Re: AD password Auditing

From: Joey Peloquin (
Date: 08/07/05

  • Next message: goenw: "Application Assessment"
    Date: Sun, 07 Aug 2005 15:53:37 -0500
    To: "Rochford, Paul" <>

    Rochford, Paul wrote:

    >You used to get the SAM file off a running server by running rdisk /s-,
    >it will make a copy on the existing one. It's the copy of the SAM you
    >retrieve. Also not sure AD stores credentials in the same way as Classic
    >NT Domains, so you may be looking in the wrong place. Someone I'm sure
    >can verify this.
    >Kind Regards,
    >Paul Rochford
    Good point, Paul. Won't grabbing a copy of the DC's SAM just provide
    its local accounts?

    Active Directory stores user accounts and other information in its
    database file, NTDS.dit. This file can grow HUGE, so even if you can
    get it without being spotted and cut-off by the client, it could take a
    while. I've done a few google queries, and only read of capturing
    ntds.dit through physical access. On top of that, according to a post
    by an "MVP", as of Dec. '03, there was no _known_ tools to crack the db

    According to the same post, however, you can use pwdump3 to inject the
    LSASS process, and export a crackable hash. I believe you have to be a
    local Admin on the DC as well.

    Good luck.


    FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

    Learn the hacker's secrets that compromise wireless LANs. Secure your
    WLAN by understanding these threats, available hacking tools and proven
    countermeasures. Defend your WLAN against man-in-the-Middle attacks and
    session hijacking, denial-of-service, rogue access points, identity
    thefts and MAC spoofing. Request your complimentary white paper at:

  • Next message: goenw: "Application Assessment"