Get a client workstation, own the domain.

Let's talk about workstation security for a second. I would guess that most companies don't even worry about completely securing client workstations. In most companies that level of attention would take waaaaay too much time. Besides, compromising a workstation only gives a few key pieces of information, none of which are that useful for compromising a domain. Check it out:

1. You can crack any local account passwords on the box. Chances are slim, but the password for the local Administrator account may be the same as the password for the local Administrator account on all of the other workstations. The chances are even slimmer, but the password may be the same as that on servers.

2. You can dump the LSA secrets, which reveals clear-text passwords for accounts that are used to run local services on the machine. The chance that this will reveal anything on a client machine will be slim.

Let's be realistic though... you're testing a fairly secure network here. You've compromised one workstation due to a default install of MSDE with a blank sa password. However, this is the only workstation that you've gotten into, and you've already checked all the other machines in the domain. Where do you go from here?

Now, thanks to Arnaud Pilon, you have a chance using a new tool called CacheDump (http://www.cr0.net:8040/misc/cachedump.html). Let me give you a little background first.

When you log into Windows, it is kind enough to cache your password (as a hash) in the registry. This caching process can be disabled, but by default it is enabled, and for a good reason. Consider this... you have a laptop that you use at work. You log on to it using the username and password for your work domain. When you take your laptop home, even though you are not connected to the work domain, you can still log into that laptop with the same username, password and domain. This is made possible by the password cache that is stored in the registry for your username.
Nice functionality, huh? Without it you would have to have a local user account to log in with, and you would have to maintain two different passwords... one for your domain account and one for the local account. What a pain. So here is the classic case of security vs. functionality.

So a Windows machine will cache domain user account passwords, big deal, right? This is a huge deal. Let's say that a domain admin logs into your workstation. He/she leaves behind a cached password hash for a very privileged account. Even worse, let's say you use Altiris or Microsoft SMS to remotely install and administer applications on client workstations. The whole purpose of using these products is to facilitate an application setup by giving it administrative privileges for a user who is not an administrator. So Altiris/SMS is logging into almost all of your machines using a very privileged account, and the cached password hash is being left behind on every machine.

Now where were we... you've compromised one workstation and you're stuck. What do you do now? You bust out CacheDump and run it as follows (wow, complicated, isn't it?):

c:\cachedump
domadmin1:0E9A658F6132E709ED673458387E6892:work:work.comp.corp
entadmin1:19E8B953689EFBC3222ABC599F835856:comp:comp.corp

The output shows you the cached password hash for a domain admin account in your domain and an enterprise admin account in the parent domain. So you copy this information into a text file called hashs.txt and run a custom version of John that understands the mscash format to crack all the passwords:

c:\john -format:mscash hashs.txt

It's only a matter of time now. The game is changing. Now your workstations are just as important as your domain controllers and your member servers.

Want the tools discussed in this article?
CacheDump v1.1, diffs for John that include the mscash format, and instructions on how to build the custom version of John can all be found here: http://www.cr0.net:8040/misc/cachedump.html

To dump LSA secrets I prefer Cain & Abel, which can be found here: http://www.oxid.it/cain.html
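The post says the caching can be disabled but not where. Here is how an administrator can audit and cap it on a host; this is an added example, not part of the original post or the CacheDump project, and it assumes administrative rights on the box and that the host honours the Winlogon CachedLogonsCount value, which is the setting that controls how many domain logons Windows keeps cached.

```powershell
# Added example: audit, and optionally lower, the number of domain logons this
# Windows host caches for offline sign-in (Windows default is 10; 0 disables caching).
# Changing the value requires administrative rights.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    # The value is defined as REG_SZ; when it is absent Windows falls back to 10.
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.$ValueName
}

function Set-CachedLogonsCount {
    param([Parameter(Mandatory)][int]$Count)
    if ($Count -lt 0 -or $Count -gt 50) { throw "CachedLogonsCount must be between 0 and 50" }
    # Write it back as a string so the type matches what Windows defines for this value.
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value ([string]$Count) -Type String
}

# Report the current state. 0 is the strongest option but breaks offline logon,
# so office desktops are the usual candidates; laptops need at least 1.
$current = Get-CachedLogonsCount
Write-Output ("{0}: CachedLogonsCount = {1}" -f $env:COMPUTERNAME, $current)
if ($current -gt 0) {
    Write-Output "This host keeps hashes of the last $current domain logons; any admin who signs in here leaves one behind."
}

# Uncomment to apply a hardened value (0 on desktops, a small number such as 1 on laptops).
# Set-CachedLogonsCount -Count 0
```

The value only limits how many entries are kept; the real fix the post points at is to stop privileged accounts such as domain admins and the Altiris/SMS service account from logging on to workstations in the first place, which no registry setting enforces by itself.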