Re: Password management on Windows Domain Controller
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 10/16/04
- Next message: Joe Richards [MVP]: "Re: lastlogon attribute"
- Previous message: Karl Levinson [x y] mvp: "Re: Firewall/Redirection Issue"
- In reply to: Leena: "Re: Password management on Windows Domain Controller"
- Next in thread: Leena: "Re: Password management on Windows Domain Controller"
- Reply: Leena: "Re: Password management on Windows Domain Controller"
Date: Sat, 16 Oct 2004 11:12:25 -0400
You are pretty much SOL. There is no API to do what you are asking and your only
option is to inject code into the LSA process, which is not supported, though the
pwdump guy figured out how to do it. His source code is available to look at
though, so you could contact him and ask permission to write your own stuff based
on what he did. However, note that injecting code into LSASS has a funny way
of making systems get unstable if you don't know what you are doing.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Leena wrote:
> Hi All,
> Thanks for your help.
>
> I don't want to use any utility like pwdump or LC4. Instead I'm trying to
> write my own code to retrieve the passwords or password hashes (LM or NT).
>
> What I want to do is to check whether a particular user's password is "xyz"
> without changing the user's logon statistics. If I use the LogOnUser() API to
> check this, the logon statistics (last logon time, bad password count etc.)
> change. If you know any Windows API that allows me to check the user
> password for a certain value without changing the logon statistics, that will
> also do.
>
> If there is no such API, then I need to know how to get the passwords from
> AD programmatically, without using the above mentioned tools.
>
> Any information/links in this direction would be helpful.
>
> Thanks in advance,
> Leena
>
> "Miha Pihler" wrote:
>
>>That is correct. Passwords in AD are stored in the AD database. It is also true
>>that tools like PWDump or LC5 don't care where this is stored. They don't
>>look into the AD database or registry or SAM database for the hashes since they
>>are protected quite well within these files...
>>
>>What it uses is this (from PWDump site):
>>***********************************
>>It uses a technique known as DLL injection. In general, one process
>>(pwdump2.exe) forces another process (lsass.exe) to load a DLL (samdump.dll)
>>and execute some code from the DLL in the other process's (lsass.exe's)
>>address space and user context. In this specific case, once samdump.dll is
>>loaded into lsass, it uses the same internal API that msv1_0.dll uses to
>>access the password hashes. This means it can get the hashes without doing
>>any of the 'hard' work of pulling them out of the registry and decrypting
>>them. The program neither knows nor cares what the encryption algorithms or
>>keys are.
>>***********************************
>>
>>Mike
>>
>>"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
>>news:OQnq3V4rEHA.3396@tk2msftngp13.phx.gbl...
>>
>>>In the Active Directory database.
>>>
>>>How to prevent Windows from storing a LAN manager hash of your password in
>>>Active Directory and local SAM databases:
>>>http://support.microsoft.com/?id=299656
>>>
>>>--
>>>Svyatoslav Pidgorny, MVP, MCSE
>>>-= F1 is the key =-
>>>
>>>"SysTray" <SysTray@discussions.microsoft.com> wrote in message
>>>news:D7949E03-5A77-4B96-B75B-9E1A293D1699@microsoft.com...
>>>
>>>>Hi Miha
>>>>
>>>>Where are domain user's hashes on domain controller's located? Do you have
>>>>the exact location?
>>>>
>>>>Thaaaaanks
>>>>
>>>>Marcel
>>>>
>>>>"Miha Pihler" wrote:
>>>>
>>>>>Hi Leena,
>>>>>
>>>>>By default Windows will store passwords as LM Hash (as long as they are
>>>>>longer than 14 characters) and NTLM hash. LM hashes are less secure and can
>>>>>usually be cracked within two days or less if users use only normal set of
>>>>>characters (but it also depends on hardware where you crack)... This is not
>>>>>only on domain controllers, but also on local computers from e.g. Windows NT
>>>>>4.0 forward...
>>>>>
>>>>>I usually use tools like LC5 from @Stake to retrieve domain user's hashes on
>>>>>domain controller. For local user accounts that are stored in SAM database
>>>>>you can use tools like PWDump2.
>>>>>
>>>>>Mike
>>>>>
>>>>>"Leena" <Leena@discussions.microsoft.com> wrote in message
>>>>>news:BEA7ABE8-AFDE-4585-BE65-084B7192DF5A@microsoft.com...
>>>>>
>>>>>>Hi All,
>>>>>>Does anybody know where the domain user passwords are stored on a Windows
>>>>>>Domain Controller?
>>>>>>According to my investigation, on Windows systems instead of storing the
>>>>>>passwords directly, password hashes (i.e. encrypted passwords) are stored on
>>>>>>the system. I would like to know where they are stored in Active Directory and
>>>>>>is it possible to retrieve them.
>>>>>>I know that there are these three attributes in the Active Directory schema
>>>>>>- userPassword, dbcsPwd and unicodePwd, which are used to store password
>>>>>>related information. But I'm not sure how these attributes are used by the
>>>>>>system and is it possible to retrieve their values.
>>>>>>
>>>>>>Any help on this would be appreciated.
>>>>>>Leena
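
The DLL injection into lsass.exe quoted above from the PWDump site leaves two observable traces: a remote thread created in lsass.exe and a new module loaded into it. The following is an added example, not part of the original thread or of any tool it mentions; it assumes events already parsed into dictionaries using Sysmon's field names for Event ID 8 (CreateRemoteThread) and Event ID 7 (ImageLoad), and the sample events and paths are constructed.

```python
# Added example (not from the thread): flag events consistent with DLL
# injection into lsass.exe. Field names follow Sysmon Event ID 8
# (CreateRemoteThread) and Event ID 7 (ImageLoad); sample data is constructed.
LSASS = "\\lsass.exe"


def is_lsass(path):
    # Windows paths are case-insensitive, so compare in lower case.
    return path.lower().endswith(LSASS)


def flag_lsass_injection(events):
    """Return (kind, image, detail) tuples for suspicious lsass.exe activity."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 8 and is_lsass(ev.get("TargetImage", "")):
            # Another process started a thread inside lsass.exe.
            findings.append(("remote-thread", ev.get("SourceImage", ""),
                             ev.get("StartModule", "")))
        elif eid == 7 and is_lsass(ev.get("Image", "")):
            # A module without a valid signature was loaded into lsass.exe;
            # a missing Signed field is treated as unsigned.
            if ev.get("Signed", "").lower() != "true":
                findings.append(("unsigned-module", ev.get("Image", ""),
                                 ev.get("ImageLoaded", "")))
    return findings


SAMPLE_EVENTS = [  # constructed for illustration
    {"EventID": 8, "SourceImage": r"C:\Temp\pwdump2.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": r"C:\WINDOWS\system32\LSASS.EXE",
     "ImageLoaded": r"C:\Temp\samdump.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\msv1_0.dll", "Signed": "true"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in flag_lsass_injection(SAMPLE_EVENTS):
        print(finding)
```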