"The question is not whether we will be extremists, but what kind of extremists we will be. . . The nation and the world are in dire need of creative extremists." -- Martin Luther King Jr.
OK, this is a re-submission, since I noticed my article on this is no longer present here. Not sure what happened to it, though.
____________________________
Hey guys.
I did do a search on existing articles to see if this had been posted, but I didn't come up with anything, so I guess I'll cover it.
Sometimes, when you want to extract hashes from a network but have no access to the main server, only a terminal workstation, you have no access to the network administrative account and thus cannot pipe the hashes from pwdump, or fgdump for that matter. When this happens you are somewhat limited in your options. However, it's possible for even the most beginning of beginners to gain local administrator access with a boot CD. Often you can do this with someone present, as you just say you need to install a program for your work and the network won't let you. That's a good excuse, which incidentally happened to be true for me, which enabled me to find this out. I won't go into that in much detail, but the boot CD I would recommend is DreamPackPL (Google it; it was on the first page last time I checked, complete with operating instructions), as not only can you change the administrator password or add an account, you can set it to log you in on the local machine with just a username, or set a god password, to much the same effect. It also has a logon logger, which is the only logon logger I've ever actually encountered. The tutorial that comes on the site doesn't go into much detail on those points, but it's easy to figure out how to use it with a few minutes of playing around, thanks to its helpful GUI.
Anyway, Windows by default keeps an MS-Cache hash for each of the last ten network users who logged on (in case of network failure and people still needing access to a terminal). This value can be changed in the registry. The key this is located at comes in a .txt file with cachedump, or at least it did when I downloaded it. (If it's not in the download link I'm about to give you shortly and you want to know, PM me and I'll be happy to PM you back with the key.)
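For the defender's side of that same registry setting, here is an added PowerShell example. It is mine, not Simon's and not part of cachedump: it reads the CachedLogonsCount value under the Winlogon key (the documented location of the setting the post refers to), reports how many domain logons the machine will cache, and offers a function to lower it. The key path and value name are the real ones; the function names Get-CachedLogonCount and Set-CachedLogonCount are my own.

```powershell
# Added example, not from the original post: audit (and optionally lower) the
# number of domain logons Windows caches locally. The Winlogon key and the
# CachedLogonsCount value are the documented ones; the function names are mine.
# Run in an elevated PowerShell session.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonCount {
    # Returns the effective number of cached logons. The value is stored as a
    # REG_SZ string; when it is absent Windows falls back to its default of 10.
    $item = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.CachedLogonsCount
}

function Set-CachedLogonCount {
    param(
        # 0 disables caching entirely (domain logons fail when no DC is reachable);
        # 1 keeps a single cached credential, a common hardening choice for
        # desktops that are always on the LAN. 50 is the documented maximum.
        [ValidateRange(0, 50)][int]$Count
    )
    # The value must stay a string (REG_SZ); Winlogon does not read a DWORD here.
    Set-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -Value ([string]$Count) -Type String
    return Get-CachedLogonCount
}

$current = Get-CachedLogonCount
Write-Host "Cached domain logons kept on this host: $current"
if ($current -gt 1) {
    Write-Host "Each cached entry is an MS-Cache hash that anyone with local admin (or a boot CD) can dump offline."
    Write-Host "Consider lowering it, e.g.: Set-CachedLogonCount -Count 1"
    # Uncomment to apply it on this machine:
    # Set-CachedLogonCount -Count 1
}
```

The same setting is exposed in Group Policy as "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", which is the right place to set it fleet-wide; the script above is useful for spot-checking a single workstation, and a value of 10 on a desktop that never leaves the office is a sign nobody has looked at it.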
You may download cachedump here:
http://meshier.com/2007/03/08/auditing-cached-credentials-with-cachedump/
NOTE: I have not checked this download link; I just trawled through Google until I found a site offering the download, as the original site doesn't allow public access to cachedump anymore.
Once you have downloaded cachedump, place its folder on your flash drive. Then, when logged in as a local administrator, navigate to the folder in CMD and run the line:
cachedump.exe >something.txt
You may change "something" to anything that takes your fancy; that's just the one I use. (<sarcasm>Very imaginative, I know :P</sarcasm>)
Now the hashes you've just piped onto your flash drive can be cracked in one of two ways, to my knowledge.
You can either download a patch for JtR (just Google for it; I think it's called bigpatch or something),
or you can crack them in Cain, which is my personal choice. Now, Cain has its own MS-Cache ripper, but it has to be installed and all sorts of things that you don't want to bother with. The one problem is that it has its own format for hashes, which it expects. We can get around this, however.
I take -NO- credit for the method of converting and importing the hashes into Cain; I found this part in an article on www.irongeek.com (which I suggest you visit if you haven't already. It's a great site with some very informative tutorials, plus the owner, one Adrian Crenshaw if memory serves, is very helpful, and if you email him with any problems you have about his tutorials he tries his best to help.)
The link for this article is:
http://www.irongeek.com/i.php?page=security/cachecrack&mode=print
The part on conversion and importing is halfway down the page, but I'll do my best to explain it here as well. I would, however, like to point out that I was using cachedump before I read this article, and only used it for the conversion and addition to Cain, so I'm NOT copying :P.
Anyway, the brunt of that article is that you have to convert your hashes, which you can do automatically at this site:
http://mp3host.serveftp.com:8888/pages/cache.php
This server is a privately owned one, and it's never been down when I've used it, but don't be surprised if it has some downtime at times. Once you've got your converted hashes, go to Cain's program files, and when you're there you'll find a file called CACHE, which is a MASM listing. Open this up in Notepad, paste in your converted hashes and save. Load up Cain and switch to the cracker, and they should be there.
A note about ms-cache hashes:
MS-Cache hashes use a much more complicated algorithm than LM hashes, and consequently are far more difficult to crack. They are also salted, which makes rainbow tables too large and cumbersome, unless you have a supercomputer, in which case you'll probably have them done anyway inside the hour :P. This, of course, makes it far more important to have a decent wordlist while cracking them, and also means that LM hashes are always preferable.
As a last point, I use batch scripts to make gaining the hashes easier, so I thought I would include them here.
Put the drive letter your flash drive will have on the target machine on the first line.
cd \hacking stuff\cachedump ("Hacking stuff" is just the folder I keep the cachedump folder in; if yours is in the root of the flash drive, leave out the "hacking stuff" part.)
cachedump.exe >>something.txt
I know that was a simple batch script, and that most people here could have written it themselves inside of a few seconds, but this is just for the people that are new to this sort of thing. If you are one of those people, take note that to make this work you type it into Notepad and save it as filename.bat.
As a final point, if you have ANY questions on the above article, or it is written improperly, please PM me and I'll get back to you as soon as I am able.
-Simon
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.