Here is my command line:

python dsusers.py datatable linktable test --passwordhashes --syshive system.save --pwdformat john --lmoutfile LM.out --ntoutfile NT.out

The scripts displays a scrolling output of:

[!] Warning! Multiple records with PEK entry!
[+] Scanning database - 0% -> 4372(this number is just an example, it keeps increasing as the script is running) records processed

Finally, the scripts gets killed:

Error in sys.excepthook:
Traceback (most recent call last):
File "C:\Users\aldperez\Documents\dumpntds\ntdsxtract\ntds__init__.py", line
31, in simple_exception
sys.stderr.write("[!] Error!", value, "\n")
TypeError: function takes exactly 1 argument (3 given)

Original exception was:
Traceback (most recent call last):
File "dsusers.py", line 407, in
db = dsInitDatabase(sys.argv[1], wd)
File "C:\Users\aldperez\Documents\dumpntds\ntdsxtract\ntds\dsdatabase.py", lin
e 174, in dsInitDatabase
dsCheckMaps(db, workdir)
File "C:\Users\aldperez\Documents\dumpntds\ntdsxtract\ntds\dsdatabase.py", lin
e 207, in dsCheckMaps
dsBuildMaps(dsDatabase, workdir)
File "C:\Users\aldperez\Documents\dumpntds\ntdsxtract\ntds\dsdatabase.py", lin
e 290, in dsBuildMaps
dsMapRecordIdBySID[str(SID(record[ntds.dsfielddictionary.dsSIDIndex]))]
IndexError: list index out of range

Concerning the PEK entries, does it mean that the DC is encrypted? Also, I'm running this in Windows and I do have pycrypto installed. Thanks

Hi,
when trying to run dsusers in python3 , i got an error "_CM_KEY_NODE" has no attribute "SubKeyLists",What can I do?
thanks so much.

Error in sys.excepthook:
Traceback (most recent call last):
File "/home/joe/Downloads/ntdsxtract-master/ntds/init.py", line 31, in simple_exception
sys.stderr.write("[!] Error!", value, "\n")
TypeError: function takes exactly 1 argument (3 given)

Original exception was:
Traceback (most recent call last):
File "dsusers.py", line 27, in
from ntds.dsdatabase import *
File "/home/joe/Downloads/ntdsxtract-master/ntds/dsdatabase.py", line 28, in
from ntds.dsencryption import *
File "/home/joe/Downloads/ntdsxtract-master/ntds/dsencryption.py", line 31, in
from framework.win32.hashdump import sid_to_key, get_bootkey
File "/home/joe/Downloads/ntdsxtract-master/framework/win32/hashdump.py", line 24, in
from Crypto.Hash import MD5
ImportError: No module named Crypto.Hash

Hi,

here is the line I am using :
c:\Python27\python.exe C:\zgms\TEMPO\2NTDSX\dskeytab.py .\datatable.4 .\link_table.5 .\SYSTEM C:\zgms\TEMPO C:\zgms\TEMPO\keytab.key

The first part when through easily but I get stuck when it wants to create the KAYTAB file.

[+] Initialising engine...
[+] Loading saved map files (Stage 1)...
[+] Loading saved map files (Stage 2)...
Processing principal AD03-DTC$.
Error in sys.excepthook:
Traceback (most recent call last):
File "C:\zgms\TEMPO\2NTDSX\ntds_init_.py", line 31, in simple_exception
sys.stderr.write("[!] Error!", value, "\n")
TypeError: function takes exactly 1 argument (3 given)

Original exception was:
Traceback (most recent call last):
File "C:\zgms\TEMPO\2NTDSX\dskeytab.py", line 263, in
dsAddPrincipalEntries(principal, keytabFile)
File "C:\zgms\TEMPO\2NTDSX\dskeytab.py", line 145, in dsAddPrincipalEntries
kerberosKeys = dsGetPrincipalKerberosKeys(principal)
File "C:\zgms\TEMPO\2NTDSX\dskeytab.py", line 163, in dsGetPrincipalKerberosKeys
creds = principal.getSupplementalCredentials()
File "C:\zgms\TEMPO\2NTDSX\ntds\dsobjects.py", line 254, in getSupplementalCredentials
return dsSupplCredentials(tmpdec)
File "C:\zgms\TEMPO\2NTDSX\ntds\dsobjects.py", line 506, in init
self.ParseUserProperties(text)
File "C:\zgms\TEMPO\2NTDSX\ntds\dsobjects.py", line 533, in ParseUserProperties
assert reserved1 == 0
AssertionError

Since I get through the first part, I guess I am doing at least part of it right.

Thanks for you help.

