A Simple Way To Crack Passwords Across Your Domain for Compliance
Every quarter or so, you may have to check whether everyone in your enterprise is complying with the password policy. Sometimes Active Directory's password policy does not cover things you consider more secure, such as forbidding dictionary words in passwords. Password security is always something to worry about in any organization.
So here is a simple guide to cracking passwords across the domain with pwdump3 and ophcrack.
In my example I am using a virtual Win7 machine with no anti-virus installed and running the dump against the Active Directory server.
1. You MUST uninstall your antivirus. Any AV will flag pwdump3 as malware. Better yet, create a virtual machine to use as your password cracker, because this process will make the machine unusable for a few hours.
2. Download pwdump3v2 and the ophcrack live CD. The download for pwdump3 is available in the attachments towards the bottom of this page.
3. Unzip pwdump3v2 into a directory.
4. Go to Run -> cmd -> cd to the directory of the unzipped files.
5. Time to grab those password hashes. Here is the syntax to type: pwdump3.exe ADserver output.txt DOMAIN\adminaccount
Press enter and you will be prompted for the adminaccount's password. This process takes a whole 3 seconds to complete.
6. You will now have a new text file in that directory called output.txt that contains the hashes for all the AD passwords. Copy that output.txt to the root of the C: drive (not necessary, but easier to find after booting the live CD).
7. Boot up your live CD of ophcrack. At the time, I used live CD 2.3.0.
8. Stop the current scan against the passwords on the local system. Go to Load -> PWDUMP file and find your output.txt. It is going to be under mnt\sd1\, where you will see your C: drive. Click on output.txt. Another option is to email the file to a web-based account (Gmail, Yahoo), then use Firefox within the ophcrack live CD to download it. You can also try a flash drive, which mounts under /Media/flash.
9. Once output.txt has been loaded, scroll towards the bottom of the list and you will notice that not only the users from AD are in the list, but also the computers and servers. Go ahead and delete the computer and server accounts from the list.
10. Download tables_xp_free_fast.zip from the ophcrack tables download page and extract it onto the VM or computer you are using to run ophcrack. After booting into the ophcrack live CD, install the xp_free_fast table from the Tables button. Alternatively, burn the extracted tables_xp_free_fast.zip to a DVD and, once the live CD has booted, insert the DVD to load the tables into RAM.
11. Press Crack and let it run for a few hours.
12. Save the output and go bug those people who use passwords like SunMoon123.
NOTE: If ophcrack ever crashes, open a terminal and type "ophcrack" to reload the program.
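Before spending hours in ophcrack, it is worth reading output.txt with a script first: the same file that step 9 cleans up by hand tells you, without cracking anything, which accounts still have an LM hash stored (LM is the weak, case-insensitive hash that rainbow tables target; the fix is the "Network security: Do not store LAN Manager hash value on next password change" policy), which accounts have a blank password, and which accounts share a password. The script below is an added example written for this page, not part of the original guide or of pwdump3/ophcrack. It assumes the usual pwdump line layout user:RID:LM_hash:NT_hash::: and drops machine accounts, whose names end in "$". The sample lines and every hash in them are constructed for the demo and are not real credentials.

```python
"""Audit a pwdump-format hash file for weak storage, blank and shared passwords.

Added example for this guide; assumes pwdump-style lines
``user:RID:LM_hash:NT_hash:::``.  Sample data below is constructed.
"""
import re
import sys
from collections import defaultdict

# Well-known constants: hash of the empty string for each algorithm.
# An LM field equal to LM_EMPTY means no LM hash is stored (good);
# an NT field equal to NT_EMPTY means the account has a blank password (bad).
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample output.txt; hashes are made up, not real.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jsmith:1105:ffffffffffffffffffffffffffffffff:0123456789abcdef0123456789abcdef:::
mjones:1106:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
FILESRV01$:1200:aad3b435b51404eeaad3b435b51404ee:deadbeefdeadbeefdeadbeefdeadbeef:::
"""


def parse_pwdump(text):
    """Return a list of (user, rid, lm, nt) for user accounts only.

    Machine accounts (name ends in '$'), blank lines and malformed lines are
    skipped.  A non-hex LM field (some pwdump-family tools write a
    'NO PASSWORD***' placeholder there) is treated as "no LM hash stored".
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if user.endswith("$"):
            continue  # computer/server account, the rows step 9 deletes by hand
        if not HEX32.fullmatch(lm):
            lm = LM_EMPTY
        if not HEX32.fullmatch(nt):
            continue  # no usable NT hash on this line
        records.append((user, rid, lm, nt))
    return records


def audit(records):
    """Group findings: LM hash present, blank password, password shared by >1 user."""
    findings = {"lm_stored": [], "blank_password": [], "shared_password": []}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in records:
        if lm != LM_EMPTY:
            findings["lm_stored"].append(user)
        if nt == NT_EMPTY:
            findings["blank_password"].append(user)
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        # Identical NT hashes mean identical passwords (NT hashing is unsalted).
        if nt != NT_EMPTY and len(users) > 1:
            findings["shared_password"].append(sorted(users))
    findings["shared_password"].sort()
    return findings


def report(findings):
    """Render the findings as plain text for the compliance write-up."""
    lines = []
    lines.append("Accounts with an LM hash stored (weak, crackable with rainbow tables):")
    lines.extend("  " + u for u in findings["lm_stored"]) or lines.append("  none")
    lines.append("Accounts with a blank password:")
    lines.extend("  " + u for u in findings["blank_password"]) or lines.append("  none")
    lines.append("Groups of accounts sharing one password:")
    lines.extend("  " + ", ".join(g) for g in findings["shared_password"]) or lines.append("  none")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python audit_pwdump.py output.txt   (falls back to the sample data)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    print(report(audit(parse_pwdump(text))))
```

On the constructed sample this flags jsmith for having an LM hash stored, Guest for a blank password, and Administrator and jsmith for sharing a password. Any account listed under the first heading means the domain is still storing LM hashes, which is the single biggest reason the ophcrack tables in step 10 succeed; that finding is worth fixing at the policy level regardless of what the crack run turns up.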