Exporting (and maybe decrypting) hashes from AD
Written by Jason   
Oct 14, 2011 at 01:14 PM

I recently ran into an interesting issue. A domain controller was dropped off on my doorstep from a company that closed their office in the area. I was asked to get on the server and connect it to their remote network in another state, only I didn't have any credentials to log onto it...

It's not difficult these days (for someone who knows how to search Google, anyway) to use any number of utilities to reset the password for the local accounts on a Windows server. But getting into the Active Directory accounts of a domain controller is another story.

I wrote about doing this a while back, but that scenario requires you to already have an administrator account you can log on to the server with.

The best tool I've found for this is a product from Passcape. The version in that link is a shareware version that works to dump the Active Directory hashes from a local copy of the ntds.dit file. The full version allows you to make changes to the account, but for my purpose I didn't need that feature.

Booting off of the CD burned from the ISO in the link, it took about five minutes to get a file with the usernames and hashes stored on the local drive. I then booted up with a random live CD with a Linux distribution on it and SSH'd the files from the drive to another server. After that it was just as simple as decrypting the hashes with Rainbow Tables.

The moral of the story? Physical access is king and if your Microsoft Active Directory password is less than 14 characters you can consider it cracked very easily. Yet another reason not to use the same password on different accounts!

Last Updated ( Oct 14, 2011 at 01:37 PM )
© http://www.roboguys.com, Mambo and Designed by Siteground