Home > Information > Forum > Show Topic
Show thread topic
01.03.2024
New blog post
Dumping the history of users' IP addresses in Windows
20.02.2024
Reset Windows Password v14.1
IP addresses history viewer, fast disk search, local security editor and some more
02.01.2024
Wireless Password Recovery v6.9.0
A revision of the GPU health monitor along with some minor updates
23.12.2023
HAPPY NEW YEAR!
Happy New Year greetings and holidays discount

Articles and video

You may find it helpful to read our articles on Windows security and password recovery examples. Video section contains a number of movies about our programs in action

Cloning $MACHINE.ACC

Nazaf, 11:48:47 10.09.2015 Rating: 0 #1

Cloning $MACHINE.ACC  

I used LSA plugin to export the value of  $MACHINE.ACC and import it on a different machine, but I keep getting an error KRB5KDC_ERR_PREAUTH_FAILED. It seems the value is wrong.  Is this value reusable on other machines ?? I made sure the computer name is the same but it did not work.

I was reading this excellent articlehttps://www.passcape.com/index.php?section=docsys&cmd=details&id=23 and decided to test some theory.

Thanks.
 
Passcape_Admin, 15:31:41 10.09.2015 Rating: 0 #2

RE: Cloning $MACHINE.ACC  

That's right. You changed your target's system credentials. So any further authentication/decryption will fail.
 
Nazaf, 20:45:05 10.09.2015 Rating: 0 #3

RE: Cloning $MACHINE.ACC  

Can you elaborate more? Shouldn't the encryption/decryption be identical? The password looks the same as viewed by WPR on both machines.

Thanks.
 
Passcape_Admin, 08:26:19 11.09.2015 Rating: 0 #4

RE: Cloning $MACHINE.ACC  

The machine credentials is like a password for a user account. The password is used to derive other encryptions keys. So, for example, even if you can reset a password by simply setting new hash value in SAM, you will not be able to decrypt any data encoded with DPAPI. Because the DPAPI subsystem uses its own primary encryption key which is based on user password.

Machine credentials work the same way. The $MACHINE.ACC data is used to derive other encryption keys for various modules in Windows. If you simply change the machine credentials, other keys will not be validated and thus will not be generated correctly.
 
Nazaf, 00:33:01 12.09.2015 Rating: 0 #5

RE: Cloning $MACHINE.ACC  

I see. The machine to which i imported the password did not have a $machine.acc, so I assume derived keys do no exist on that machine. I think it's something else to do with Kerberos authentication.

Anyways, does copying and pasting an LSA secret using Unicode work well? I couldn't find any other way to import a hex string.

Thanks
 
Passcape_Admin, 09:25:20 12.09.2015 Rating: 0 #6

RE: Cloning $MACHINE.ACC  

It looks like it has something to do with Kerberos authentication. At least that is what the error reads. To say the truth, I don't know the details. By the way, is it a domain PC?

No, the current version does not support binary data when adding LSA secrets. I'll put this feaure in our todo list for the next release.
 
Nazaf, 02:39:11 13.09.2015 Rating: 0 #7

RE: Cloning $MACHINE.ACC  

The Unicode copy-paste of LSA secrets worked like a charm. It's a temporary hack to import binary data for now. 

Thanks.
 
Passcape_Admin, 10:20:26 10.11.2015 Rating: 0 #8

RE: Cloning $MACHINE.ACC  

The new version includes some additional capabilities to copy/paste hex and Regedit buffers in LSA secrets.
 
Entries 1 to 8 from 8  [ <<  1  >> ]