
Thread: Investigation: How to acquire a local SAM file.

  1. #11
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I'll be reading Irongeek's tutorial for John the Ripper tonight, though I may grab a 300mb text file for rainbowcrack instead since that's supposed to be way faster.
    Might want to look at ophcrack, which uses a small or large rainbow table depending on your CPU speed. Actually looks rather nifty (haven't had a full chance to abuse it!)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #12
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Reset the local admin password. I don't see how the SAM will help you any. In a Domain environment the authentication takes place against a Domain controller. In the event a DC is unreachable, Windows caches the last 10 accounts in LSA secrets (by default, that is; GP can override this), allowing users to log in when a DC is unreachable. However, if you removed yourself from the Domain, the cached credentials will be invalid. Local accounts will be all that are available, so just set your local Admin account.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  3. #13
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Unfortunately, I believe I'll need physical access to the domain if I want to join it again, even with the admin password. My account is locked until my next contract in a month and I have some hackering and crackering to do before then, so I'm just brute forcing the SAM to see if I can do it. I'm going to format it and tell them I got a Norton-crippling virus and didn't want to take chances.
    You will need a domain admin account to rejoin the domain. Your local admin account won't be able to do it. Otherwise, once you get the local admin account you should be good to go until you need to log into the domain again.

    If you can't get the wlan to work and don't have a floppy, then try a flash drive. They are pretty simple to use. There are several how tos out there on how to mount/use them.

    Normally as simple as
    su
    mkdir /mnt/flash
    mount -t vfat /dev/sda /mnt/flash    # on a partitioned stick the device is usually /dev/sda1, not /dev/sda; check dmesg after plugging it in
    After you have your sam file, then you can use ophcrack (which uses rainbow tables).
    http://ophcrack.sourceforge.net/ (Same that MsM posted above, just the "official site")

    It is pretty damn fast. I cracked my local accounts in seconds! After I changed the complexity and length of the passwords... I was unable to crack them. My P4 3.2ghz hyperthreaded box actually shut itself off due to overheating... I need to get another fan in that sucker.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
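    An added example, not code from the post above: once the Windows partition and the flash drive are mounted from the live CD (assumed here at /mnt/win, mounted read-only with -o ro so nothing on the evidence disk changes, and /mnt/flash), the Python below copies the SAM hive and the SYSTEM hive out of WINDOWS\system32\config and writes a SHA-256 manifest next to the copies. Both hives are needed because the hashes in SAM are encrypted with the boot key kept in SYSTEM, which is why ophcrack and the pwdump-style extractors read SYSTEM too. Directory lookup is case-insensitive because an NTFS volume mounted under Linux is case-sensitive while installs variously use WINDOWS/Windows and system32/System32. The function and path names are this example's own.

    ```python
    """Copy SAM and SYSTEM off a mounted Windows volume and record SHA-256 digests.

    Added example. Assumes the Windows partition is already mounted read-only
    at `windows_root` and that `dest` is on the flash drive. Nothing here is
    the tooling of ophcrack or pwdump; it is only the acquisition step.
    """
    import hashlib
    import shutil
    import sys
    from pathlib import Path

    HIVES = ("SAM", "SYSTEM")               # SYSTEM holds the boot key that encrypts SAM hashes
    HIVE_DIR = ("WINDOWS", "system32", "config")   # real case varies between installs


    def _find_case_insensitive(base, name):
        """Return the child of `base` whose name equals `name` ignoring case, or None."""
        base = Path(base)
        if not base.is_dir():
            return None
        for child in base.iterdir():
            if child.name.lower() == name.lower():
                return child
        return None


    def locate_config_dir(windows_root):
        """Walk WINDOWS/system32/config from the volume root, case-insensitively."""
        path = Path(windows_root)
        for part in HIVE_DIR:
            nxt = _find_case_insensitive(path, part)
            if nxt is None:
                raise FileNotFoundError(f"{part!r} not found under {path}")
            path = nxt
        return path


    def sha256_file(path):
        """SHA-256 of a file, read in 1 MiB chunks so large hives do not load whole."""
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        return h.hexdigest()


    def acquire_hives(windows_root, dest):
        """Copy each hive into `dest`, check the copy against the source hash,
        and write manifest.sha256 in the layout `sha256sum -c` accepts.
        Returns {hive_name: sha256_hex}."""
        config = locate_config_dir(windows_root)
        dest = Path(dest)
        dest.mkdir(parents=True, exist_ok=True)
        digests = {}
        for hive in HIVES:
            src = _find_case_insensitive(config, hive)
            if src is None:
                raise FileNotFoundError(f"hive {hive} missing in {config}")
            before = sha256_file(src)
            target = dest / hive
            shutil.copy2(src, target)       # copy2 preserves mtime; the source is only read
            after = sha256_file(target)
            if before != after:
                raise IOError(f"copy of {hive} does not match its source")
            digests[hive] = after
        with open(dest / "manifest.sha256", "w") as m:
            for hive, digest in digests.items():
                m.write(f"{digest}  {hive}\n")
        return digests


    def verify_manifest(dest):
        """Re-hash the copies and compare with manifest.sha256; True if all match."""
        dest = Path(dest)
        with open(dest / "manifest.sha256") as m:
            for line in m:
                digest, name = line.rstrip("\n").split("  ", 1)
                if sha256_file(dest / name) != digest:
                    return False
        return True


    if __name__ == "__main__":
        # usage: python acquire_hives.py /mnt/win /mnt/flash/case01
        print(acquire_hives(sys.argv[1], sys.argv[2]))
    ```

    Running `sha256sum -c manifest.sha256` in the destination directory later gives the same check from the shell, which is what you want to be able to show if the handling of the copies is ever questioned.
    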

  4. #14
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    a real handy device to have around is the "Offline NT Password and Registry Editor" found here: http://home.eunet.no/~pnordahl/ntpasswd/

    It allows you to change or reset the password in NT/2k/XP/2003, and is really simple to use. So if it's a really strong password and is hard to crack, or you just don't want to be bothered, this is the way to go.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #15
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Tedob1: I've had problems using that ntoffline on an XP SP2 box. After using it... every time I booted that box, it would put itself through a chkdsk. Then I was unable to make changes to the user profile. I had to delete the profile and let the system create a new one.... In one case I had to rebuild the box. (no ghost images... home user)

    Anyone else had problems with ntoffline since XP SP2? I used to use it and trust it completely... but with ophcrack and an auditor cd... it's just as easy to grab the sam and crack the passwords as it is to have to possibly reinstall the box.

    At the time, I was using the latest version...

  6. #16
    As you are conducting an investigation, you should really image the HDD using a forensics tool like EnCase or Vogon, and analyse the data from the image, not from the original HDD. Otherwise your evidence is open to challenge by the employee in question.

    Also, does the HDD have a username and password unique to the individual under suspicion, or does it have a generic logon? If the latter, then the "suspect" may squirm out of it by claiming that "someone" else must have used the laptop for nefarious purposes. They may also use this defence if the laptop has been stored somewhere where other members of staff had access. A police officer in the UK under investigation for viewing paedophile material on the net successfully defended themselves in court using exactly this defence.

    I also seem to remember that a suspected "hacker" successfully defended themselves in court by claiming that a trojan was on their PC that may have been used by someone else to perpetrate the hacks in question.

    From the defence point of view, it's all about reasonable doubt, and when a judge/jury or even an internal disciplinary committee don't understand the technical issues, then that reasonable doubt is fairly easy to establish.

    On the plus side, my experience is that if all you're after is bringing the employee into line, then confronting them with whatever evidence you've gathered usually results in them blubbing and confessing all. If they don't understand the issues surrounding the integrity of evidence, they usually consider themselves caught "bang to rights" even if you do more than show them the contents of their IE History folder. But a more savvy employee may brazen this out, and then your evidence handling becomes an issue.

    In short, your internal procedures for handling evidence (which must stand up to third party scrutiny if necessary) are as important as the actual evidence you collect.

  7. #17
    Senior Member
    Join Date
    Jan 2004
    Location
    Hawaii
    Posts
    350
    If the guy doesn't seem technologically apt enough to choose a secure password, use pwdump, or Cain, or SAMInside and post the LM hash here. I have 9 Rainbow tables to use that cover:
    abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()


    Though to complete the set, I need 71 tables, I'm only on the 9th right now. But 0-8 are sorted and ready to rip. I've cracked several passes already with it.

    A_T
    Geek isn't just a four-letter word; it's a six-figure income.
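    An added example, not from the post above, in Python: before posting an LM hash for someone else's tables, or burning hours on it yourself, the pwdump/Cain/SAMInside export line (user:RID:LM:NT:::) already tells you what is worth cracking. LM upper-cases the password, null-pads it to 14 characters and hashes each 7-character half separately, so a second half equal to the well-known empty-half value AAD3B435B51404EE means the password is 7 characters or fewer and only one half needs a lookup; when LM storage is turned off the tools print either that value twice or a NO PASSWORD marker, and LM tables are useless for that account. The block also works out how many halves a table over the 46-character set from the post has to cover. The sample dump is constructed for this example: the Administrator line carries the widely published LM and NT hashes of the string "password", the other hash values are made up, and the account names and RIDs are invented.

    ```python
    """Triage pwdump-style lines before spending rainbow-table time on them.

    Added example; not part of the thread. Input is the export format shared by
    pwdump, Cain and SAMInside:  user:RID:LMhash:NThash:::
    """
    import re

    # LM hash of an empty 7-character half; an all-empty LM hash is this twice.
    EMPTY_LM_HALF = "AAD3B435B51404EE"
    # NT hash of the empty string.
    EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"
    # Character set the post says its tables cover.
    TABLE_CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()"

    LINE_RE = re.compile(
        r"^([^:]+):(\d+):([0-9A-Fa-f]{32}|NO PASSWORD\**):([0-9A-Fa-f]{32}|NO PASSWORD\**):"
    )


    def lm_keyspace(charset=TABLE_CHARSET, half_len=7):
        """Distinct LM halves a table over `charset` must cover.

        LM upper-cases first, so 'a' and 'A' collapse to one symbol, and a half
        shorter than 7 is null-padded, so lengths 0..7 all occur.
        """
        n = len(set(charset.upper()))
        return sum(n ** k for k in range(half_len + 1))


    def triage(line):
        """Classify one dump line; returns a dict with the verdict and its reasons."""
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a pwdump line: {line!r}")
        user, rid = m.group(1), int(m.group(2))
        lm, nt = m.group(3).upper(), m.group(4).upper()
        lm_present = not lm.startswith("NO PASSWORD") and lm != EMPTY_LM_HALF * 2
        empty_password = nt == EMPTY_NT
        # Second half == empty-half constant => password is at most 7 chars.
        at_most_7 = lm_present and lm[16:] == EMPTY_LM_HALF
        if empty_password:
            verdict = "empty password"
        elif at_most_7:
            verdict = "LM present, <=7 chars: one half lookup"
        elif lm_present:
            verdict = "LM present, 8-14 chars: two half lookups"
        else:
            verdict = "no LM hash: NT only, LM tables do not apply"
        return {
            "user": user,
            "rid": rid,
            "lm_present": lm_present,
            "at_most_7_chars": at_most_7,
            "empty_password": empty_password,
            "verdict": verdict,
        }


    def triage_dump(text):
        """Triage every non-blank line of a dump; returns a list of triage dicts."""
        return [triage(line) for line in text.splitlines() if line.strip()]


    # Constructed sample. Administrator: published hashes of "password".
    # jsmith: made-up first half, empty second half. svc_backup: LM storage off.
    SAMPLE_DUMP = """\
    Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::
    Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
    jsmith:1001:1122334455667788AAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
    svc_backup:1002:NO PASSWORD*********************:FEDCBA9876543210FEDCBA9876543210:::
    """

    if __name__ == "__main__":
        for row in triage_dump(SAMPLE_DUMP):
            print(f"{row['user']:<14} {row['verdict']}")
        print("LM halves covered by the post's charset:", lm_keyspace())
    ```

    The charset count is what the post's "71 tables" target is about: one half of a 14-character LM password never exceeds 7 characters from that set, so the table only ever has to hold that many entries, which is why a complete LM table set is feasible where an NT one over the same set is not.
    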

  8. #18
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    I find it odd that a company would have to break into one of their own computers. I would expect that the admins would have the admin password for any machine on their network. If it's not their system and it's his personal machine and they are doing this, well, that opens a whole new can of worms that could blow up in their face.

    Secondly, I find it odd that you're breaking the password for the system instead of the "Corporate security" team. In any case this thread is somewhat old and he has said that he was able to obtain it so I guess the issue is past the point of no return.
