Hello!
I am trying to recover some passwords from a Windows SBS 2003, Active Directory database, and I am unable to successfully get the clear text passwords from the LM Hashes, I have written this as a guide so that you know what I have done and we can fix it together.
I have Cygwin installed and in my PATH, also downloaded QuarksPWDump and of course oclhashcat.
I was using AMD CCC 14.2 but I downgraded to 13.2 so I could use oclhashcat. (Just used the normal CCC uninstaller, reboot, installed 13.2, reboot, all working fine)
Other bits are that I am using Windows 8.1 x64, have a AMD FX-9590 and 16gb of 2133mhz 10t memory and a AMD R9 290x. Drives layout is a 2x64GB SSD System RAID-0 and a 4x2TB WD Black Data RAID-10.
Benchmarks: (No idea why its showing as 2048MB, perhaps something to do with OverDrive?)
Run command prompt as Administrator (might not be required for all), and run the following to use the commands, or just replacing %WORKDIR% with your working directory:
I started by copying the Active Directory Database to my Working Directory:
To successfully use quarkspwdump I had to fix the database (I learned after my first attempt, solution here):
I then needed to run QuarksPWDump against my working, and fixed, ntds.dit file and write it to a text file (--history is optional):
The output is not directly usable by oclHashcat 1.02, so I had to extract the LM hashes and split them up into blocks of 16 (thanks):
It is simply laid out User:UID:LM:NTLMv1::: to extract the NTLMv1 here is the sed:
I then ran oclhashcat in brute force mode against the LM hashes, Upper-case, Digits and Symbols only:
However the results are as follows:
I did go out for a beer with my college while this was running, the final 100MH/s is probably just the spinning down, but if its not then it was perhaps because I locked my PC and the screens turned off?
I forgot to use increment so I did the following as of writing this (if you are doing this from scratch, do all 7 with increment):
And the results:
So, why are none of my hashes being matched up with anything?
Could the extracted hashes be invalid for some reason?
I did try NTLM (-m 1000) with the ntds_ntlm1.txt file, and the following rules (ntlm.hcmask) but got nothing, but I tributed that to the passwords perhaps being more complicated, which is why I kept to LM:
Any help would be much appreciated!
Many Thanks,
MadCatter
I am trying to recover some passwords from a Windows SBS 2003, Active Directory database, and I am unable to successfully get the clear text passwords from the LM Hashes, I have written this as a guide so that you know what I have done and we can fix it together.
I have Cygwin installed and in my PATH, also downloaded QuarksPWDump and of course oclhashcat.
I was using AMD CCC 14.2 but I downgraded to 13.2 so I could use oclhashcat. (Just used the normal CCC uninstaller, reboot, installed 13.2, reboot, all working fine)
Other bits are that I am using Windows 8.1 x64, have a AMD FX-9590 and 16gb of 2133mhz 10t memory and a AMD R9 290x. Drives layout is a 2x64GB SSD System RAID-0 and a 4x2TB WD Black Data RAID-10.
Benchmarks: (No idea why its showing as 2048MB, perhaps something to do with OverDrive?)
Code:
oclHashcat-1.01>oclHashcat64.exe -b
oclHashcat v1.01 starting in benchmark-mode...
Device #1: Hawaii, 2048MB, 1000Mhz, 44MCU
Hashtype: MD4
Workload: 1024 loops, 256 accel
Speed.GPU.#1.: 23907.3 MH/s
Hashtype: MD5
Workload: 1024 loops, 256 accel
Speed.GPU.#1.: 11991.6 MH/s
Hashtype: SHA1
Workload: 512 loops, 256 accel
Speed.GPU.#1.: 3735.3 MH/s
Hashtype: SHA256
Workload: 256 loops, 256 accel
Speed.GPU.#1.: 1532.4 MH/s
Hashtype: SHA512
Workload: 128 loops, 256 accel
Speed.GPU.#1.: 92496.5 kH/s
Hashtype: SHA-3(Keccak)
Workload: 256 loops, 256 accel
Speed.GPU.#1.: 215.7 MH/s
Hashtype: RipeMD160
Workload: 256 loops, 256 accel
Speed.GPU.#1.: 2428.8 MH/s
Hashtype: Whirlpool
Workload: 256 loops, 256 accel
Speed.GPU.#1.: 19168.8 kH/s
Hashtype: GOST R 34.11-94
Workload: 256 loops, 256 accel
Speed.GPU.#1.: 145.1 MH/s
Hashtype: SHA-1(Base64), nsldap, Netscape LDAP SHA
Workload: 512 loops, 256 accel
Speed.GPU.#1.: 3736.0 MH/s
Hashtype: SSHA-1(Base64), nsldaps, Netscape LDAP SSHA
Workload: 512 loops, 256 accel
Speed.GPU.#1.: 3701.5 MH/s
ERROR: clEnqueueNDRangeKernel() -4 // Dunno what happened hereRun command prompt as Administrator (might not be required for all), and run the following to use the commands, or just replacing %WORKDIR% with your working directory:
