Hacking-Gurus » cachedump http://www.hacking-gurus.net Security Blog Thu, 19 Jan 2012 21:06:41 +0000 en hourly 1 http://wordpress.org/?v= Recover Active Directory Saved Passwords or mscash with John http://www.hacking-gurus.net/2009/05/17/recover-or-hack-active-directory-saved-passwords-or-mscash-with-john/ http://www.hacking-gurus.net/2009/05/17/recover-or-hack-active-directory-saved-passwords-or-mscash-with-john/#comments Sun, 17 May 2009 05:26:52 +0000 r00t http://www.hacking-gurus.net/?p=115

Hello Everyone ,

if you use active directory you may notice windows xp sometimes allows you to login to computer even if your network is unplugged. this is because microsoft save your active directory password hash into your system registry using some algorithm named as MSCASH . there are many tools availble on internet to dump or to get these password hashes from registry.Password hash is saved in the Windows registry and by default saved 10 hashes.you can read more about mscash here .

Tools :

cachedump:

i personally first used cachedump a great dos based tool with which u can get saved active directory password hash.

you can download cachedump here .

Cain & Abel :

the second great tool availble to dump AD {active directory} saved hashes is Cain & Abel you can download Cain & Abel here

Recover Password

Recover Password

.

Second Part Crack Password :

now as you have your lost password hash you can use john the ripper with a small patch to crack your lost password mscash hash.

first you need a linux (ubuntu will be ok ) machine to use john. offcourse u can use windows but i will preffer linux as i dont know how we can patch john for mscash support ( i think you can do it using cygwin ). ok lets download and install john and patch it.

Rule # 1 : Don’t install john using apt-get install john ( if u do have thats ok but we will not be using that ) .

Step # 1 : login to your linux box.

Step # 2: download john 1.72 using :

wget -c ftp://ftp.openwall.com/pub/projects/john/1.7.2/john-1.7.2.tar.gz

Step # 3: extract john using :

tar xzf john-1.7.2.tar.gz

Step # 4: download patch for mscash using :

wget http://coast.cs.purdue.edu/pub/tools/unix/pwdutils/john/contrib/john-1.7.2-mscash-alainesp-4.1.diff.gz

Step # 5: Rename john to :

mv john-1.7.2 john-1.7.2.orig

Step # 6: patch john using :

gunzip -c john-1.7.2-mscash-alainesp-4.1.diff.gz | patch -p0

Step # 7: make John the ripper

cd john-1.7.2.orig/src && make linux-x86-mmx (depend on your system architect)

Step # 8: start cracking password using :

../run/john -i:all -format:mscash [filepath]

I hope this would help you. Please post comments and feedback.

]]> http://www.hacking-gurus.net/2009/05/17/recover-or-hack-active-directory-saved-passwords-or-mscash-with-john/feed/ 2