Windows (windblows) password audit notes

2017-06-30

Well, it’s that time of the year/quarter/month… whatever policy you have on performing the password audit. Some of my notes are from references that are a few years old, so I’m not sure if they will be around much longer; I hope so, as they have good info. Keep in mind I am using Kali 2017.1 for my fun today.

First Windows password audit, or as I call it, Windblows Password Audit.

Retrieve the ntds.dit and SYSTEM file (notes from https://www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html):

C:\>ntdsutil

ntdsutil: Activate Instance ntds

ntdsutil: ifm

ifm: create full c:\cool-pass-pentest-audit

ifm: quit

ntdsutil: quit

Copy the c:\cool-pass-pentest-audit folder to your Kali box.

Install libesedb-utils:

apt install libesedb-utils

Export the ntds.dit tables (notes from https://www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html):

esedbexport -m tables ntds.dit

(this may take a while… a long while)

Now we need to extract the hashes….

Currently I am using this: https://github.com/csababarta/ntdsxtract

git clone https://github.com/csababarta/ntdsxtract.git

python ntdsxtract/dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.6 hashdumpwork --syshive SYSTEM --passwordhashes --lmoutfile lm-out.txt --ntoutfile nt-out.txt --pwdformat ocl

Now we can do some cracking, using hashcat (since I like to use GPUs).

We will start with the rockyou.txt.gz wordlist that came with my Kali install.

cd /usr/share/wordlists; gunzip rockyou.txt.gz; cd -

hashcat -a 0 -m 1000 --username hashdumpwork/nt-out.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule

I like to use most of the rule sets that come with the hashcat install on Kali; I tend to get a bit of success with the different ones, but I will just give the example using rockyou-30000.rule.

Want to see what passwords you got when it is over? Just run the same hashcat command but add the --show flag, and presto!
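Once the run is over, the useful audit output is not the plaintexts themselves but the numbers you report back: how many accounts cracked, which accounts have a blank password, and which accounts share the same NT hash (same password, a finding even when it never cracks). The script below is an added example, not part of the original post or of ntdsxtract/hashcat; it assumes the nt-out.txt lines are plain `user:hash` (the ocl format above) and that hashcat `--show` prints `user:hash:plaintext`, and the sample lines embedded in it are constructed, not real audit data.

```python
from collections import Counter, defaultdict

# NT hash of the empty password (well-known constant): such accounts have no password at all.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed samples (not real audit data): ntdsxtract "ocl" output (user:NThash) ...
NT_OUT = """\
alice:8846f7eaee8fb117ad06bdd830b7586c
bob:8846f7eaee8fb117ad06bdd830b7586c
carol:31d6cfe0d16ae931b73c59d7e0c089c0
dave:0123456789abcdef0123456789abcdef
"""
# ... and what 'hashcat -m 1000 --username ... --show' prints (user:NThash:plaintext).
SHOW_OUT = """\
alice:8846f7eaee8fb117ad06bdd830b7586c:password
bob:8846f7eaee8fb117ad06bdd830b7586c:password
carol:31d6cfe0d16ae931b73c59d7e0c089c0:
"""

def parse_nt_out(text):
    """user -> NT hash from the user:hash lines that were fed to hashcat."""
    pairs = (line.rsplit(":", 1) for line in text.splitlines() if ":" in line)
    return {user: nthash.strip().lower() for user, nthash in pairs}

def parse_show_out(text):
    """user -> plaintext from hashcat --show; split only twice since a plaintext may contain ':'."""
    parts = (line.split(":", 2) for line in text.splitlines())
    return {p[0]: p[2] for p in parts if len(p) == 3}

def audit(nt_text, show_text):
    """Summarise the audit: cracked count, blank passwords, hash reuse (visible even when uncracked)."""
    hashes, cracked = parse_nt_out(nt_text), parse_show_out(show_text)
    by_hash = defaultdict(list)
    for user, h in hashes.items():
        by_hash[h].append(user)
    # Identical NT hashes mean identical passwords: a shared password is a finding even if it never cracks.
    reuse = sorted(sorted(u) for h, u in by_hash.items() if len(u) > 1 and h != EMPTY_NT)
    top = Counter(cracked[u] for u in cracked if hashes.get(u, EMPTY_NT) != EMPTY_NT)
    return {
        "total": len(hashes),
        "cracked": len([u for u in hashes if u in cracked]),
        "blank": sorted(u for u, h in hashes.items() if h == EMPTY_NT),
        "reuse": reuse,
        "top": top.most_common(5),
    }

if __name__ == "__main__":
    for key, value in audit(NT_OUT, SHOW_OUT).items():
        print(f"{key}: {value}")
```

Point it at the real nt-out.txt and the saved `--show` output and the same dictionary is what goes into the report; the reuse groups are worth checking first, since they are computed from the hashes alone.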

Lance Grover

© 2015-2023 Lance Grover
