April 13, 2009 at 12:31 pm #3676tektParticipant
I am trying to figure out how to crack a users cached active directory password. I need to load a forensic image in a VM and log in as the user to show exactly what he see’s.
A Windows tool is preferred because I am not that familiar with Linux. I have tried Cain and Able with not much luck in trying to figure it out. I think the same person wrote that user guide that wrote the manual for EnCase.
Does anyone know where to get a set of rainbow tables with the .rt extension?
April 13, 2009 at 1:29 pm #23662AnonymousParticipant
i dont know of any rainbow tables for cached passwords. you’ll have to use either Cain or John the Ripper
April 13, 2009 at 2:17 pm #23663KetchupParticipant
Have you already extracted the cached LM hashes? I would love to know how you can do that from a forensic image. I am aware of techniques of extracting hashes from RAM, and possibly SWAP file, such as this:
Cain is very easy to use. Your best bet is not Rainbow tables however. I would dump every usable word and phrase in either EnCase or FTK and use that as your word list. The password has to be cached somewhere. In Cain, just hit the little Plus icon from the Cracker tab to import your hashes Then right-click to set option and crack away. You will want to use a Dictionary attack in this case with your custom wordlist.
I think that an alternate option could be using WinLockPwn. It allows you to bypass authentication using a firewire DMA attack. This doesn’t work well on Vista, but does work on XP sp2 and sp3, the later with a modification of the script.
April 13, 2009 at 8:44 pm #23664CadillacGolferParticipant
Use fgdump which should export the cached credentials (note, you do need to run fgdump against the machine with admin privs), then use John The Ripper or your favorite password cracker.
April 15, 2009 at 12:46 pm #23665tektParticipant
I used network password recovery wizard to extract the hashes from the system and security registry files. I exported the files from a forensic image using FTK Imager.
I have the hash values… I just need to crack them… I continue to play with Cain and Able but I don’t have 37 years to wait for them to crack. 🙂
April 15, 2009 at 2:27 pm #23666KetchupParticipant
You really need that wordlist. Your AD password should be in the SWAP file or somewhere in drive free space.
April 19, 2009 at 3:00 pm #23667kennutParticipant
Ok, here’s the trick, I’ve been cracking AD password for donno how many companies I’ve worked for here’s the rule of thumb:
1) You need administrator priviledges, make sure you got that in hand.
2) use fgdump.exe on the local system (it will save it to a text.file), ensure that any anti-virus is disabled first (trend micro will zapped it before you’ll able to copy it to c: drive of the server).
3) if the AD password hashes contains a list of users with their histories enabled, you need to use Excel to remove all those users with their histories before you start to crack (so use Find->Replace-> *.history* to remove the redundant histories password hashes.
4) search for torrent for the Rainbow crack files, the one I have for alphanumeric (which is good enough), however the full table is around 34gb which is huge! -> http://rainbowtables.shmoo.com/
5) load up either John the Ripper , or google for the now defunct symantec lophtcrack 5.0, I think the *.exe file is still around somewhere. (however, do note that John the ripper cannot differenciate between upper and lowercase).
6) crack the file with the rainbow tables which should take you less than 15-30mins depends how many AD users are there in the AD.
Hope that helps.
- You must be logged in to reply to this topic.