I've read a few tutorials on rainbow tables...and I get the basic fundamental concept of how they work.  My question is...if you're doing some pen testing and you uncover some administrator accounts where you're able to obtain the first seven characters of the password but not the rest of it...is there a way to start a rainbow table cracking job where you can ultimately say "I have the first seven characters, so take this hash and only crack from character space 8 to 10"?

I'm simply trying to squeeze out the other few so I can make some best guesses, if I'm using just a simple alpha numeric table.  I wasn't sure if you can tell a cracker to only crack from this character space to this...if you already have a portion of it.

ok...we have had some great progress, including several RDP and TS sessions into servers on the client network.  We've managed to extract some SAM data, but so far have not been able to capture any administrator (for the domain) credentials.  we've placed keyloggers and have other things going, but no luck so far.

I do have one question with regards to NTLM, LM password cracking.  We've managed to extract two separate administrator ID password hashes from two separate servers.  Unfortunately the password policy is at least 8 characters long.  Using LM Hashes, we've managed to get the first 7 characters of both accounts...but no more than that.  Is there anyone with hashing experience who can provide guidance on what to do after capturing the first 7 characters of a LM hash?  we've in the process of creating our own rainbow table, including alpha numberic, complex characters.  we decided to just do three more spaces, and start at index space 8...so that the hash may give us characters 8-10 and we could possible start some brute force combos from there.

If anyone has any other advice, it would be much appreciated.

Can anyone suggest a wireless network card for a mobile laptop for wireless pen testing (including capture and cracking)?  There are several chipsets/cards available that work with most of the free tools out there, but just curious if a few stood above the rest?

Geeky...yeah we definitely tried that as well...and they did lock down access to the Internet on that Citrix browser...that would have made life very easy for us!   

There is no such thing as one 'server' password.  If you're working for a company, undoubtedly you have users.  Which users have administrative privileges?  You should be able to manage the machine remotely with any privileged account.  If you're saying he was the only administrator equivalent and left the company out to dry, first of all, shame on your company for poor disaster recovery planning. 

Secondly...you said "I tried breaking in with ERD commander but I can't".  What about it didn't work?  What does "I can't", mean?  If you purchased it, did you ask support?  Did you research your problem?  ERD Commander works fine with 2003. 

Bottom line is that you're not providing enough information for anyone to help. 

In the middle of a black box test, external network, social engineering, client-side attacks, the whole nine yards.  We started off with an external recon of open ports and services and then to the social engineering.  We've already obtained several usable usernames and passwords, but the issue externally is that only a few open ports and services are available.  No golden nuggests such as RDP unfortunately.  THere is a Citrix portal which we managed to discover that one user has access to (the rest do not).  We installed the Citrix client and are able to open a Windows Explorer window on the Citrix box itself for this one user.  I've already tried all the basics to create local users and even launching AD Users and Computers for their domain and adding IDs or changing permissions on acounts but the environment is fairly locked down and the user does not have permission to install software on the box, etc.

I can attempt to map drives and try some light brute forcing, since ive been enable to enumerate who the domain admins are, etc, etc and i have a list of every internal host name.  I just don't yet have that 'in' that affords me access to a desktop or internal domain.  I simply have 'domain user' creds in a locked down environment and a citrix portal...so far.  We're still in the middle of testing but I was wondering if anyone had guidance on things we can do from this Citrix server since its officially some sort of internal session.  I can also browse network drives and I've been downloading sensitive information left and right...so we're partly successful but we would like to eventually add ourselves as a domain user or admin/domain admin (would be our end game). 

Chris,

That was my goal...but I was thinking I'm missing something with the SAM and local logins vs. domain logins.  On several of the servers, dumping the passwords from the SAM only produces local users.  However, with those local creds, when I map drives and browse the C: drive, I notice that several profiles have been created for domain users, sometimes even the Admin ID for the domain.  But, no such credentials exist in the SAM. 

Also..this is a 2003/2000 mixed domain. 

Are there any Windows commands or privilege escalation techniques one might be able to employ in order to gain access to add a domain user?  In a mixed mode (Windows 2000 and 2003) environment, I've successfully gained access to many Windows 2000 servers thanks to some unpatched vulnerabilities and weak local administrator passwords.  However none of the 2000 hosts are DCs. 

My question is, with either the local admin account or even the "system" shell I gain through the exploits, is there a way for me to somehow access AD and add start making my way into the directory instead of simply winning access to the local machines?  Short of ARP poisoning or sniffing telnet sessions to network hardware devices and attemtping to guess/use those captured admin credentials in the domain, I'm curious if I can bridge the gap somehow between local admin and domain user (eventually domain admin)?  Obviously local creds and AD are two different repositories...but I feel I may be missing something in the Windows world.