Dumping Domain Password Hashes Using Metasploit (ntds_hashextract.rb)

Author: Royce Davis Posted In Metasploit On: 2012/11/16 Comments: 6
Earlier this week I released a blog post on the Accuvant website explaining at a high level some of the techniques and use cases for my recently developed Metasploit modules. This article will be the first in a series of tutorials where I plan to do a deeper dive into the individual modules and some of their many uses during an Information Security Assessment or Penetration Testing exercise.

The ntds_hashextract.rb script is a standalone tool that can be used to quickly and efficiently extract Active Directory domain password hashes from the exported datatable of an NTDS.dit database. As it turns out, exporting the datatable can sometimes be tricky, so here is a detailed tutorial covering the methodology that I use and continue to have success with.

Step 1 – Install Libesedb

Libesedb is an open source C library developed to forensically extract information from Extensible Storage Engine (ESE) database files. In order to get what we need out of NTDS.dit we will first have to download and install the library from the following URL.

http://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz

Next we will need to extract the tarball, configure, make and install the library using the command line.

  • $ tar xvzf libesedb-alpha-20120102.tar.gz
  • $ cd libesedb-20120102
  • $ ./configure
  • $ make && make install

This is what the finished output looked like for me after everything was done on a fresh copy of Backtrack 5.

Step 2 – Export Tables From NTDS.dit

Now that you have a working install of the Libesedb library, make sure you’ve got a proper copy of the NTDS.dit database as well as the SYSTEM registry hive file on your machine. In case you weren’t already aware, you can use another one of my modules, ntdsgrab.rb, to obtain these items from a Windows Domain Controller, provided you have proper credentials of course. Here is what they look like on my system after downloading them via the Metasploit Framework.

Change into whatever directory contains your loot, in my case the /tmp/NTDS_Grab directory and run esedbexport from the libesedb/esedbtools directory against your NTDS.dit database. It will export all of the tables and store them in a newly created directory called ntds.export.

Step 3 – Dump All The Hashes

At this point you’re ready to run ntds_hashextract.rb against the datatable (Table #4) and the SYSTEM registry hive file in order to grab all of the domain password hashes. If the domain is large enough (several thousand unique users) the command might take a few minutes to finish on your system so go grab a cup of coffee. When it’s done it should look something like this.
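Once the hashes are on disk, the part of an assessment that actually reaches the domain owner is the audit of that dump. The following Ruby script is an added example (not code from the original post or from the ntds_hashextract.rb tool) that post-processes a dump for the three findings a report usually needs: accounts that still store an LM hash, accounts with an empty NT hash, and groups of accounts sharing one NT hash (the same password). It assumes the dump uses the common pwdump layout user:rid:lmhash:nthash:::, and the sample dump embedded in it is constructed; only the two constants for the empty LM and empty NT hash are the real well-known values.

```ruby
# Added example, not part of the original post or of ntds_hashextract.rb.
# Post-processes a pwdump-style hash dump into audit findings. The line
# format assumed here is   user:rid:lmhash:nthash:::
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee' # LM field when no LM hash is stored
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0' # NT hash of the empty password

# Constructed sample dump: the hash values are illustrative, not real accounts.
SAMPLE_DUMP = <<~'DUMP'
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
  jdoe:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
  svc_backup:1106:e52cac67419a9a224a3b108f3fa6cb6d:fedcba9876543210fedcba9876543210:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  DC01$:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
  this line is not a hash record and is skipped by the parser
DUMP

Record = Struct.new(:user, :rid, :lm, :nt)

# Parse pwdump lines, skipping anything that does not have the expected shape.
def parse_pwdump(text)
  text.each_line.each_with_object([]) do |line, acc|
    m = line.strip.match(/\A([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::\z/i)
    next unless m
    acc << Record.new(m[1], m[2].to_i, m[3].downcase, m[4].downcase)
  end
end

# Turn parsed records into the findings an audit report needs.
def audit(records)
  # Machine accounts end in '$'; their passwords are random and rotate, so
  # they are left out of the shared-password check but kept for the others.
  users = records.reject { |r| r.user.end_with?('$') }
  shared = users.group_by(&:nt)
                .select { |nt, rs| nt != EMPTY_NT && rs.size > 1 }
                .transform_values { |rs| rs.map(&:user).sort }
  {
    lm_present: records.select { |r| r.lm != EMPTY_LM }.map(&:user),
    empty_nt:   records.select { |r| r.nt == EMPTY_NT }.map(&:user),
    shared_nt:  shared
  }
end

def report(text)
  audit(parse_pwdump(text))
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby audit_dump.rb [dumpfile]; without an argument the sample is used.
  findings = report(ARGV.empty? ? SAMPLE_DUMP : File.read(ARGV[0]))
  puts "Accounts still storing an LM hash: #{findings[:lm_present].join(', ')}"
  puts "Accounts with an empty NT hash:    #{findings[:empty_nt].join(', ')}"
  findings[:shared_nt].each do |nt, users|
    puts "Shared NT hash #{nt}: #{users.join(', ')}"
  end
end
```

On the sample this reports svc_backup as still carrying an LM hash, Guest as having an empty NT hash, and Administrator and jdoe as sharing a password; on a real dump those three lists are the items to hand back with the assessment, and the dump file itself should be handled and destroyed like any other credential material.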

That’s all for now, check back soon for more in this series.

Thanks for reading.

6 Comments
  • This should do it. Check the spaces between datatable.3 and the script before it, and place your file in the right directory. :D

    ruby /opt/metasploit/msf3/tools/ntds_hashextract.rb ntds.export datatable.3 sys

  • Hi,
    thanks for the write-up. I’m stress-testing the tools with an 8GB ntds.dit. The esedbexport process seems to be doing fine. 8 hours have passed and my datatable.3 file is still growing steadily towards a similar size. Once this is finished there are multiple options to go. Do you have any recommendations or experience to confirm that this will work in a large scale environment?
    Thanks
    Don

  • Hi,

    I run this command:
    ruby /opt/metasploit/msf3/tools/ntds_hashextract.rb ntds.export/datatable.3 sys

    and get this result:
    /opt/metasploit/msf3/tools/ntds_hashextract.rb:101:in `update': can't convert nil into String (TypeError)
    from /opt/metasploit/msf3/tools/ntds_hashextract.rb:101:in `decrypt_pek'
    from /opt/metasploit/msf3/tools/ntds_hashextract.rb:175:in `'

    Do you have any idea why?

    • Yeah, so this isn’t included in the Metasploit framework yet. I am still working things out with the developers. If you want it to work you need to clone the entire pentestgeek repo and run from there.

      git clone https://github.com/pentestgeek/metasploit-framework.git