Hi,

I just emailed some source code to the author of samdump to add the functionality of dumping cached credentials using linux. Why are cached credentials important? They are important because Windows 2008 has new functionality called Read-Only Domain Controllers. These RODCs don't store any passwords so dumping their copies of AD won't get you anything. The only place left to find the password is the cached credentials on each PC.

With windows 2003 all DCs are equal. If someone wanted a copy of the AD all they would have to do is find the least secure location and hack that server or physically steal the server. You now have every username and password in the domain. Of course stealing the server lets people know that someone has been there and the administrators will force everyone to change their passwords.

RODCs are used in places where you want a DC but the location is not secure. So you install a RODC that only supports the accounts necessary for that location. So if someone hacks or steals a RODC no passwords are compromised. At best you only get the usernames of that location. So where will you get your passwords now? The local PCs in the form of cached credentials.

Once you have the cached credentials you can use john the ripper to crack the passwords. The password is salted with the lowercase username so making rainbow tables is not advisable.