johannwmeyer / quarkspwdump

Automatically exported from code.google.com/p/quarkspwdump

Integrate VSSOwn to get copy of NTDS.DIT #1

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Great idea to combine all the tools in one. 

I think you should also integrate VSSOwn in order to get a copy of the NTDS.DIT 
file. This way, your tool could replace all other tools.

Original issue reported on code.google.com by ector.du...@gmail.com on 18 May 2012 at 8:09

GoogleCodeExporter commented 9 years ago
Yes, that's a good idea and it will be added in a further release.

I have to use Volume Shadow Copy Service SDK 7.2 available at 
http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=23490

Original comment by deessk@gmail.com on 21 May 2012 at 11:12

GoogleCodeExporter commented 9 years ago
Just to give you some information, I used VSSOwn to extract the NTDS.DIT file 
and tried to use Quarkspwdump on the copy, I get the following error:

[+] SYSKEY restrieving...[OK]
SYSKEY = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[+] Init JET engine...OK
[+] Open Database ntds.dit...ERROR : JetAttachDatabase() failed with JET_ERR = 
-550
Details : JET_errDatabaseDirtyShutdown, Database was not shutdown cleanly. 
Recovery must first be run to properly complete database operations for the 
previous shutdown.
[!] NTDS_OpenDatabase failed!

I hope it can help you to add this functionality faster.

Original comment by ector.du...@gmail.com on 21 May 2012 at 11:48

GoogleCodeExporter commented 9 years ago
Thanx, did you run the tool on the same OS?

Original comment by deessk@gmail.com on 21 May 2012 at 4:07

GoogleCodeExporter commented 9 years ago
Yes, both tools (VSSOwn and Quarks) were used with cmd in Admin on a DC with 
2008R2

Original comment by ector.du...@gmail.com on 22 May 2012 at 6:22

GoogleCodeExporter commented 9 years ago
Can you try to do a "eseutil /p" on the ntds database to repair it? 

Also, try to use the manual method written in README.txt which uses ntdsutil 
with VSS, it should resolve some conflicts between AD DS and standard VSS 
snapshots.

Original comment by deessk@gmail.com on 22 May 2012 at 7:27

GoogleCodeExporter commented 9 years ago
I have tried to use "eseutil /p", it fails during DEFRAGMENTATION (around 45%) 
with the following error:

"Operation terminated with error -327 (JET_errBadPageLink, Database corrupted) 
after 4.0 seconds."

Using the manual method in the README.txt was successful. I really wonder why 
VSSOwn is not providing a working ntds.dit.

Anyway, great tool.

Original comment by ector.du...@gmail.com on 22 May 2012 at 8:52

GoogleCodeExporter commented 9 years ago
VSSOwn may not work because it does not properly validate that AD services aren't 
writing when the snapshot is created. So the database could be in an inconsistent 
state (corrupted, bad checksum, not properly shut down, ...).

When you use ntdsutil, you specifically define an NTDS-type snapshot when using 
"activate instance ntds". It allows you to safely copy AD-linked files with VSS.

http://technet.microsoft.com/en-us/library/cc753343(v=ws.10).aspx

It's a bit confusing from MS, but there are many ways to use VSS, and an AD files 
snapshot is a specific case which must be handled by ntdsutil.

Original comment by deessk@gmail.com on 22 May 2012 at 9:10
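The thread above describes the two offline paths to a domain hash dump: an ad-hoc VSS snapshot that yields a dirty-shutdown ntds.dit (followed by an "eseutil /p" repair attempt), and the supported ntdsutil "activate instance ntds" snapshot. Every step in either path is a process creation on the domain controller, so a defender can recognise the chain from command-line telemetry. The following is an added detection example, not code from the QuarksPwDump project or from anyone in this thread; the event records are constructed samples in a simplified "user / parent / command line" shape, the rule names and the backup-account allowlist are hypothetical, and real deployments would feed it from Windows process-creation events (4688 or Sysmon 1) and tune the allowlist to their own backup accounts.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Hypothetical rule set: (rule id, description, regex over the command line).
# Each rule covers one step discussed in the issue thread; the shadow-copy
# device path is the well-known VSS path a copy from a snapshot reads from.
RULES = [
    ("AD-SNAPSHOT",
     "ntdsutil run with the ntds instance activated (AD snapshot)",
     re.compile(r"ntdsutil.*activate\s+instance\s+ntds", re.I)),
    ("AD-DB-REPAIR",
     "offline repair of ntds.dit with eseutil /p (dirty-shutdown recovery)",
     re.compile(r"(eseutil|esentutl)(\.exe)?\s+/p\b.*ntds\.dit", re.I)),
    ("AD-DB-SHADOW-COPY",
     "ntds.dit copied out of a Volume Shadow Copy device path",
     re.compile(r"(copy|xcopy|robocopy).*HarddiskVolumeShadowCopy.*ntds\.dit", re.I)),
    ("AD-HASH-DUMP",
     "QuarksPwDump domain hash extraction",
     re.compile(r"quarkspwdump.*--dump-hash-domain", re.I)),
]

# Constructed sample events (not real telemetry). A backup service account
# legitimately snapshots AD; an interactive user walks the whole chain.
SAMPLE_EVENTS = [
    {"user": r"CONTOSO\svc-backup", "parent": "wbengine.exe",
     "cmdline": "vssadmin list shadows"},
    {"user": r"CONTOSO\svc-backup", "parent": "wbengine.exe",
     "cmdline": 'ntdsutil.exe "activate instance ntds" snapshot create quit quit'},
    {"user": r"CONTOSO\jdoe", "parent": "cmd.exe",
     "cmdline": 'ntdsutil.exe "activate instance ntds" snapshot create quit quit'},
    {"user": r"CONTOSO\jdoe", "parent": "cmd.exe",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\temp\ntds.dit"},
    {"user": r"CONTOSO\jdoe", "parent": "cmd.exe",
     "cmdline": r"eseutil.exe /p C:\temp\ntds.dit"},
    {"user": r"CONTOSO\jdoe", "parent": "cmd.exe",
     "cmdline": r"QuarksPwDump.exe --dump-hash-domain --with-history C:\temp\ntds.dit"},
]


@dataclass
class Finding:
    rule_id: str
    user: str
    cmdline: str
    suppressed: bool  # True when the actor is an allowlisted backup account


def scan(events: Iterable[Dict[str, str]],
         allowed_accounts: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Match every event against every rule. Allowlisted accounts still
    produce findings (kept for audit) but are marked suppressed."""
    allowed = {a.lower() for a in allowed_accounts}
    findings: List[Finding] = []
    for ev in events:
        for rule_id, _desc, rx in RULES:
            if rx.search(ev["cmdline"]):
                findings.append(Finding(rule_id, ev["user"], ev["cmdline"],
                                        ev["user"].lower() in allowed))
    return findings


def triage(events: Iterable[Dict[str, str]],
           allowed_accounts: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Group non-suppressed findings by user and keep only users who trip two
    or more distinct rules: one snapshot is routine administration, but
    snapshot + copy-out + repair + dump is the offline credential-dump chain."""
    by_user: Dict[str, set] = {}
    for f in scan(events, allowed_accounts):
        if not f.suppressed:
            by_user.setdefault(f.user, set()).add(f.rule_id)
    return {u: sorted(r) for u, r in by_user.items() if len(r) >= 2}


if __name__ == "__main__":
    for user, rules in triage(SAMPLE_EVENTS, frozenset({r"CONTOSO\svc-backup"})).items():
        print(f"{user}: {', '.join(rules)}")
```

On the constructed sample, the backup account's single snapshot is recorded but suppressed, while the interactive user is reported with all four rules. The allowlist is deliberately per-account rather than per-command, because the legitimate and the malicious snapshot commands are identical; what separates them is who ran them and what followed.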

GoogleCodeExporter commented 9 years ago
Thanks for the info. I may need to dive deeper into Win internals to fully 
understand your tool.

Do you have any ETA for the next release which could include VSS handling 
directly in QuarksPwDump? I may need it for a security assessment soon.

Original comment by ector.du...@gmail.com on 22 May 2012 at 9:14

GoogleCodeExporter commented 9 years ago
BTW, just a few remarks on the CLI usage:
- I don't know if you can do this easily in a Win CLI app, but it would be great if 
parameter order was not important

- The NTDS.dit file should be a parameter of a flag (-f or --file)

- Can you also support short flags à la Unix? Considering the few options the 
prog offers, it's really a pain in the a$$ to write the "--dump-hash-domain 
--with-history" instead of a "-d -hist" for example.

If you need any help on testing the soft, I can help you. I may even be able to 
contribute on the code.

Original comment by ector.du...@gmail.com on 22 May 2012 at 9:33

GoogleCodeExporter commented 9 years ago
Yes, it can be done easily; the ntds.dit filename is the only parameter which needs 
to be at the end of the command line. All others can be reordered.

Short flags are also a good idea, I keep it in my TODO list :)

If you want to contribute, we can discuss it by mails, it's an interesting 
proposition.

Original comment by deessk@gmail.com on 24 May 2012 at 8:30