Didier Stevens

Wednesday 13 July 2016

Practice ntds.dit File Part 2: Extracting Hashes

Filed under: Encryption — Didier Stevens @ 0:00

There are several how-tos on the Internet explaining you how to extract hashes from the Active Directory database file. I used this how-to for Kali Linux: https://blog.joelj.org/windows-password-audit-with-kali-linux/

The tools libesedb and ntdsxtract are used in this how-to.

I encountered an error when making libesedb:

libcfile_support.c:742:2: error: #error Missing file remove function

Make sure to read the comment from May 6, 2016 for this how-to: it offers a solution for this error. Edit libcfile/libcfile_support.c and add this line at the top:

#define HAVE_UNLINK 1

First we get the Active Directory database file I published and unzip it:

20160710-210725

Next we use libesedb (command esedbexport) to export the tables from ntds.dit:

20160710-210856

This may take some time, depending on the size of the database.

20160710-210938

The exported tables are in folder ntds.dit.export:

20160710-211024

Then we use ntdsxtract (command dsusers.py) to export the hashes (LM and NTLM) from the exported tables. First we export the hashes in a format suitable for John the Ripper. We store the files in folder dump. This command also takes the SYSTEM registry hive (file system) to extract the system key to decrypt the hashes.

20160710-211607

We let the command create the folder dump:

20160710-211642

Next the tool detects 2 schemas in the exported tables (objects 5 and 1480). First we try schema object 5:

20160710-211702

This fails:

20160710-211723

So we start again with schema object 1480, but first we need to remove the dump folder:

20160710-211757

20160710-211816

20160710-211831

Now you can find the extracted hashes (lm.john.out and nt.john.out) in folder dump:

20160710-211852

20160710-212259

Next we repeat the same command but export hashes in a format suitable for hashcat:

20160710-211921

20160710-211932

Now you can find the extracted hashes (lm.ocl.out and nt.ocl.out) in folder dump:

20160710-211954

20160710-212049

If you want these hash files to crack the passwords without having to run through this how-to, you can download them here:

ntds-hashes.zip (https)
MD5: B0A84D756C211A97087BA307F0CE5739
SHA256: 009520798DD34831C47ADAC47D6DEB3C153FC44BD9D400A0BB813EBA46728D86

11 Comments »

  1. […] Now we will use hashcat and the rockyou wordlist to crack the passwords for the hashes we extracted in part 2. […]

    Pingback by Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist | Didier Stevens — Thursday 14 July 2016 @ 0:00

  2. […] cracking LM hashes we extracted from our Active Directory database file with a wordlist, we will perform a brute-force attack on the LM […]

    Pingback by Practice ntds.dit File Part 4: Password Cracking With hashcat – Brute-force | Didier Stevens — Friday 15 July 2016 @ 0:01

  3. […] The next post provides a step-by-step guide for extracting hashes from the NTDS.DIT file; first in a format suitable for John the Ripper and then Hashcat. Practice ntds.dit File Part 2: Extracting Hashes […]

    Pingback by Week 28 – 2016 – This Week In 4n6 — Sunday 17 July 2016 @ 12:51

  4. […] After password cracking examples with hashcat, I want to show you how to crack passwords with John the Ripper (remember we also produced hashes for John the Ripper: lm.john.out and nt.john.out). […]

    Pingback by Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist | Didier Stevens — Tuesday 19 July 2016 @ 0:01

  5. […] examiners how to crack passwords with a wordlist using John the Ripper and the hashes extracted in Part 2. Practice ntds.dit File Part 6: Password Cracking With John the Ripper – […]

    Pingback by Week 29 – 2016 – This Week In 4n6 — Sunday 24 July 2016 @ 13:14

  6. […] Practice ntds.dit File Part 2: Extracting Hashes […]

    Pingback by Practice ntds.dit File Overview | Didier Stevens — Monday 25 July 2016 @ 9:15

  7. […] In this video I show an alternative to my blogpost on extracting hashes from the Active Directory database file ntds.dit. […]

    Pingback by Video: ntds.dit: Extract Hashes With secretsdump.py | Didier Stevens — Saturday 30 July 2016 @ 17:40

  8. […] Practice ntds.dit File Part 2: Extracting Hashes […]

    Pingback by Overview of Content Published In July | Didier Stevens — Monday 1 August 2016 @ 0:00

  9. […] the LM and NTLM hashes with the hashes in this blogpost: they are the […]

    Pingback by mimikatz: Golden Ticket + DCSync | Didier Stevens — Friday 12 August 2016 @ 8:04

  10. […] Practice ntds.dit File Part 2: Extracting Hashes […]

    Pingback by Active Directory password audit using Kali | Stephen Dolphin — Wednesday 11 January 2017 @ 17:15

  11. […] extract password history from ntds.dit with ntdsxtract/dsusers.py, use option […]

    Pingback by Practice ntds.dit File Part 9: Extracting Password History Hashes | Didier Stevens — Friday 3 March 2017 @ 0:00


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: