Penetration Testing mailing list archives
Re: AD password Auditing
From: Joey Peloquin <joeyp () cotse net>
Date: Sun, 07 Aug 2005 15:53:37 -0500
Rochford, Paul wrote:
Good point, Paul. Won't grabbing a copy of the DC's SAM just provide its local accounts?
You used to get the SAM file off a running server by running rdisk /s-, it will make a copy on the existing one. It's the copy of the SAM you retrieve. Also not sure AD stores credentials in the same way as Classic NT Domains, so you may be looking in the wrong place. Someone I'm sure can verify this.
Kind Regards,
Paul Rochford
Active Directory stores user accounts and other information in its database file, NTDS.dit. This file can grow HUGE, so even if you can get it without being spotted and cut off by the client, it could take a while. I've done a few Google queries, and only read of capturing ntds.dit through physical access. On top of that, according to a post by an "MVP", as of Dec. '03, there were no _known_ tools to crack the db offline.
According to the same post, however, you can use pwdump3 to inject the LSASS process, and export a crackable hash. I believe you have to be a local Admin on the DC as well.
Good luck.
Joey