Open GoogleCodeExporter opened 9 years ago
Yes, that's a good idea and it will be added in a future release.
I have to use Volume Shadow Copy Service SDK 7.2 available at
http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=23490
Original comment by deessk@gmail.com
on 21 May 2012 at 11:12
Just to give you some information, I used VSSOwn to extract the NTDS.DIT file
and tried to use Quarkspwdump on the copy, I get the following error:
[+] SYSKEY restrieving...[OK]
SYSKEY = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[+] Init JET engine...OK
[+] Open Database ntds.dit...ERROR : JetAttachDatabase() failed with JET_ERR = -550
Details : JET_errDatabaseDirtyShutdown, Database was not shutdown cleanly.
Recovery must first be run to properly complete database operations for the
previous shutdown.
[!] NTDS_OpenDatabase failed!
I hope it can help you to add this functionality faster.
Original comment by ector.du...@gmail.com
on 21 May 2012 at 11:48
Thanks, did you run the tool on the same OS?
Original comment by deessk@gmail.com
on 21 May 2012 at 4:07
Yes, both tools (VSSOwn and Quarks) were run from an admin cmd on a DC running 2008 R2.
Original comment by ector.du...@gmail.com
on 22 May 2012 at 6:22
Can you try running "eseutil /p" on the ntds database to repair it?
Also, try the manual method described in README.txt, which uses ntdsutil with VSS; it should resolve some conflicts between AD DS and standard VSS snapshots.
Original comment by deessk@gmail.com
on 22 May 2012 at 7:27
I tried "eseutil /p"; it fails during DEFRAGMENTATION (around 45%) with the following error:
"Operation terminated with error -327 (JET_errBadPageLink, Database corrupted)
after 4.0 seconds."
Using the manual method from the README.txt was successful. I really wonder why VSSOwn is not providing a working ntds.dit.
Anyway, great tool.
Original comment by ector.du...@gmail.com
on 22 May 2012 at 8:52
VSSOwn may not work because it does not properly validate that the AD services aren't writing when the snapshot is created. So the database could be in an inconsistent state (corrupted, bad checksum, not properly shut down, ...).
When you use ntdsutil, you specifically request an NTDS-type snapshot by using "activate instance ntds". It allows you to safely copy the AD-linked files with VSS.
http://technet.microsoft.com/en-us/library/cc753343(v=ws.10).aspx
It's a bit confusing on MS's side, but there are many ways to use VSS, and an AD files snapshot is a specific case which must be handled by ntdsutil.
Original comment by deessk@gmail.com
on 22 May 2012 at 9:10
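The ntdsutil procedure described in the comment above, written out as an added example (this is not QuarksPwDump's own code and not the README's text): it takes the snapshot through "activate instance ntds", mounts the set, copies ntds.dit (plus its edb* log files) and the SYSTEM hive needed for the SYSKEY, cleans up the snapshot, and finally checks the copied database header so you know before running Quarks whether the copy is in the "Dirty Shutdown" state that produces JET_errDatabaseDirtyShutdown. Assumptions: it runs in an elevated PowerShell on the DC itself, the ntdsutil output lines it matches ("Snapshot set {GUID} generated successfully." and "... mounted as C:\$SNAP_..._VOLUMEC$\") have that wording on your OS version, and the output folder $Dest is yours to choose.

```powershell
# Added example, not part of QuarksPwDump: AD-aware VSS copy of ntds.dit via ntdsutil.
# Assumes an elevated PowerShell on the DC and the ntdsutil output formats matched below.
param([string]$Dest = 'C:\ntds-export')   # $Dest is an assumed output folder

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $Dest | Out-Null

# Where AD DS keeps its database; used to pick the right volume and path inside the snapshot.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath = (Get-ItemProperty $ntdsParams).'DSA Database file'   # e.g. C:\Windows\NTDS\ntds.dit
$drive  = (Split-Path $dbPath -Qualifier).TrimEnd(':')          # e.g. "C"
$relDir = Split-Path (Split-Path $dbPath -NoQualifier) -Parent  # e.g. \Windows\NTDS

# 1. Create the snapshot through the NTDS instance, so the AD DS VSS writer quiesces the database.
$createOut = & ntdsutil.exe 'activate instance ntds' 'snapshot' 'create' 'quit' 'quit' 2>&1 | Out-String
Write-Host $createOut
$m = [regex]::Match($createOut, 'Snapshot set (\{[0-9a-fA-F-]+\}) generated successfully')
if (-not $m.Success) { throw 'ntdsutil did not report a snapshot set GUID; see output above' }
$setGuid = $m.Groups[1].Value

try {
    # 2. Mount the whole set; ntdsutil prints one "mounted as <path>" line per volume in the set.
    $mountOut = & ntdsutil.exe 'snapshot' "mount $setGuid" 'quit' 'quit' 2>&1 | Out-String
    Write-Host $mountOut
    $pattern   = '[A-Za-z]:\\\$SNAP_\d+_VOLUME' + [regex]::Escape($drive) + '\$'
    $mountRoot = [regex]::Match($mountOut, $pattern).Value       # e.g. C:\$SNAP_201205221012_VOLUMEC$
    if (-not $mountRoot) { throw "no mount point for volume $drive found in ntdsutil output" }

    # 3. Copy the database and its transaction logs out of the snapshot, plus the SYSTEM hive for the SYSKEY.
    $snapNtdsDir = Join-Path $mountRoot $relDir
    Copy-Item (Join-Path $snapNtdsDir 'ntds.dit') $Dest
    Copy-Item (Join-Path $snapNtdsDir 'edb*') $Dest -ErrorAction SilentlyContinue
    & reg.exe save HKLM\SYSTEM (Join-Path $Dest 'SYSTEM') /y | Out-Null
}
finally {
    # 4. Always unmount and delete the snapshot, even if the copy failed, so no mounted copy of the DIT lingers.
    & ntdsutil.exe 'snapshot' "unmount $setGuid" "delete $setGuid" 'quit' 'quit' 2>&1 | Out-Null
}

# 5. Check the copied database header. A "Dirty Shutdown" state here is exactly what makes
#    JetAttachDatabase() fail with JET_errDatabaseDirtyShutdown (-550) in QuarksPwDump.
$hdr   = & esentutl.exe /mh (Join-Path $Dest 'ntds.dit') 2>&1 | Out-String
$state = [regex]::Match($hdr, 'State:\s*(.+)').Groups[1].Value.Trim()
Write-Host "ntds.dit copied to $Dest, header state: $state"
Get-ChildItem $Dest
```

If the header reports "Dirty Shutdown" on the copy, run recovery or repair on it with esentutl (esentutl.exe is the Windows-shipped counterpart of the Exchange "eseutil" named in the thread) before pointing QuarksPwDump at it; the edb* logs are copied alongside so that a log replay has what it needs. Because the mount point path embeds a timestamp and the volume letter, the script derives it from ntdsutil's own output rather than hard-coding it.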
Thanks for the info. I may need to dive deeper into Win internals to fully
understand your tool.
Do you have any ETA for the next release, which could include VSS handling directly in QuarksPwDump? I may need it for a security assessment soon.
Original comment by ector.du...@gmail.com
on 22 May 2012 at 9:14
BTW, just a few remarks on the CLI usage:
- I don't know if this is easy to do in a Windows CLI app, but it would be great if parameter order were not important.
- The NTDS.dit file should be the argument of a flag (-f or --file).
- Can you also support short flags à la Unix? Considering the few options the program offers, it's really a pain in the a$$ to write "--dump-hash-domain --with-history" instead of "-d -hist", for example.
If you need any help testing the software, I can help you. I may even be able to contribute to the code.
Original comment by ector.du...@gmail.com
on 22 May 2012 at 9:33
Yes, it can be done easily; the ntds.dit filename is the only parameter which needs to be at the end of the command line. All the others can be reordered.
Short flags are also a good idea, I'll keep it on my TODO list :)
If you want to contribute, we can discuss it by mail; it's an interesting proposition.
Original comment by deessk@gmail.com
on 24 May 2012 at 8:30
Original issue reported on code.google.com by ector.du...@gmail.com on 18 May 2012 at 8:09