2011.12.10

After seeing a tweet about dumping password hashes from a live Windows 2008 Domain Controller, I was intrigued. Reading a post from Tim Tomes (LaNMaSteR53), I figured I'd give it a shot and, if successful, show my findings (with pictures). It's an ingenious method of getting the hash values. This attack falls into the "post-exploitation" category, even more so since administrative or SYSTEM privileges are needed.

First, we'll need a few things to get this going. VSSOwn is a great script created by Tomes and Mark Baggett. In a nutshell, it will help us create a volume shadow copy of the Windows domain controller's drive, from which the NTDS and SYSTEM files will be extracted. Yes, you read that right: we'll be getting what we need from VSS. On Windows 2008 and 7 this feature is on by default, periodically taking snapshots of the system drive, which includes the NTDS, SYSTEM and SAM files. VSSOwn has other interesting features; I strongly recommend checking out Tomes' and Baggett's talk from Hack3rcon 2.

The second item on our list is another tool to retrieve the hashes once we've recovered our system files. Csaba Barta, a Hungarian researcher, has developed an open source tool to parse NTDS.dit files. Right now his tool only seems to work on NTDS files from 32-bit domain controllers, which is why our target is a Win2008 R1. Let's hope he adds 64-bit support soon. The tool runs on Linux and installs without trouble on BackTrack 5. With our shopping done, we can now move along and recover our password hashes.

We’ll omit any exploitation of the domain controller, and just imagine that everyone in our organization simultaneously forgot their passwords due to a really strong Christmas punch (hey! It can happen). Let’s look at our target machine.
[Screenshot: Target Domain Information]

We can see a Windows 2008 Standard Edition with Service Pack 2 installed. We also notice a couple of domain accounts. After uploading VSSOwn to our server, we run vssown.vbs using the "cscript" command. Since this is a command-line tool, it would not be a good idea to use "wscript". Start by creating a shadow copy of the system.
[Screenshot: vssOwn Create]

Once the command prompt returns, you can check the shadow copies using the “/list” switch. We could’ve used the “VSSADMIN” command, but this way is just easier. Now it’s time to copy the system files from this shadow copy.
[Screenshot: Copy NTDS file]

Using the "/list" switch, we take note of the path to the copy. In this case it's "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3". From here it's as simple as copying a file from the command prompt. Append "\windows\ntds\ntds.dit" and "\windows\system32\config\SYSTEM" to the device object path and copy.
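As an added defensive example (not part of the original post, and not VSSOwn's code): a small Python scan over constructed process-creation command lines, of the kind Sysmon event ID 1 records, that flags the two observable steps of the technique above, a shadow copy being created from the command line and ntds.dit or a registry hive being read out of a HarddiskVolumeShadowCopy device path. The sample events and the finding labels are my own constructions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample events in a Sysmon-like "CommandLine:" form, not real telemetry.
# Events 1 and 2 mirror the copy step described above; events 4 and 5 are benign.
SAMPLE_EVENTS = [
    r'CommandLine: "C:\Windows\System32\cscript.exe" vssown.vbs /create',
    r'CommandLine: cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\windows\ntds\ntds.dit c:\temp\ntds.dit',
    r'CommandLine: cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\windows\system32\config\SYSTEM c:\temp\SYSTEM',
    r'CommandLine: vssadmin create shadow /for=C:',
    r'CommandLine: vssadmin list shadows',
    r'CommandLine: "C:\Windows\System32\notepad.exe" C:\Users\bob\notes.txt',
]

# A shadow copy device object being referenced directly by path.
SHADOW_PATH = re.compile(r"HarddiskVolumeShadowCopy\d+", re.IGNORECASE)
# The AD database or the registry hives that protect / contain credential material.
SENSITIVE_FILES = re.compile(
    r"\\(ntds\\ntds\.dit|system32\\config\\(SYSTEM|SAM|SECURITY))", re.IGNORECASE
)
# Shadow copy creation, via the built-in vssadmin or the vssown.vbs script.
SHADOW_CREATE = re.compile(
    r"(vssadmin(\.exe)?\s+create\s+shadow|vssown\.vbs\s+/create)", re.IGNORECASE
)


def classify(event: str) -> Optional[str]:
    """Return a finding label for one CommandLine event, or None if it looks benign."""
    # Highest-confidence signal: a credential store copied straight out of a snapshot.
    if SHADOW_PATH.search(event) and SENSITIVE_FILES.search(event):
        return "credential-store read from shadow copy"
    # Lower-confidence, but worth correlating: an ad-hoc shadow copy being created.
    if SHADOW_CREATE.search(event):
        return "shadow copy created from command line"
    return None


def scan(events: List[str]) -> List[Tuple[int, str]]:
    """Return (event index, label) for every event that matches a rule."""
    findings = []
    for i, event in enumerate(events):
        label = classify(event)
        if label:
            findings.append((i, label))
    return findings
```

Listing shadow copies alone (event 4) is deliberately not flagged, since backup software does that routinely; the creation plus a read of ntds.dit from the snapshot path is the pair to correlate.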

Now we move these two files (if you also copy the SAM file you can get local accounts) to our BackTrack box. Download and install Barta's tool using configure and make. Then we change to the esedbtools folder to start the process.
[Screenshot: Dump hash]

Run the script with the location of the NTDS.dit file as its parameter; after pressing Enter we should be rewarded with something similar.
[Screenshot: Dump hash from NTDS.dit file]

This will have created an "ntds.dit.export" folder with a file called "datatable". We'll need that file for dumping the hashes. Navigate to the creddump folder and run the dsdump Python script like so.
[Screenshot: Complete hashes from .dit file]

And there we have it. All that's left is a password cracker and some patience.

Let’s make a file with that output so “Hashcat” can better digest it.
[Screenshot: Cracking hashes]

Now, why didn't Hashcat get all of the passwords? I honestly don't know, but if you compare the hash values to the picture above, Administrator and kioptrix were found.

There you have it. It's now possible to recover users' passwords after a drunken stupor. Again, this is for 32-bit only, and esedbdumphash will spit out an error if you try to run it on anything else. I did send Csaba Barta a .dit file from a 64-bit test server. Let's hope he gets something out of it.

I strongly suggest you also visit the referenced sites mentioned below. VSSOwn has a few more cool features.

Hope you enjoyed the read.
loneferret

References:
Tomes’ and Baggett’s talk: http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows
VSSown code: http://lanmaster53.com/wp-content/uploads/tools/vssown.vbs
Ntds_hash_dump: http://csababarta.com/downloads/ntds_dump_hash.zip
Pauldotcom post: http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html
