatar Jan 07 '14 22:01 strasharo

Any updates on this issue?

sumsysam141141 avatar Jul 16 '15 14:07 sumsysam141141

Why not put the "old"/correct hash back in it's place after it's unlocked? You should be able to copy/save/print to screen, and then copy it back no?

richrumble avatar Sep 06 '16 15:09 richrumble