csababarta / ntdsxtract

Active Directory forensic framework
http://www.ntdsxtract.com
GNU General Public License v3.0

I can not get the password hashes from the Windows Server 2012 "ntds.dit" file #29

Open insinfo opened 6 years ago

insinfo commented 6 years ago

I can not get the password hashes from the Windows Server 2012 "ntds.dit" file

commands

In Windows Server 2012:

```bat
cscript vssown.vbs /create c
cscript vssown.vbs /list
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM
```

In Linux (Debian 8):

```sh
apt-get install libesedb-utils
cd /root
esedbexport -m tables /root/ntds.dit
wget "https://github.com/csababarta/ntdsxtract/archive/e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip"
unzip "e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip"
```

```sh
# $dir is not set in the commands as posted; /root matches the paths used above (assumed)
dir=/root
python ./ntdsxtract-e2fc6470cf54d9151bed394ce9ad3cd25be7c262/dsusers.py \
    $dir/ntds.dit.export/datatable.4 \
    $dir/ntds.dit.export/link_table.7 \
    $dir/results \
    --passwordhashes --passwordhistory \
    --syshive $dir/SYSTEM \
    --ntoutfile $dir/AD_NT_pass \
    --pwdformat john \
    --lmoutfile $dir/AD_LM_pass
```

output

...

Record ID:            5201
User name:            Vinicius Ferro Araujo
User principal name:
SAM Account name:     vinicius.araujo
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 e668db2e-073b-4d22-b200-f297163bb49d
SID:                  S-1-5-21-2337669984-3197530991-546699991-2079
When created:         2018-08-15 15:16:28+00:00
When changed:         2018-08-15 15:16:28+00:00
Account expires:      Never
Password last set:    Never
Last logon:           Never
Last logon timestamp: Never
Bad password time     Never
Logon count:          0
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
        ACCOUNTDISABLE
        PWD_NOTREQD
        NORMAL_ACCOUNT
Ancestors:
        $ROOT_OBJECT$, info, labti, PMRO, TI, Administradores, Vinicius Ferro Araujo
Password hashes:
Password history:

Files "ntds.dit" and "SYSTEM" to download:

https://drive.google.com/file/d/1NA0sHgmwNKxYGUQy6iyXIqO4E4hTxs9P/view?usp=sharing
https://drive.google.com/file/d/1qpCRdytDOYibE-fJvAE2ppMnGgEc0_Hk/view?usp=sharing
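Added example, not part of this issue and not code from the ntdsxtract project: a small Python triage of dsusers.py text output that separates three cases a practitioner has to tell apart when the "Password hashes:" field comes back empty. A record like the one quoted above (PWD_NOTREQD set and "Password last set: Never") is consistent with an account that never had a password stored, so no hash can be extracted from it; a disabled account alone is not treated as benign, because ACCOUNTDISABLE does not remove the stored hash. A record with a password last set date and no hash is the case worth investigating (wrong or mismatched SYSTEM hive, since its boot key decrypts the PEK that protects the hashes, or an incomplete esedbexport). The sample output below is constructed to follow the layout shown in this issue; the account names are made up and the NT hash is the well-known hash of the string "password".

```python
"""Triage dsusers.py text output: why is the "Password hashes:" field empty?"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the layout dsusers.py prints (not real AD data).
SAMPLE_OUTPUT = """\
Record ID:            5201
User name:            Service Account
SAM Account name:     svc.nopwd
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
Password last set:    Never
Bad password time     Never
User Account Control:
        ACCOUNTDISABLE
        PWD_NOTREQD
        NORMAL_ACCOUNT
Ancestors:
        $ROOT_OBJECT$, example, Users, Service Account
Password hashes:
Password history:

Record ID:            5202
User name:            Alice Example
SAM Account name:     alice
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
Password last set:    2018-08-15 15:20:00+00:00
User Account Control:
        NORMAL_ACCOUNT
Ancestors:
        $ROOT_OBJECT$, example, Users, Alice Example
Password hashes:
        alice:$NT$8846f7eaee8fb117ad06bdd830b7586c:::
Password history:

Record ID:            5203
User name:            Bob Example
SAM Account name:     bob
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
Password last set:    2018-08-15 15:21:00+00:00
User Account Control:
        NORMAL_ACCOUNT
Ancestors:
        $ROOT_OBJECT$, example, Users, Bob Example
Password hashes:
Password history:
"""


@dataclass
class Record:
    fields: Dict[str, str] = field(default_factory=dict)      # "Label: value" lines
    lists: Dict[str, List[str]] = field(default_factory=dict)  # indented lines under a label

    @property
    def sam(self) -> str:
        return self.fields.get("SAM Account name", "?")


def parse_dsusers_output(text: str) -> List[Record]:
    """Split the text into records; a new record starts at each 'Record ID:' line."""
    records: List[Record] = []
    current = None
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            # Indented continuation: UAC flags, ancestors, hash lines.
            if current is not None and key is not None:
                current.lists.setdefault(key, []).append(raw.strip())
            continue
        if ":" in raw:
            key, _, value = raw.partition(":")      # split at the first colon only
        else:
            # Some labels are printed without a colon (e.g. "Bad password time").
            parts = re.split(r"\s{2,}", raw, maxsplit=1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key, value = key.strip(), value.strip()
        if key == "Record ID":
            current = Record()
            records.append(current)
        if current is not None:
            current.fields[key] = value
            current.lists.setdefault(key, [])
    return records


def classify(rec: Record) -> str:
    """hash_present / no_password_set (benign) / hash_missing (investigate)."""
    if rec.lists.get("Password hashes"):
        return "hash_present"
    uac = set(rec.lists.get("User Account Control", []))
    if "PWD_NOTREQD" in uac and rec.fields.get("Password last set") == "Never":
        return "no_password_set"
    return "hash_missing"


def summarize(text: str) -> Dict[str, List[str]]:
    """Map each category to the sAMAccountNames that fall into it."""
    out: Dict[str, List[str]] = {}
    for rec in parse_dsusers_output(text):
        out.setdefault(classify(rec), []).append(rec.sam)
    return out


if __name__ == "__main__":
    for category, names in sorted(summarize(SAMPLE_OUTPUT).items()):
        print(f"{category:16} {', '.join(names)}")
```

Run it against a real dsusers.py run by reading the tool's stdout into `summarize()`; only the `hash_missing` group indicates an extraction problem worth chasing.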

wgroenewold commented 5 years ago

```sh
esedbexport -m tables /home/administrator/gitt/ntds.dit
python dsusers.py /usr/local/bin/ntds.dit.export/datatable.4 /usr/local/bin/ntds.dit.export/link_table.7 /usr/local/bin/hashdumpwork1 \
    --syshive /home/administrator/gitt/SYSTEM \
    --passwordhashes \
    --lmoutfile /home/administrator/gitt/lm-out.txt \
    --ntoutfile /home/administrator/gitt/nt-out.txt \
    --pwdformat ophc
```

https://pastebin.com/8AWzJe1e