Added Auxiliary Module ntdsgrab.rb #1574
Conversation
…it add ntdsgrab.rb
Alright, I can't figure out how to get rid of this data from a previous pull request. Hopefully it doesn't matter :)
Please add the license terms at the very top of the module; see another module for an example.
You're right, it shouldn't matter at all, assuming everything merges cleanly at the end. History is important.
This shouldn't be a scanner.
register_options([ | ||
OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']), | ||
OptString.new('LOGDIR', [true, 'Directory on local system used to store the ntds.dit and SYSTEM hive', '/tmp/NTDS_Grab']), |
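Review bot: the LOGDIR default '/tmp/NTDS_Grab' drops the ntds.dit and SYSTEM hive, that is every domain account's credential material, into a shared world-readable temp directory with no per-run separation and nothing recorded in the database. As the inline comment suggests, store_loot keeps the files under the framework's loot directory and tracks them, so this option should either go away or default to the store_loot location rather than a fixed /tmp path.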
I don't think it is the best way to store the ntds.dit and SYSTEM hive.
My feeling is store_loot could be used to store them, and in this way you can also track collected loots/objects in the db if you're using it.
Any inconvenience with using store_loot here?
I will look into store_loot. The only reason I did it this way was so that I could use a separate tool that I built, ntds_hashextract.rb, to retrieve the Active Directory password hashes, and it is convenient for the two files to be in the same directory. Can this be achieved with store_loot?
store_loot puts everything under ~/.msf4/loot/
but that may not always be the case.
Deployed a single DC and tried
Any clue about what could be wrong? (I've checked that ntds.dit exists at c:\windows\ntds\ntds.dit.) Feel free to ask me to provide any information.
By any chance could you try running it with CREATE_NEW_VSC set to 'true' and tell me if there is any difference? Thanks!
Sure, successful with CREATE_NEW_VSC as true:
Ok, so here is what I would like you to try next if you don't mind. Try it again with CREATE_NEW_VSC set to false and tell me if it works. My guess is that it will work and I had an off-by-one error whereby my check to see if a VSC is present requires there to be at least two, and in this case, when you spun up a new DC that has only one shadow copy, my off-by-one triggered a false negative. If you try it again and it still produces the same error, can you check for me in the c:\windows\temp directory and tell me if there is a file called "ntds" and/or "sys"? Thanks man!
Setting it again to false works :)
I am unable to replicate this error. If you try it again on a fresh DC do you still get the same error? I have deleted all Volume Shadow copies on my system to see if that was the issue and it is still working. |
Tried again in a fresh DC:
Weird :s now it's working on the first shot.... Okay, will give it a new and last shot tomorrow; if it works, after the last code cleanup I think we'll be ready to merge :) thanks!
rescue StandardError => sysdownloaderror | ||
print_error("Unable to download SYSTEM hive: #{sysdownloaderror}") | ||
return sysdownloaderror | ||
end |
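Review bot: `return sysdownloaderror` in the rescue branch hands the exception object back to the caller as the method's result, so any caller that only tests for a truthy return will treat the failed SYSTEM hive download as a success; after print_error return nil (or re-raise) instead. The rescue path also leaves the share connected, so it should call simple.disconnect the same way download_ntds does, as the question on this block already asks.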
Isn't a simple.disconnect("\#{ip}#{@SMBSHARE}") needed here, as in download_ntds? Just asking :)
Yes there should be, fixed.
…d in as parameters
Did the last cleanup, and tested with an existing VSC and creating a new one. Working, so merged! Thanks @R3dy !!
This module uses the psexec Mixin to extract NTDS.dit and the SYSTEM registry hive from a Windows Domain Controller.
Reference:
http://blog.accuvant.com/blog/owning-computers-without-shell-access
The module can be used in three separate ways.
Check if a volume shadow copy already exists and pull from there:
Create a new Volume Shadow Copy and pull from there:
Target a specific user-defined Volume Shadow Copy and pull from there:
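An added example, not code from the ntdsgrab module or this PR: a small parser for `vssadmin list shadows` output that illustrates the first mode above (use an existing shadow copy) and the off-by-one presence check discussed in the thread, showing the "at least two copies" form beside the corrected one. The two listings are constructed samples and the output format is assumed.

```ruby
# Constructed `vssadmin list shadows` output for a DC with exactly one shadow
# copy: the case the PR thread identifies as tripping the off-by-one check.
SAMPLE_ONE_SHADOW = <<~'OUT'
  vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
  (C) Copyright 2001-2013 Microsoft Corp.

  Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
     Contained 1 shadow copies at creation time: 1/2/2014 9:15:00 AM
        Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
           Original Volume: (C:)\\?\Volume{ffffffff-0000-1111-2222-333333333333}\
           Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
           Originating Machine: dc01.corp.example
OUT

# Constructed output for a host with no shadow copies at all.
SAMPLE_NONE = <<~'OUT'
  vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
  (C) Copyright 2001-2013 Microsoft Corp.

  No items found that satisfy the query.
OUT

# Device paths of every shadow copy in the listing, in the order reported.
def shadow_copy_volumes(listing)
  listing.scan(/^\s*Shadow Copy Volume:\s*(\S+)\s*$/).flatten
end

# The check as the PR author describes the bug: it demands at least two
# copies, so a freshly built DC holding a single copy is reported as having none.
def vsc_present_buggy?(listing)
  shadow_copy_volumes(listing).length > 1
end

# Corrected check: one existing copy is enough to read from.
def vsc_present?(listing)
  !shadow_copy_volumes(listing).empty?
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_ONE_SHADOW, SAMPLE_NONE].each do |out|
    puts "buggy=#{vsc_present_buggy?(out)} fixed=#{vsc_present?(out)} " \
         "volumes=#{shadow_copy_volumes(out).inspect}"
  end
end
```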