Posts: 101
Threads: 34
Joined: Oct 2014
I am needing some clarity on what I am looking at in an fgdump file. My hash dump shows me the usernames and hashes that I can successfully load and crack, but usually at the bottom of my hash file it has some computer names and hashes. I don't really understand what those are. Can someone help? Are they NTLM hashes? They never seem to crack though.
Posts: 2,936
Threads: 12
Joined: May 2012
they are called machine accounts.
http://blogs.technet.com/b/askds/archive...test2.aspx
yes, they are ntlm hashes. iirc they are 14-character random passwords.
Posts: 101
Threads: 34
Joined: Oct 2014
So the AD assigns the random password? What would these hashes be useful for as far as penetration testing goes?
Posts: 2,936
Threads: 12
Joined: May 2012
11-12-2014, 08:06 PM
(This post was last modified: 11-12-2014, 08:08 PM by epixoip.)
i believe machine hashes are used to join machines to the domain, so if you crack a machine hash, then i believe you can use it to join a rogue machine to the domain.
edit: but you are very unlikely to crack one hashed as ntlm, i believe the keyspace is 62^14. so you really can only crack them if you have lm hashes.
Posts: 101
Threads: 34
Joined: Oct 2014
Thanks for the info. I guess one last question on this is:
Is there any way to tell fgdump to ignore the machine accounts, so that they don't crowd up my hash file?
Posts: 7
Threads: 1
Joined: Nov 2014
(11-12-2014, 08:26 PM)slawson Wrote: Thanks for the info. I guess one last question on this is:
Is there any way to tell fgdump to ignore the machine accounts, so that they don't crowd up my hash file?
Typically we remove these entries through a quick "grep -v" on the file for a $, provided no legitimate domain accounts contain this character.
As far as I know fgdump does not support skipping machine accounts.
The likelihood of cracking one of these is exceedingly low as epixoip stated. You're best off ignoring them and focusing on users.
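The caveat in the reply above (a plain "grep -v" on $ also drops any user account with a $ in its name) can be avoided by testing only the account-name field. This is an added example, not part of the original posts and not fgdump's own code; it assumes pwdump-style lines (name:rid:lm:nt:::), and the function names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: separate machine accounts from user accounts in a dump.
# Assumption: pwdump-style lines, "name:rid:lmhash:nthash:::".
# Machine accounts are the ones whose account name ENDS in "$".

# Print only lines whose first field does not end in "$" (user accounts).
filter_user_accounts() {
    awk -F: '$1 !~ /\$$/' "$1"
}

# Print only the machine-account lines, so they can be kept separately.
list_machine_accounts() {
    awk -F: '$1 ~ /\$$/' "$1"
}

# Write a constructed sample dump (placeholder hashes, hypothetical names).
make_sample() {
    cat > "$1" <<'EOF'
alice:1104:00000000000000000000000000000000:11111111111111111111111111111111:::
svc$backup:1105:00000000000000000000000000000000:11111111111111111111111111111111:::
WKSTN01$:1106:00000000000000000000000000000000:11111111111111111111111111111111:::
CORP\FILESRV$:1107:00000000000000000000000000000000:11111111111111111111111111111111:::
EOF
}

# Demo: the user account "svc$backup" survives the field-anchored filter,
# while a plain grep -v '\$' on the same file would have dropped it.
sample=$(mktemp)
make_sample "$sample"
echo "user accounts:"
filter_user_accounts "$sample"
echo "machine accounts:"
list_machine_accounts "$sample"
rm -f "$sample"
```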
Posts: 101
Threads: 34
Joined: Oct 2014
Great information. Thanks for not using demeaning sarcasm on a newbie.