Security Basics mailing list archives

RE: ntds.dit, john and pwdump2


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Wed, 26 Jan 2005 08:03:02 -0500

Dave,

I did a paper on password crackers against Windows a few months ago and
looked at all the different password tools I could find. I found about
20 of them.  Most are resetters and most only reset local SAM accounts.
Only two, Lophtcrack and Windows XP/2000/NT Key can do domain account
manipulation. Lophtcrack is the best choice of course, if you can afford
it (although strangely their tech support/marketing folks did not reply
to my email queries).  But even Lophtcrack needs NTLM or LM hashes to
crack...NTLMv2 hashes are too strong. The other choice, Windows
XP/2000/NT Key, http://www.lostpassword.com/windows-xp-2000-nt.htm, is a
commercial password resetter product. It needs Windows install boot
diskettes to work, but claims to reset domain administrator passwords,
too.  Works with Windows Server 2003. I didn't test it though so I can't
vouch for its accuracy.

If all you need is to get access, a resetter will work faster and
better than a cracker. Unfortunately, in both cases the solution is
commercial.

Good luck with your problem.  Please let me know how it turns out.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
****************************************************************************



-----Original Message-----
From: Dave Dyer [mailto:ddyer () enspherics com] 
Sent: Tuesday, January 25, 2005 12:17 PM
To: 'the.soylent'; ddyer () ciber com
Cc: security-basics () securityfocus com
Subject: RE: ntds.dit, john and pwdump2

Hey Soylent, thanks for the tip on Cain.  Nice tool.  However, for
future information, it wants a hashed txt file to crack as well.  It's
looking like the only way to do this is to run pwdump2 on a syskey'd
volume and export it to a file that you can then crack using l0pht, john
or cain.

Thanks for all the help.
dd 

-----Original Message-----
From: the.soylent [mailto:the.soylent () gmail com]
Sent: Monday, January 24, 2005 11:22 AM
To: ddyer () ciber com
Cc: security-basics () securityfocus com
Subject: Re: ntds.dit, john and pwdump2


hi!
have you tried cain?

in the online manual (http://www.oxid.it/ca25um/) there's talk of a
cracker and a converter

here's the link -> http://www.oxid.it/cain.html

cheers, soylent



Dave Dyer wrote:

| Hello List,
|
| I am cracking a password file for a client, and have a copy of the NTDS.DIT
| file from a domain controller (win2k/Active Directory). We do not have
| access to L0phtcrack currently, and I'm on a deadline. I was going to
| use John the Ripper with some plugins written by 3rd parties to crack
| the password file, but apparently the NTDS.DIT file isn't really a
| hashed file that John can read.
|
| After some research, I found that you can use PWDUMP2 to actually export the
| user/pw information on the DC to a hashed file that you can then crack with
| John (even if syskey is used after SP2). However, in order for PWDUMP
| to work, you have to run it as an administrator from the DC itself,
| where it injects its own .dll into the lsass.exe process, which I no
| longer have access to. My question is this:
|
| Does anyone know if there is a way to extract the user/pw information
| from the NTDS.DIT file (rather than from lsass.exe on the server) into
| a hashed file that I can then crack with John?
|
| If not, does anyone have any other suggestions on what I can do with
| this NTDS.DIT file to crack it?
|
| Thanks in Advance,
|
| dave
|
| ***********
|
| Dave Dyer
|
| <mailto:ddyer () enspherics com>
|
| "So you'll bring experts in to water the company's plants but you'll do the
| security thing yourself?"
|
| -QinetiQ in the Financial Times
|



