Attacking Local Accounts (Server Edition)

I was making a recommendation some time back that we could check user AD passwords against lists of known common passwords.

This recommendation soon turned into a debate amongst my colleagues about how possible this would even be.

Of course, not one to shy away from a challenge I set out to prove all the nay-sayers wrong. Heres some excerpts from that report + some added comments so it will make sense to all you outsiders!





From a sysadmin perspective, this writeup may just be an interesting read and possibly something you might even consider doing.

From an attackers perspective, gaining a particular hash could be that sprinkling of gold dust you were waiting on. Perhaps you already have system level access on every server in the kingdom. But what’s that rule I keep going back to: Golden Rule #8: Users recycle passwords.

So that high value target your eyeballing. If he’s in the habit of recycling passwords it might be worth your while putting the time and effort into cracking his hash if you can get your hands on it.

With this knowledge in hand you can generate a customised password list and start spraying his various accounts. In particular his personal accounts- you the know the accounts that he would never login to with his work laptop because it would be an obvious violation of company policy. Yep. Those accounts.


In the beginning….


…… there was an AD for And inside the Users OU the Good Admin created 5 users.



And the Good Admin faced a problem… for he wanted to get access to those user hashes. But search hard as he might, there was no-where to be found an easy .txt file that he could open and hit ctrl-a, ctrl-c, ctrl-v.

The problem is that these hashes are stored in NTDS.dit which is essentially locked in use by AD.

There are various ways to get your hands on those hashes but for my purposes, and for what I’m trying to achieve, the best way is to take a snapshot of the NTDS (with NTDSUtil) which I can then work on offline. Away from any annoying restrictions.


As you can see above. I was able to save a copy of the database into a folder called NTDS on the C drive. Even though we have the database saved offline, it’s still not a straight forward process to open it up.

Fortunately there are multiple ways that it can be done and Google has an endless supply of tools on offer. The one I used and found to be excellent is NtdsAudit (Link)

As you can see in the following screenshot, using NtdsAudit I was able to dump the hashes into a file called dump.txt



Seeing as what Im doing at the moment is only ‘proof-of-concept’ Im just going to run the dump file through a John The Ripper dictionary attack based on rockyou.txt

If I was doing this more regularly I would see about hashing all the entries in rockyou.txt (or maybe even compose my own dictionary file from online password dumps) and then its simply a case of grepping hashes but for now running through John is fine.

The passwords I set on the user accounts were very straight forward:


User1 = Hello21

User2 = Hello22

User3 = Hello23

User4 = Hello24

User5 = Hello25


Notice below John was able to crack User2 through to User5 with rockyou.txt in less than 2 minutes. Not bad!



At this stage, I think its safe to say ‘I win’.

Both tasks, extracting the hashes and then comparing against well known passwords has just been shown to be a fairly straight forward task.


Leave a Reply

Your email address will not be published. Required fields are marked *