Thursday, December 29, 2011

Dumping Hashes from Active Directory NTDS.dit


I will get password hashes from the Active Directory database NTDS.dit using two tools: libesedb and NTDSXtract. I used an Ubuntu box for this, so I started by downloading and extracting the two tools. I also backed up the System State of a running domain controller and restored it to a different location on the same server. Then I copied the ntds.dit file and the SYSTEM registry hive file (the hive holds the boot key needed to decrypt the hashes). After that I ran the following commands:


$ cd libesedb
$ chmod +x configure
$ ./configure && make



The previous commands build libesedb from source on the Linux box. Then I ran the following to export the AD tables from ntds.dit:


$ cd esedbtools
$ ./esedbexport ../../ntds.dit



The previous commands export the database tables into the ntds.dit.export directory. Then I use dsusers.py to extract the hashes from the datatable:


$ cd ../../NTDSXtract/
$ python ./dsusers.py ../libesedb-20111220/esedbtools/ntds.dit.export/datatable.3 \
    ../libesedb-20111220/esedbtools/ntds.dit.export/link_table.4 --passwordhashes ../system > ../AD-dump.txt



I received an error that pycrypto was not installed, so I went ahead and installed python-setuptools and then pycrypto:


$ sudo apt-get install python-setuptools
$ sudo easy_install pycrypto


I ran dsusers.py again and the command completed successfully. This is the first entry from the results:



Running with options:
Extracting password hashes

List of users:
==============


Record ID:           38410
User name:           user01,
User principal name: user01@domain.local
SAM Account name:    user01
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: c77de96a-4056-48bb-bddf-2ac67afb88bb
SID:  S-1-5-21-454326967-959678081-45468671-1346
When created:         2009-10-27 22:53:43
When changed:         2011-01-13 20:03:56
Account expires:      Never
Password last set:    2009-10-27 22:53:43.406250
Last logon:           Never
Last logon timestamp: 2009-10-27 22:54:32.593750
Bad password time     Never
Logon count:          -1
Bad password count:   -1
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ domain local Domain-Users OTHER user01, 
Password hashes:
user01,:$NT$6fdcdcfbddbbb847d93bf186a164441e:::


As you can see, the "Password hashes" field contains the information I was looking for. Searching, I found this article by Tim Tomes, who modified dsusers.py to output the hashes in a usable form; the file is called dshashes.py.

After using the new file with the same options, I get the results in this format:


Running with options:
Extracting password hashes

List of hashes:
==============
User01,:5161:51c185931454376f1d71060d896b7a46:6fdcdcfbddbbb847d93bf186a164441e:::

Using this hash, I can use hashcat or JTR to discover the password for this user.
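Added example (not from the original post and not part of NTDSXtract or dshashes.py): a small Python audit over the one-line-per-account format shown above. Before handing a dump to a cracker, a defender usually wants to know which accounts still have an LM hash stored, which have the well-known empty-password NT hash, and which accounts share an NT hash (same password). The extra accounts and hashes in the sample are constructed; only the User01 line is from the post.

```python
import re
from collections import defaultdict

# Well-known hash values of an empty password (public constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One dshashes.py line: user:rid:lm_hash:nt_hash:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample output; the first line is the entry from the post, the
# other two accounts and their hashes are made up for this example.
SAMPLE = """\
Running with options:
Extracting password hashes

List of hashes:
==============
User01,:5161:51c185931454376f1d71060d896b7a46:6fdcdcfbddbbb847d93bf186a164441e:::
svc_backup:1120:aad3b435b51404eeaad3b435b51404ee:6fdcdcfbddbbb847d93bf186a164441e:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

def parse_dump(text):
    """Return (user, rid, lm, nt) tuples; banner lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            records.append((user, int(rid), lm.lower(), nt.lower()))
    return records

def audit(records):
    """Flag legacy LM storage, empty passwords, and NT hashes shared by several accounts."""
    findings = {"lm_present": [], "empty_password": [], "shared_nt": {}}
    by_nt = defaultdict(list)
    for user, rid, lm, nt in records:
        if lm != EMPTY_LM:          # a real LM hash means LM storage is still enabled
            findings["lm_present"].append(user)
        if nt == EMPTY_NT:          # NT hash of the empty string: blank password
            findings["empty_password"].append(user)
        by_nt[nt].append(user)
    findings["shared_nt"] = {h: u for h, u in by_nt.items()
                             if len(u) > 1 and h != EMPTY_NT}
    return findings

if __name__ == "__main__":
    for key, value in audit(parse_dump(SAMPLE)).items():
        print(f"{key}: {value}")
```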