I'm wondering if it is possible to make a pwdump or hashdump from a computer which is connected to a domain?
Whenever an account is on the computer and the password is simple enough, I can easily get it by just using the live CD from ophcrack or by booting with BT and using bkhive and samdump.
But what if the account is a network account on some Active Directory? ophcrack won't see these accounts, and I guess using bkhive and samdump won't work either.
When you remove the PC from the network (unplug the UTP cable) it can still log in with the right user and password, so I assume it is stored somewhere on the PC. Is there any possibility to get the user information from it?
Also, I would like to know if there is a way to get the user information from an Active Directory when you have remote access?
Yes, that's right, I have access as admin on the
I managed to pull out the cache hash, but it seems hard to crack this (because it is salted).
The only ways I found are brute force and dictionary attack. I tried it on a password/account I created myself with the password Arjanpap11 (it's our policy to have numbers and capital letters). With brute force it ran for 2 days and hasn't found it yet, so it's not really efficient, and with a dictionary attack I don't think it will find it, because it's not a common word or combination.
My question is: isn't there anything to speed it up and/or make cracking it easier (don't say rainbow tables, as they don't work unless you make one for each user you want to do)? And what is the best/biggest/most complete dictionary you guys know of?
It depends on the length of the password also. It matters if your Group Policy for the domain is set to a certain length or complexity. Some passwords are just not crackable, or you may crack them partially. You probably need a password generator, hard drive space, CPU power and, most of all, time!
Also, I think I read about this once, some time ago, but it's pretty hard or maybe impossible to get the passwords for the domain users while the server is running in "normal" mode; I remember something about rebooting into Directory Services. Not sure if sniffing would work.
You could get the SAM file, just to get an idea of what passwords people used before the server was promoted to a domain controller. Maybe they never changed them.