Extracting domain credentials

Dumping domain credentials for password audits.

Step 1: Obtain SYSTEM and NTDS.dit files

  • SAM and SYSTEM live in C:\Windows\System32\config
  • NTDS.dit lives in C:\Windows\ntds\NTDS.dit

Armed with this information, you can forget all of it, because FTK Imager Lite will grab it for you: use the Obtain Protected Files option. I grabbed everything with "Password recovery and all registry files". Going through FTK Imager matters because NTDS.dit is held open by the directory service on a live domain controller and cannot simply be copied. The SAM file is only necessary on end-user computers, if you want to crack locally stored passwords; for the domain you need NTDS.dit together with the SYSTEM hive from the same domain controller, because the boot key stored in SYSTEM is what decrypts the password encryption key inside NTDS.dit.

Step 2: Download the newest libesedb from https://github.com/libyal/libesedb/releases

  • cd libesedb-20150409 (the directory unpacked from the release archive; the date stamp changes with each release)
  • chmod +x configure
  • ./configure
  • make
  • You can optionally extract the database you need at this point, but esedbxtract will do it for you. If you want it anyway, the steps are...
    • cd esedbtools/
    • ./esedbexport ~/Desktop/ntds.dit
    • cd ntds.dit.export
    • ls

Step 3: Download esedbxtract from https://bitbucket.org/grimhacker/esedbxtract

  • Documentation: http://grimhacker.com/wordpress/2014/09/27/esedbxtract/
  • python esedbxtract.py -P -s <system file> -n <ntds.dit file> --esedbexport ~/ntdsextract/libesedb-20150409/esedbtools/esedbexport
  • This will take a while, no joke, unless you just have a tiny Active Directory. When it finishes you should have a file in pwdump format (one account per line, user:RID:LM hash:NT hash:::), which is what the password audit actually runs against.
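Before feeding the pwdump output to a cracker it is worth a quick sanity pass: which accounts have an empty NT hash, which still store an LM hash, and which accounts share a hash (same password). The script below is an added example, not part of the original post and not code from esedbxtract; it assumes the usual pwdump layout of user:RID:LM:NT::: and works on a constructed sample, not real domain data. The two "password" hashes and the empty-password hashes are well known; the other hash values are made up for the sample.

```python
"""Audit a pwdump-format dump (user:rid:lm_hash:nt_hash:::) before cracking.

Added example for the procedure above; not the original post's code and not
part of esedbxtract. The sample data is constructed, not a real dump.
"""
from collections import defaultdict

# Well-known hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample. 8846f7ea... is NT("password"), e52cac67... is LM("password");
# the krbtgt and DC01$ hash values are made up filler of the right length.
SAMPLE_PWDUMP = """\
# constructed sample, not real domain data
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0c1ea3ea5d8b1e4f2d0c6f9a7b3e2d1c:::
jsmith:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
legacyapp:1106:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:5c9d3e1f2a4b6c8d0e1f2a3b4c5d6e7f:::
"""


def parse_pwdump(text):
    """Return a list of (user, rid, lm, nt) tuples; reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected user:rid:lm:nt:::")
        user, rid, lm, nt = fields[0], fields[1], fields[2].lower(), fields[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"line {lineno}: LM/NT hash must be 32 hex chars")
        entries.append((user, int(rid), lm, nt))
    return entries


def audit(entries):
    """Flag empty NT hashes, stored LM hashes, machine accounts and shared hashes."""
    report = {"empty_nt": [], "lm_present": [], "machine_accounts": [], "shared_nt": {}}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in entries:
        if nt == EMPTY_NT:
            report["empty_nt"].append(user)
        if lm != EMPTY_LM:
            # LM storage means the password is trivially crackable in two 7-char halves.
            report["lm_present"].append(user)
        if user.endswith("$"):
            # Machine accounts have long random passwords; not worth cracking.
            report["machine_accounts"].append(user)
        else:
            by_nt[nt].append(user)
    # Same NT hash across accounts means the same password (no salt in NTLM).
    report["shared_nt"] = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return report


def to_hashcat(entries):
    """Lines in user:nt form for hashcat -m 1000 --username, machine accounts dropped."""
    return [f"{user}:{nt}" for user, _rid, _lm, nt in entries if not user.endswith("$")]


if __name__ == "__main__":
    parsed = parse_pwdump(SAMPLE_PWDUMP)
    for key, value in audit(parsed).items():
        print(f"{key}: {value}")
    print("\n".join(to_hashcat(parsed)))
```

Run it against the real dump by replacing SAMPLE_PWDUMP with the file contents; the shared-hash check is usually the most interesting finding, since it surfaces password reuse (and the Administrator/service-account overlap in particular) without cracking anything.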