Thursday, December 29, 2011

Dumping Hashes from Active Directory NTDS.dit


I will extract password hashes from the Active Directory database NTDS.dit using two tools: libesedb and NTDSXtract. I used an Ubuntu box for this, so I started by downloading and extracting the two tools. I also backed up the System State of a running domain controller and restored it to a different location on the same server. Then I copied the ntds.dit file and the SYSTEM registry hive file. After that I ran the following commands:


$ cd libesedb
$ chmod +x configure
$ ./configure && make



The previous commands build libesedb from source on the Linux box. Then I ran the following to export the AD tables:


$ cd esedbtools
$ ./esedbexport ../../ntds.dit



The previous command exports the database tables into a directory named ntds.dit.export. Then I use dsusers.py to extract the hashes from the datatable (the SYSTEM hive is needed to decrypt them):


$ cd ../../NTDSXtract/
$ python ./dsusers.py ../libesedb-20111220/esedbtools/ntds.dit.export/datatable.3 \
    ../libesedb-20111220/esedbtools/ntds.dit.export/link_table.4 \
    --passwordhashes ../system > ../AD-dump.txt



I received an error saying that pycrypto was not installed, so I went ahead and installed python-setuptools and then pycrypto:


$ sudo apt-get install python-setuptools
$ sudo easy_install pycrypto


I ran dsusers.py again and the command completed successfully. This is the first entry from the results:



Running with options:
Extracting password hashes

List of users:
==============


Record ID:           38410
User name:           user01,
User principal name: user01@domain.local
SAM Account name:    user01
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: c77de96a-4056-48bb-bddf-2ac67afb88bb
SID:  S-1-5-21-454326967-959678081-45468671-1346
When created:         2009-10-27 22:53:43
When changed:         2011-01-13 20:03:56
Account expires:      Never
Password last set:    2009-10-27 22:53:43.406250
Last logon:           Never
Last logon timestamp: 2009-10-27 22:54:32.593750
Bad password time     Never
Logon count:          -1
Bad password count:   -1
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ domain local Domain-Users OTHER user01, 
Password hashes:
user01,:$NT$6fdcdcfbddbbb847d93bf186a164441e:::


As you can see, the "Password hashes" field contains the information I was looking for. Searching, I found an article by Tim Tomes, who modified dsusers.py to output the hashes in a more usable (pwdump-style) form; the file is called dshashes.py.

After running the new file with the same options, I get the results in this format:


Running with options:
Extracting password hashes

List of hashes:
==============
User01,:5161:51c185931454376f1d71060d896b7a46:6fdcdcfbddbbb847d93bf186a164441e:::

Using this hash, I can use hashcat or JTR to discover the password for this user.
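Before handing a dump like this to a cracker, a defender usually wants to know what the dump already reveals about password hygiene. The following Python script is an added example (it is not part of NTDSXtract or dshashes.py) that parses the pwdump-style lines above and reports three conditions: accounts that still have an LM hash stored, accounts with an empty password, and groups of accounts sharing the same NT hash (i.e. the same password). The well-known hashes of an empty password are used as the "blank" markers; the sample dump is constructed and combines the User01 line from the output above with two invented accounts (svc_backup, guest).

```python
"""Audit a pwdump-style hash dump (the format dshashes.py writes).

Added example, not part of NTDSXtract or dshashes.py. Input lines look like
    user:rid:lmhash:nthash:::
Lines that do not match (headers, separators) are ignored.
"""
import collections
import re

# Well-known hashes of an empty password (constant for all systems).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of ""
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""

PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):"
)

# Constructed sample dump: the User01 line is the one shown above, the
# other two accounts are invented for the demonstration.
SAMPLE_DUMP = """Running with options:
Extracting password hashes

List of hashes:
==============
User01,:5161:51c185931454376f1d71060d896b7a46:6fdcdcfbddbbb847d93bf186a164441e:::
svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:6fdcdcfbddbbb847d93bf186a164441e:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump(text):
    """Return a list of (user, rid, lm, nt) tuples from pwdump-style text.

    dsusers.py/dshashes.py print the user name with a trailing comma
    (see the output above); that comma is stripped here.
    """
    entries = []
    for line in text.splitlines():
        match = PWDUMP_RE.match(line.strip())
        if not match:
            continue  # header, separator or blank line
        entries.append((
            match.group("user").rstrip(","),
            int(match.group("rid")),
            match.group("lm").lower(),
            match.group("nt").lower(),
        ))
    return entries


def audit(entries):
    """Flag weak storage conditions in a list of parsed entries."""
    findings = {"lm_stored": [], "empty_password": [], "shared_nt": {}}
    by_nt = collections.defaultdict(list)
    for user, _rid, lm, nt in entries:
        if lm != EMPTY_LM:
            # An LM hash is present: LM storage is enabled for this account.
            findings["lm_stored"].append(user)
        if nt == EMPTY_NT:
            findings["empty_password"].append(user)
        by_nt[nt].append(user)
    # Same NT hash on several accounts means the same password is reused.
    findings["shared_nt"] = {
        nt: users for nt, users in by_nt.items()
        if len(users) > 1 and nt != EMPTY_NT
    }
    return findings


def audit_dump(text):
    """Parse and audit a whole dump in one call."""
    return audit(parse_pwdump(text))


if __name__ == "__main__":
    result = audit_dump(SAMPLE_DUMP)
    print("Accounts with LM hash stored:", result["lm_stored"])
    print("Accounts with empty password:", result["empty_password"])
    for nt, users in result["shared_nt"].items():
        print("Shared password (NT %s...): %s" % (nt[:8], ", ".join(users)))
```

Run it against the real AD-dump.txt by replacing SAMPLE_DUMP with the file contents; the shared-hash report is the cheapest way to find service accounts that reuse a user's password without cracking anything.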






Wednesday, August 03, 2011

Unix text editor with color highlighting


I usually edit all my config files and firewall rules with the great and powerful text editor "vi", which is built in to almost all UNIX flavors. Sometimes editing large files is tedious, or I get lost among a lot of comments.


I installed "vim" on FreeBSD, and it's like using vi but with friendlier features. I installed vim without X support by running the following commands:


$ cd /usr/ports/editors/vim
$ make WITHOUT_X11=yes install clean


The WITHOUT_X11=yes option tells make to build vim without all the X11 dependencies which saves time compiling the port and saves space on disk. Once it finishes installing, you must add one line to the file .vimrc in order to enable the color highlighting:



$ cd ~/
$ echo "syntax on" >> ~/.vimrc


Vim recognizes many programming languages as well as configuration files and firewall rule sets such as OpenBSD's pf. This tool is used by many experienced programmers and advanced sysadmins, and by anyone who wants a friendlier text editor. This image is from the example file pf.conf located in /usr/share/examples/pf/pf.conf




As you can see, the file looks much better. Don't wait: if you use vi, install vim and take a look at it. It has a lot more features; check its web page.



Sunday, July 31, 2011

Quick and Easy setup MySQL Server on FreeBSD


One of the first problems I had was getting a MySQL service up and running. A lot of the applications I use and test require a database engine, and I don't want to spend time installing and configuring one each time. I want to share how to install and run a fresh MySQL server on FreeBSD 8.2 from the packages repository in a quick and easy manner.

Log on as root (or su to root) and run the pkg_add command to fetch MySQL 5.5 Server from the packages repository:

$ pkg_add -r mysql55-server


After the installation finishes, just run these commands and you will have a running instance of MySQL:

$ mysql_install_db --user=mysql
$ chown -R mysql /var/db/mysql/
$ chgrp -R mysql /var/db/mysql/
$ /usr/local/bin/mysqld_safe --user=mysql &
$ cp /usr/local/share/mysql/my-medium.cnf /usr/local/etc/my.cnf


If you want MySQL to listen only on localhost, you can edit the my.cnf file copied above and add the following line under the [mysqld] section:

bind-address = 127.0.0.1


To start MySQL for the first time run the following:

$ /usr/local/etc/rc.d/mysql-server onestart


To run MySQL each time the machine reboots, add the following line to the file /etc/rc.conf:

mysql-server_start="YES"


You can verify that mysql is running using the ps command:

$ ps -ax | grep mysql
788 ?? Is 0:00.02 /bin/sh /usr/local/bin/mysqld_safe --defaults-extra-f
1054 ?? I 0:01.50 [mysqld]
21113 1 S+ 0:00.00 grep mysql


If you configured the server to listen only on localhost, you can verify this with the following command:

$ sockstat -4 | grep mysql
mysql mysqld 1054 11 tcp4 127.0.0.1:3306 *:*
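To make the "localhost only" check repeatable, here is an added Python example (not part of MySQL or FreeBSD) that does the two verifications above programmatically: it reads the bind-address from the [mysqld] section of a my.cnf, and it parses `sockstat -4` output to list any mysqld tcp4 socket that is not bound to 127.0.0.1. The my.cnf fragments and sockstat outputs below are constructed samples; the local-only sockstat line is the one shown above, and the other shows the default (all interfaces) case.

```python
"""Verify that MySQL is bound to loopback only.

Added example, not part of MySQL or FreeBSD. Two checks:
  1. bind_address(): what my.cnf asks for under [mysqld]
  2. exposed_listeners(): what `sockstat -4` actually shows
"""

LOOPBACK = "127.0.0.1"


def bind_address(my_cnf_text):
    """Return the bind-address value from the [mysqld] section, or None.

    MySQL accepts both bind-address and bind_address, so both spellings
    are recognized. Comments (#) and lines outside [mysqld] are ignored.
    """
    section = None
    value = None
    for raw in my_cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "mysqld" and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            if key.lower().replace("_", "-") == "bind-address":
                value = val  # last occurrence wins, as in MySQL
    return value


def mysqld_listeners(sockstat_output):
    """Parse `sockstat -4` lines into (local_addr, port) for mysqld tcp4 sockets.

    Column order on FreeBSD: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
    """
    listeners = []
    for line in sockstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[1] != "mysqld" or fields[4] != "tcp4":
            continue  # header line or some other process/protocol
        addr, _, port = fields[5].rpartition(":")
        listeners.append((addr, port))
    return listeners


def exposed_listeners(sockstat_output):
    """Return mysqld listeners reachable from other hosts (not on loopback)."""
    return [(a, p) for a, p in mysqld_listeners(sockstat_output) if a != LOOPBACK]


# Constructed samples: a my.cnf with the line from the post, and one without it.
LOCAL_CNF = """[client]
port = 3306

[mysqld]
port = 3306
skip-external-locking
bind-address = 127.0.0.1
"""
DEFAULT_CNF = """[mysqld]
port = 3306
skip-external-locking
"""

# Constructed sockstat outputs: the first line set is the one shown above.
SOCKSTAT_LOCAL = """USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1054  11 tcp4   127.0.0.1:3306        *:*
"""
SOCKSTAT_ALL = """USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1054  11 tcp4   *:3306                *:*
"""

if __name__ == "__main__":
    for name, cnf, sock in (("local-only", LOCAL_CNF, SOCKSTAT_LOCAL),
                            ("default", DEFAULT_CNF, SOCKSTAT_ALL)):
        print("%s: bind-address=%s exposed=%s" % (
            name, bind_address(cnf), exposed_listeners(sock)))
```

On a real box, feed the script the contents of /usr/local/etc/my.cnf and the output of `sockstat -4`; an empty list from exposed_listeners() means no mysqld socket is reachable from the network.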


You now have a MySQL instance up and running. Remember that the default user is "root" with a blank password; you can log in with the command:

$ mysql -u root

and then change the password, create databases, tables, etc.


I hope this quick MySQL setup helps you, so you can spend your time testing your applications instead of setting up MySQL each time.