This is something I wrote up a while back. Not that great but wanted to document it before I lost it.

Background: Its great gaining local admin on a windows box,but then you are limited to that box.
Its much more useful getting a Domain user or even Domain Enterprise Admin!
Assumming you are on a Domain.
Most Windows Domains have password caching turned on.
Which means anytime a domain user logs into the box it is cached in the registry with SYSTEM rights.
Now lets see how we can grab this and crack it.

Note: I only did this in Linux, I have no idea if it work in windows.
Also, I will not go into much technical details on the caching. Google if you want to learn more.
The info is out there.

Tools: 1. John The Ripper(1.6.37) – (you will need the src, we will patch it)
2. mscashdump –
3. John The Ripper Patch – (get “the big patch”)

Steps: 1. Compile and Patch John(john dir and patch must be in same dir)
-tar xfz john-1.6.37.tar.gz
-gunzip -c john-1.6.37-bigpatch-13.diff.gz | patch -p0 (should see it patching files)
-cd john-1.6.37/src/

Note: Now you have john patched,it can accept much more hashes such as mscash. Another favorite
of mine is Lotus Notes, its pretty easy to get anyone’s Notes hash without even being a user.
I’ll save that for a different doc, we’ll stick with mscash.

2. Get cached passwords from windows box (must be local admin)
-cachedump.exe -v (should first install a service to get SYSTEM rights)
-Output should look like the following.

CacheDump service successfully installed.
Service started.
Service successfully removed.

-copy and paste the hashs to a txt file for john.

3. Now we get to crack it. Your choice on brute or dict.
-./john -format:mscash ./mshashs.txt

Note: Now you just have to wait. Depending on how good the password is.
And that’s It. Have Fun