|
fgdump layout
|
11-12-2014, 07:09 PM
I am needing some clarity on what I am looking at in a fgdump file. My hash dump shows me the usernames and hashes that I can successfully load and crack, but usually at the bottom of my hash file it has some computer names and hashes. I don't really understand what those are, can someone help? Are they NTLM hashes? They never seem to crack though.
11-12-2014, 07:46 PM
they are called machine accounts.
http://blogs.technet.com/b/askds/archive...test2.aspx yes, they are ntlm hashes. iirc they are 14-character random passwords.
11-12-2014, 07:51 PM
So the AD assigns the random password? What would these hashes be useful for as far as penetration testing goes?
i believe machine hashes are used to join machines to the domain, so if you crack a machine hash, then i believe you can use it to join a rogue machine to the domain.
edit: but you are very unlikely to crack one hashed as ntlm, i believe the keyspace is 62^14. so you really can only crack them if you have lm hashes.
11-12-2014, 08:26 PM
Thanks for the info. I guess one last question on this is:
Is there any way to tell fgdump to ignore the machine accounts, so that they don't crowd up my hash file? 
11-12-2014, 10:07 PM
(11-12-2014, 08:26 PM)slawson Wrote: Thanks for the info. I guess one last question on this is: Typically we remove these entries through a quick "grep -v" on the file for a $, provided no legitimate domain accounts contain this character. As far as I know fgdump does not support skipping machine accounts. The likelihood of cracking one of these is exceedingly low as epixoip stated. You're best off ignoring them and focusing on users. |
|
« Next Oldest | Next Newest »
|
