search

fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com
Other
13.37k stars 3.56k forks source link

secretsdump.py empty output when dumping AD hashes. #1750

Closed D33-J3sus closed 1 month ago

D33-J3sus commented 4 months ago

Configuration

impacket version: v0.11.0 Python version: Python3 Target OS: Kali Linux

Hello. I am attempting to dump active directory password hashes for cracking, but after running secretsdump, all of the output files are empty. There seem to be no errors indicated, but no hashes are parsed also. Below I will provide a sample of the command string and debugged output, as well as a screenshot showing the empty output files.

Any pointers or advice would be greatly appreciated, as I can't decipher what I might be doing wrong. I've followed multiple walkthroughs and guides to a T, and this seems to be the defacto method.

secretsdump_output

empty_files

Debug Output With Command String

secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL -outputfile hashdump

Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket [+] Retrieving class info for JD [+] Unknown type 0xb'a\x00' [+] Retrieving class info for Skew1 [+] Unknown type 0xb'c\x00' [+] Retrieving class info for GBG [+] Unknown type 0xb'8\x00' [+] Retrieving class info for Data [+] Unknown type 0xb'9\x00' [] Target system bootKey: 0x83e9cff7f913a8e6a2acb2915eb14f98 [+] Checking NoLMHash Policy [+] LMHashes are NOT being stored [+] Mounting DB... [+] Trying to fetch page -1 (0x0) [+] Database Version:0x620, Revision:0x14 [+] Page Size: 8192 [+] Total Pages in file: 1534 [+] Trying to fetch page 4 (0xa000) [+] Trying to fetch page 13 (0x1c000) [+] Trying to fetch page 14 (0x1e000) [+] Trying to fetch page 19 (0x28000) [+] Trying to fetch page 20 (0x2a000) [+] Trying to fetch page 21 (0x2c000) [+] Trying to fetch page 22 (0x2e000) [+] Trying to fetch page 23 (0x30000) [+] Trying to fetch page 126 (0xfe000) [+] Trying to fetch page 151 (0x130000) [+] Trying to fetch page 152 (0x132000) [+] Trying to fetch page 153 (0x134000) [+] Trying to fetch page 154 (0x136000) [+] Trying to fetch page 157 (0x13c000) [+] Trying to fetch page 159 (0x140000) [+] Trying to fetch page 160 (0x142000) [+] Trying to fetch page 158 (0x13e000) [+] Trying to fetch page 155 (0x138000) [+] Trying to fetch page 156 (0x13a000) [+] Trying to fetch page 31 (0x40000) [+] Trying to fetch page 36 (0x4a000) [+] Saving output to hashdump [] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Searching for pekList, be patient [+] Trying to fetch page 880 (0x6e2000) [+] Trying to fetch page 64 (0x82000) [+] Trying to fetch page 65 (0x84000) [+] Trying to fetch page 66 (0x86000) [+] Trying to fetch page 67 (0x88000) [+] Trying to fetch page 68 (0x8a000) [+] Trying to fetch page 69 (0x8c000) [+] Trying to fetch page 70 (0x8e000) [+] Trying to fetch page 71 (0x90000) [+] Trying to fetch page 72 (0x92000) [+] Trying to fetch page 73 (0x94000) [+] Trying to fetch page 74 (0x96000) [+] Trying to fetch page 75 (0x98000) [+] Trying to fetch page 76 (0x9a000) [+] Trying to fetch page 77 (0x9c000) [+] Trying to fetch page 78 (0x9e000) [+] Trying to fetch page 79 (0xa0000) [+] Trying to fetch page 80 (0xa2000) [+] Trying to fetch page 81 (0xa4000) [+] Trying to fetch page 82 (0xa6000) [+] Trying to fetch page 83 (0xa8000) [+] Trying to fetch page 84 (0xaa000) [+] Trying to fetch page 85 (0xac000) [+] Trying to fetch page 86 (0xae000) [+] Trying to fetch page 87 (0xb0000) [+] Trying to fetch page 88 (0xb2000) [+] Trying to fetch page 89 (0xb4000) [+] Trying to fetch page 90 (0xb6000) [+] Trying to fetch page 91 (0xb8000) [+] Trying to fetch page 92 (0xba000) [+] Trying to fetch page 93 (0xbc000) [+] Trying to fetch page 94 (0xbe000) [+] Trying to fetch page 95 (0xc0000) [+] Trying to fetch page 96 (0xc2000) [+] Trying to fetch page 97 (0xc4000) [+] Trying to fetch page 98 (0xc6000) [+] Trying to fetch page 99 (0xc8000) [+] Trying to fetch page 100 (0xca000) [+] Trying to fetch page 101 (0xcc000) [+] Trying to fetch page 102 (0xce000) [+] Trying to fetch page 103 (0xd0000) [+] Trying to fetch page 104 (0xd2000) [+] Trying to fetch page 105 (0xd4000) [+] Trying to fetch page 106 (0xd6000) [+] Trying to fetch page 107 (0xd8000) [+] Trying to fetch page 108 (0xda000) [+] Trying to fetch page 109 (0xdc000) [+] Trying to fetch page 110 (0xde000) [+] Trying to fetch page 111 (0xe0000) [+] Trying to fetch page 112 (0xe2000) [+] Trying to fetch page 113 (0xe4000) [+] Trying to fetch page 114 (0xe6000) [+] Trying to fetch page 115 (0xe8000) [+] Trying to fetch page 116 (0xea000) [+] Trying to fetch page 117 (0xec000) [+] Trying to fetch page 118 (0xee000) [+] Trying to fetch page 119 (0xf0000) [+] Trying to fetch page 120 (0xf2000) [+] Trying to fetch page 191 (0x180000) [+] Trying to fetch page 192 (0x182000) [+] Trying to fetch page 193 (0x184000) [+] Trying to fetch page 194 (0x186000) [+] Trying to fetch page 195 (0x188000) [+] Trying to fetch page 196 (0x18a000) [+] Trying to fetch page 197 (0x18c000) [+] Trying to fetch page 198 (0x18e000) [+] Trying to fetch page 199 (0x190000) [+] Trying to fetch page 200 (0x192000) [+] Trying to fetch page 201 (0x194000) [+] Trying to fetch page 202 (0x196000) [+] Trying to fetch page 203 (0x198000) [+] Trying to fetch page 204 (0x19a000) [+] Trying to fetch page 205 (0x19c000) [+] Trying to fetch page 206 (0x19e000) [+] Trying to fetch page 207 (0x1a0000) [+] Trying to fetch page 208 (0x1a2000) [+] Trying to fetch page 209 (0x1a4000) [+] Trying to fetch page 210 (0x1a6000) [+] Trying to fetch page 211 (0x1a8000) [+] Trying to fetch page 212 (0x1aa000) [+] Trying to fetch page 213 (0x1ac000) [+] Trying to fetch page 214 (0x1ae000) [+] Trying to fetch page 215 (0x1b0000) [+] Trying to fetch page 216 (0x1b2000) [+] Trying to fetch page 217 (0x1b4000) [+] Trying to fetch page 218 (0x1b6000) [+] Trying to fetch page 219 (0x1b8000) [+] Trying to fetch page 220 (0x1ba000) [+] Trying to fetch page 221 (0x1bc000) [+] Trying to fetch page 222 (0x1be000) [+] Trying to fetch page 223 (0x1c0000) [+] Trying to fetch page 224 (0x1c2000) [+] Trying to fetch page 225 (0x1c4000) [+] Trying to fetch page 226 (0x1c6000) [+] Trying to fetch page 227 (0x1c8000) [+] Trying to fetch page 228 (0x1ca000) [+] Trying to fetch page 229 (0x1cc000) [+] Trying to fetch page 230 (0x1ce000) [+] Trying to fetch page 231 (0x1d0000) [+] Trying to fetch page 232 (0x1d2000) [+] Trying to fetch page 233 (0x1d4000) [+] Trying to fetch page 234 (0x1d6000) [+] Trying to fetch page 235 (0x1d8000) [+] Trying to fetch page 236 (0x1da000) [+] Trying to fetch page 237 (0x1dc000) [+] Trying to fetch page 238 (0x1de000) [+] Trying to fetch page 239 (0x1e0000) [+] Trying to fetch page 240 (0x1e2000) [+] Trying to fetch page 241 (0x1e4000) [+] Trying