I recently went through an exercise trying to audit passwords in an Active Directory domain and found that quite a lot of the documentation available online appears to have aged to the point of being quite inaccurate. Conducting a password audit straight from a domain controller usually consists of the following high-level tasks:
- Extract the NTDS database from the domain controller.
- Unpack the NTDS database to get the tables we want.
- Run a tool to extract the hashes.
- Feed the hashes into your password analysis tool of choice.
I’m only really going to be talking about items (2) and (3) here (meaning – I’m assuming you have an extracted NTDS.dit and SYSTEM file already). I wasn’t really looking at any commercial products for this, so I was attempting to do this quickly (and for free) with Kali Linux. I looked at a few sources and found a few issues trying to follow them:
- NTDSXtract – most of the guides I was reading pointed to the password dumping scripts located in ntds_dump_hash.zip. This file isn’t actually available to download anymore. It appears that it is part of the main package now, as dsusers.py.
- libesedb – most of the guides linked to the Google code project (now gone!) and talked about the esedbdumphash tool. This doesn’t seem to exist anymore – and appears to have been superseded by esedbexport.
For the purpose of this guide, I used the following versions:
- NTDSXtract – Commit e2fc6470cf54d9151bed394ce9ad3cd25be7c262
- libesedb – Commit 5d9a91340cfaeae344d989bb613db495e82b512f
- Kali Linux – 1.1.0a
I just did a basic install of Kali in a VM, then ensured that everything was up-to-date. I originally went down the path of trying to get open-vm-tools to work, but gave up and ended up mounting a small FAT32 virtual disk shared between the Windows host and the Kali guest.
apt-get update && apt-get dist-upgrade && apt-get autoremove
Extracting NTDS.dit using libesedb
- Download libesedb from GitHub, extract the zip file and navigate to the root directory:
- Install the pre-requisites, compile it, install it!
apt-get install git autoconf automake autopoint libtool pkg-config build-essential
- The compiled binaries should now be installed in /usr/local/bin. You can use esedbexport to extract the tables from your NTDS.dit file; after it runs you’ll see a folder called ntds.dit.export created in the current working directory.
root@kali:/usr/local/bin# esedbexport -m tables /root/Desktop/ntds.dit
Exporting table 1 (MSysObjects) out of 14.
Exporting table 2 (MSysObjectsShadow) out of 14.
Exporting table 3 (MSysObjids) out of 14.
Exporting table 4 (MSysLocales) out of 14.
Exporting table 5 (datatable) out of 14.
Exporting table 6 (hiddentable) out of 14.
Exporting table 7 (link_history_table) out of 14.
Exporting table 8 (link_table) out of 14.
Exporting table 9 (sdpropcounttable) out of 14.
Exporting table 10 (sdproptable) out of 14.
Exporting table 11 (sd_table) out of 14.
Exporting table 12 (MSysDefrag2) out of 14.
Exporting table 13 (quota_table) out of 14.
Exporting table 14 (quota_rebuild_progress_table) out of 14.
- Download NTDSXtract from GitHub, extract the zip and navigate to the root directory:
- The next step is simply to run the dsusers.py python script and plug in the files from the ntds.dit.export folder from before. In my case, I’m being messy and leaving it in /usr/local/bin. What you’re doing here is passing the locations of the data table, the link table and the SYSTEM file, providing a working folder for it to write to, a filename to output LM hashes to, a filename to output NT hashes to, and specifying what format you want the resulting output files in.
root@kali:~/Desktop/ntdsxtract-e2fc6470cf54d9151bed394ce9ad3cd25be7c262# python dsusers.py /usr/local/bin/ntds.dit.export/datatable.4 /usr/local/bin/ntds.dit.export/link_table.7 /root/Desktop/hashdumpwork --syshive /root/Desktop/SYSTEM --passwordhashes --lmoutfile /root/Desktop/lm-out.txt --ntoutfile /root/Desktop/nt-out.txt --pwdformat ophc
[+] Started at: Tue, 07 Jul 2015 14:08:54 UTC
[+] Started with options:
[-] Extracting password hashes
[-] LM hash output filename: /root/Desktop/lm-out.txt
[-] NT hash output filename: /root/Desktop/nt-out.txt
[-] Hash output format: ophc
The directory (/root/Desktop/hashdumpwork) specified does not exists!
Would you like to create it? [Y/N] y
[+] Initialising engine...
[+] Loading saved map files (Stage 1)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/Desktop/hashdumpwork/offlid.map'
[+] Rebuilding maps...
[+] Scanning database - 0% -> 5 records processed
[!] Warning! There is more than one Schema object! The DB is inconsisten!
[+] Scanning database - 100% -> 3641 records processed
[+] Sanity checks...
Schema record id: 2030
Schema type id: 10
[+] Extracting schema information - 100% -> 1738 records processed
[+] Loading saved map files (Stage 2)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/Desktop/hashdumpwork/links.map'
[+] Rebuilding maps...
[+] Extracting object links...
- Crack open one of the files (hopefully only the NT hash file has any content) and you should see the extracted hash dumps to play with.
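Before feeding the dump into a cracker, a quick triage of the output files already tells you a lot about the domain. The following is an added example and not part of the original post or of NTDSXtract; it assumes the ophc output is pwdump-style, one account per line as username:rid:lmhash:nthash:::, and the sample lines it parses are constructed (fake accounts, made-up hashes apart from the two well-known empty-password constants).

```python
import re
from collections import defaultdict

# Well-known hashes of the empty password (fixed constants, not constructed values).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Assumption: the ophc output is pwdump-style, one account per line:
#   username:rid:lmhash:nthash:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}|):([0-9a-fA-F]{32}|):::$")

def parse_dump(text):
    """Return a list of (user, rid, lmhash, nthash) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            rows.append((user, int(rid), lm.lower(), nt.lower()))
    return rows

def audit(rows):
    """Flag the findings a defender wants before any cracking happens."""
    # Any real LM hash means the weak LM representation is still being stored.
    lm_stored = [u for u, _, lm, _ in rows if lm and lm != EMPTY_LM]
    # Accounts whose NT hash is the hash of the empty string.
    empty_pw = [u for u, _, _, nt in rows if nt == EMPTY_NT]
    # Identical NT hashes mean identical passwords (password reuse across accounts).
    by_nt = defaultdict(list)
    for u, _, _, nt in rows:
        if nt and nt != EMPTY_NT:
            by_nt[nt].append(u)
    shared = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return {"lm_stored": lm_stored, "empty_password": empty_pw, "shared_nt": shared}

# Constructed sample output: fake accounts, made-up hashes except the two constants above.
SAMPLE = """\
alice:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1106:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy-svc:1107:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:fedcba9876543210fedcba9876543210:::
guest:501::31d6cfe0d16ae931b73c59d7e0c089c0:::
this line is not a hash record
"""

if __name__ == "__main__":
    report = audit(parse_dump(SAMPLE))
    print("Accounts still storing an LM hash:", report["lm_stored"])
    print("Accounts with an empty password:", report["empty_password"])
    for nt, users in report["shared_nt"].items():
        print("NT hash %s... shared by: %s" % (nt[:8], ", ".join(users)))
```

Point it at nt-out.txt (and lm-out.txt, which should contain only empty LM hashes on a healthy domain) instead of SAMPLE to get the same report for a real dump.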