3 Ways to Extract Password Hashes from NTDS.dit

Hello friends!! Today we are going to discuss some forensic tools which are quite helpful in penetration testing and can be used to obtain NTLM password hashes from a host machine. As we know, while doing penetration testing we get a lot of data from the host machine, such as NTDS.dit and the SYSTEM hive. In this article, we will learn to extract user information from those files.

Impacket-secretsdump

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for certain protocols (e.g. SMB1-3 and MSRPC). The library provides a set of tools as an example of what can be done within the context of this library.

secretsdump.py: Performs various techniques to dump secrets from the remote machine without executing any agent locally. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry, then we save the hives in the target system (%SYSTEMROOT%\Temp directory) and read the rest of the data from there. For DIT files, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec/wmiexec approach.

Source: //www.coresecurity.com/corelabs-research/open-source-tools/impacket

As described in its official definition, we mainly need two files, i.e. ntds.dit and the SYSTEM hive, to extract NTLM password hashes. Suppose that, while performing penetration testing on a host machine, you find the two files mentioned above; then with the help of the following command you can extract the password hash of the admin account or of other accounts from them.

-system: denotes the path of the system hive file (SYSTEM)

-ntds: denotes the path of the dit file (ntds.dit)

Now, as you can observe, it has dumped the NTLM password hashes from inside the ntds.dit file.

With the help of an online hash-cracking tool, we can try to crack the password hash, and as shown in the given image we get "[email protected]" from it.
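An added example, not from the original article or from the Impacket project: a small Python audit script that parses secretsdump-style output lines (domain\user:RID:LM hash:NT hash:::) and flags the weaknesses a defender looks for in such a dump, namely accounts with an empty NT hash (no password set), accounts that still store an LM hash, and accounts sharing the same NT hash (password reuse). The sample dump, domain name, user names and hash values are constructed for illustration; only the two empty-password constants are the real well-known values.

```python
import re
from collections import defaultdict

# Well-known hash values of an empty password (public constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump prints one account per line: DOMAIN\user:RID:LMhash:NThash:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

def parse_dump(text):
    """Return (user, rid, lm, nt) tuples; banner and status lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return rows

def audit(rows):
    """Flag empty passwords, stored LM hashes and NT hashes shared by several accounts."""
    findings = {"empty_password": [], "lm_hash_stored": [], "shared_nt_hash": {}}
    by_nt = defaultdict(list)
    for user, rid, lm, nt in rows:
        if nt == EMPTY_NT:
            findings["empty_password"].append(user)
        if lm != EMPTY_LM:          # LM storage should be disabled on modern domains
            findings["lm_hash_stored"].append(user)
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings["shared_nt_hash"][nt] = users
    return findings

# Constructed sample dump (domain, accounts and non-empty hashes are made up).
SAMPLE = """\
Impacket v0.9.x - Copyright SecureAuth Corporation
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
lab.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
lab.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
lab.local\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
lab.local\\legacy_user:1106:1122334455667788aabbccddeeff0011:fedcba9876543210fedcba9876543210:::
[*] Cleaning up...
"""

if __name__ == "__main__":
    for name, hits in audit(parse_dump(SAMPLE)).items():
        print(name, hits)
```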

DSInternals PowerShell

The DSInternals PowerShell Module provides easy-to-use cmdlets that are built on top of its Framework. The main features include offline ntds.dit file manipulation and querying domain controllers through the Directory Replication Service (DRS) Remote Protocol.

Source: //github.com/MichaelGrafnetter/DSInternals

This method only works on Windows. To extract NTLM hashes, use the following commands as given below.


From its result, you can see that we have successfully extracted the NTLM hash, and now we can crack it again as was done above.

Ntdsxtract

The first step is to extract the tables from the NTDS.dit file; for this we will use esedbexport, which comes with libesedb-tools. Libesedb is a library used to access the Extensible Storage Engine (ESE) Database File (EDB) format, mainly known for its use in the Microsoft Extension for the prev1.edb file. The ESE database format is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory (NTDS.dit), etc.

Source: //github.com/libyal/libesedb/

For the latest download link: //github.com/libyal/libesedb/releases

Now type the following command to download the libesedb library in order to install esedbexport, then extract the tar file as given below.

Now install the requirements with the help of the following commands:

Now that the tool is installed, use it to dump the tables from the ntds.dit file.

This will make a new directory named "ntds.dit.export" containing the extracted tables; here you will find the two tables we need, i.e. datatable and link_table.

Now download ntdsxtract. It is a forensic tool that is capable of extracting information related to user objects, group objects, computer objects, and deleted objects from NTDS.dit files.

Execute the following command to install all the set-up files.

Extracting User information and Password Hash

Now, with the help of all three files (datatable, link_table, and the SYSTEM hive), it is capable of dumping user information and NT/LM password hashes. You can execute the following command to obtain the NTLM hashes in a format compatible with John the Ripper.

As you can see, it has extracted the user information and password hashes as mentioned above.

cat data/nthash.txt

So now we can crack these password hashes with the help of John the Ripper.

Author: Sanjeet Kumar is an Information Security Analyst, Pentester and Researcher.
