Windows Password Audit with Kali Linux

I recently went through an exercise trying to audit passwords in an Active Directory domain and found that quite a lot of the documentation available online appears to have aged to the point of being quite inaccurate. Conducting a password audit straight from a domain controller usually consists of the following high-level tasks:

  1. Extract the NTDS database from the domain controller.
  2. Unpack the NTDS database to get the tables we want.
  3. Run a tool to extract the hashes.
  4. Feed the hashes into your password analysis tool of choice.

I’m only really going to be talking about items (2) and (3) here (meaning – I’m assuming you have an extracted NTDS.dit and SYSTEM file already). I wasn’t really looking at any commercial products for this, so I was attempting to do this quickly (and for free) with Kali Linux. I looked at a few sources and found a few issues trying to follow them:

  • NTDSXtract – most of the guides I was reading pointed to the password dumping scripts located in ntds_dump_hash.zip. This file isn’t actually available to download anymore. It appears that this functionality is part of the main package now as dsusers.py.
  • libesedb – most of the guides linked to the Google code project (now gone!) and talked about the esedbdumphash tool. This doesn’t seem to exist anymore – and appears to have been superseded by esedbexport.

For the purpose of this guide, I used the following versions:

Optional Basics

I just did a basic install of Kali in a VM, then ensured that everything was up-to-date. I originally went down the path of trying to get open-vm-tools to work, but gave up and ended up mounting a small FAT32 virtual disk between the Windows host and Kali guest.

apt-get update && apt-get dist-upgrade && apt-get autoremove

Extracting NTDS.dit using libesedb

  1. Download libesedb from GitHub, extract the zip file and navigate to the root directory:

    wget https://github.com/libyal/libesedb/archive/5d9a91340cfaeae344d989bb613db495e82b512f.zip
    unzip 5d9a91340cfaeae344d989bb613db495e82b512f.zip
    cd libesedb-5d9a91340cfaeae344d989bb613db495e82b512f/
  2. Install the pre-requisites, compile it, install it!

    apt-get install git autoconf automake autopoint libtool pkg-config build-essential
    ./synclibs.sh
    ./autogen.sh
    ./configure
    make
    make install
    ldconfig
  3. The installed binaries should now be in /usr/local/bin. Use esedbexport to extract the tables from your NTDS.dit file; when it finishes you’ll see a folder called ntds.dit.export created in the current working directory.

    root@kali:/usr/local/bin# esedbexport -m tables /root/Desktop/ntds.dit
    esedbexport 20150703

    Opening file.
    Exporting table 1 (MSysObjects) out of 14.
    Exporting table 2 (MSysObjectsShadow) out of 14.
    Exporting table 3 (MSysObjids) out of 14.
    Exporting table 4 (MSysLocales) out of 14.
    Exporting table 5 (datatable) out of 14.
    Exporting table 6 (hiddentable) out of 14.
    Exporting table 7 (link_history_table) out of 14.
    Exporting table 8 (link_table) out of 14.
    Exporting table 9 (sdpropcounttable) out of 14.
    Exporting table 10 (sdproptable) out of 14.
    Exporting table 11 (sd_table) out of 14.
    Exporting table 12 (MSysDefrag2) out of 14.
    Exporting table 13 (quota_table) out of 14.
    Exporting table 14 (quota_rebuild_progress_table) out of 14.
    Export completed.

NTDSXtract Setup

  1. Download NTDSXtract from GitHub, extract the zip and navigate to the root directory:

    wget https://github.com/csababarta/ntdsxtract/archive/e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip
    unzip e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip
    cd ntdsxtract-e2fc6470cf54d9151bed394ce9ad3cd25be7c262/
  2. The next step is simply to run the dsusers.py Python script and plug in the files from the ntds.dit.export folder from before. In my case, I’m being messy and leaving it in /usr/local/bin. What you’re doing here is passing the locations of the data table, the link table and the SYSTEM hive, providing a working folder for it to write to, a filename to output LM hashes to, a filename to output NT hashes to, and specifying what format you want the resulting output files in.

    root@kali:~/Desktop/ntdsxtract-e2fc6470cf54d9151bed394ce9ad3cd25be7c262# python dsusers.py /usr/local/bin/ntds.dit.export/datatable.4 /usr/local/bin/ntds.dit.export/link_table.7 /root/Desktop/hashdumpwork --syshive /root/Desktop/SYSTEM --passwordhashes --lmoutfile /root/Desktop/lm-out.txt --ntoutfile /root/Desktop/nt-out.txt --pwdformat ophc

    [+] Started at: Tue, 07 Jul 2015 14:08:54 UTC
    [+] Started with options:
    [-] Extracting password hashes
    [-] LM hash output filename: /root/Desktop/lm-out.txt
    [-] NT hash output filename: /root/Desktop/nt-out.txt
    [-] Hash output format: ophc
    The directory (/root/Desktop/hashdumpwork) specified does not exists!
    Would you like to create it? [Y/N] y

    [+] Initialising engine...
    [+] Loading saved map files (Stage 1)...
    [!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/Desktop/hashdumpwork/offlid.map'
    [+] Rebuilding maps...
    [+] Scanning database - 0% -> 5 records processed
    [!] Warning! There is more than one Schema object! The DB is inconsisten!
    [+] Scanning database - 100% -> 3641 records processed
    [+] Sanity checks...
    Schema record id: 2030
    Schema type id: 10
    [+] Extracting schema information - 100% -> 1738 records processed
    [+] Loading saved map files (Stage 2)...
    [!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/Desktop/hashdumpwork/links.map'
    [+] Rebuilding maps...
    [+] Extracting object links...

  3. Crack open one of the files (hopefully only the NT hash file has any content) and you should see the extracted hash dumps to play with.

    Administrator:::HASH_WILL_BE_HERE:S-1-5-21-2672162783-2291035921-4253142556-500::
    Joel:::HASH_WILL_BE_HERE:S-1-5-21-2672162783-2291035921-4253142556-1001::
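
Once you have the NT hash file in the ophc layout shown above (user:::NThash:SID::), the audit itself is mostly about finding accounts that share a password and accounts with no password at all. The following is an added example, not part of the original guide or of NTDSXtract: it parses constructed sample lines in that layout (the hash values are made up; the empty-password NT hash constant is the real MD4 of an empty string) and reports shared hashes, empty passwords and well-known RIDs.

```python
import re
from collections import defaultdict

# NT hash of the empty string (MD4 of zero bytes): an account with this hash has no password set.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Well-known relative IDs worth calling out in an audit report.
WELL_KNOWN_RIDS = {"500": "built-in Administrator", "501": "Guest", "502": "krbtgt"}

# Constructed sample in the ophc layout the guide shows; the hashes are made-up hex, not real accounts.
SAMPLE_NT_OUT = """\
Administrator:::6f9c4a0c3e2b1d8f7a5e4c3b2a190807:S-1-5-21-2672162783-2291035921-4253142556-500::
Joel:::6f9c4a0c3e2b1d8f7a5e4c3b2a190807:S-1-5-21-2672162783-2291035921-4253142556-1001::
Guest:::31d6cfe0d16ae931b73c59d7e0c089c0:S-1-5-21-2672162783-2291035921-4253142556-501::
svc-backup:::0a1b2c3d4e5f60718293a4b5c6d7e8f9:S-1-5-21-2672162783-2291035921-4253142556-1105::
"""

def parse_ophc(text):
    """Return (username, nt_hash, sid) tuples from dsusers.py --pwdformat ophc output."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 5 or not parts[0]:
            continue  # blank or malformed line
        user, nt_hash, sid = parts[0], parts[3].lower(), parts[4]
        if not re.fullmatch(r"[0-9a-f]{32}", nt_hash):
            continue  # placeholder text or damaged hash, nothing to audit
        records.append((user, nt_hash, sid))
    return records

def audit(records):
    """Group accounts by NT hash and flag empty passwords and well-known RIDs."""
    findings = {"empty_password": [], "shared_password": [], "well_known": []}
    by_hash = defaultdict(list)
    for user, nt_hash, sid in records:
        by_hash[nt_hash].append(user)
        if nt_hash == EMPTY_NT_HASH:
            findings["empty_password"].append(user)
        rid = sid.rsplit("-", 1)[-1]
        if rid in WELL_KNOWN_RIDS:
            findings["well_known"].append((user, WELL_KNOWN_RIDS[rid]))
    # Any hash shared by two or more accounts means those accounts use the same password.
    for users in by_hash.values():
        if len(users) > 1:
            findings["shared_password"].append(sorted(users))
    return findings

if __name__ == "__main__":
    for category, items in audit(parse_ophc(SAMPLE_NT_OUT)).items():
        print(f"{category}: {items}")
```

Point it at the real nt-out.txt by replacing SAMPLE_NT_OUT with the file contents; the lines with HASH_WILL_BE_HERE placeholders above would be skipped by the regex check.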

Other sources: [1], [2]

22 thoughts on “Windows Password Audit with Kali Linux”

  1. When i run the make command, my make fails with the below. Any idea on steps to fix the below error?

    libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../common -I../include -I../common -I../libcstring -I../libcerror -I../libclocale -I../libcnotify -I../libuna -g -O2 -Wall -MT libcfile_support.lo -MD -MP -MF .deps/libcfile_support.Tpo -c libcfile_support.c -fPIC -DPIC -o .libs/libcfile_support.o
    libcfile_support.c:742:2: error: #error Missing file remove function
    #error Missing file remove function
    ^
    Makefile:657: recipe for target ‘libcfile_support.lo’ failed
    make[1]: *** [libcfile_support.lo] Error 1
    make[1]: Leaving directory ‘/root/libesedb-20151213/libcfile’
    Makefile:777: recipe for target ‘all-recursive’ failed
    make: *** [all-recursive] Error 1

    1. Solved my own problem. Before the ./configure command, i needed to run a “chmod +x configure” command.

      apt-get install git autoconf automake autopoint libtool pkg-config build-essential
      ./synclibs.sh
      ./autogen.sh
      chmod +x configure
      ./configure
      make
      make install
      ldconfig

  2. Hi, I am currently running Kali Linux 2.0. Everything was the same until it got to “make”. I have an error when I use “make”:
    collect2: error: ld returned 1 exit status
    Makefile 449: recipe for target ‘esedexport’ failed
    make[1]: *** [esedbexport] Error 1
    Makefile 464: recipe for target ‘install-recursive’ failed
    make[1]: *** [install-recursive] Error 1

    Can you help plz?

    1. This was written up a while ago – I haven’t had a chance to update this at all for the new version of Kali that’s come out since. I’ll look into updating this guide – but I’d need to find some time to get a test AD environment set up again.

  3. Thx for your reply, sorry about the bad English.
    I think it’s the problem with compiler (gcc) and libesedb. Because there is no newer version of AD recently.
    I will try to use the older Kali linux such as 1.1.0a and compile libesedb again.
    :)

  4. Hi Joel, sadly, Kali Linux 1.1.0a only made me run into more problems. I would just stick with 2016 then. Can you help give out a solution? (from my research, you are probably the only blog that talks about auditing AD, soooooo) plzzz
    Thanks a lot!!!

    1. Actually, I got the same problem as john:
      libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../common -I../include -I../common -I../libcstring -I../libcerror -I../libclocale -I../libcnotify -I../libuna -g -O2 -Wall -MT libcfile_support.lo -MD -MP -MF .deps/libcfile_support.Tpo -c libcfile_support.c -fPIC -DPIC -o .libs/libcfile_support.o
      libcfile_support.c:742:2: error: #error Missing file remove function
      #error Missing file remove function
      ^
      Makefile:657: recipe for target ‘libcfile_support.lo’ failed
      make[1]: *** [libcfile_support.lo] Error 1
      make[1]: Leaving directory ‘/root/libesedb-20151213/libcfile’
      Makefile:777: recipe for target ‘all-recursive’ failed
      make: *** [all-recursive] Error 1

      When i am using the exact same Kali Version (1.1.0a) and exact same lib. And obviously adding chmod +x configure didn’t solve it. Not sure y, but i guess i will wait for your update post then.
      Anyways, thx!

  5. To fix the “missing file remove function” error, add this:

    #define HAVE_UNLINK 1

    to the top of this file: libcfile/libcfile_support.c

  6. Thank you so much, it worked for me on Kali 2.0,

    How could we prevent storing the hashes of the AD users?

  7. Hi,

    Great guide, but sadly enough I’m facing a small problem on the last step. I think I misunderstand something.

    If I execute this command:

    root@kali:~/Desktop/ntdsxtract-e2fc6470cf54d9151bed394ce9ad3cd25be7c262# python dsusers.py /usr/local/bin/ntds.dit.export/datatable.4 /usr/local/bin/ntds.dit.export/link_table.7 /root/Desktop/hashdumpwork --syshive /root/Desktop/SYSTEM --passwordhashes --lmoutfile /root/Desktop/lm-out.txt --ntoutfile /root/Desktop/nt-out.txt --pwdformat ophc

    It complains about the “--syshive /root/Desktop/SYSTEM” and gives the following error:

    No such file or directory: ‘/root/Desktop/SYSTEM’

    So it looks like I need to change the path, but I have no idea.

    Also, Google isn’t really helpful this time, can anyone help me out?

    Thanks :)

    1. The command looks correct if that’s where you placed the SYSTEM file, I’m guessing you didn’t extract the SYSTEM file?

      You need to extract the SYSTEM file (C:\Windows\System32\Config\SYSTEM) when you extract the ntds.dit file.

  8. Stepping through this on Kali 2017.1 and receiving an error running the “make” command for libesedb.

    512f/libcerror’
    /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../common -I../include -I../common -g -O2 -Wall -MT libcerror_error.lo -MD -MP -MF .deps/libcerror_error.Tpo -c -o libcerror_error.lo libcerror_error.c
    libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../common -I../include -I../common -g -O2 -Wall -MT libcerror_error.lo -MD -MP -MF .deps/libcerror_error.Tpo -c libcerror_error.c -fPIC -DPIC -o .libs/libcerror_error.o
    libcerror_error.c:24:27: fatal error: narrow_string.h: No such file or directory
    #include

    Any help is appreciated.
