Security Basics mailing list archives
RE: ntds.dit, john and pwdump2
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Wed, 26 Jan 2005 08:03:02 -0500
Dave,

I did a paper on password crackers against Windows a few months ago and looked at all the different password tools I could find. I found about 20 of them. Most are resetters and most only reset local SAM accounts. Only two, Lophtcrack and Windows XP/2000/NT Key, can do domain account manipulation. Lophtcrack is the best choice of course, if you can afford it (although strangely their tech support/marketing folks did not reply to my email queries). But even Lophtcrack needs NTLM or LM hashes to crack...NTLMv2 hashes are too strong.

The other choice, Windows XP/2000/NT Key, http://www.lostpassword.com/windows-xp-2000-nt.htm, is a commercial password resetter product. It needs Windows install boot diskettes to work, but claims to reset domain administrator passwords, too. Works with Windows Server 2003. I didn't test it though, so I can't vouch for its accuracy.

If all you need is to get access, a resetter will work faster and better than a cracker. Unfortunately, in both cases the solution is commercial.

Good luck with your problem. Please let me know how it turns out.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
***************************************************************************

-----Original Message-----
From: Dave Dyer [mailto:ddyer () enspherics com]
Sent: Tuesday, January 25, 2005 12:17 PM
To: 'the.soylent'; ddyer () ciber com
Cc: security-basics () securityfocus com
Subject: RE: ntds.dit, john and pwdump2

Hey Soylent, thanks for the tip on Cain. Nice tool.

However, for future information, it wants a hashed txt file to crack as well. It's looking like the only way to do this is to run pwdump2 on a syskey'd volume and export it to a file that you can then crack using l0pht, john or cain.

Thanks for all the help.

dd

-----Original Message-----
From: the.soylent [mailto:the.soylent () gmail com]
Sent: Monday, January 24, 2005 11:22 AM
To: ddyer () ciber com
Cc: security-basics () securityfocus com
Subject: Re: ntds.dit, john and pwdump2

*** PGP SIGNATURE VERIFICATION ***
*** Status: Good Signature from Invalid Key
*** Alert: Please verify signer's key before trusting signature.
*** Signer: soylent (the.soylent) <the.soylent () gmail com> (0x10BDD9C8)
*** Signed: 1/24/2005 11:22:20 AM
*** Verified: 1/25/2005 9:44:35 AM
*** BEGIN PGP VERIFIED MESSAGE ***

hi!

have you tried cain? in the online manual (http://www.oxid.it/ca25um/) there's the talk of a cracker and a converter. here's the link -> http://www.oxid.it/cain.html

cheers,
soylent

Dave Dyer wrote:
| Hello List,
|
| I am cracking a password file for a client, and have a copy of the NTDS.DIT
| file from a domain controller (win2k/Active Directory). We do not have
| access to L0phtcrack currently, and I'm on a deadline. I was going to
| use John the Ripper with some plugins written by 3rd parties to crack
| the password file, but apparently the NTDS.DIT file isn't really a
| hashed file that John can read.
|
| After some research, I found that you can use PWDUMP2 to actually export the
| user/pw information on the DC to a hashed file that you can then crack with
| John (even if syskey is used after SP2). However, in order for PWDUMP
| to work, you have to run it as an administrator from the DC itself,
| where it injects its own .dll into the lsass.exe process, which I no
| longer have access to.
|
| My question is this:
|
| Does anyone know if there is a way to extract the user/pw information
| from the NTDS.DIT file (rather than from lsass.exe on the server) into
| a hashed file that I can then crack with John?
|
| If not, does anyone have any other suggestions on what I can do with
| this NTDS.DIT file to crack it?
|
| Thanks in Advance,
|
| dave
|
| ***********
|
| Dave Dyer
|
| <mailto:ddyer () enspherics com>
|
| "So you'll bring experts in to water the company's plants but you'll do the
| security thing yourself?"
|
| -QinetiQ in the Financial Times
|
|
*** END PGP VERIFIED MESSAGE ***
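Roger's remark that the crackers discussed here need LM or NTLM hashes is the defender's lever in this thread: a domain controller that no longer stores LM hashes and no longer accepts LM or NTLMv1 logons gives a leaked NTDS.DIT or SAM far less to work with. The following is an added example, not code from the thread or from any tool named in it. It reads the standard LSA registry values behind the "Network security: Do not store LAN Manager hash value on next password change" and "Network security: LAN Manager authentication level" policies; the function names are this example's own.

```powershell
# Added example (not from the thread): audit whether a Windows host, typically
# each domain controller, still stores the LM hash and still accepts LM/NTLMv1
# authentication. Run from an elevated PowerShell session on the host itself.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmHashSettings {
    $props = Get-ItemProperty -Path $LsaKey

    # Windows XP/2003 and later store NoLMHash as a DWORD value (1 = do not store);
    # Windows 2000 SP2 and later used a subkey named NoLMHash under Lsa instead.
    $noLmHashValue  = $props.NoLMHash
    $noLmHashSubkey = Test-Path -Path (Join-Path -Path $LsaKey -ChildPath 'NoLMHash')
    $lmHashDisabled = ($noLmHashValue -eq 1) -or $noLmHashSubkey

    # LmCompatibilityLevel: 0/1 send LM and NTLM; 2 send NTLM only; 3 send NTLMv2
    # only; 4 also refuse LM; 5 refuse both LM and NTLM. A missing value means the
    # OS default applies; it is scored as 0 (the Windows 2000/XP default) here.
    $levelRaw = $props.LmCompatibilityLevel
    $level    = if ($null -eq $levelRaw) { 0 } else { [int]$levelRaw }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        NoLMHash             = $noLmHashValue
        NoLMHashSubkey       = $noLmHashSubkey
        LmHashDisabled       = $lmHashDisabled
        LmCompatibilityLevel = $levelRaw
        EffectiveLevel       = $level
        AcceptsLmAuth        = ($level -lt 4)   # DC still accepts LM responses
        AcceptsNtlmV1Auth    = ($level -lt 5)   # DC still accepts NTLMv1 responses
    }
}

function Test-LmHashHardening {
    $s = Get-LmHashSettings
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $s.LmHashDisabled) {
        $findings.Add('LM hashes are still stored for new passwords (NoLMHash is not 1 and no NoLMHash subkey exists).')
    }
    if ($s.AcceptsLmAuth) {
        $findings.Add("LM authentication is still accepted (LmCompatibilityLevel $($s.EffectiveLevel) < 4).")
    }
    if ($s.AcceptsNtlmV1Auth) {
        $findings.Add("NTLMv1 authentication is still accepted (LmCompatibilityLevel $($s.EffectiveLevel) < 5).")
    }

    # Even with NoLMHash enabled, LM hashes already in the SAM or NTDS.DIT survive
    # until each account's password is changed; a registry check cannot see that.
    [pscustomobject]@{
        Settings = $s
        Hardened = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

Test-LmHashHardening | Format-List
```

Both settings are normally pushed by Group Policy rather than edited by hand, and the NoLMHash setting only takes effect on the next password change, so after enabling it the existing LM hashes remain in the directory until every account has rotated its password. The check reports the registry state; it does not tell you which accounts still carry an LM hash.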
Current thread:
- ntds.dit, john and pwdump2 Dave Dyer (Jan 24)
- Re: ntds.dit, john and pwdump2 the.soylent (Jan 24)
- RE: ntds.dit, john and pwdump2 Dave Dyer (Jan 25)
- <Possible follow-ups>
- RE: ntds.dit, john and pwdump2 Beauford, Jason (Jan 24)
- RE: ntds.dit, john and pwdump2 Klotz, Brian (Jan 24)
- RE: ntds.dit, john and pwdump2 Dave Dyer (Jan 25)
- Re: ntds.dit, john and pwdump2 miguel . dilaj (Jan 25)
- RE: ntds.dit, john and pwdump2 Roger A. Grimes (Jan 26)
- RE: ntds.dit, john and pwdump2 Roger A. Grimes (Jan 27)
- Re: ntds.dit, john and pwdump2 the.soylent (Jan 24)