
Cloning $MACHINE.ACC

Nazaf, 11:48:47 10.09.2015 Rating: 0 #1

Cloning $MACHINE.ACC  

I used the LSA plugin to export the value of $MACHINE.ACC and import it on a different machine, but I keep getting an error KRB5KDC_ERR_PREAUTH_FAILED. It seems the value is wrong. Is this value reusable on other machines? I made sure the computer name is the same, but it did not work.

I was reading this excellent article https://www.passcape.com/index.php?section=docsys&cmd=details&id=23 and decided to test some theory.

Thanks.
 
Passcape_Admin, 15:31:41 10.09.2015 Rating: 0 #2

RE: Cloning $MACHINE.ACC  

That's right. You changed your target's system credentials. So any further authentication/decryption will fail.
 
Nazaf, 20:45:05 10.09.2015 Rating: 0 #3

RE: Cloning $MACHINE.ACC  

Can you elaborate more? Shouldn't the encryption/decryption be identical? The password looks the same as viewed by WPR on both machines.

Thanks.
 
Passcape_Admin, 08:26:19 11.09.2015 Rating: 0 #4

RE: Cloning $MACHINE.ACC  

The machine credentials are like a password for a user account. The password is used to derive other encryption keys. So, for example, even if you can reset a password by simply setting a new hash value in SAM, you will not be able to decrypt any data encoded with DPAPI, because the DPAPI subsystem uses its own primary encryption key, which is based on the user password.

Machine credentials work the same way. The $MACHINE.ACC data is used to derive other encryption keys for various modules in Windows. If you simply change the machine credentials, other keys will not be validated and thus will not be generated correctly.
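
The reply above, as a simplified model added here (not part of the original thread, and not Passcape's or Windows' own code): a master key is wrapped under a key derived from the password, so overwriting only the stored hash leaves protected data unreadable, while a normal password change (which re-wraps the key, a detail beyond what the thread states) keeps it readable. The SHA-256 verifier, the toy HMAC stream cipher and all names are assumptions for illustration; real DPAPI uses different algorithms.

```python
import hashlib, hmac, os

def verifier(pw):                        # stand-in for the logon hash kept in SAM
    return hashlib.sha256(pw.encode("utf-16-le")).digest()

def kek(pw, salt):                       # key-encryption key derived from the password
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-16-le"), salt, 10_000)

def stream_xor(key, data):               # toy HMAC-counter keystream (model only)
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, b"ks" + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, data):                     # encrypt, then append an integrity tag
    ct = stream_xor(key, data)
    return ct + hmac.new(key, b"tag" + ct, hashlib.sha256).digest()

def unseal(key, blob):                   # returns None when the key is wrong
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + ct, hashlib.sha256).digest()):
        return None
    return stream_xor(key, ct)

class Account:                           # hypothetical model of one account
    def __init__(self, pw):
        self.stored_hash, self.salt = verifier(pw), os.urandom(16)
        self.wrapped_master = seal(kek(pw, self.salt), os.urandom(32))
    def logon(self, pw):
        return hmac.compare_digest(self.stored_hash, verifier(pw))
    def master_key(self, pw):
        return unseal(kek(pw, self.salt), self.wrapped_master)
    def unprotect(self, pw, blob):
        mk = self.master_key(pw)
        return None if mk is None else unseal(mk, blob)
    def change_password(self, old, new): # normal change: old password is known
        mk = self.master_key(old)
        self.stored_hash = verifier(new)
        self.wrapped_master = seal(kek(new, self.salt), mk)
    def offline_reset(self, new):        # only the stored hash is overwritten
        self.stored_hash = verifier(new)

def demo():
    acct = Account("Original#1")         # constructed sample values throughout
    blob = seal(acct.master_key("Original#1"), b"constructed secret")
    acct.change_password("Original#1", "Changed#2")
    after_change = acct.unprotect("Changed#2", blob)
    acct.offline_reset("Reset#3")
    return acct.logon("Reset#3"), after_change, acct.unprotect("Reset#3", blob)
```

After the offline reset the new password passes the logon check, yet the wrapped master key still opens only with the last password that was set through the normal change path.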
 
Nazaf, 00:33:01 12.09.2015 Rating: 0 #5

RE: Cloning $MACHINE.ACC  

I see. The machine to which I imported the password did not have a $machine.acc, so I assume derived keys do not exist on that machine. I think it's something else to do with Kerberos authentication.

Anyways, does copying and pasting an LSA secret using Unicode work well? I couldn't find any other way to import a hex string.

Thanks
 
Passcape_Admin, 09:25:20 12.09.2015 Rating: 0 #6

RE: Cloning $MACHINE.ACC  

It looks like it has something to do with Kerberos authentication. At least that is what the error reads. To tell the truth, I don't know the details. By the way, is it a domain PC?

No, the current version does not support binary data when adding LSA secrets. I'll put this feature on our to-do list for the next release.
 
Nazaf, 02:39:11 13.09.2015 Rating: 0 #7

RE: Cloning $MACHINE.ACC  

The Unicode copy-paste of LSA secrets worked like a charm. It's a temporary hack to import binary data for now. 

Thanks.
 
Passcape_Admin, 10:20:26 10.11.2015 Rating: 0 #8

RE: Cloning $MACHINE.ACC  

The new version includes some additional capabilities to copy/paste hex and Regedit buffers in LSA secrets.
 