Cloning $MACHINE.ACC

Nazaf, 11:48:47 10.09.2015 Rating: 0 #1

Cloning $MACHINE.ACC  

I used the LSA plugin to export the value of $MACHINE.ACC and import it on a different machine, but I keep getting an error KRB5KDC_ERR_PREAUTH_FAILED. It seems the value is wrong. Is this value reusable on other machines? I made sure the computer name is the same but it did not work.

I was reading this excellent article https://www.passcape.com/index.php?section=docsys&cmd=details&id=23 and decided to test some theory.

Thanks.
 
Passcape_Admin, 15:31:41 10.09.2015 Rating: 0 #2

RE: Cloning $MACHINE.ACC  

That's right. You changed your target's system credentials. So any further authentication/decryption will fail.
 
Nazaf, 20:45:05 10.09.2015 Rating: 0 #3

RE: Cloning $MACHINE.ACC  

Can you elaborate more? Shouldn't the encryption/decryption be identical? The password looks the same as viewed by WPR on both machines.

Thanks.
 
Passcape_Admin, 08:26:19 11.09.2015 Rating: 0 #4

RE: Cloning $MACHINE.ACC  

The machine credentials are like a password for a user account. The password is used to derive other encryption keys. So, for example, even if you can reset a password by simply setting a new hash value in SAM, you will not be able to decrypt any data encoded with DPAPI, because the DPAPI subsystem uses its own primary encryption key, which is based on the user password.

Machine credentials work the same way. The $MACHINE.ACC data is used to derive other encryption keys for various modules in Windows. If you simply change the machine credentials, other keys will not be validated and thus will not be generated correctly.
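
The distinction drawn in the reply above, between a stored logon hash and keys derived from the password itself, shown as an added example (not part of the thread and not Passcape's code). It is a simplified model: SHA-256 and PBKDF2 stand in for the real Windows hash and DPAPI derivations, and all names and sample values are constructed.

```python
import hashlib
import hmac

def verifier(password: str) -> bytes:
    # Stand-in for the stored logon hash (assumption: not the real NT hash).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def derive_key(password: str, salt: bytes) -> bytes:
    # Stand-in for a password-derived master key (not the real DPAPI scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt, 10_000)

def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def protect(key: bytes, data: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return hmac.new(key, b"mac" + ct, hashlib.sha256).digest() + ct

def unprotect(key: bytes, blob: bytes):
    tag, ct = blob[:32], blob[32:]
    expected = hmac.new(key, b"mac" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # key does not match the one the blob was protected with
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def demo():
    salt = b"constructed-salt"
    account = {"verifier": verifier("Original#1"), "salt": salt}
    blob = protect(derive_key("Original#1", salt), b"protected secret")

    # Offline reset: only the stored hash is overwritten, the blob is untouched.
    account["verifier"] = verifier("Reset#2")

    logon_ok = hmac.compare_digest(account["verifier"], verifier("Reset#2"))
    after_reset = unprotect(derive_key("Reset#2", salt), blob)
    with_original = unprotect(derive_key("Original#1", salt), blob)
    return logon_ok, after_reset, with_original

if __name__ == "__main__":
    print(demo())
```
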
 
Nazaf, 00:33:01 12.09.2015 Rating: 0 #5

RE: Cloning $MACHINE.ACC  

I see. The machine to which I imported the password did not have a $machine.acc, so I assume derived keys do not exist on that machine. I think it's something else to do with Kerberos authentication.

Anyways, does copying and pasting an LSA secret using Unicode work well? I couldn't find any other way to import a hex string.

Thanks
 
Passcape_Admin, 09:25:20 12.09.2015 Rating: 0 #6

RE: Cloning $MACHINE.ACC  

It looks like it has something to do with Kerberos authentication. At least that is what the error reads. To tell the truth, I don't know the details. By the way, is it a domain PC?

No, the current version does not support binary data when adding LSA secrets. I'll put this feature in our todo list for the next release.
 
Nazaf, 02:39:11 13.09.2015 Rating: 0 #7

RE: Cloning $MACHINE.ACC  

The Unicode copy-paste of LSA secrets worked like a charm. It's a temporary hack to import binary data for now. 

Thanks.
 
Passcape_Admin, 10:20:26 10.11.2015 Rating: 0 #8

RE: Cloning $MACHINE.ACC  

The new version includes some additional capabilities to copy/paste hex and Regedit buffers in LSA secrets.
 