Merry Christmas and Happy New Year

Another Christmas is soon about us, another year is almost near.
Would like to thank everyone we hold dear.
You have all made Kioptrix what we are,
Everyone near and far.

We had planned to stay small but fair,
Without tearing out much of our hair.
We have succeeded in continuing on for another year,
Thank you very much, it gives us tears.

For everyone who has supported us in the past,
Let’s hope the relationship lasts.
We have met many new faces because if this.
And to them we wish holiday bliss.


Thank you for keeping Kioptrix alive well during 2011. Personally I never expected our blog to be so popular. As I’ve said many time before “difficulty is relative to everyone”, so is success. And consider this past year, as well as this whole project of ours a success.

Merry Christmas & Happy New Year.
Be good & stay safe guys.

Thank you,
aka loneferret


After seeing a Tweet about dumping password hashes from a live Windows 2008 Domain Controller, I was intrigued. Reading a post from Tim Tomes (LaNMaSteR53), I figured I’d give it a shot and if successful show my findings (with pictures). It’s an ingenious method of getting the hash values. This attack falls into the “post-exploitation” category. Even more so seeing administrative or system privileges are needed.

Firstly, we’ll need a few things to get this going. VSSOwn is a great script created by Tomes and Mark Baggett. In a nut shell, it will help us create a volume shadow copy of the windows domain controller’s drive from which the NTDS and SYSTEM files will be extracted. Yes you read right, we’ll be getting what we need from VSS. On Windows 2008 & 7 this feature is always on by default. Periodically taking backups of our system drive which also includes NTDS, SYSTEM the SAM files. VSSOwn has other interesting features, I strongly recommend checking out Tomes’ and Baggett’s talk from Hack3ercon 2.

Second item on our list will be another tool to retrieve the hashes once we’ve recovered our system files. Csaba Barta, a Hungarian researcher, has developed an open source tool to parse NTDS.dit files. Right now his tool only seems to work on NTDS files from 32bit domain controllers. This is why our target is a Win2008 R1. Let’s hope he gets the 64bit soon. The tool runs on Linux and installs great on BackTrack 5. With our groceries finished, we can now move along and recover our password hashes.