Thread: L0phtcrack and Wine or something native that does the trick?

  1. #1
    Member
    Join Date
    Feb 2007
    Posts
    229

    Default L0phtcrack and Wine or something native that does the trick?

    I recently had to use l0phtcrack to do a pass recovery at a client site for a user's old domain password (OSX user, moved to new domain, changed his pass, left for vacation - we needed to pull his old data). Assaulting the SHA1 hash on his local machine was painfully slow using john (apparently running on 8 cores does little to help john - it doesn't seem to like parallelism), so I tried using fgdump, pwdump, etc. to pull domain pass hashes from the old DC. The IT manager didn't want to reboot the server at all - it's very unstable, hadn't come down in over 100 days, and was running SEP which was killing fgdump and such. I even tried pulling an mdd image, adding crypto patches to Volatility, only to find that hashes on a DC aren't stored in RAM the same way as on a local machine (4GB of transferred data later).

    I ended up booting into a Windows VM with a trial of l0phtcrack to pull the hashes (I had the domain admin login). It worked like a charm, so now I'm trying to figure out a way to package it in my personal BackTrack ISO, but first I need it to run on Wine as I'm not willing to stuff a VirtualBox VM on the ISO (4GB limit). I've tried a few things, googled around, but it's not too stable. I was wondering if anyone here has it working or knows of a Linux equivalent to pull MS domain hashes without pushing files (which will eventually be flagged as malware and auto-removed/disabled) to the target machine.

    I presume it's done through some sort of LDAP/DS query, though I don't know enough to put something like that together myself. Suggestions would be greatly appreciated, thanks.

    EDIT: anyone? at all? even the crickets are looking around like they're not sure they belong on this thread
    Last edited by RageLtMan; 04-01-2010 at 07:09 AM.

  2. #2
    Just burned his ISO
    Join Date
    Mar 2009
    Posts
    17

    Default Re: L0phtcrack and Wine or something native that does the trick?

    So are you looking for something to pull the registry hive to extract the hashes from? Wouldn't it be easier to dump the hashes with Wine (loading the remote registry then dumping)? Or am I just confused?

  3. #3
    Just burned his ISO
    Join Date
    Dec 2009
    Posts
    4

    Default Re: L0phtcrack and Wine or something native that does the trick?

    Rage,

    Why even bother with Wine? In my experience Wine is more or less garbage... so that tells me that you should just run a virtual machine of Windows on which to install l0phtcrack... works like a charm.

    Diablo

  4. #4
    Member
    Join Date
    Feb 2007
    Posts
    229

    Default Re: L0phtcrack and Wine or something native that does the trick?

    Domain accounts are stored in the NTDS database, not sure if you can remote reg-edit that, would be worth a look though. I'm just saying that the capability to connect to a DC if you have privs and pull all the hashes would be very useful.

  5. #5
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default Re: L0phtcrack and Wine or something native that does the trick?

    Originally Posted by RageLtMan:
        I'm just saying that the capability to connect to a DC if you have privs and pull all the hashes would be very useful.

    There are five or six versions of pwdump that you should keep on hand; if my memory is serving, 6e is the one you are looking for.

    The various versions dump locally, remotely, remotely with a service, remotely with credentials, and I'm sure there are nuances to them. I usually keep everything from 4 upwards available just in case.

    A word of caution: I once saw pwdump bluescreen a terminal server with 90 users on it (unknown reason). The point is, be careful, test during scheduled maintenance before you start consistently using it.

    Also Cain can do the same thing IIRC.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  6. #6
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Default Re: L0phtcrack and Wine or something native that does the trick?

    Also the "newest" version is called fgdump and works remotely as well if you have the proper creds.

    fgdump: Take *THAT* LSASS!

  7. #7
    Member
    Join Date
    Feb 2007
    Posts
    229

    Default Re: L0phtcrack and Wine or something native that does the trick?

    I tried fgdump as well to no avail, which made me rather sad. Gitsnik, thank you, I'll take a look at Cain and Abel again, haven't used it in years.

  8. #8
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default Re: L0phtcrack and Wine or something native that does the trick?

    Originally Posted by RageLtMan:
        I tried fgdump as well to no avail, which made me rather sad. Gitsnik, thank you, I'll take a look at Cain and Abel again, haven't used it in years.

    It's a great tool, but probably not the best way to ARP spoof if you have to go that way. In terms of network hash dumping it's probably one of the best available at the moment for the price.

    It bears reiterating for anyone who stumbles across this thread: fgdump, and the predecessors of pwdump, all work slightly differently. I went back and checked my files, I have a copy of every pwdump from pwdump3.exe onwards, and judging by the last-accessed times, I use them all rather than just relying on one - pwdump6 is better than pwdump3e, but occasionally 3e comes through for me when 6 doesn't, and so on.

    Also, I've no idea if Cain will even run under Wine, so please let us know if that does (I boot VMs if I need Windows tools).