to fetch page 242 (0x1e6000) [+] Trying to fetch page 243 (0x1e8000) [+] Trying to fetch page 244 (0x1ea000) [+] Trying to fetch page 245 (0x1ec000) [+] Trying to fetch page 246 (0x1ee000) [+] Trying to fetch page 247 (0x1f0000) [+] Trying to fetch page 248 (0x1f2000) [+] Trying to fetch page 249 (0x1f4000) [+] Trying to fetch page 250 (0x1f6000) [+] Trying to fetch page 251 (0x1f8000) [+] Trying to fetch page 252 (0x1fa000) [+] Trying to fetch page 253 (0x1fc000) [+] Trying to fetch page 254 (0x1fe000) [+] Trying to fetch page 531 (0x428000) [+] Trying to fetch page 532 (0x42a000) [+] Trying to fetch page 533 (0x42c000) [+] Trying to fetch page 534 (0x42e000) [+] Trying to fetch page 535 (0x430000) [+] Trying to fetch page 536 (0x432000) [+] Trying to fetch page 537 (0x434000) [+] Trying to fetch page 538 (0x436000) [+] Trying to fetch page 539 (0x438000) [+] Trying to fetch page 540 (0x43a000) [+] Trying to fetch page 541 (0x43c000) [+] Trying to fetch page 542 (0x43e000) [+] Trying to fetch page 543 (0x440000) [+] Trying to fetch page 544 (0x442000) [+] Trying to fetch page 545 (0x444000) [+] Trying to fetch page 546 (0x446000) [+] Trying to fetch page 547 (0x448000) [+] Trying to fetch page 548 (0x44a000) [+] Trying to fetch page 549 (0x44c000) [+] Trying to fetch page 550 (0x44e000) [+] Trying to fetch page 551 (0x450000) [+] Trying to fetch page 552 (0x452000) [+] Trying to fetch page 553 (0x454000) [+] Trying to fetch page 554 (0x456000) [+] Trying to fetch page 555 (0x458000) [+] Trying to fetch page 556 (0x45a000) [+] Trying to fetch page 557 (0x45c000) [+] Trying to fetch page 558 (0x45e000) [+] Trying to fetch page 559 (0x460000) [+] Trying to fetch page 560 (0x462000) [+] Trying to fetch page 561 (0x464000) [+] Trying to fetch page 562 (0x466000) [+] Trying to fetch page 563 (0x468000) [+] Trying to fetch page 564 (0x46a000) [+] Trying to fetch page 565 (0x46c000) [+] Trying to fetch page 566 (0x46e000) [+] Trying to fetch page 567 (0x470000) [+] Trying to fetch page 568 (0x472000) [+] Trying to fetch page 569 (0x474000) [+] Trying to fetch page 570 (0x476000) [+] Trying to fetch page 571 (0x478000) [+] Trying to fetch page 572 (0x47a000) [+] Trying to fetch page 573 (0x47c000) [+] Trying to fetch page 574 (0x47e000) [+] Trying to fetch page 575 (0x480000) [+] Trying to fetch page 576 (0x482000) [+] Trying to fetch page 577 (0x484000) [+] Trying to fetch page 578 (0x486000) [+] Trying to fetch page 579 (0x488000) [+] Trying to fetch page 580 (0x48a000) [+] Trying to fetch page 581 (0x48c000) [+] Trying to fetch page 582 (0x48e000) [+] Trying to fetch page 583 (0x490000) [+] Trying to fetch page 584 (0x492000) [+] Trying to fetch page 585 (0x494000) [+] Trying to fetch page 586 (0x496000) [+] Trying to fetch page 587 (0x498000) [+] Trying to fetch page 588 (0x49a000) [+] Trying to fetch page 589 (0x49c000) [+] Trying to fetch page 590 (0x49e000) [+] Trying to fetch page 591 (0x4a0000) [+] Trying to fetch page 592 (0x4a2000) [+] Trying to fetch page 593 (0x4a4000) [+] Trying to fetch page 594 (0x4a6000) [+] Trying to fetch page 595 (0x4a8000) [+] Trying to fetch page 596 (0x4aa000) [+] Trying to fetch page 597 (0x4ac000) [+] Trying to fetch page 598 (0x4ae000) [+] Trying to fetch page 599 (0x4b0000) [+] Trying to fetch page 600 (0x4b2000) [+] Trying to fetch page 601 (0x4b4000) [+] Trying to fetch page 602 (0x4b6000) [+] Trying to fetch page 603 (0x4b8000) [+] Trying to fetch page 604 (0x4ba000) [+] Trying to fetch page 605 (0x4bc000) [+] Trying to fetch page 606 (0x4be000) [+] Trying to fetch page 607 (0x4c0000) [+] Trying to fetch page 608 (0x4c2000) [+] Trying to fetch page 609 (0x4c4000) [+] Trying to fetch page 610 (0x4c6000) [+] Trying to fetch page 611 (0x4c8000) [+] Trying to fetch page 612 (0x4ca000) [+] Trying to fetch page 613 (0x4cc000) [+] Trying to fetch page 614 (0x4ce000) [+] Trying to fetch page 615 (0x4d0000) [+] Trying to fetch page 616 (0x4d2000) [+] Trying to fetch page 617 (0x4d4000) [+] Trying to fetch page 618 (0x4d6000) [+] Trying to fetch page 619 (0x4d8000) [+] Trying to fetch page 620 (0x4da000) [+] Trying to fetch page 673 (0x544000) [+] Trying to fetch page 674 (0x546000) [+] Trying to fetch page 675 (0x548000) [+] Trying to fetch page 676 (0x54a000) [+] Trying to fetch page 677 (0x54c000) [+] Trying to fetch page 678 (0x54e000) [+] Trying to fetch page 679 (0x550000) [+] Trying to fetch page 680 (0x552000) [+] Trying to fetch page 681 (0x554000) [+] Trying to fetch page 682 (0x556000) [+] Trying to fetch page 683 (0x558000) [+] Trying to fetch page 684 (0x55a000) [+] Trying to fetch page 685 (0x55c000) [+] Trying to fetch page 686 (0x55e000) [+] Trying to fetch page 687 (0x560000) [+] Trying to fetch page 688 (0x562000) [+] Trying to fetch page 689 (0x564000) [+] Trying to fetch page 690 (0x566000) [+] Trying to fetch page 691 (0x568000) [+] Trying to fetch page 692 (0x56a000) [+] Trying to fetch page 693 (0x56c000) [+] Trying to fetch page 694 (0x56e000) [+] Trying to fetch page 695 (0x570000) [+] Trying to fetch page 696 (0x572000) [+] Trying to fetch page 697 (0x574000) [+] Trying to fetch page 698 (0x576000) [+] Trying to fetch page 699 (0x578000) [+] Trying to fetch page 700 (0x57a000) [+] Trying to fetch page 701 (0x57c000) [+] Trying to fetch page 702 (0x57e000) [+] Trying to fetch page 703 (0x580000) [+] Trying to fetch page 704 (0x582000) [+] Trying to fetch page 705 (0x584000) [+] Trying to fetch page 706 (0x586000) [+] Trying to fetch page 707 (0x588000) [+] Trying to fetch page 708 (0x58a000) [+] Trying to fetch page 709 (0x58c000) [+] Trying to fetch page 710 (0x58e000) [+] Trying to fetch page 711 (0x590000) [+] Trying to fetch page 712 (0x592000) [+] Trying to fetch page 713 (0x594000) [+] Trying to fetch page 714 (0x596000) [+] Trying to fetch page 715 (0x598000) [+] Trying to fetch page 716 (0x59a000) [+] Trying to fetch page 717 (0x59c000) [+] Trying to fetch page 718 (0x59e000) [+] Trying to fetch page 719 (0x5a0000) [+] Trying to fetch page 720 (0x5a2000) [+] Trying to fetch page 721 (0x5a4000) [+] Trying to fetch page 722 (0x5a6000) [+] Trying to fetch page 723 (0x5a8000) [+] Trying to fetch page 724 (0x5aa000) [+] Trying to fetch page 725 (0x5ac000) [+] Trying to fetch page 726 (0x5ae000) [+] Trying to fetch page 727 (0x5b0000) [+] Trying to fetch page 728 (0x5b2000) [+] Trying to fetch page 729 (0x5b4000) [+] Trying to fetch page 730 (0x5b6000) [+] Trying to fetch page 731 (0x5b8000) [+] Trying to fetch page 732 (0x5ba000) [+] Trying to fetch page 733 (0x5bc000) [+] Trying to fetch page 734 (0x5be000) [+] Trying to fetch page 735 (0x5c0000) [+] Trying to fetch page 736 (0x5c2000) [+] Trying to fetch page 737 (0x5c4000) [+] Trying to fetch page 738 (0x5c6000) [+] Trying to fetch page 739 (0x5c8000) [+] Trying to fetch page 740 (0x5ca000) [+] Trying to fetch page 741 (0x5cc000) [+] Trying to fetch page 742 (0x5ce000) [+] Trying to fetch page 743 (0x5d0000) [+] Trying to fetch page 744 (0x5d2000) [+] Trying to fetch page 745 (0x5d4000) [+] Trying to fetch page 746 (0x5d6000) [+] Trying to fetch page 747 (0x5d8000) [+] Trying to fetch page 748 (0x5da000) [+] Trying to fetch page 749 (0x5dc000) [+] Trying to fetch page 750 (0x5de000) [+] Trying to fetch page 751 (0x5e0000) [+] Trying to fetch page 752 (0x5e2000) [+] Trying to fetch page 753 (0x5e4000) [+] Trying to fetch page 754 (0x5e6000) [+] Trying to fetch page 755 (0x5e8000) [+] Trying to fetch page 756 (0x5ea000) [+] Trying to fetch page 757 (0x5ec000) [+] Trying to fetch page 758 (0x5ee000) [+] Trying to fetch page 759 (0x5f0000) [+] Trying to fetch page 760 (0x5f2000) [+] Trying to fetch page 761 (0x5f4000) [+] Trying to fetch page 762 (0x5f6000) [+] Trying to fetch page 867 (0x6c8000) [+] Trying to fetch page 868 (0x6ca000) [+] Trying to fetch page 869 (0x6cc000) [+] Trying to fetch page 870 (0x6ce000) [+] Trying to fetch page 871 (0x6d0000) [+] Trying to fetch page 872 (0x6d2000) [+] Trying to fetch page 873 (0x6d4000) [+] Trying to fetch page 874 (0x6d6000) [+] Trying to fetch page 875 (0x6d8000) [+] Trying to fetch page 876 (0x6da000) [+] Trying to fetch page 877 (0x6dc000) [+] Trying to fetch page 878 (0x6de000) [+] Trying to fetch page 879 (0x6e0000) [+] Trying to fetch page 881 (0x6e4000) [+] Trying to fetch page 882 (0x6e6000) [+] Trying to fetch page 883 (0x6e8000) [+] Trying to fetch page 884 (0x6ea000) [+] Trying to fetch page 885 (0x6ec000) [+] Trying to fetch page 886 (0x6ee000) [+] Trying to fetch page 887 (0x6f0000) [+] Trying to fetch page 888 (0x6f2000) [+] Trying to fetch page 889 (0x6f4000) [+] Trying to fetch page 890 (0x6f6000) [+] Trying to fetch page 891 (0x6f8000) [+] Trying to fetch page 892 (0x6fa000) [+] Trying to fetch page 893 (0x6fc000) [+] Trying to fetch page 894 (0x6fe000) [+] Trying to fetch page 895 (0x700000) [] Reading and decrypting hashes from ntds.dit [+] Finished processing and printing user's hashes, now printing supplemental information [] Cleaning up...

I've seen only one other thread open for a similar issue, but the OP did not update, and therefore the results were inconclusive. Also, the integrity of the ntds.dit and SYSTEM files have been verified, and neither seem to be corrupted.

cashewkernchen commented 2 months ago

Any chance you're using the ntds.dit file you received from C:\Windows\system32\ (distribution copy of the default directory) instead of the one located in C:\Windows\NTDS\ that contains the data you want to dump? I can reproduce the behaviour you described by using the default ntds.dit from C:\Windows\system32\.

D33-J3sus commented 1 month ago

Any chance you're using the ntds.dit file you received from C:\Windows\system32\ (distribution copy of the default directory) instead of the one located in C:\Windows\NTDS\ that contains the data you want to dump? I can reproduce the behaviour you described by using the default ntds.dit from C:\Windows\system32\.

Thank you, for the lead! I confirmed with one of the engineers that this was indeed the case. After exporting the dit file from the correct path C:\Windows\NTDS\ I was able to run secretsdump against it to extract the ntlm hashes.

Thanks again for the help.