Open Meatballs1 opened 7 years ago
Hey @Meatballs1
Do you know the target OS for the DC? (So I can test it). How did you run secretsdump.py? DRSUAPI or VSS method?
Are you sure what DSInternals is showing is the supplementalCredentials CLEARTEXT property, or maybe it is pulling stuff from somewhere else (that secretsdump doesn't)? Bottom line, I'm trying to understand whether this is a bug, or a new feature that needs to be implemented.
Any chance to share the DIT/hives?
No chance to share the dit unfortunately :)
It wasn't via VSS - files were created via NTBackup on a 2003SP2 DC.
Ok.. no problem.
So you specified the files to secretsdump.py, correct? (No DRSUAPI method).
I'll try to replicate it down here.
Btw.. did you check if DSInternals' cleartext is coming from supplementalCredentials? (maybe it does mention it in the output)
Yes, the cleartext output from DSInternals is definitely being listed under SupplementalCredentials, along with the Kerberos credentials.
Thanks @christopher-panayi for the feedback.
Just tested this functionality and couldn't reproduce this issue. Will try to get a 2003SP2 DC to verify whether there's a different behavior there.
So I used secretsdump.py and the .ntds.cleartext file was empty.
However, a colleague used DSInternals and most users had clear text creds in the file...