Extracting LM/NTLM password hashes from a 2003 Domain controller using ntbackup

Extracting LM/NTLM password hashes from a 2003 Domain controller using ntbackup

Take System state backup and restore ntds.dit and system reg key

Log onto Domain controller using a domain admin account and follow this method published by quarkspwdump ( http://quarkspwdump.googlecode.com/hg/README.txt )

1. Launch NTBACKUP gui

2. Use backup wizard (advanced)
3. Choose to save system state only and choose output filename
4. Wait some minutes
5. Use restore wizard (advanced)
6. Choose your backup, click next and use advanced button
7. Choose to restore file on another location (c:\tmp\ for example)
8. Choose to overwrite everything and next uncheck all restoration parameters
9. Validate and wait some minutes
10. Open a command shell to "c:\tmp\Active Directory"
11. We need to repair the database with this command " esentutl /p ntds.dit "
12. Validate warning and wait some minutes

Now copy the restored ntds.dit and system from "c:\tmp\Active Directory" folder into a 

new folder on a Backtrack machine.

How to extract password hashes from ntds.dit file and system reg key.

The next part you need to copy the ntds.dit and system reg key from the ntbackup restore into a folder on a backtrack machine. I haven choosen to create an ntds folder in the home directory and have copied the system reg key into (see text is green) and have also created a sub folder in this directory called "Active Directory" that has the ntds.dit file. (see below)

 

Next follow the guide published on " http://pauldotcom.com/2011/12/safely-dumping-hashes-now-avai.html" to extract the ntlm hashes using ntdsxtract.

1. Stay in the ntds directory and download and install libesedb

wget http://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz
tar xvzf libesedb-alpha-20120102.tar.gz
cd libesedb-20120102 

chmod +x configure

./configure && make

2. Create directory in ntds called ntdsxtract and download and extract ntdsxtract

mkdir ntdsxtract
wget http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
unzip ntdsxtract_v1_0.zip
cd ntdsxtract_v1_0
chmod +x *.py

3. Use esedbexport to extract the relevant tables from ntds.dit, esedbtools is a subdirectory in the libesedb folder

cd esedbtools
./esedbexport ../../Active\ Directory/ntds.dit

4. Use dshashes.py to extract the hashes from the datatable. To put the hashes in a pentester friendly format download dshashes.py from http://ptscripts.googlecode.com/svn/trunk/dshashes.py or copy from below

cd ../../NTDSXtract/
wget http://ptscripts.googlecode.com/svn/trunk/dshashes.py
chmod +x *.py
python ./dsusers.py ../datatable ../link_table --passwordhashes ../system > domainhashes.txt










To make it more difficult for password cracking tools to crack ntlm password hashes then stop windows from using LMhash passwords. Follow this article http://support.microsoft.com/kb/299656



http://www.objectif-securite.ch/en/ophcrack.php

DShashes.py script

# This file was derived from dsusers.py, which is is part of ntdsxtract.
#
# ntdsxtract is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ntdsxtract is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ntdsxtract.  If not, see .

'''
@editor:        LaNMaSteR53
@author:        Csaba Barta
@license:       GNU General Public License 2.0 or later
@contact:       csaba.barta@gmail.com
'''

from ntds.dsdatabase import *
from ntds.dsrecord import *
from ntds.dslink import *
from ntds.dstime import *
from ntds.dsobjects import *

def usage():
    print "DSHashes"
    print "Extracts user hashes in a user-friendly format\n"
    print "usage: %s   [option]" % sys.argv[0]
    print "  options:"
    print "    --rid "
    print "          List user identified by RID"
    print "    --name "
    print "          List user identified by Name"
    print "    --passwordhashes "
    print "          Extract password hashes"
    print "    --passwordhistory "
    print "          Extract password history"
    print "    --exclude-disabled"
    print "          Exclude disabled accounts from output"

if len(sys.argv) < 3:
    usage()
    sys.exit(1)

