fgdump layout
#1
I need some clarity on what I am looking at in an fgdump file. My hash dump shows me the usernames and hashes that I can successfully load and crack, but usually at the bottom of my hash file it has some computer names and hashes. I don't really understand what those are, can someone help? Are they NTLM hashes? They never seem to crack though.
#2
They are called machine accounts.

http://blogs.technet.com/b/askds/archive...test2.aspx

Yes, they are NTLM hashes. IIRC they are 14-character random passwords.
#3
So the AD assigns the random password? What would these hashes be useful for as far as penetration testing goes?
#4
I believe machine hashes are used to join machines to the domain, so if you crack a machine hash, then I believe you can use it to join a rogue machine to the domain.

Edit: but you are very unlikely to crack one hashed as NTLM; I believe the keyspace is 62^14. So you really can only crack them if you have LM hashes.
#5
Thanks for the info. I guess one last question on this is:

Is there any way to tell fgdump to ignore the machine accounts, so that they don't crowd up my hash file?
#6
(11-12-2014, 08:26 PM)slawson Wrote: Thanks for the info. I guess one last question on this is:

Is there any way to tell fgdump to ignore the machine accounts, so that they don't crowd up my hash file?

Typically we remove these entries through a quick "grep -v" on the file for a $, provided no legitimate domain accounts contain this character.
As far as I know fgdump does not support skipping machine accounts.

The likelihood of cracking one of these is exceedingly low as epixoip stated. You're best off ignoring them and focusing on users.
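As an added example (not from the thread), the "grep -v" approach from the reply above, but anchored on the username field so a $ elsewhere in a line is not dropped; it also counts how many machine accounts still carry a real LM hash, which is the only case #4 considers crackable. The sample dump and hash values are constructed placeholders, and fgdump's pwdump-style `user:rid:lmhash:nthash:::` layout is assumed.

```shell
#!/bin/sh
# Added example: split a pwdump-format dump (user:rid:lmhash:nthash:::)
# into user accounts and machine accounts. A machine account is recognised
# only by a trailing '$' in the username field (field 1), so a '$' inside a
# username or elsewhere in the line does not cause a false match.

# LM field value written when no LM hash is stored for the account.
EMPTY_LM="aad3b435b51404eeaad3b435b51404ee"

# Print only the user-account lines of the pwdump file given as $1.
drop_machine_accounts() {
    awk -F: '$1 !~ /\$$/' "$1"
}

# Count user-account lines in $1 (trailing whitespace from wc stripped).
count_user_accounts() {
    drop_machine_accounts "$1" | wc -l | tr -d ' '
}

# Count machine-account lines in $1 that carry a real (non-empty) LM hash.
count_machine_lm() {
    awk -F: -v empty="$EMPTY_LM" \
        '$1 ~ /\$$/ && tolower($3) != empty { n++ } END { print n+0 }' "$1"
}

# Write a constructed sample dump to $1 (placeholder hashes, not real data).
# "bob$mith" shows why matching on any '$' in the line would be wrong.
make_sample() {
    cat > "$1" <<'EOF'
alice:1001:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
bob$mith:1002:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000004:::
WKS01$:1103:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000002:::
WKS02$:1104:11111111111111111111111111111111:00000000000000000000000000000003:::
EOF
}
```

Run `make_sample dump.txt; drop_machine_accounts dump.txt > users.txt` to get a user-only file; `count_machine_lm dump.txt` reports 1 for the sample, since only WKS02$ has a non-empty LM field.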
#7
Great information. Thanks for not using demeaning sarcasm on a newbie.