01-03-2020, 11:37 AM
(01-03-2020, 03:21 AM)TurboMatt Wrote: First and foremost, this is an ethical hack. Unfortunately we are in a situation where a co-worker has reset the AD credentials on a very important account. Because of this, we are locked out of several devices that use LDAP for authentication. Lucky enough, nobody knows the local passwords for the devices. So that's where we are.
I have restored the NTDS.dit and system32\config folders from a few of the domain controllers dating about a week ago. The NTDS.dit should have the old account password.
After this, I extracted the hashes for the account in question using DSInternals.
So, I have the NTLM hashes and the LM hashes. I have been trying to use hashcat to crack these but I honestly don't know the best way to go about this.
Any advice on the best method or command strings to run?
Thanks!
Matt
If it's at all modern, the LM hashes won't hold anything useful. To crack the NTLM hashes, I would run this on my laptop to start with.
Code:
hashcat64.exe -a0 -m 1000 ntlm-hashes dict\Top32Million-probable.txt -r rules\l33tpasspro.rule --loopback -O -w3
That is, dict and rules mode, -m 1000 is NTLM, then the actual hash file, then the dictionary, then -r rules file (substitute rules/best64.rule maybe to start with and see how you go?)
--loopback feeds any answers you get back into a second run.
-O optimised kernel
-w3 work factor (reasonable for windows laptop, -w4 is OK for unix CLI interaction)
If you have something a bit bigger than a laptop, use bigger dictionary and/or rules I guess.
Alternatively, incremental mode, like this, but I'd try the other method first:
Code:
hashcat64.exe -m 1000 -O -a3 -i ntlm-hashes
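As an added example (not code from the thread or from hashcat), here is what is actually inside an NTLM hash line and how to confirm two things the reply touches on: whether the LM field is the "empty" value (so LM storage is disabled and holds nothing to crack), and whether a password hashcat reports really matches the NT hash before it is tried on the LDAP devices. The pwdump-style line `user:rid:lm:nt:::` and the account name are constructed; MD4 is implemented inline because many Python builds on OpenSSL 3 no longer expose it in hashlib.

```python
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of a blank password; LM not stored

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NT hashes are MD4 over UTF-16LE, nothing more."""
    mask = 0xFFFFFFFF
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    rounds = (  # (mixing function, round constant, shift table, X[] index order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian 64-bit.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, shifts, order in rounds:
            for j, idx in enumerate(order):
                a = rot((a + f(b, c, d) + x[idx] + k) & mask, shifts[j % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates "d"
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password, as the lowercase hex hashcat -m 1000 expects."""
    return md4(password.encode("utf-16-le")).hex()

def parse_pwdump(line: str) -> dict:
    """Split a pwdump-style 'user:rid:lmhash:nthash:::' line (format assumed, not from the thread)."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_stored": lm.lower() != EMPTY_LM}

def verify_candidate(line: str, candidate: str) -> bool:
    """True when the candidate password reproduces the NT hash on the dump line."""
    return nt_hash(candidate) == parse_pwdump(line)["nt"]

# Constructed sample: NT hash of the string "password", LM field set to the empty value.
SAMPLE = "svc_ldap:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"

if __name__ == "__main__":
    rec = parse_pwdump(SAMPLE)
    print(f"{rec['user']}: LM stored={rec['lm_stored']}, "
          f"candidate matches={verify_candidate(SAMPLE, 'password')}")
```

If `lm_stored` is False for the account, the LM half of the dump can be dropped from the cracking job entirely, which is the situation the reply describes for any modern domain.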