How to Guess an Admin’s Password Without Them Knowing You Are Trying

March 1st, 2007 by mb

This should be pretty obvious, but a lot of people don’t seem to be aware of this old trick. Normally, if you try to guess another user’s password and it fails, the attempt will show up in the event viewer of the domain controller. However, there is a way you can try to guess an account’s password without the attempts ever being logged.

It’s actually pretty simple: just unplug your network cable.

Duh, if your system cannot contact the domain controller, it cannot track failed logins. Ok, there is a little bit more to it. Your system has to cache domain login credentials and the account you are targeting has to have logged in to your local system.

Windows lets you cache domain login credentials so that if a network problem prevents you from contacting the domain controller, you can still log in to your account. An admin can determine exactly how many different credentials Windows will cache. You can check to see if your system caches domain logins by unplugging the network cable and trying to log in with your own domain account. If you login with no problems, your system caches the credentials. If it says it cannot contact your domain controller, there is no cache and this trick won’t work for you.

So if your system does allow cached logins, you next need to see if the account you want to target is in the cache. With the network cable unplugged, try logging in to that account with a random password. If you see a message box like the one below, then the credentials are cached and you are all set to begin an attack.

[Image: Message Box]

If you see a different message box saying that the domain cannot be contacted, then you need to get that person to log in to your system. That really shouldn’t be too hard. You might, for example, tell an admin your PC has some strange problem and get him to log in with his domain account.

Once you have the credentials cached, you can unplug the network cable and start guessing away. If you don’t feel like typing a bunch of passwords, you could easily write up a script or program to automate a brute force password attack. And no, I am not going to give you a free script or program to do this for you. As long as your network cable is unplugged, nothing is logged on the domain controller and it doesn’t update the event logs once you plug back in.

Keep in mind, however, that the local system might also log these attempts if the local policy enables failed login auditing. If you know no one will ever check these logs, you should probably be okay. If you have local admin access, you can easily clear your own event logs. If you don’t have admin access on your own system, you have a bit more work to do to gain that. Perhaps you could try the program.exe trick.
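From the administrator's side, the two things that decide whether this trick works and whether it leaves a trace are the cached-logon count and the local audit policy. The following PowerShell snippet is an added example, not code from the original post, that reports both and lists any failed cached logons already recorded. It assumes an elevated session on the workstation being checked, the standard Winlogon registry location (the same setting Group Policy exposes as "Interactive logon: Number of previous logons to cache"), and a Windows version with `Get-WinEvent` and event ID 4625, which postdates the post.

```powershell
# Added example (not from the original post): audit the settings this trick depends on.
# Run in an elevated PowerShell session on the workstation being checked.

# 1. How many domain logons does this machine cache?
#    Windows defaults to 10 when the value is absent; 0 disables caching entirely.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # absent value means the OS default applies
Write-Host "CachedLogonsCount = $cached"

# 2. Is failed-logon auditing enabled locally? Without it, offline guessing leaves no local record.
auditpol.exe /get /subcategory:"Logon"

# 3. Failed logons that used cached credentials: event 4625 with logon type 11 (CachedInteractive).
#    Property index 5 is TargetUserName and index 10 is LogonType in the 4625 event data.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -eq 11 } |
    Select-Object TimeCreated,
        @{ n = 'TargetUser'; e = { $_.Properties[5].Value } } |
    Group-Object TargetUser |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize   # accounts with the most failed cached logons first
```

A machine that reports `CachedLogonsCount = 0` cannot be attacked this way at all; one that caches logons but shows "No Auditing" for the Logon subcategory will record nothing locally either, so the third query only has something to show where failure auditing is already on. Forwarding the local Security log to a central collector removes the author's "clear your own event logs" option.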


Posted in Hardening, Passwords, Security Policy, Windows Security |
