Use ntdsutil in 2008 and above to extract ntds.dit #3854

Open
todb-r7 opened this Issue Sep 23, 2014 · 7 comments

5 participants
@todb-r7
Contributor

todb-r7 commented Sep 23, 2014

This issue was RM8837, originally filed by Rich Rumble

This command will extract the NTDS.dit, SYSTEM and SECURITY files all in one command, and no need to invoke shadow copy. (Although I'm sure it's doing it for you in the bg)

ntdsutil.exe "activate instance ntds" "ifm" "Create Full C:\Temp\123" quit quit

I have screen shots that show it in action on my blog and it's built-in to 2008 and greater already!

https://xinn.org/blog/JtR-AD-Password-Auditing.html

You can shorten most of the commands as well http://technet.microsoft.com/en-us/library/cc753343.aspx

And you can add "nodefrag" http://technet.microsoft.com/en-us/library/cc732530.aspx to speed up the dump a bit :)

@todb-r7


Contributor

todb-r7 commented Mar 2, 2015

Yes, someone should write this post module. :)

@thelightcosine


thelightcosine commented Mar 5, 2015

@todb-r7 yeah ntdsutil is great, but unfortunately only works in newer Server OSes. It actually invokes shadowcopy for you on the backend, and pulls the exact things you need to replicate the DC. As an added benefit, it actually properly disconnects the ESEDB in ntds.dit so that it can be properly accessed offline, whereas just doing shadowcopy leaves ntds.dit in a bad state that will require additional work to repair.

@todb-r7


Contributor

todb-r7 commented Mar 5, 2015

Given the examples and docs referenced on the PR, seems like it'd be straightforward to implement, thus the newbie friendly tag.

@thelightcosine


thelightcosine commented Mar 5, 2015

@todb-r7 my concern is that doing this we need some sort of paradigm in place for post modules to declare version compatibility, so people do not try to use it on a 2003 server. Something we'd have to probably deal with eventually anyways.

@todb


Contributor

todb commented Mar 5, 2015

I know today there are lots of post modules that do some version checking. It's pretty much up to the post module in question, since there are lots of things to look for. grep -ril version modules/post/ is pretty accurate.


@thelightcosine


thelightcosine commented Mar 6, 2015

@todb Yeah, but I'd like to see us add a paradigm for metadata on the actual post module that allows users to know ahead of time whether they should expect a post module to work on a given machine.

@egypt


Contributor

egypt commented Sep 16, 2016

@dmaloney-r7 Was this fixed by #5348?

@bwatters-r7 bwatters-r7 referenced this issue Nov 28, 2017

Merged

Updated domain_hashdump fix #9211
