You should be familiar with the well known tool "CacheDump" from Arnaud Pilon; it is an application which dumps the cached password hashes stored into the registry. Cain's MSCACHE Hashes Dumper does exactly the same thing and allows you to import password hashes directly into the relative "MSCACHE Hashes" password cracker tab. By default, Windows stores a copy of domain logon passwords into the local registry; this enables the user to logon locally even if the domain controller is off-line or unavailable. Cached passwords are stored locally under the form of hashes encrypted with the NL$KM LSA secret. This feature decrypts cached hashes and prepares them to be cracked using Dictionary or Brute-Force attacks.

 

How it works

This feature of the program follows the same methodology used by Todd Sabin in his PWDUMP2 program to extract MSCACHE hashes present on the system. It uses the "DLL injection" technique to run a thread in the same security context of the Local Security Authority Subsystem process. The thread's executable code must first be copied to the address space of LSASS process and this requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.

Once injected and executed the thread will run with the same access privileges of the Local Security Authority Subsystem; it will load the function "DumpCache" from Abel.dll that will

retrieve the NL$KM LSA secret and decrypt MSCACHE hashes stored in the registry. Unlike "CacheDump", the NL$KM LSA secret is obtained using the LsarOpenSecret and LsarQuerySecret APIs from  LSASRV.DLL. The thread stores the data returned from these functions in a temporary file named cache.txt located in the same directory of the program. Finally, unencrypted MSCACHE hashes are put on the screen and the temporary file deleted.

Usage

To dump MSCACHE hashes you can press the "Insert" button on the keyboard or click the icon with the blue + on the toolbar. Once dumped, cached password hashes can be sent to MSCACHE cracker using the list pop up menu. You can choose to dump MSCACHE hashes from the local system or from external registry hive files (SYSTEM and SECURITY); Windows Vista hive files are also supported.

Requirements

This feature requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.

Abel.dll is also required by the remote thread injected into LSASS process.