NTDS Privilege Escalation

Okay, so let's assume you just hijacked a machine inside a network. You don't have time to enable the keylogger function in Meterpreter since you really need to get some network credentials right now. Lucky for us, Windows stores those temporary credentials. What we do most of the time is grab the SAM hash dump and try to crack the passwords, but those are only local users. Sure, in most pen-tests that would be good enough, since the local admin password is usually the same on all machines, but let's assume you really need those network (domain) credentials.

Okay, so first off, libesedb is an open source C library developed to forensically extract information from Extensible Storage Engine (ESE) database files. To get what we need out of NTDS.dit we first have to download and install the library. For that, use the following commands:

wget http://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz
tar xvzf libesedb-alpha-20120102.tar.gz
cd libesedb-20120102
./configure
make
make install

Once that's done you are about ready to start. Now you need the wonderful ntdsgrab.rb module written by Royce (@R3dy__) Davis. This auxiliary module authenticates to an Active Directory Domain Controller and uses that access to create a volume shadow copy of %SYSTEMDRIVE%. It then pulls down copies of the ntds.dit file as well as the SYSTEM hive and stores them on your attacking machine. The ntds.dit and SYSTEM copies can be used in combination with other tools for offline extraction of AD password hashes. All of this is possible without uploading a single binary to the target host.

wget https://raw.github.com/R3dy/metasploit-framework/ntdsgrab/modules/auxiliary/admin/smb/ntdsgrab.rb
After executing the module against the victim's machine you will get the raw files you need to start handling. 'cd' to the directory where the files are stored (usually the loot folder). Now run 'esedbexport' from the libesedb/esedbtools directory against your NTDS.dit database. It will export all of the tables and store them in a newly created directory called ntds.export.

Finally, all you need to do now is run 'ntds_hashextract.rb' against the exported datatable and the SYSTEM registry hive file in order to grab all of the domain password hashes. And there you go! Now all you need is a bit of hash cracking and you're done!
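Since the whole chain runs on the domain controller without a binary ever being uploaded, what a defender is left with is the process activity it leaves behind: a volume shadow copy, a read of ntds.dit through the shadow-copy path, and a save of the SYSTEM hive. The detector below is an added example, not part of this post or of ntdsgrab; it runs over constructed process-creation log lines in an assumed key=value layout, and the hostnames and the DOMAIN_CONTROLLERS set are assumptions too.

```python
import re
from collections import defaultdict

# CONSTRUCTED sample of process-creation events (simplified key=value form of
# 4688 / Sysmon Event 1 fields); not captured from ntdsgrab or any real system.
SAMPLE_LOG = r"""
2013-02-10T10:00:01Z host=DC01 user=CORP\svc_backup cmd=vssadmin create shadow /for=C:
2013-02-10T10:00:09Z host=DC01 user=CORP\svc_backup cmd=copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Windows\Temp\ntds.dit
2013-02-10T10:00:11Z host=DC01 user=CORP\svc_backup cmd=reg save HKLM\SYSTEM C:\Windows\Temp\sys
2013-02-10T10:05:00Z host=WS07 user=CORP\bob cmd=vssadmin create shadow /for=C:
2013-02-10T10:06:00Z host=WS07 user=CORP\bob cmd=notepad.exe C:\notes.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# The three steps of the chain, matched case-insensitively on the command line.
STAGES = {
    "vss_create": re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b|\bshadowcopy\s+call\s+create\b", re.I),
    "ntds_copy": re.compile(r"harddiskvolumeshadowcopy\d+.*\\ntds\.dit\b", re.I),
    "system_hive": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b|\\config\\system\b", re.I),
}

# Assumption: the asset inventory tells us which hostnames are domain controllers.
DOMAIN_CONTROLLERS = {"DC01"}


def detect(log_text, dcs=DOMAIN_CONTROLLERS):
    """One finding per host. A read of ntds.dit via a shadow-copy path is 'high'
    anywhere; a bare shadow copy is routine (backup agents) and only 'medium' on a DC."""
    seen = defaultdict(dict)  # host -> {stage: first matching event}
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated or malformed lines
        ev = m.groupdict()
        for stage, pat in STAGES.items():
            if stage not in seen[ev["host"]] and pat.search(ev["cmd"]):
                seen[ev["host"]][stage] = ev
    findings = []
    for host, stages in seen.items():
        if "ntds_copy" in stages:
            severity = "high"
        elif "vss_create" in stages and host in dcs:
            severity = "medium"
        else:
            continue
        first = min(stages.values(), key=lambda e: e["ts"])
        findings.append({"host": host, "user": first["user"], "first_seen": first["ts"],
                         "stages": sorted(stages), "severity": severity})
    return findings
```

On the sample above only DC01 is reported, as a high-severity finding carrying all three stages; the workstation's shadow copy is ignored because shadow copies outside the DC set are routine.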
