Hi,
In Win9x, we can access the network password list of the currently logged-on user by calling WNetEnumCachedPasswords. What is the equivalent way - if any - to read the password list in NT/Win2k/XP?
Thanks for any hints.
Max
You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> In Win9x, we can access the network password list of the currently
> logged-on user by
> WNetEnumCachedPasswords. What is the equivalent way - if any - to read the
> password list
> in NT/Win2k/XP?
Surely NT has no such idiotic security hole, which seems to be implemented
in Win9x with the only purpose of helping BackOrifice-like trojans.
There is no API in NT to read the cached passwords. The LocalSystem account (and
only it) can read them from the registry, from the NL$Cache subkey in
HKLM\SECURITY, but any sane sysadmin will disable password caching on NT
desktops altogether - no NL$Cache in this case at all, and the domain password and
its hash are not saved to any nonvolatile storage on the desktop in this
case.
The only way you can access the current user’s NT password information
is the SSP API, but IIRC you can only generate the auth protocol (NTLM or
Kerberos) BLOBs this way, not access the password itself.
You can also add an “auth filter” or “sub auth package” to LSA; these
modules will receive the passwords in cleartext.
See Platform SDK for details on them.
Max
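
A read-only audit of the two points raised in the reply above, added here as an example and not part of either message: whether domain logon caching is disabled, and which modules are registered to load into LSA. The `CachedLogonsCount` value, the `Lsa` value names and the `MSV1_0` `AuthN` values are standard Windows registry settings that the thread does not name; the baseline list is an assumption to be replaced with your own known-good build.

```powershell
# Added example: read-only audit of the settings discussed in the reply above.
# Run from an elevated PowerShell prompt on the machine being checked.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Domain logon caching. CachedLogonsCount is a string value; "0" disables
#    caching, and Windows falls back to 10 when the value is absent.
$raw   = Get-RegValue $winlogon 'CachedLogonsCount'
$count = if ($null -eq $raw) { 10 } else { [int]$raw }
[pscustomobject]@{
    Check  = 'CachedLogonsCount'
    Value  = $count
    Status = if ($count -eq 0) { 'OK: caching disabled' } else { "REVIEW: up to $count logons cached" }
}

# 2. Modules loaded by LSA. The baseline is an assumption for illustration;
#    replace it with the list from a known-good build of your own image.
$baseline = @{
    'Notification Packages'   = @('scecli', 'rassfm')
    'Authentication Packages' = @('msv1_0')
}
foreach ($name in $baseline.Keys) {
    $values = @(Get-RegValue $lsa $name) | Where-Object { $_ }
    foreach ($dll in $values) {
        $known = $baseline[$name] -contains $dll.ToLower()
        [pscustomobject]@{
            Check  = $name
            Value  = $dll
            Status = if ($known) { 'OK: in baseline' } else { 'REVIEW: not in baseline' }
        }
    }
}

# 3. MSV1_0 subauthentication DLLs are registered as Auth0, Auth1, ... values.
$msv = Get-ItemProperty -Path "$lsa\MSV1_0" -ErrorAction SilentlyContinue
if ($msv) {
    $msv.PSObject.Properties | Where-Object { $_.Name -match '^Auth\d+$' } | ForEach-Object {
        [pscustomobject]@{ Check = "MSV1_0 $($_.Name)"; Value = $_.Value; Status = 'REVIEW: subauthentication package' }
    }
}
```

Any row marked REVIEW is a prompt to confirm the setting or DLL against the machine's intended configuration, not proof of compromise.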