Solved

Crack users passwords on 2003 Domain Controller

Posted on 2005-04-19
24
Medium Priority
15,711 Views
Last Modified: 2009-08-03
I want to crack users' passwords off our Windows 2003 domain controller to show weaknesses that exist. I thought that if I used pwdump or Winternals ERD Commander along with LC5 I might be able to accomplish this. At least it sounds good. Does anyone have any suggestions or comments on whether I might be on the right track or not? I don't want to purchase any software but I'm open to cheap ($) suggestions. I already own LC5 and am willing to purchase anything from them or Winternals.
Question by:Fubyou
24 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13819333
Note that this question might be against the EE policies! So don't expect ready-to-use suggestions.

Using a password cracker against the SAM file should be sufficient. Think you know how to search the web for other tools ;-)
0
 

Expert Comment

by:d_ww
ID: 13820227
If you have the SAM file, that's all you need.
0
 
LVL 12

Expert Comment

by:kneH
ID: 13821914
LC5 will do the trick.
0
 
LVL 3

Assisted Solution

by:x4h
x4h earned 400 total points
ID: 13823419
We audit the passwords on the network here on quite a regular basis. I've found the best way to achieve this in a reasonable amount of time is by using pre-computed hashes (more setup time, but in the long run it will save you A LOT of time).

Rainbow tables: http://www.antsight.com/zsl/rainbowcrack/

Rainbow tables basically are a list of pre-computed hashes, which means you don't need to brute force; just check if the hash exists and you will know the plaintext password. They can be used either through the tool provided with the rainbow tables or they can be imported into LC5 if you have the administrator version.

So...

1. Dump passwords from SAM database using PWDUMP (requires admin privs)
2. Load rainbow tables after generating them (or downloading)
3. Sit back and relax :)
0
 

Author Comment

by:Fubyou
ID: 13827525
This is a legit security question and shouldn't be against any EE policies. I am the administrator and I need a way to audit passwords so that our users will learn to select better passwords than lame easy ones that can fall prey to a dictionary-type attack. In my case it's not as simple as reconfiguring the Default Domain Policy (W2003) to only allow strong passwords. There would be utter chaos and it would be a head-on-stick scenario. My plan is to create a script that emails the user to change their password within a week or so; if they don't change it, I'll have a password auto-generated and a DS tool would finish the job; an email would be sent to the user that their password will be changed the following week. Problem solved in my eyes. Then once everyone is using good passwords I can change the Default Domain Policy back to enforcing strong passwords.
0
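The author's plan above ends with switching the Default Domain Policy back to enforcing strong passwords. The following is an added example, not code from this thread or from Microsoft: an approximation of the Windows Server 2003 "Password must meet complexity requirements" rule (minimum 6 characters, no account name or full-name part longer than two characters, 3 of 4 character categories), usable as a pre-check in a self-service or notification script before the policy is re-enabled. The account names, full names and candidate passwords are constructed.

```python
"""Approximation of the Windows 'Password must meet complexity
requirements' policy as documented for Windows Server 2003.  Added
example, not a Microsoft implementation; the sample accounts at the
bottom are constructed for the demonstration."""
import re

# Windows splits the full name on these delimiters and ignores parts of
# two characters or fewer when checking for name fragments.
FULL_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def check_complexity(password, account_name, full_name=""):
    """Return (ok, reasons).  Rules: at least 6 characters; must not
    contain the account name (checked only if it is 3+ characters) or
    any full-name part longer than two characters, case-insensitively;
    must use 3 of the 4 categories upper, lower, digit, non-alphanumeric."""
    reasons = []
    lowered = password.lower()
    if len(password) < 6:
        reasons.append("shorter than 6 characters")
    if len(account_name) >= 3 and account_name.lower() in lowered:
        reasons.append("contains the account name")
    for part in FULL_NAME_DELIMS.split(full_name):
        if len(part) > 2 and part.lower() in lowered:
            reasons.append(f"contains full-name part '{part}'")
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(categories) < 3:
        reasons.append("fewer than 3 of the 4 character categories")
    return (not reasons, reasons)


# Constructed sample: (account name, full name, candidate password).
SAMPLES = [
    ("jsmith", "John Smith", "Summer2005!"),
    ("jsmith", "John Smith", "Smith2005!"),
    ("bob", "Bob B. Jones", "password"),
    ("bob", "Bob B. Jones", "Pa5!"),
]


def audit_samples(samples=SAMPLES):
    """Map each candidate password to the list of rules it violates."""
    return {pw: check_complexity(pw, acct, name)[1] for acct, name, pw in samples}


if __name__ == "__main__":
    for pw, reasons in audit_samples().items():
        print(f"{pw!r}: {'OK' if not reasons else '; '.join(reasons)}")
```

The categories are evaluated with Python's Unicode-aware `str` predicates, so a non-ASCII letter counts as upper or lower case here; the real policy on 2003 only credits the four categories listed in the docstring.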
 
LVL 3

Expert Comment

by:x4h
ID: 13827677
It may inconvenience some users when they are told to change their password to something more complex, but that's life and they will have to accept that. What if, during these weeks that you're slowly migrating things across and emailing users, somebody does actually manage to hack into your system using an easy-to-guess password and gets hold of confidential information? I think that would be a much more 'head on stick scenario'.

I can understand where you're coming from, not wanting to migrate things across straight away, but at the end of the day part of your job is making sure that the data on the network is kept secure, and if doing that temporarily inconveniences some users then so be it. I would suggest that most people won't object to the move as they will realise it's in their best interests.
0
 
LVL 8

Expert Comment

by:ViRoy
ID: 13838720

Well, I think you have most of the bases already covered. The SAM is gonna be the target for obtaining passwords; run this against LC5.

Other common weaknesses that are exploitable all the way up to the latest service pack: DCOM RPC and LSASS are the main 2 I'm seeing used. I have a working copy of the DCOM RPC and I was able to get root and send the SAM without the 2K SP4 server showing an active connection (except in netstat and sniffers).

Other password issues would be a client being compromised and a sniffer installed as MITM for gathering passwords.
0
 
LVL 8

Expert Comment

by:ViRoy
ID: 13838731

Ethereal is what I use for sniffing.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1600 total points
ID: 13844907
Rainbow crack as mentioned above is the fastest; Ophcrack may actually compute the hashes faster though:
http://ophcrack.sourceforge.net/ The added benefit is you can obtain the tables automatically,
but with a subscription or some junk you can do the same at rainbowcrack.com

However Rainbowcrack (from antsight) has a certain advantage over ophcrack: RC can find NTLM encrypted passes by using the LanMan hashes. Then, without you having to compute the NTLM rainbow tables, RC will try to match the NTLM hash given the case-insensitive LM hash. If the pass is over 14 chars, then there is no LM hash in the first place.

LC5 is slow. If you can, use a Linux box running johntheripper; if not, johntheripper on win32 is still much faster than LC5. By default, John will crack LanMan passes and can be patched to crack NTLM. LC5, as with RC, will crack the LM pass, then try each case permutation to find the matching NTLM hash. John does not do this by default, but can find the LM hash quickly, and if you feed John a short list of the LM passwords and apply the NTLM patch, John will give you the case-sensitive NTLM pass in seconds.

John can also be modified to do an even better job if you modify the john.conf file (formerly the john.ini file). I have made the modifications I used available here in the john.conf file: http://xinn.org/images/john.conf

I use rainbowcrack almost exclusively now, and just an FYI: computing the 64 gigs of tables for LM takes about 12 days on SIXTY-FOUR 2.66GHz P4's. But if you have only 8 machines or so, then you're looking at 2.5 months or so. John, and even l0pht, will find the passes before that for the most part. But if you have the tables around all the time, then it takes only minutes to obtain LM hashes, no matter how many, and no matter what the pass is.
-rich
0
 
LVL 1

Expert Comment

by:dtocco
ID: 13846789
Microsoft Baseline Security is a Windows network vulnerability tool. It's free and will assess your Windows network for vulnerabilities: lack of OS/APP updates, unnecessary running services, WEAK PASSWORDS, etc.

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Good Luck
0
 
LVL 5

Expert Comment

by:mnb93
ID: 13884171
0
 
LVL 12

Expert Comment

by:kneH
ID: 13884251
>>This is a legit security question and shouldn't be against any EE policies. I am the administrator and I need a way to audit passwords so that our users will learn to select better passwords than lame easy ones that can fall prey to a dictionary type attack.

Then do a dictionary attack and you'll find the bad ones.
If you really want to crack the passwords using a brute force tool you will eventually get ANY password....
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13885165
>If you really want to crack the passwords using a brute force tool you will eventually get ANY password....

ALT code passes, especially ALT+255 passwords, cannot be cracked; give it a try:
hold the Alt key and on the number pad type 255. That one-character pass cannot be cracked by any of the password crackers I've ever found.
But ALT code passes aren't good to use, since you can't send them to an IIS login, or if using VNC or other remote control software.

Just FYI.
-rich
0
 
LVL 12

Expert Comment

by:kneH
ID: 13885239
LOL I only knew that one as ALT+0160...

It CAN however be cracked!
Rainbowtables can include all the altcodes though...
at least if I remember correctly they can.

Lastly... if you are afraid of passes being insecure and want to crack em for that reason.... the ones you can't get don't need to get cracked :)
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13885359
> .. the ones you can't get ..
there are no passwords which can't be cracked :-D
0
 
LVL 12

Expert Comment

by:kneH
ID: 13885644
And if there are passwords which cannot be cracked it means they cannot be cracked right now.
Time is against all security.

Just some more info to get you paranoid :)
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13885897
> .. get you paranoid ..
right now I'm ;-)
0
 
LVL 12

Expert Comment

by:kneH
ID: 13886009
I'm not...
I can see what you're doing so I'm not afraid ;)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13886268
If you load that password of the single char of alt+255 into L0pht, or john, or other "conventional" password cracker, they ALL think the pass is 3 chars long. I've used every tool I can to find the correct HEX code for the keystroke ALT+255 (every keylogger, fakeGina, SoftIce etc...) and I've yet to find out how to do it with ALT+255 only. It's an UNprintable ASCII code, but it must have a hex value; if it did, THEN perhaps it would be able to be added to the char list of rainbow/ophcrack.
Again this doesn't work for other OSes; it seems to be a Windows thing... this is way off topic and we are wasting the author's time with this discussion. If you figure out the hex code of the "character" ALT+255 you let me know, it's not as simple as you think... change your font, and you change the hex code...
I'm closing my trap now.
-rich
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13886522
> ALT+255
0xff
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13886758
I wish that were it! And if it is... doesn't work in john, l0pht or rainbow/ophcrack.
-rich
0
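The ALT+255 / 0xff / ALT+0160 exchange above comes down to code pages. The following is an added example, not from the thread, showing how one keystroke ends up as a Unicode character and then as different bytes depending on the encoding a tool looks through. It assumes a US Windows system, where ALT+nnn without a leading zero is resolved through OEM code page 437 and ALT+0nnn through ANSI code page 1252, and that the NT hash consumes the character as UTF-16LE.

```python
"""Where an ALT-code keystroke ends up.  Added example, not from the
thread.  Assumes US code pages: ALT+nnn (no leading zero) goes through
OEM code page 437, ALT+0nnn through ANSI code page 1252."""


def alt_code_to_char(code, leading_zero):
    """Return the Unicode character an ALT code produces on the assumed
    code pages.  Raises if the byte is undefined in that code page."""
    if not 0 <= code <= 255:
        raise ValueError("ALT codes map a single byte")
    codepage = "cp1252" if leading_zero else "cp437"
    return bytes([code]).decode(codepage)


def representations(ch):
    """The same character as seen through different encodings; this is
    why one keystroke reads as one byte value in an OEM-oriented tool
    and another in an ANSI or Unicode one."""
    return {
        "unicode": f"U+{ord(ch):04X}",
        "utf16le": ch.encode("utf-16-le").hex(),
        "utf8": ch.encode("utf-8").hex(),
        "cp437": ch.encode("cp437").hex(),
        "cp1252": ch.encode("cp1252").hex(),
    }


def same_character(code_a, zero_a, code_b, zero_b):
    """True if two ALT codes produce the same stored character."""
    return alt_code_to_char(code_a, zero_a) == alt_code_to_char(code_b, zero_b)


if __name__ == "__main__":
    ch = alt_code_to_char(255, leading_zero=False)
    print("ALT+255 ->", representations(ch))
    print("ALT+255 same as ALT+0160:", same_character(255, False, 160, True))
```

Both ALT+255 (cp437 byte 0xFF) and ALT+0160 (cp1252 byte 0xA0) decode to U+00A0, the no-break space, which is stored as the bytes `a0 00` in UTF-16LE; a cracker that expects its character set as single bytes in one code page will not find that character unless its alphabet is built for the same code page.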
 
LVL 2

Expert Comment

by:bboy77
ID: 13965686
pwdump and LC5 should work just fine. But the best thing to do is disable LM hashing on the 2003 server in the first place. That's one of the first things I do when deploying a new domain controller.
http://emea.windowsitpro.com/Windows/Article/ArticleID/43416/43416.html
0
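Two points in this thread, Rich Rumble's note that a password over 14 characters has no LM hash at all and bboy77's advice to disable LM hashing on the DC, can both be checked from a pwdump-style dump without cracking anything. The following is an added example, not code from this thread or from pwdump, LC5 or John: it parses `user:RID:LMhash:NThash:::` records and reports which accounts still have an LM hash stored, which have an empty password, and which accounts share a password, using only the well-known constant values for "no LM hash" and "empty NT password". The dump below is constructed; its hash values are arbitrary hex, not real hashes.

```python
"""Hygiene checks over a pwdump-style dump (user:RID:LMhash:NThash:::).
Added example, not code from this thread or from any of the tools it
names; it does no cracking, it only reports structural findings.  The
sample dump below is constructed for the demonstration."""
import re
from collections import defaultdict

# Well-known constants: the LM field stored when there is no LM hash, and
# the NT hash of an empty password.  A blank LM field means either the
# password is longer than 14 characters or LM hash storage is disabled.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample: hash values are arbitrary hex, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:0102030405060708090a0b0c0d0e0f10:1112131415161718191a1b1c1d1e1f20:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:2122232425262728292a2b2c2d2e2f30:::
bob:1002:3132333435363738393a3b3c3d3e3f40:2122232425262728292a2b2c2d2e2f30:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:4142434445464748494a4b4c4d4e4f50:::
this line is not a hash record and is skipped
"""


def parse_pwdump(text):
    """Yield (user, rid, lm, nt) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if not (HEX32.match(lm) and HEX32.match(nt)):
            continue
        yield parts[0], int(parts[1]), lm, nt


def lm_halves(password):
    """Show what LM actually hashes: the password uppercased, null-padded
    to 14 bytes and split into two independent 7-byte halves.  Returns
    None for passwords over 14 characters, which get no LM hash at all.
    Real LM converts to the OEM code page first; this assumes ASCII."""
    if len(password) > 14:
        return None
    padded = password.upper().ljust(14, "\x00")
    return padded[:7], padded[7:]


def audit(text):
    """Return findings: accounts with an LM hash stored, accounts with an
    empty password, and groups of accounts sharing one NT hash."""
    findings = defaultdict(list)
    by_nt = defaultdict(list)
    for user, rid, lm, nt in parse_pwdump(text):
        if lm != BLANK_LM:
            findings["lm_hash_stored"].append(user)
        if nt == EMPTY_NT:
            findings["empty_password"].append(user)
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings["shared_password"].append(sorted(users))
    return dict(findings)


if __name__ == "__main__":
    for key, value in audit(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
    print("lm_halves('Password1') ->", lm_halves("Password1"))
```

`lm_halves` makes the weakness concrete: for any password of seven characters or fewer the second half is all nulls, so every such account shares the same second-half value, and the uppercasing is why the thread's tools recover the LM password first and then only have to try case permutations for the NT hash. Once LM storage is disabled on the DC and users have changed their passwords, `lm_hash_stored` should come back empty.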
 

Author Comment

by:Fubyou
ID: 13998135
Thanks guys!!!!!!!!!
0
 
LVL 5

Expert Comment

by:biscuit3
ID: 25756548
http://plain-text.info/

Saves you time and effort dealing with the Rainbow tables.  If you have the hash, plug it into this site, and it will give you the password.
0
