Cracking Cached Passwords with Cachedump and John the Ripper (JTR)

If you are looking to audit password strength in a Windows domain environment, there are two tools that will help you. FGDump is a compilation of PWDump and Cachedump. It also has some useful switches, but documentation for those can be found here. PWDump pulls the hashes of local accounts such as Administrator. Cachedump, however, pulls the cached hashes of domain users who have logged into the machine.

Here is how to grab the hashes.

1. Download FGDump from here and place the executable on a flash drive (if you have a U3 device, I will soon be posting how to run fgdump without any user interaction).
2. Plug the flash drive into the target computer and open a command prompt.
3. Navigate to your flash drive and execute fgdump.exe.
4. Wait for it to finish. Once it succeeds, open the 127.0.0.1.cachedump file in Notepad to see the hashes.
5. Copy the hashes into a plain text file (the commands below assume it is named hashes.txt).

Next, download John:

wget http://openwall.com/john/f/john-1.7.2.tar.gz
tar xzf john-1.7.2.tar.gz


Now we have to patch it so that it recognizes the cachedump (mscash) format:

wget http://openwall.com/john/contrib/john-1.7.2-mscash-alainesp-4.1.diff.gz
cd john-1.7.2
zcat ../john-1.7.2-mscash-alainesp-4.1.diff.gz | patch -p1 -Z


If you do not have the zcat command, apply the same patch with gzip instead:

gzip -dc ../john-1.7.2-mscash-alainesp-4.1.diff.gz | patch -p1
cd src
make
make clean SYSTEM

(Running make with no arguments prints the list of build targets; replace SYSTEM with the one that matches your system, e.g. linux-x86-sse2 or generic.)

Once successful:

cd run
./john --test


Now let's crack the cached hashes:

./john -format:mscash hashes.txt


or, with a wordlist instead of John's default modes:

./john -w:passwordlist.txt -format:mscash hashes.txt
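To see why this format cracks as quickly as John's --test will show, here is the cached-credential (DCC1, John's "mscash") construction written out as an added illustration; it is not code from this post or from John. It assumes the M$user#hash line form that later John releases document for this format, and it carries its own MD4 so it runs without OpenSSL's legacy provider. The only per-user input is the lowercased username and there is no iteration count, which is the weakness Vista's DCC2 (PBKDF2-based, a separate mscash2 format in John) was introduced to fix.

```python
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), included so the example has no
    dependency on hashlib's optional md4 support."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, shifts, message-word order)
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [4 * (i % 4) + i // 4 for i in range(16)]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                t = (a + func(b, c, d) + x[k] + const) & 0xFFFFFFFF
                a, b, c, d = d, rotl(t, shifts[i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def mscash_hash(username: str, password: str) -> str:
    """DCC1: MD4( MD4(UTF-16LE(password)) || UTF-16LE(lowercase(username)) ).
    The inner MD4 is the NT hash; the username is the only 'salt' and it is
    public, so one MD4 per candidate is all a cracker has to pay."""
    nt_hash = md4(password.encode("utf-16-le"))
    return md4(nt_hash + username.lower().encode("utf-16-le")).hex()

def mscash_line(username: str, password: str) -> str:
    """Line form M$<user>#<hash> (assumed from later John documentation)."""
    return f"M${username}#{mscash_hash(username, password)}"

if __name__ == "__main__":
    # Constructed sample account, not a real hash from any machine.
    print(mscash_line("jdoe", "Winter2008"))
```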

Give me some feedback if this helped you.
