I have a laptop given to me by my school, and on it I have a user account that is part of the school network. But I can log in to the computer even when it's not connected to the network. So it stands to reason that the password hash is stored on the computer. I have booted it into Ubuntu and cracked the SAM file using ophcrack, but my user account isn't there. So where is the password hash of my account stored on the computer?
This indicates that the computer is part of a Windows domain. The SAM database is used for local accounts.
Cached domain credentials are stored under: HKEY_LOCAL_MACHINE\SECURITY\Cache
This path is hidden from everyone other than SYSTEM.
You can run regedit as system by using PsExec: http://technet.microsoft.com/en-us/sysi ... s/bb897553
psexec -d -i -s regedit
By default Windows will cache the last ten credentials; they will be listed as 'NL$1' and so forth.
You should take a look at this: http://technet.microsoft.com/en-us/libr ... 10%29.aspx