djoin.exe savefile format

Relying on the rudimentary info of $ djoin.exe /help and this web page:

The blob written to the path passed in the /savefile flag contains the machine account credentials. I presume that includes the randomly generated machine password necessary to derive the machine’s Kerberos keys. Exactly what I need.

However, I can’t make heads or tails of the decoded blob. It starts with this:

        - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF  comment
        0x00000000  0110 0800 cccc cccc 6003 0000 0000 0000  ........`.......
        0x00000010  0000 0200 0100 0000 0100 0000 0400 0200  ................
        0x00000020  0100 0000 0100 0000 3803 0000 0800 0200  ........8.......
        0x00000030  3803 0000 0110 0800 cccc cccc 2803 0000  8...........(...
        0x00000040  0000 0000 80c2 54ac d0a0 55ac 309b 55ac  ......T...U.0.U.

and then contains recognizable UTF-16 strings, one of which I gather might hold the password.

Is this format documented anywhere?

windows
automation
active-directory
windows-domain
asked on Super User Feb 23, 2018 by phg
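
The byte sequence `01 10 08 00 cc cc cc cc` at offsets 0x00 and 0x34 of the dump above matches the common type header of NDR Type Serialization Version 1, as specified in MS-RPCE. The following is an added example, not part of the original question; its function names are made up for illustration. It parses those headers from the bytes shown in the dump and checks that the nested length fields agree.

```python
import struct
from typing import NamedTuple, Optional

# First 0x50 bytes of the decoded blob, copied from the hex dump in the question.
DUMP = bytes.fromhex(
    "01100800cccccccc6003000000000000"
    "00000200010000000100000004000200"
    "01000000010000003803000008000200"
    "3803000001100800cccccccc28030000"
    "0000000080c254acd0a055ac309b55ac"
)

class TypeHeader(NamedTuple):
    offset: int          # where the 16-byte header pair starts
    little_endian: bool  # Endianness byte: 0x10 little, 0x00 big
    body_len: int        # ObjectBufferLength: NDR bytes that follow the headers

def parse_header(buf: bytes, off: int) -> Optional[TypeHeader]:
    """Decode a common type header plus private header at off, else None."""
    if off + 16 > len(buf) or buf[off] != 1 or buf[off + 1] not in (0x10, 0x00):
        return None
    order = "<" if buf[off + 1] == 0x10 else ">"
    (hdr_len,) = struct.unpack_from(order + "H", buf, off + 2)
    body_len, filler = struct.unpack_from(order + "II", buf, off + 8)
    # CommonHeaderLength is always 8; the private header filler is sent as zero.
    if hdr_len != 8 or filler != 0:
        return None
    return TypeHeader(off, order == "<", body_len)

def find_headers(buf: bytes) -> list:
    """Scan 4-byte aligned offsets for outer and nested serialization headers."""
    hits = (parse_header(buf, off) for off in range(0, len(buf) - 15, 4))
    return [h for h in hits if h is not None]

def nested_lengths_agree(buf: bytes, outer: TypeHeader, inner: TypeHeader) -> bool:
    """The inner object must fit in the outer body, and the uint32 just before
    the inner header (the array count in this dump) must equal its total size."""
    (count,) = struct.unpack_from("<I", buf, inner.offset - 4)
    inner_end = inner.offset + 16 + inner.body_len
    return count == 16 + inner.body_len and inner_end <= outer.offset + 16 + outer.body_len

if __name__ == "__main__":
    outer, inner = find_headers(DUMP)
    for h in (outer, inner):
        print(f"header at 0x{h.offset:02x}: body 0x{h.body_len:x} bytes, "
              f"little-endian={h.little_endian}")
    print("nested lengths agree:", nested_lengths_agree(DUMP, outer, inner))
```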

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0