Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 02 Feb 2007 18:15:32 +0000
From: Hari Sekhon <hpsekhon@...glemail.com>
To:  john-users@...ts.openwall.com
Subject: Re: Windows Domain Account Cracking

Ok, googling I found pwdump2 which is supposed to be able to dump 
Windows AD domain accounts. I tried it on a spare domain controller. 
Unfortunately it just croaked and caused the lsass.exe process to crash 
and went to reboot automatically. I  I aborted the shutdown but now the 
lsass proc is dead I can't actually shut down the server properly. hmmm. 
I think I had a similar experience that last time I tried this sort of 
thing about a year and a half ago at my previous job.


The system process 'C:\WINDOWS\system32\lsass.exe' terminated 
unexpectedly with status code -1073741819.  The system will now shut 
down and restart.


I think it's possible that the Windows security upgrades that have been 
happening the last couple of years have broken this. I even tried 
disabling DEP for lsass but got the same result...

Anybody know if there is a way for me to disable any protections 
temporarily to allow me to do this?

Or another way of doing it possibly?


Thanks

Hari Sekhon



Hari Sekhon wrote:
> Hi,
>   I've used jtr for quite some time now and previously I have used 
> pwdump and cachedump on windows to get the hashes to crack. However, I 
> would like to do something a little grander this time to get all the 
> domain account/hashes dumped from my Windows 2003 Active Directory 
> domain. I have admin access to the domain controllers (not surprising 
> since I'm the primary admin of the domain) and expect I can probably 
> do this by running something similar to pwdump or cachedump.
>
> If I recall correctly, pwdump only works for local accounts and 
> cachedump only works for cached domain accounts.
> So what I am looking for is a way of going to the domain controller, 
> running some command and have it dump all the accounts and their 
> hashes for auditing.
>
> Does anybody know of such a program/method to get the hashes?
>
>
> Thanks
>
> -h
>

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.