Re: hacking ntds.dit

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 12/28/03


Date: Sun, 28 Dec 2003 10:22:56 -0500

The problem is they have to yank the password hashes out of the DIT, which isn't trivial when it is offline and only a
raw file. If you can inject into the LSASS process on a running domain controller (a la pwdump3) you can easily strip
the hashes out to be cracked, and I have done it on several occasions in test labs to prove how easy it really is. There
the AD database engine is being used to read the DIT; it isn't a raw read of the file. What this means is that if someone has
physical access to install and start a service on a Domain Controller, they can easily have your password database. If
they only have physical access to the DIT file, at this point in time there is no readily known tool to crack in and get
the hashes to crack them.

Once someone works out a program that can fire up the DIT file outside of Active Directory, it will become possible to
pull out anything they have mapped and also modify the same. However, again, I think that is a ways off, as I haven't even
seen anything doing raw reads of the DIT file other than raw sector-level reads, which isn't even close.

-- 
Joe Richards
www.joeware.net
--
"Steve" <reddsoda@hotmail.com> wrote in message news:O3odlGNzDHA.1412@TK2MSFTNGP11.phx.gbl...
> Thanks.  I suspected the answers but it's nice to hear from other people in
> the know.  I just wanted to know if someone using L0phtCrack or something
> similar can't hack into the database that simply.
>
>
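The post's practical point is that the dangerous path is not the DIT file itself but getting a service installed and started on a domain controller, where it runs next to LSASS and the database engine. The detection check below is an added example written for this page, not code from Joe Richards or from the thread: it flags every service installation recorded on a domain controller and marks those whose binary runs from outside the usual system directories. The log lines are constructed to look like Windows System-log event 7045 ("A service was installed in the system") flattened to one record per line; the hostnames, service names, paths and the domain-controller inventory are all assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not real telemetry) in the shape of Windows
# System-log event 7045, "A service was installed in the system", flattened
# to one record per line.  Hostnames, service names and paths are invented.
SAMPLE_EVENTS = [
    "2003-12-28T10:05:11 Host=DC01 EventID=7045 ServiceName=wuauserv "
    "ImagePath=C:\\WINDOWS\\system32\\svchost.exe -k netsvcs Account=LocalSystem",
    "2003-12-28T10:07:42 Host=DC01 EventID=7045 ServiceName=pwsvc "
    "ImagePath=C:\\TEMP\\pwservice.exe Account=LocalSystem",
    "2003-12-28T10:09:03 Host=WS17 EventID=7045 ServiceName=pwsvc "
    "ImagePath=C:\\TEMP\\pwservice.exe Account=LocalSystem",
    "2003-12-28T10:11:30 Host=DC02 EventID=7036 ServiceName=Spooler "
    "ImagePath= Account=",
    "2003-12-28T10:12:55 Host=DC02 EventID=7045 ServiceName=backupagent "
    "ImagePath=\"C:\\Program Files\\Backup\\agent.exe\" /svc Account=LocalSystem",
]

# Assumed inventory of domain controllers; in practice pull this from AD.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Directories from which a legitimately installed service normally runs.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

# Field layout of the constructed records above.  ImagePath may contain
# spaces and arguments, so it is matched lazily up to the Account field.
RECORD = re.compile(
    r"^(?P<ts>\S+) Host=(?P<host>\S+) EventID=(?P<id>\d+) "
    r"ServiceName=(?P<svc>\S+) ImagePath=(?P<path>.*?) Account=(?P<acct>\S*)$"
)


@dataclass
class Alert:
    timestamp: str
    host: str
    service: str
    binary: str
    severity: str  # "high": binary outside trusted dirs; "review": any other new service on a DC


def binary_path(image_path: str) -> str:
    """Return the executable from an ImagePath, dropping arguments and quotes."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    return p.split(" ", 1)[0]


def detect_dc_service_installs(lines, domain_controllers=DOMAIN_CONTROLLERS):
    """Flag every service installation (event 7045) on a domain controller.

    Any new service on a DC runs as LocalSystem next to LSASS and the DIT, so
    all of them are reported; those whose binary lives outside the trusted
    directories are marked high.  Non-DC hosts and other event IDs are ignored.
    """
    alerts = []
    for line in lines:
        m = RECORD.match(line)
        if not m or m["id"] != "7045" or m["host"] not in domain_controllers:
            continue
        binary = binary_path(m["path"])
        trusted = binary.lower().startswith(TRUSTED_PREFIXES)
        alerts.append(Alert(m["ts"], m["host"], m["svc"], binary,
                            "review" if trusted else "high"))
    return alerts


if __name__ == "__main__":
    for a in detect_dc_service_installs(SAMPLE_EVENTS):
        print(f"{a.severity:6} {a.timestamp} {a.host} service={a.service} binary={a.binary}")
```

Run against the sample records, the workstation install and the non-7045 event are skipped, the two services under C:\WINDOWS and C:\Program Files come out as "review", and the service started from C:\TEMP on DC01 is the "high" finding. Treating every new service on a DC as reviewable, rather than only the ones from odd paths, is deliberate: a service binary can be dropped into a trusted directory just as easily.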