
Passwords from 2003 Active Directory AD SystemState ntbackup

William Harper


Challenge to anyone to demonstrate how to recover AD usernames & passwords from a Windows 2003 Active Directory domain controller system state backup (e.g. out of the ntds.dit and/or associated files).


1) You don’t have access to the original hardware where the backup was performed.

2) The NTBackup is not password protected.

3) You can get the SYSKEY from the system hive in the backup (using any of the many available tools such as OPHCrack, LCP, Advanced/Elcomsoft).




If you just want us to tell you how to do it, just ask. Yes, you may get shot down, but you never know.

If it is a genuine challenge, however, this sounds like a good one.

It's genuine. I don’t know how to do it. As far as I'm aware (have done lots of searching the net) there is no documented method of doing it.

The NTDS.DIT is highly protected (perhaps it's security through obscurity, but nonetheless, the structure is encrypted and proprietary to M$).

So the best way I can guess would be to get the AD restored to a working Domain Controller then use standard tools like SAMDUMP, FGDUMP, and the AD DC Administrator password reset trick http://www.petri.co.il/reset_domain_admin_...ver_2003_ad.htm

The problem is that you can't restore the AD alone from a System State. The NTBackup tool forces you to restore all the DLLs and other system stuff at the same time, which usually kills the destination system because the hardware is different.

If anyone is going to play with this, it would be beneficial to everyone else if they could use some form of virtual environment (VMware Server (free), etc.), so we can easily reproduce the results.


