Recovering Hashes from Domain Controller

After seeing a Tweet about dumping password hashes from a live Windows 2008 Domain Controller, I was intrigued. Reading a post from Tim Tomes (LaNMaSteR53), I figured I’d give it a shot and if successful show my findings (with pictures). It’s an ingenious method of getting the hash values.  This attack falls into the “post-exploitation” category.  Even more so seeing administrative or system privileges are needed.

Firstly, we’ll need a few things to get this going. VSSOwn is a great script created by Tomes and Mark Baggett. In a nut shell, it will help us create a volume shadow copy of the windows domain controller’s drive from which the NTDS and SYSTEM files will be extracted.  Yes you read right, we’ll be getting what we need from VSS. On Windows 2008 & 7 this feature is always on by default. Periodically taking backups of our system drive which also includes NTDS, SYSTEM the SAM files.   VSSOwn has other interesting features, I strongly recommend checking out Tomes’ and Baggett’s talk from Hack3ercon 2.

Second item on our list will be another tool to retrieve the hashes once we’ve recovered our system files. Csaba Barta, a Hungarian researcher, has developed an open source tool to parse NTDS.dit files. Right now his tool only seems to work on NTDS files from 32bit domain controllers. This is why our target is a Win2008 R1. Let’s hope he gets the 64bit soon. The tool runs on Linux and installs great on BackTrack 5. With our groceries finished, we can now move along and recover our password hashes.

We’ll omit any exploitation of the domain controller, and just imagine that everyone in our organization simultaneously forgot their passwords due to a really strong Christmas punch (hey! It can happen). Let’s look at our target machine.
Target Domain Information

We can see a Windows 2008 Standard Edition with Service Pack 2 installed. We also notice a couple of domain accounts. After uploading VSSOwn to our server, we run vssown.vbs using the “cscript” command. Since this is a command line tool it wouldn’t be a good idea using “wscript”. Start by creating a shadow copy of the system.
vssOwn Create

Once the command prompt returns, you can check the shadow copies using the “/list” switch. We could’ve used the “VSSADMIN” command, but this way is just easier. Now it’s time to copy the system files from this shadow copy.
Copy NTDS file

Using the “/list” switch, we take note of the path to the copy. In this case its “\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3”. From here it’s as simple as copying a file from the command prompt. Append “windows\ntds\ntds.dit” & “\windows\system32\config\SYSTEM” to the device object path and copy.

Now we move these 2 files (if you copy the SAM file you can get local accounts) to our Backtrack box.  Download and install Barta’s tool using configure and make. Then we travel to esedbtools folder to start the process.
Dump hash

Run the script giving as parameter the location of the NTDS.dit file and pressing Enter we should be rewarded by something similar.
Dump hash from NTDS.dit file

This will have a created an “ntds.dit.export” folder with a file called “datatable”. We’ll need that file for dumping the hashes. Navigate down to creddump folder and run the dsdump python script like so.
Complete Hashs from .dit file

And there we have it. All that needs to be done is a password cracker and some patience.

Let’s make a file with that output so “Hashcat” can better digest it.
Cracking Hashs

Now why didn’t Hashcat get all of the passwords? I honestly don’t know, but if you compare the hash values to the picture above.  Admisnistrator and kioptrix were found.

There you have it. It’s now possible to recover users’ passwords after a drunken stupor. Again this is for 32bit only and esedbdumphash will spit an error if you try to run it on anything else.  I did send Csaba Barta a .dit file from a 64bit test server. Let’s hope he gets something out of it.

I strongly suggest you also visit the referenced sites mentioned below. VSSOwn has a few more cool features.

Hope you enjoyed the read.
loneferret

References:
Tomes’ and Baggett’s talk: http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows
VSSown code:  http://lanmaster53.com/wp-content/uploads/tools/vssown.vbs
Ntds_hash_dump: http://csababarta.com/downloads/ntds_dump_hash.zip
Pauldotcom post: http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html