Often times people will call a help desk because they have forgotten their password. I know this because I worked at help desk for three years and those kind of calls came all the time. In that type of situation, most help desk agents will just reset the password in active directory once they have verified the identity of the user calling in. Simple right?
There are some times when you need to know that password, and not just change it. For instance, if the user has any encrypted files. By resetting the password as an administrator for a user, that can break the encryption key pair used to encrypt those files. So how does one obtain that users password?
I know of one way. That way involves using a little gem of a program called pwdump2 and using the Rainbow tables on Plain-Text.info. I wrote about using Rainbow tables before a while back. It really is a fast way to crack passwords.
What you need to do is, RDP into your domain controller with a domain administrator account. Download pwdump2, and extract the contents. Open a command prompt and change directory into the directory you extracted the pwdump2.zip contents into. Create a one time scheduled task for a few minutes into the future, and have it run the run.bat script in that directory. The reason for this is that pwdump2 will error out when ran using a terminal services session. This has been fixed in pwdump3, but I think pwdump2 is easier to use. The script will generate a pwdump.txt file for you (You're welcome!).
bpower:1266:e52cac67419a9a2238f10713b629b565:64f12cddaa88057e06a81b54e73b949b:::
[Note, the user's name will replace bpower.]
Now copy everything after the username, and browse to http://Plain-Text.info. Click on the "Add Hashes" link on the left. Paste the hash in the box, choose lm from the drop down box, enter the captcha code and press send. In about five minutes or less you should see the password on the top of the list. It really is that simple.
There are other ways of doing this. If you do it a different way, let me know how in the comments.
Mar 6, 2008
Recovering A Domain Password
3:02 PM
El DiPablo
Posted in: 
