I know in a Windows environment local passwords are stored in SAM and domain passwords are cached locally in the registry at HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10.
At the moment I am doing a password audit on a Novell server (NDS/eDirectory) and Windows client environment. In this case local passwords are still stored in SAM. But where are the local NDS cached passwords on the Windows client? Probably not in the same registry location, since I cannot grab them with CacheDump?
Thanks for your help.
<shrug> Just fire up Google and see what you can find. I don't know anyone who actually uses Novell (not that I've had to pentest anyway).
Doesn't tell you the exact file but I'm sure with some additional searching you can find it....secrets from SecretStore in eDirectory or NDS are cached to an encrypted information store on the workstation's Windows directory. This local store persists after the eDirectory authenticated session is closed. For laptop users, this functionality provides access to login data while the users aren't connected to the network.
Thanks Thorin. I already did some thorough searching via Google, but I can only find vague references like "the local data store with the cached NDS/eDirectory credentials", and still didn't find the actual location.
What about using SysInternals Filemon and Regmon tools (or just Windows search for any file(s) modified in the last day) and force a new user to be added to the cache somehow?
I tested it with a new account. Funny, Novell caches the NDS/eDirectory credentials in the SAM database, where Windows only stores local accounts.
I confirmed an interesting vulnerability with Novell. According to this advisory, the Novell password can be dumped out of memory:
We confirmed this on a Novell 7 environment while performing a pentest.
Use both Psexec and pmdump as follows:
psexec \\hostname -u username -p password -s -f -c pmdump -list
Find the PID of the Gwise.exe service. Then:
psexec \\hostname -u username -p password -s -f -c pmdump PID PID_dump.txt
This will dump the memory to \\hostname\c$\windows\system32
Open the dump file in a hex editor and search for an organizational string, like an OU, in the target's memory dump file.
From there you can find the Novell password for the user within the file.
To simplify this, if you have already found one Novell password, dump the PID for gwise of that user and search for the password. From there, you can work backwards to find the OU format, and apply it to other targets. For instance, at this particular location, the client's OU is similar to clientname.AA_FINANCE.AA_NW
If you do a search for AA_FINANCE.AA_NW in the memory dump you will see the password in plain text. Suppose the CFO is whomever.AA_FINANCE.AA_NW. By dumping his memory, you can search for the OU and reference your original dump, match up the location and password.
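From the defender's side, the psexec/pmdump sequence in the post above leaves a recognisable command line in process-creation logging. The following is an added example, not part of the original thread: it parses constructed sample command lines and flags PsExec runs that launch a memory dumper. The event tuples, host names and the `analyze`/`alerts` function names are assumptions for illustration.

```python
import ntpath

# PsExec options that consume the following token as their value.
VALUE_OPTS = {"-u", "-p", "-n", "-w"}
# Remote programs treated as process-memory dumpers (pmdump is the one named in the thread).
DUMPERS = {"pmdump"}
FLAG_NOTES = {"-s": "runs as SYSTEM", "-c": "copies binary to target",
              "-p": "password on command line"}

# Constructed sample records (source host, command line); not real log data.
SAMPLE_EVENTS = [
    ("WS-014", r"psexec \\WS-022 -u auditor -p REDACTED -s -f -c pmdump -list"),
    ("WS-014", r"psexec \\WS-022 -u auditor -p REDACTED -s -f -c pmdump 1844 1844_dump.txt"),
    ("WS-031", r"PsExec.exe \\FS-01 -u svc_backup -p REDACTED ipconfig /all"),
    ("WS-031", r"notepad.exe C:\notes\pmdump-readme.txt"),
]

def _stem(path):
    """Lower-cased file name without directory or .exe suffix."""
    name = ntpath.basename(path).lower()
    return name[:-4] if name.endswith(".exe") else name

def analyze(cmdline):
    """Return a finding dict for a PsExec command line, or None if it is not PsExec."""
    tokens = cmdline.split()  # assumption: no quoted arguments containing spaces
    if not tokens or _stem(tokens[0]) not in {"psexec", "psexec64"}:
        return None
    target, flags, i = None, set(), 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("\\\\") and target is None:
            target = tok.lstrip("\\")
        elif tok.startswith("-"):
            flags.add(tok.lower())
            # Skip the option's value unless it is missing (next token is another option).
            if tok.lower() in VALUE_OPTS and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                i += 1
        else:
            break  # first bare token is the program to run remotely
        i += 1
    program, args = (tokens[i], tokens[i + 1:]) if i < len(tokens) else (None, [])
    reasons = []
    if program and _stem(program) in DUMPERS:
        reasons.append("memory dumper")
        if args and args[0].isdigit():
            reasons.append("dumps PID " + args[0])
    reasons += [note for flag, note in FLAG_NOTES.items() if flag in flags]
    return {"target": target, "program": program, "reasons": reasons,
            "alert": "memory dumper" in reasons}

def alerts(events):
    """Return (source host, finding) pairs for events that launch a memory dumper."""
    return [(host, f) for host, cmd in events if (f := analyze(cmd)) and f["alert"]]
```

The same matching can be expressed as a rule in whatever process-creation telemetry is collected on the clients; the `-p` finding is worth reporting on its own, since it means a credential was recorded in the log.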