Step 1 – Install Libesedb
Libesedb is an open source C library developed to forensically extract information from Extensible Storage Engine (ESE) database files. In order to get what we need out of NTDS.dit we will first have to download and install the library using the following URL
Next we will need to extract the tarball, configure, make and install the library using the command line.
- $tar xvzf libesedb-alpha-20120102.tar.gz
- $cd libesedb-20120102
- $make && make install
Step 2 – Export Tables From NTDS.dit
Now that you have a working install of the Libesedb library make sure you’ve got a proper copy of the NTDS.dit database as well as the SYSTEM registry hive file on your machine. In case you weren’t already aware, you can use another one of my modules ntdsgrab.rb to obtain these items from a Windows Domain Controller, provided you have proper credentials or course. Here is what they look like on my system after downloading them via the Metasploit Framework.
Change into whatever directory contains your loot, in my case the /tmp/NTDS_Grab directory and run esedbexport from the libesedb/esedbtools directory against your NTDS.dit database. It will export all of the tables and store them in a newly created directory called ntds.export.
Step 3 – Dump All The Hashes
At this point you’re ready to run ntds_hashextract.rb against the datatable (Table #4) and the SYSTEM registry hive file in order to grab all of the domain password hashes. If the domain is large enough (several thousand unique users) the command might take a few minutes to finish on your system so go grab a cup of coffee. When it’s done it should look something like this.
If you like my blog, Please Donate Me
Or Click The Banner For Support Me.