You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When testing on Server 2016, I am also experiencing the issue this previous thread mentioned. I've tested a few different scenarios.
The .dit files and system registry are dumped with: ntdsutil.exe "ac i ntds" "ifm" "create full .\snapshot" q q
And I am running impacket like so: python secretsdump.py -history -ntds ".\snapshot\Active Directory\ntds.dit" -system ".\snapshot\registry\SYSTEM" LOCAL
I set a user account with a password "Password123", or NTLM: 58a478135a93ac3bf058a5ea0e8fdb71
Then reset it to something randomly generated. I then set it back to Password123. I repeat this process a few times and here is what I'll get:
As you can see, the hash history changes entirely every time the password is reset. Is this some feature within Server 2016? Or am I missing something?
The hash for Password123 never appears. However if it is the currently set password, it appears as normal. When loading my test domain I intentionally pick hashes that I know are vulnerable and set them to the users history by changing their password a couple of times. I am not able to crack any histories, but i can crack the currently set passwords no problem.
Edit: Grabbed some of the raw bytes, if you need them:
I have experienced the same thing here:
#395
When testing on Server 2016, I am also experiencing the issue this previous thread mentioned. I've tested a few different scenarios.
The .dit files and system registry are dumped with:
ntdsutil.exe "ac i ntds" "ifm" "create full .\snapshot" q q
And I am running impacket like so:
python secretsdump.py -history -ntds ".\snapshot\Active Directory\ntds.dit" -system ".\snapshot\registry\SYSTEM" LOCAL
I set a user account with a password "Password123", or NTLM:
58a478135a93ac3bf058a5ea0e8fdb71
Then reset it to something randomly generated. I then set it back to
Password123
. I repeat this process a few times and here is what I'll get:Run a few times:
Run some more times:
As you can see, the hash history changes entirely every time the password is reset. Is this some feature within Server 2016? Or am I missing something?
The hash for
Password123
never appears. However if it is the currently set password, it appears as normal. When loading my test domain I intentionally pick hashes that I know are vulnerable and set them to the users history by changing their password a couple of times. I am not able to crack any histories, but i can crack the currently set passwords no problem.Edit: Grabbed some of the raw bytes, if you need them:
or if you prefer:
These should match up to the second list I posted when using
hexlify
.The text was updated successfully, but these errors were encountered: