
Cracking Active Directory Passwords


tekt

Newbie

Posts: 2

Joined: Thu Apr 09, 2009 7:33 am

Post Mon Apr 13, 2009 7:31 am

Cracking Active Directory Passwords

I am trying to figure out how to crack a user's cached Active Directory password. I need to load a forensic image in a VM and log in as the user to show exactly what he sees.

A Windows tool is preferred because I am not that familiar with Linux. I have tried Cain and Abel with not much luck in trying to figure it out. I think the same person wrote that user guide that wrote the manual for EnCase.

Does anyone know where to get a set of rainbow tables with the .rt extension?

Thanks!

-=T=-

LSOChris

Post Mon Apr 13, 2009 8:29 am

Re: Cracking Active Directory Passwords

I don't know of any rainbow tables for cached passwords. You'll have to use either Cain or John the Ripper.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Apr 13, 2009 9:17 am

Re: Cracking Active Directory Passwords

Have you already extracted the cached LM hashes? I would love to know how you can do that from a forensic image. I am aware of techniques for extracting hashes from RAM, and possibly the swap file, such as this:

http://www.governmentsecurity.org/SecurityHackingNews/Dumping_Memory_to_Extract_Password_Hashes

Cain is very easy to use. Your best bet is not rainbow tables, however. I would dump every usable word and phrase in either EnCase or FTK and use that as your word list. The password has to be cached somewhere. In Cain, just hit the little Plus icon on the Cracker tab to import your hashes, then right-click to set options and crack away. You will want to use a Dictionary attack in this case with your custom wordlist.

I think that an alternate option could be using WinLockPwn. It allows you to bypass authentication using a FireWire DMA attack. This doesn't work well on Vista, but does work on XP SP2 and SP3, the latter with a modification of the script.
~~~~~~~~~~~~~~
Ketchup

CadillacGolfer

Newbie

Posts: 36

Joined: Thu Dec 14, 2006 1:58 pm

Post Mon Apr 13, 2009 3:44 pm

Re: Cracking Active Directory Passwords

Use fgdump, which should export the cached credentials (note, you do need to run fgdump against the machine with admin privs), then use John the Ripper or your favorite password cracker.

tekt

Newbie

Posts: 2

Joined: Thu Apr 09, 2009 7:33 am

Post Wed Apr 15, 2009 7:46 am

Re: Cracking Active Directory Passwords

I used Network Password Recovery Wizard to extract the hashes from the SYSTEM and SECURITY registry files. I exported the files from a forensic image using FTK Imager.

I have the hash values... I just need to crack them... I continue to play with Cain and Abel, but I don't have 37 years to wait for them to crack. :-)

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Apr 15, 2009 9:27 am

Re: Cracking Active Directory Passwords

You really need that wordlist. Your AD password should be in the swap file or somewhere in drive free space.
~~~~~~~~~~~~~~
Ketchup

kennut

Newbie

Posts: 46

Joined: Thu Apr 16, 2009 10:41 pm

Post Sun Apr 19, 2009 10:00 am

Re: Cracking Active Directory Passwords

Ok, here's the trick. I've been cracking AD passwords for I don't know how many companies I've worked for; here's the rule of thumb:

1) You need administrator privileges; make sure you have that in hand.

2) Use fgdump.exe on the local system (it will save it to a text file). Ensure that any anti-virus is disabled first (Trend Micro will zap it before you're able to copy it to the C: drive of the server).

3) If the AD password hashes contain a list of users with their histories enabled, you need to use Excel to remove all those users with their histories before you start to crack (so use Find->Replace-> *.history* to remove the redundant history password hashes).

4) Search for a torrent of the RainbowCrack files. The one I have is for alphanumeric (which is good enough); however, the full table is around 34 GB, which is huge! -> http://rainbowtables.shmoo.com/

5) Load up either John the Ripper, or Google for the now-defunct Symantec L0phtCrack 5.0; I think the *.exe file is still around somewhere. (However, do note that John the Ripper cannot differentiate between upper and lowercase.)

6) Crack the file with the rainbow tables, which should take you less than 15-30 mins depending on how many AD users there are in the AD.

Hope that helps.

kennut :)
Last edited by kennut on Sun Apr 19, 2009 10:02 am, edited 1 time in total.
Done all 3 certs, now going for CISSP.....
