Hello everyone, I've just joined this forum… So I have a question.
Which is the best forensic approach for password recovery in an Active Directory environment?
Should I image the whole disk and then extract just the NTDS.DIT file? How can I extract the usernames and password hashes from the NTDS.DIT?
Or create a clone of the Domain Controller hard drive, then load it up in a virtual machine and try to extract the usernames and password hashes? How can I achieve it without a valid username and password for the domain?
I know that there are several tools for password cracking and for dumping the password hashes from the AD database, but I guess that all of them require a valid username and password, or a user account with administrative privileges for the domain.
Are there other options?
Thanks a lot!!
Bruno
I would say that if you are in an AD environment and tasked with forensics there are many easier methods for determining passwords than trying to crack them. Just a thought.
Yet another password question… can I ask why you need the password in this instance?
I went a while wondering what the point of this was, but then the use of it actually occurred to me.
People, even when they are clever, are often inherently lazy; therefore, although they may have chosen a "strong" password, it may be used in multiple places. So assuming that there is an encrypted container that isn't elementary to break, and there is no clue as to the password, taking the time to decrypt the decryptable in the Windows hashes could yield the supposedly "strong" password to the container …
That, however, is the only thing that I could think of 😉
Actually I'm doing a computer forensics degree and this is my level 3 project subject… I'm supposed to present a password analysis and a forensic password recovery in AD; I'm just trying to find out which would be the best way to achieve it…
I know that if the LM hashes are available in the AD database, they are really very easy to crack… the main point is how to extract the password hashes, either without access or with just read access to the domain controller. Probably using command line tools such as LDIFDE, which allows manipulating the AD using the LDAP data interchange format…
But the whole procedure should be done in a forensically sound manner.
Thanks
Two quick thoughts!
1. At first glance you appear to be approaching this from the position of the user domain? Why? If you are performing a forensic recovery, you need to be at least local admin (off the network).
2. Why not examine the backup domain controller?
One last thought! From the information you have presented, you appear to be mixing and illogically matching approaches. You state "forensic password recovery", but you imply the machine is running on the network (LDAP services), whereas a forensically sound manner means imaged and off the network. You want forensically sound procedures but want to utilize AD and Windows services; in my opinion that is an oxymoron.
So! Really, what are you after? Recovery of the password or cracking the password for use in a forensic investigation? Then I must ask why - changing the password would be quicker and easier for the purpose of the investigation (data/system analysis).
Just some points to think about! Good Luck!