rid = -1
name = ""
syshive = ""
pwdump = False
pwhdump = False
optid = 0
excl_dsbl = False
print "Running with options:"
for opt in sys.argv:
    if opt == "--rid":
        if len(sys.argv) < 5:
            usage()
            sys.exit(1)
        rid = int(sys.argv[optid + 1])
        print "\tUser RID: %d" % rid
    if opt == "--name":
        if len(sys.argv) < 5:
            usage()
            sys.exit(1)
        name = sys.argv[optid + 1]
        print "\tUser name: %s" % name
    if opt == "--passwordhashes":
        if len(sys.argv) < 5:
            usage()
            sys.exit(1)
        syshive = sys.argv[optid + 1]
        pwdump = True
        print "\tExtracting password hashes"
    if opt == "--passwordhistory":
        if len(sys.argv) < 5:
            usage()
            sys.exit(1)
        syshive = sys.argv[optid + 1]
        pwhdump = True
        print "\tExtracting password history"
    if '--exclude-disabled' in sys.argv:
        excl_dsbl = True
    optid += 1 

db = dsInitDatabase(sys.argv[1])
dl = dsInitLinks(sys.argv[2])

if pwdump or pwhdump:
    dsInitEncryption(syshive)

utype = -1
utype = dsGetTypeIdByTypeName(db, "Person")
if utype == -1:
    print "Unable to get type id for Person"
    sys.exit()

print "\nList of hashes:"
print "=============="
for recordid in dsMapLineIdByRecordId:
    if int(dsGetRecordType(db, recordid)) == utype:
        user = dsUser(db, recordid)
        if rid != -1 and user.SID.RID != rid:
            continue
        if name != "" and user.Name != name:
            continue
        if excl_dsbl:
            user_disabled = False
            for uac in user.getUserAccountControl():
                if uac == 'Disabled': user_disabled = True
            if user_disabled: continue

        if pwdump == True:
            nthash = ''
            lmhash = 'aad3b435b51404eeaad3b435b51404ee'
            (lm, nt) = user.getPasswordHashes()
            if nt != '':
                nthash = nt
                if lm != '':
                    lmhash = lm
            hash = "%s:%s:%s:%s:::" % (user.SAMAccountName, user.SID.RID, lmhash, nthash)
            if nt != '':
                print hash

        if pwhdump == True:
            lmhistory = None
            nthistory = None
            (lmhistory, nthistory) = user.getPasswordHistory()
            if nthistory != None:
                hashid = 0
                for nthash in nthistory:
                    print "%s_nthistory%d:%s:E52CAC67419A9A224A3B108F3FA6CB6D:%s:::" % (user.SAMAccountName, hashid, user.SID.RID, nthash)
                    hashid += 1
                if lmhistory != None:
                    hashid = 0
                    for lmhash in lmhistory:
                        print "%s_lmhistory%d:%s:%s:8846F7EAEE8FB117AD06BDD830B7586C:::" % (user.SAMAccountName, hashid, user.SID.RID, lmhash)
                        hashid += 1

if pwhdump == True:
  print "\n[*] NOTE: NT and LM hashes are shown on individual lines with the respective hash of 'password' in the opposing position."
  print "This is done in order to make sure the output plays nice with various hash cracking tools. Account for this when cracking historical hashes.\n"

Powershell script to extract logon times from an imported user .csv file

Powershell script to extract logon times from an imported user .csv file

Create the following .csv file. The top column is labeled name, this is the variable used by powershell and then the user accounts are put underneath like so (see Figure 1)



Figure 1

Download powershell cmdlets http://www.quest.com/powershell/activeroles-server.aspx   Run the following in quest powershell cmdlets app. import-csv c:\chris.csv | Get-QADUser -id {$_.name} | select name,LastLogonTimestamp | export-csv c:\userlist.csv   $_.name refers to the column name “name” in figure1   The out put should look something like the below see figure 2   Figure 2

Key Management Server Setup guide

KMS (Key Management Server)

What is a KMS server

KMS activates operating systems on your local network, eliminating the need for individual computers to connect to Microsoft. To do this, KMS uses a client/server method of implementation. KMS clients connect to a KMS server, called the KMS host, for activation. The KMS host resides on your local network.

Supported platforms

A KMS server can run on either windows 2008, Windows vista or Windows Server 2003 with SP1 and later, however installing it on Windows 2003 requires you to download the appropriate installation files for KMS v1.1.

Number of PC's required

To activate Windows Vista, you must have at least 25 computers running Windows Vista or Windows Server 2008 that are connected together; for Windows Server 2008, the minimum is 5 computers. Computers that are activated through KMS must be reactivated every six months by connecting to your organization's network.

KMS Setup

Note: Do all the commands below via a command prompt which has been opened with Administrative privileges.

Installing KMS Server:

Open C:Windowssystem32 and execute the following command

cscript c:WindowsSystem32slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx


Obvioulsy replace xxxxx with your key.

