Wednesday, September 01, 2004

Windows Cached logons exploit

Cached logons are stored in LSA Secrets and the hidden NL$ keys. Basically, each entry is a salted hash: NTLMHash( username + NTLMHash(password) ), so you have to brute-force it. The salt is the username, so if you have N accounts to crack, it takes N times as long as cracking one account. Since this attack is very time-consuming and has little chance of succeeding if the user's password is longer than 6 characters, there is no public exploit available.
