Penetration Testing mailing list archives

Re: AD password Auditing


From: Joey Peloquin <joeyp () cotse net>
Date: Sun, 07 Aug 2005 15:53:37 -0500

Rochford, Paul wrote:

You used to get the SAM file off a running server by running rdisk /s-,
it will make a copy on the existing one. It's the copy of the SAM you
retrieve. Also not sure AD stores credentials in the same way as Classic
NT Domains, so you may be looking in the wrong place. Someone I'm sure
can verify this.


Kind Regards,
Paul Rochford

Good point, Paul. Won't grabbing a copy of the DC's SAM just provide its local accounts?

Active Directory stores user accounts and other information in its database file, NTDS.dit. This file can grow HUGE, so even if you can get it without being spotted and cut off by the client, it could take a while. I've done a few Google queries, and only read of capturing ntds.dit through physical access. On top of that, according to a post by an "MVP", as of Dec. '03, there were no _known_ tools to crack the db offline.

According to the same post, however, you can use pwdump3 to inject into the LSASS process and export a crackable hash. I believe you have to be a local Admin on the DC as well.

Good luck.

Joey
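From the defender's side, the two routes Joey describes (injecting into LSASS, or getting hold of NTDS.dit) each leave a distinct trace on a domain controller that audits process and file access. The following is an added example, not code from the original thread or any tool named in it: it runs three detection rules over a handful of constructed events whose field names follow the Sysmon (Event ID 10 ProcessAccess, Event ID 11 FileCreate) and Windows Security (Event ID 4663 object access) schemas. The allow-listing of lsass.exe as the only legitimate holder of NTDS.dit, and the access-mask bits checked, are the example's own assumptions and would need tuning per environment.

```python
"""Detection example: flag events consistent with credential-database
access on a domain controller.  Three rules:
  * a process opening lsass.exe with memory-read rights (Sysmon Event ID 10)
  * NTDS.dit read by anything other than lsass.exe (Security Event ID 4663)
  * a file named ntds.dit created outside the NTDS directory (Sysmon Event ID 11)
Field names follow the Sysmon / Windows Security event schemas; the sample
events below are constructed for this example, not real captures."""

# Process access rights (winnt.h) that allow reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumption: only lsass.exe itself should have NTDS.dit open on a healthy DC.
LSASS = r"c:\windows\system32\lsass.exe"
NTDS_DIT = "ntds.dit"
NTDS_DIR = "c:\\windows\\ntds\\"

# Constructed sample events (field names per Sysmon / Windows Security).
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 10,
     "SourceImage": r"C:\Tools\pwdump3.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF"},        # full access to lsass: flag
    {"Channel": "Sysmon", "EventID": 10,
     "SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000"},          # QUERY_LIMITED_INFORMATION only
    {"Channel": "Sysmon", "EventID": 10,
     "SourceImage": r"C:\Program Files\Debugger\dbg.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "GrantedAccess": "0x1010"},          # memory read, but not lsass
    {"Channel": "Security", "EventID": 4663,
     "ObjectName": r"C:\Windows\NTDS\ntds.dit",
     "ProcessName": r"C:\Windows\System32\lsass.exe",
     "AccessMask": "0x1", "SubjectUserName": "SYSTEM"},   # normal owner
    {"Channel": "Security", "EventID": 4663,
     "ObjectName": r"C:\Windows\NTDS\ntds.dit",
     "ProcessName": r"C:\Windows\System32\cmd.exe",
     "AccessMask": "0x1", "SubjectUserName": "bob"},      # foreign reader: flag
    {"Channel": "Sysmon", "EventID": 11,
     "Image": r"C:\Temp\backup.exe",                      # hypothetical image
     "TargetFilename": r"C:\Temp\ntds.dit"},              # copy outside NTDS: flag
    {"Channel": "Sysmon", "EventID": 11,
     "Image": r"C:\Windows\System32\lsass.exe",
     "TargetFilename": r"C:\Windows\NTDS\edb.log"},       # routine log file
]


def lsass_memory_read(ev):
    """Sysmon 10: handle to lsass.exe whose access mask allows memory reads."""
    if ev.get("EventID") != 10:
        return False
    if ev["TargetImage"].lower() != LSASS:
        return False
    mask = int(ev["GrantedAccess"], 16)
    return mask == PROCESS_ALL_ACCESS or bool(mask & PROCESS_VM_READ)


def ntds_read_by_foreign_process(ev):
    """Security 4663: NTDS.dit opened by any process other than lsass.exe."""
    if ev.get("EventID") != 4663:
        return False
    if not ev["ObjectName"].lower().endswith(NTDS_DIT):
        return False
    return ev["ProcessName"].lower() != LSASS


def ntds_copy_created(ev):
    """Sysmon 11: a file named ntds.dit created outside the NTDS directory."""
    if ev.get("EventID") != 11:
        return False
    path = ev["TargetFilename"].lower()
    return path.endswith(NTDS_DIT) and not path.startswith(NTDS_DIR)


def triage(events):
    """Return (rule, offending process image) for every event a rule fires on."""
    findings = []
    for ev in events:
        if lsass_memory_read(ev):
            findings.append(("lsass-memory-read", ev["SourceImage"]))
        elif ntds_read_by_foreign_process(ev):
            findings.append(("ntds-dit-read", ev["ProcessName"]))
        elif ntds_copy_created(ev):
            findings.append(("ntds-dit-copy", ev["Image"]))
    return findings


if __name__ == "__main__":
    for rule, proc in triage(SAMPLE_EVENTS):
        print(f"{rule}: {proc}")
```

Note the ordering of the checks: the lsass rule keys on the access mask rather than on the source image name, so a renamed dumper is caught just the same, while the benign WMI provider that only asks for limited query rights is not. The 4663 rule depends on a SACL actually being set on the NTDS folder; without object-access auditing enabled there, no such event is ever written.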

