hashcat Forum

Full Version: fgdump layout
I am needing some clarity on what I am looking at in a fgdump file. My hash dump shows me the usernames and hashes that I can successfully load and crack, but usually at the bottom of my hash file it has some computer names and hashes. I don't really understand what those are, can someone help? Are they NTLM hashes? They never seem to crack though.
they are called machine accounts.

http://blogs.technet.com/b/askds/archive...test2.aspx

yes, they are ntlm hashes. iirc they are 14-character random passwords.
So the AD assigns the random password? What would these hashes be useful for as far as penetration testing goes?
i believe machine hashes are used to join machines to the domain, so if you crack a machine hash, then i believe you can use it to join a rogue machine to the domain.

edit: but you are very unlikely to crack one hashed as ntlm, i believe the keyspace is 62^14. so you really can only crack them if you have lm hashes.
Thanks for the info. I guess one last question on this is:

Is there any way to tell fgdump to ignore the machine accounts, so that they don't crowd up my hash file?
(11-12-2014, 08:26 PM)slawson Wrote: Thanks for the info. I guess one last question on this is:

Is there any way to tell fgdump to ignore the machine accounts, so that they don't crowd up my hash file?

Typically we remove these entries through a quick "grep -v" on the file for a $, provided no legitimate domain accounts contain this character.
As far as I know fgdump does not support skipping machine accounts.

The likelihood of cracking one of these is exceedingly low as epixoip stated. You're best off ignoring them and focusing on users.
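
The filtering step from the reply above, as an added example that is not part of the original posts: instead of dropping every line that contains a `$`, it drops only lines whose account-name field ends in `$`, so a user account with a `$` inside its name is kept. It assumes the dump uses pwdump-style lines (`name:RID:LMhash:NThash:::`); the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: split a pwdump-style dump into user and machine-account lines.
# Assumed line format (pwdump style): name:RID:LMhash:NThash:::
# A machine account is recognised by a name FIELD that ends in "$", so a "$"
# elsewhere in the line (or inside a user name) does not drop a user entry.

# filter_accounts MODE FILE    (MODE is "users" or "machines")
filter_accounts() {
    mode=$1
    file=$2
    awk -F: -v mode="$mode" '
        NF < 4 { next }                       # skip blank or malformed lines
        {
            is_machine = ($1 ~ /\$$/)         # name field ends with "$"
            if (mode == "machines" && is_machine)    print
            else if (mode == "users" && !is_machine) print
        }
    ' "$file"
}

# Constructed sample input (placeholder hashes, not real data).
write_sample() {
    cat > "$1" <<'EOF'
alice:1104:00000000000000000000000000000000:11111111111111111111111111111111:::
svc$backup:1105:00000000000000000000000000000000:22222222222222222222222222222222:::
WKSTN01$:1106:00000000000000000000000000000000:33333333333333333333333333333333:::
DC01$:1001:00000000000000000000000000000000:44444444444444444444444444444444:::

EOF
}

# Stand-alone use: sh filter.sh users dump.pwdump > users.pwdump
if [ "$#" -eq 2 ]; then
    filter_accounts "$1" "$2"
fi
```

On the sample, a plain `grep -v '\$'` would also discard `svc$backup`, while `filter_accounts users` keeps it.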
Great information. Thanks for not using demeaning sarcasm on a newbie.