You should see the following:

Quote
Microsoft ® Windows Script Host Version 5.7
Copyright © Microsoft Corporation. All rights reserved.
Installed product key xxxxx-xxxxx-xxxxx-xxxxx-xxxxx successfully.


How can I activate via Telephone (offline activation)

If activation for the KMS server is necessary then call Microsoft and follow the instructions.

Open C:Windows\system32 and execute the following command

slui.exe 4


Then

* Show me other ways to activate
* use the automated phone system

And then call Microsoft and follow the instructions. After successful activation, click on close.

Then do as follows:

net stop slsvc && net start slsvc


You should see the following:

Quote
The Software Licensing service is stopping.
The Software Licensing service was stopped successfully.

The Software Licensing service is starting.
The Software Licensing service was started successfully.


Open the Firewall for KMS traffic

In Windows Firewall, click on Exceptions and allow the now listed Key Management Services, failure to do this step will mean that your KMS hosts can not talk to the KMS service and therefore will not activate.

KMS listens on port 1688, to change the port you must do as follows:

SLMgr.vbs /SPrt xxxx


where xxxx = the new port number

slmgr.vbs After you have entered this command you must restart the SLMgr service using:

net stop slsvc && net start slsvc


Test the KMS server configuration

The KMS server should publish its SRV records in your domain DNS, you should verify that these records exist.

Open C:\Windows\system32 and execute the following command

nslookup -type=srv _vlmcs._tcp


You should see output similar to the following:

Quote
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.0.1

_vlmcs._tcp.windows-noob.local SRV service location:
priority = 0
weight = 0
port = 1688
svr hostname = servername.Domainname
servername.domainname internet address = 192.168.3.1


To manually activate a client over the Internet

Any client will automatically try to activate itself every 120 minutes by default, so there is no need to run the acivation command manually. However if you want to test or speed up the process then do as follows.

Open C:Windowssystem32 and execute the following command

cscript C:windowssystem32slmgr.vbs /ato


To change the 120 minutes setting, you must do as follows:

SLMgr.vbs /sai x


where x = the new interval in minutes

After you have entered this command you must restart the SLMgr service using:

net stop slsvc && net start slsvc




Query KMS server

To query the KMS server and see its status open a command prompt and execute the following command.

cscript slmgr.vbs /dli


You should see output similar to below:

Quote
Microsoft ® Windows Script Host Version 5.7
Copyright © Microsoft Corporation. All rights reserved.

Name: Windows Server®, ServerStandard edition
Description: Windows Operating System - Windows Server®, VOLUME_KMS_B channel
Partial Product Key: xxxxx
License Status: Licensed

Key Management Service is enabled on this machine
Current count: 2
Listening on Port: 1688
DNS publishing enabled
KMS priority: Normal

Key Management Service cumulative requests received from clients
Total requests received: 5
Failed requests received: 0
Requests with License Status Unlicensed: 0
Requests with License Status Licensed: 0
Requests with License Status Initial grace period: 5
Requests with License Status License expired or Hardware out of tolerance: 0

Requests with License Status Non-genuine grace period: 0
Requests with License Status Notification: 0


Microsoft Video showing KMS in action > http://www.microsoft.com/downloads/details...;DisplayLang=en



License States

A computer can be in one of 5 license states

Initial grace Period
This occurs after the computer is installed and can only last for up to 30 days, this can be reset twice.

Non-Genuine grace Period
This occurs after a computer is found to have a non-genuine or counterfeit Windows operating system installed. This state can last up to 30 days to give you time to reactivate using a genuine copy and License key.

Out-of-tolerance grace period
This can occur when either several hardware changes are made to the computer or when the KMS key has not contacted Microsoft for updates in 180 days. This state can last up to 30 days.

Licensed
This state occurs when everything is ok and the system is activated.

Unlicensed
This state occurs when the activation period has expired and nothing was done about it. The computer will stay in a limited access state until it has been activated.



Related Reading:-

Windows 7 Specific KMS info. For Windows 7 and Windows Server 2008 R2 KMS info please refer to this post.

Key Management Services (KMS) explained - http://www.virtuall....s-kms-explained

Which Key do I use, KMS, MAK, VLK ? IF you are unsure about which key to use for activation then take a look at this post on Technet

Change Product Key from MAK to KMS

Linux Admin

Scripting

Windows Admin