I recently had to use l0phtcrack to do a pass recovery at a client site for a user's old domain password (OS X user, moved to new domain, changed his pass, left for vacation - we needed to pull his old data). Assaulting the SHA1 hash on his local machine was painfully slow using john (apparently running on 8 cores does little to help john - it doesn't seem to like parallelism), so I tried using fgdump, pwdump, etc. to pull domain pass hashes from the old DC. The IT manager didn't want to reboot the server at all - it's very unstable, hadn't come down in over 100 days, and was running SEP which was killing fgdump and such. I even tried pulling an mdd image, adding crypto patches to volatility, only to find that hashes on a DC aren't stored in RAM the same way as on a local machine (4 GB of transferred data later).
I ended up booting into a Windows VM with a trial of l0phtcrack to pull the hashes (I had the domain admin login). It worked like a charm, so now I'm trying to figure out a way to package it in my personal BackTrack ISO, but first I need it to run on Wine as I'm not willing to stuff a VirtualBox VM on the ISO (4 GB limit). I've tried a few things, googled around, but it's not too stable. I was wondering if anyone here has it working or knows of a Linux equivalent to pull MS domain hashes without pushing files (which will eventually be flagged as malware and auto-removed/disabled) to the target machine.
I presume it's done through some sort of LDAP/DS query, though I don't know enough to put something like that together myself. Suggestions would be greatly appreciated, thanks.
EDIT: anyone? at all? even the crickets are looking around like they're not sure they belong on this thread
Last edited by RageLtMan; 04-01-2010 at 07:09 AM.
So are you looking for something to pull the registry hive to extract the hashes from? Wouldn't it be easier to dump the hashes with Wine (loading the remote registry then dumping)? Or am I just confused?
Rage,
Why even bother with Wine? In my experience Wine is more or less garbage... so that tells me that you should just run a virtual machine of Windows on which to install l0phtcrack. Works like a charm.
Diablo
Domain accounts are stored in the NTDS database; I'm not sure if you can remote reg-edit that, but it would be worth a look. I'm just saying that the capability to connect to a DC if you have privs and pull all the hashes would be very useful.
There are five or six versions of pwdump that you should keep on hand, if my memory is serving 6e is the one you are looking for.
The various versions dump locally, remotely, remotely with a service, remotely with credentials, and I'm sure there are nuances to them. I usually keep everything from 4 upwards available just in case.
A word of caution: I once saw pwdump bluescreen a terminal server with 90 users on it (unknown reason). The point is, be careful, test during scheduled maintenance before you start consistently using it.
Also Cain can do the same thing IIRC.
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
Also the "newest" version is called fgdump and works remotely as well if you have the proper creds.
fgdump: Take *THAT* LSASS!
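The posts above note that several pwdump variants and fgdump work "remotely with a service" when run with the proper creds, and that endpoint protection tends to flag the pushed binary. From the defending side, the same behaviour leaves a recognisable trace: a fresh service installation (System log event 7045) whose binary sits in a user-writable location, shortly after a network logon (Security log event 4624, logon type 3) by the same account. The following is an added example, not code from any poster or from the pwdump/fgdump projects; it runs that correlation over a few constructed, simplified log lines (assumption: a real pipeline would parse EVTX/XML and merge the two logs, which this sketch stands in for with one `timestamp|event_id|key=value;...` format of my own).

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not a real capture). Security 4624 and System 7045
# events are merged into one simplified text format for this example.
SAMPLE_LOG = """\
2010-04-01T07:00:02|4624|LogonType=3;Account=CORP\\adminbob;Source=10.0.0.50
2010-04-01T07:00:05|7045|ServiceName=UpdSvc01;ImagePath=C:\\Windows\\Temp\\dump_svc.exe;Account=CORP\\adminbob
2010-04-01T07:00:06|4624|LogonType=3;Account=CORP\\adminbob;Source=10.0.0.50
2010-04-01T07:30:00|7045|ServiceName=BackupAgent;ImagePath=C:\\Program Files\\Backup\\agent.exe;Account=SYSTEM
2010-04-01T08:15:00|4624|LogonType=2;Account=CORP\\alice;Source=-
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<eid>\d+)\|(?P<fields>.*)$")

# Directories a legitimate service binary rarely lives in (assumption for this
# sketch; tune to the environment).
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\users\\", "\\temp\\", "\\admin$\\")


def parse_line(line):
    """Turn one simplified log line into a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split(";") if "=" in kv)
    return {"ts": datetime.fromisoformat(m.group("ts")),
            "eid": int(m.group("eid")), **fields}


def find_remote_service_installs(log_text, window_seconds=60):
    """Return alerts for 7045 service installs that look like a pushed dumper.

    A 7045 is flagged when its binary path is in a user-writable directory, or
    when the installing account had a network (type 3) logon within
    window_seconds before the install. Both reasons are reported when present.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    network_logons = [e for e in events
                      if e["eid"] == 4624 and e.get("LogonType") == "3"]
    alerts = []
    for e in events:
        if e["eid"] != 7045:
            continue
        reasons = []
        path = e.get("ImagePath", "").lower()
        if any(d in path for d in SUSPICIOUS_DIRS):
            reasons.append("service binary in user-writable location")
        recent = [l for l in network_logons
                  if l.get("Account") == e.get("Account")
                  and timedelta(0) <= e["ts"] - l["ts"] <= timedelta(seconds=window_seconds)]
        if recent:
            reasons.append("network logon by same account from %s within %ds"
                           % (recent[0].get("Source"), window_seconds))
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(),
                           "service": e.get("ServiceName"),
                           "path": e.get("ImagePath"),
                           "account": e.get("Account"),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_remote_service_installs(SAMPLE_LOG):
        print("%s %s (%s) by %s: %s" % (a["ts"], a["service"], a["path"],
                                        a["account"], "; ".join(a["reasons"])))
```

Only the first 7045 is flagged (temp-directory binary plus a type 3 logon by the same account three seconds earlier); the later BackupAgent install from Program Files under SYSTEM passes. The 60-second window and the directory list are the knobs to tune, and the same correlation applies whichever tool pushed the service, which is why it holds up better than signature-matching the dumper's file name.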
I tried fgdump as well to no avail, which made me rather sad. Gitsnick, thank you, I'll take a look at Cain and Abel again, haven't used it in years.
It's a great tool, but probably not the best way to arp spoof if you have to go that way. In terms of network hash dumping it's probably one of the best available at the moment for the price.
It bears reiterating for anyone who stumbles across this thread: fgdump, and the predecessors of pwdump, all work slightly differently. I went back and checked my files, I have a copy of every pwdump from pwdump3.exe onwards, and judging by the last-accessed times, I use them all rather than just relying on one - pwdump6 is better than pwdump3e, but occasionally 3e comes through for me when 6 doesn't, and so on.
Also, I've no idea if Cain will even run under Wine, so please let us know if it does (I boot VMs if I need Windows tools).