0

Is there a way to determine a user's previous passwords, say the last 5 passwords, from a Windows Server 2008 machine? The machine is set up as the domain controller and it has AD on it as well.

The passwords needed are for regular user accounts and not the administrator account.

Thank you

EDIT: In case you are wondering why I want to do this: I have a user who used one of his last domain passwords for something outside the network. He doesn't remember it and can't recover it, so he asked me if I can tell him what his last 5 domain passwords were. I don't think it's possible to determine that as far as I know, but I posted this question to make sure and maybe learn something new.

del.ave
  • Why would you even want to do this? I'm struggling to come up with a single *honest* reason. – Izzy Aug 19 '10 at 14:33
  • @Izzy - if you're not familiar with security or implications of such a question, it is actually logical for people to think this because they forgot their password (what was my password again?) or they're trained to expect it (à la websites that email your password to you) or they have a policy saying you can't use your last X passwords as your new password and they can't remember what they've last used and just want a list of them so they know what not to choose. – Bart Silverstrim Aug 19 '10 at 16:37
  • @Izzy - not to mention that they expect sysadmins to already know this stuff...after all, the sysadmin can read their email! And make the aggression box on the desk magically work correctly for them! And there's a good chance that at work they don't always care what their passwords are, so they don't care who knows it, and don't see how important it can be to not let the FedEx guy know the password that gains access to the company's administrative memos and documents. – Bart Silverstrim Aug 19 '10 at 16:39
  • @Izzy - I have edited the question to include my reason. It is not critical, but I was curious to find out whether it is possible or not. – del.ave Aug 19 '10 at 20:04

4 Answers

1

I don't know if you can fetch the passwords, but I do know that if you don't have them configured to be reversible it's probably not possible.

jer.salamon
0

You would need something that can decrypt the Windows password hash file.

DanBig
0

It used to be that you could crack passwords in the SAM registry file. In AD I'm not so sure that it would be that easy.

NT is specifically designed to NOT give you passwords. It stores them as hashes so the text isn't even available, and when users forget their password the admin can reset the password, not view the stored password. It also means that users know if someone's been goofing with their password because they would need to reset it or it's no longer what it was before.

So practically speaking, no, you can't retrieve passwords and there's no mechanism to do so. Technically speaking, yes. You can mount a dictionary attack and hope there are no lockouts set in AD, or you can try dumping account info with hacking tools and mount an offline brute force attack, and if your users had decent passwords, you might have your results in a couple days.

Side note: you might not WANT that ability anyway. In our organization, whoever has the password/account info is responsible for what's done in that account. We don't care if your friend was the one emailing that so and so looked hot in that skirt or that your buddy borrowed your account to visit hotandsweaty.com...you're on the hook if you have the account and you're not supposed to be sharing it. If you have that info then your users have plausible deniability that you have their password and could have been doing XYZ in their name, since all accounting stops at that account. But that's a policy question in your organization on how to handle it. We just would rather not deal with possible legal ramifications. NT preventing even admins from having that ability to view and catalog passwords is one of the few things I readily acknowledge that MS did right with their OS.

Bart Silverstrim
  • Yes, I agree on the fact that I don't want to do that sort of thing. – del.ave Aug 19 '10 at 20:06
  • You can still do this in AD. The passwords are held in the SAM on all of the DCs. You can run L0phtcrack or what have you against it. Also, in AD, there is an option (off by default, thankfully) to store passwords in reversible encryption. – mfinni Aug 19 '10 at 20:28
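
How a "last 5 passwords" rule can be enforced from one-way digests alone, which is why a system can refuse a reused password without being able to list the old ones. This is an added example, not part of the original thread and not Microsoft's code; the `Account` class and sample passwords are constructed, and PBKDF2 is a stand-in for the hash format AD actually stores.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_LENGTH = 5   # "last 5 passwords", as in the question
ITERATIONS = 20_000  # assumption: kept low so the demo runs quickly


def _digest(password: str, salt: bytes) -> bytes:
    # One-way function: the stored value cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Account:
    """Hypothetical account record that keeps digests, never plaintext."""

    def __init__(self, history_length: int = HISTORY_LENGTH):
        # (salt, digest) pairs, newest last; older entries fall off automatically.
        self.history = deque(maxlen=history_length)

    def _seen(self, candidate: str) -> bool:
        # Re-hash the candidate with each remembered salt and compare digests.
        return any(hmac.compare_digest(_digest(candidate, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, new_password: str) -> bool:
        if self._seen(new_password):
            return False  # rejected: matches one of the remembered passwords
        salt = os.urandom(16)
        self.history.append((salt, _digest(new_password, salt)))
        return True

    def verify(self, password: str) -> bool:
        if not self.history:
            return False
        salt, digest = self.history[-1]  # only the newest entry is the live one
        return hmac.compare_digest(_digest(password, salt), digest)

    def stored_material(self) -> list:
        # Everything an administrator could read back: opaque hex digests.
        return [digest.hex() for _, digest in self.history]


def demo():
    acct = Account()
    constructed = ["Spring-01!", "Summer-02!", "Autumn-03!", "Winter-04!", "Spring-05!"]
    accepted = [acct.set_password(p) for p in constructed]
    reuse = acct.set_password("Summer-02!")   # still inside the last 5
    acct.set_password("Summer-06!")           # pushes "Spring-01!" out of history
    oldest = acct.set_password("Spring-01!")  # no longer remembered
    return accepted, reuse, oldest
```

The only question the stored data can answer is "does this candidate match?", so recovering a forgotten old password means guessing candidates, not reading a list.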
0

AD is designed to not enable you to do this. I'm sure that it's possible, but for what you're describing (user convenience), it's just not worth the risk or effort. You're actually much more likely to be able to crack the password on the thing he's trying to get into. For instance, if it's a password-protected PDF, try opening it in an open-source PDF reader. PST password tools are also fairly common out there in the wild. If it's a personal computer, password reset tools are easier (by far) than trying to brute-force it.

-Waldo

gWaldo