Code:
set WORKDIR=c:\your\working\directoryI started by copying the Active Directory Database to my Working Directory:
Code:
cp "%SystemRoot%\NTDS\ntds.dit" "%WORKDIR%\ntds.dit"To successfully use quarkspwdump I had to fix the database (I learned after my first attempt, solution here):
Code:
esentutl /p %WORKDIR%\ntds.ditI then needed to run QuarksPWDump against my working, and fixed, ntds.dit file and write it to a text file (--history is optional):
Code:
quarkspwdump.exe --ntds-file %WORKDIR%\ntds.dit --dump-hash-domain --history -o %WORKDIR%\ntds.txtThe output is not directly usable by oclHashcat 1.02, so I had to extract the LM hashes and split them up into blocks of 16 (thanks):
Code:
sed -rn 's/.*:.*:(.{16})(.{16}):.*/\1\r\n\2/p' %WORKDIR%\ntds.txt > %WORKDIR%\ntds_lm.txtIt is simply laid out User:UID:LM:NTLMv1::: to extract the NTLMv1 here is the sed:
Code:
sed -rn 's/.*:.*:.*:(.{32}):.*/\1/p' %WORKDIR%\ntds.txt > %WORKDIR%\ntds_ntlm1.txtI then ran oclhashcat in brute force mode against the LM hashes, Upper-case, Digits and Symbols only:
Code:
oclHashcat64.exe -m 3000 %WORKDIR%\ntds_lm.hash -a 3 -1 ?u?d?s ?1?1?1?1?1?1?1However the results are as follows:
Code:
Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1?1?1) [7]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: Thu Apr 24 22:40:45 2014 (3 secs)
Time.Estimated.: Fri Apr 25 00:19:39 2014 (1 hour, 38 mins)
Speed.GPU.#1...: 1346.8 MH/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 4907859968/7446353252589 (0.07%)
Rejected.......: 0/4907859968 (0.00%)
Session.Name...: oclHashcat
Status.........: Exhausted
Input.Mode.....: Mask (?1?1?1?1?1?1?1) [7]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: Thu Apr 24 22:40:45 2014 (1 hour, 29 mins)
Time.Estimated.: 0 secs
Speed.GPU.#1...: 100.4 MH/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 7446353252589/7446353252589 (100.00%)
Rejected.......: 0/7446353252589 (0.00%)I did go out for a beer with my college while this was running, the final 100MH/s is probably just the spinning down, but if its not then it was perhaps because I locked my PC and the screens turned off?
I forgot to use increment so I did the following as of writing this (if you are doing this from scratch, do all 7 with increment):
Code:
oclHashcat64.exe -m 3000 F:\_users\ntds_lm.hash --increment -a 3 -1 ?u?d?s ?1?1?1?1?1?1And the results:
Code:
Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1) [1]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...: 0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/69 (0.00%)
Rejected.......: 0/0 (0.00%)
Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1) [2]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...: 0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/4761 (0.00%)
Rejected.......: 0/0 (0.00%)
Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1) [3]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...: 0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/328509 (0.00%)
Rejected.......: 0/0 (0.00%)
Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1) [4]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...: 0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/22667121 (0.00%)
Rejected.......: 0/0 (0.00%)
Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1) [5]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: Fri Apr 25 02:09:50 2014 (1 sec)
Time.Estimated.: 0 secs
Speed.GPU.#1...: 0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/1564031349 (0.00%)
Rejected.......: 0/0 (0.00%)
Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1?1) [6]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: Fri Apr 25 02:09:50 2014 (1 min, 21 secs)
Time.Estimated.: 0 secs
Speed.GPU.#1...: 0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/107918163081 (0.00%)
Rejected.......: 0/0 (0.00%)So, why are none of my hashes being matched up with anything?
Could the extracted hashes be invalid for some reason?
I did try NTLM (-m 1000) with the ntds_ntlm1.txt file, and the following rules (ntlm.hcmask) but got nothing, but I tributed that to the passwords perhaps being more complicated, which is why I kept to LM:
Code:
?u?l?l?l?l?d
?u?l?l?l?l?l?d
?u?l?l?l?l?l?l?d
?u?l?l?l?l?l?l?l?d
?u?l?l?l?l?d?d
?u?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?l?d?dAny help would be much appreciated!
Many Thanks,
MadCatter