Using Kali(version 2018.2), and the following command, for domain password auditing. No output files are being produced after the command is run and the scrolling list of users/accounts. The command is being run from the same directory as the ntds.dit file. This is being run after esedbexport was successfully run to extract the Database.

dsusers.py ./ntds.dit.export/datatable.3 ./ntds.dit.export/link_table.5 ./hashdumpwork –syshive ../registry/SYSTEM –passwordhashes –lmoutfile lm-out.txt –ntoutfile nt-out.txt –pwdformat john

been working great for years. Love the effort. Trying on Windows 2012 R2 and getting problems.

the export from the latest esedbtools is the following:

Opening file.
Exporting table 1 (MSysObjects) out of 14.
Exporting table 2 (MSysObjectsShadow) out of 14.
Exporting table 3 (MSysObjids) out of 14.
Exporting table 4 (MSysLocales) out of 14.
Exporting table 5 (datatable) out of 14.
Exporting table 6 (hiddentable) out of 14.
Exporting table 7 (link_history_table) out of 14.
Exporting table 8 (link_table) out of 14.
Exporting table 9 (sdpropcounttable) out of 14.
Exporting table 10 (sdproptable) out of 14.
Exporting table 11 (sd_table) out of 14.
Exporting table 12 (MSysDefrag2) out of 14.
Exporting table 13 (quota_table) out of 14.
Exporting table 14 (quota_rebuild_progress_table) out of 14.
Export completed.

I am guessing that the differences in the extracted files is messing up the parsing that ntdsxtract is doing. I can run with datatable.4 and link_table.7 which gives me some data, but not the hashes, thoughts?

I rely very much on this tool (great job man) for my work and it always worked fine but this time i got this error.

esedbexport 20151213

Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysObjids) out of 12.
Exporting table 4 (MSysLocales) out of 12.
Exporting table 5 (datatable) out of 12.
Exporting table 6 (hiddentable) out of 12.
Exporting table 7 (link_history_table) out of 12.
Exporting table 8 (link_table) out of 12.
Exporting table 9 (quota_table) out of 12.
Exporting table 10 (sdpropcounttable) out of 12.
Exporting table 11 (sdproptable) out of 12.
Exporting table 12 (sd_table) out of 12.
Export completed.

--------------FILES ----------------

-rw-r--r-- 1 root root 6408266 May 11 15:46 datatable.4
-rw-r--r-- 1 root root 567 May 11 15:46 hiddentable.5
-rw-r--r-- 1 root root 263 May 11 15:46 link_history_table.6
-rw-r--r-- 1 root root 155 May 11 15:46 link_table.7
-rw-r--r-- 1 root root 1021 May 11 15:45 MSysLocales.3
-rw-r--r-- 1 root root 95781 May 11 15:45 MSysObjects.0
-rw-r--r-- 1 root root 95781 May 11 15:45 MSysObjectsShadow.1
-rw-r--r-- 1 root root 1680 May 11 15:45 MSysObjids.2
-rw-r--r-- 1 root root 51 May 11 15:46 quota_table.8
-rw-r--r-- 1 root root 24 May 11 15:46 sdpropcounttable.9
-rw-r--r-- 1 root root 96 May 11 15:46 sdproptable.10
-rw-r--r-- 1 root root 576 May 11 15:46 sd_table.11

and the error is here:

[+] Started at: Wed, 11 May 2016 13:49:38 UTC
[+] Started with options:
    [-] Extracting password hashes
    [-] Hash output format: ocl
    [-] NT hash output filename: ******_NT_hash
    [-] LM hash output filename: ******_LM_hash
The directory (/root/ntdsxtract-master/XXXX/temp2) specified does not exists!
Would you like to create it? [Y/N] y

[+] Initialising engine...
[+] Loading saved map files (Stage 1)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/ntdsxtract-master/XXXX/temp2/offlid.map'
[+] Rebuilding maps...
[+] Scanning database - 100% -> 1745 records processed
[+] Sanity checks...
      Schema record id: 5
      Schema type id: 10
[+] Extracting schema information - 100% -> 1738 records processed
[+] Loading saved map files (Stage 2)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/ntdsxtract-master/XXXX/temp2/links.map'
[+] Rebuilding maps...
[+] Extracting object links...

List of users:
==============Error in sys.excepthook:
Traceback (most recent call last):
  File "/root/ntdsxtract-master/ntds/__init__.py", line 31, in simple_exception
    sys.stderr.write("[!] Error!", value, "\n")
TypeError: function takes exactly 1 argument (3 given)

Original exception was:
Traceback (most recent call last):
  File "dsusers.py", line 486, in <module>
    for recordid in dsMapRecordIdByTypeId[utype]:
KeyError: 1528

I am doing something wrong or this is a new bug?

This can be the same as the john format only strip off the SID and the $NT$ at the beginning of the hash.

So it will look like this in the ntoutfile, as an example, test:0cb6948805f797bf2a82807973b89537
Same can go for the lmoutfile as well, I believe that is in the correct format today, but just needs the SID stuff stripped off the end.

Hi, thank you many years of wonderful usage!! I was trying to extract hashes from a Windows Server 2016 NTDS.dit using the latest libesedb (earlier versions complained about "fixed-size data type 12") and it looks like Windows Server 2016 introduced a 4 byte value somewhere within ATTk590689, which results in dsencryption.py/dsDecryptPEK function returning a value that is 80 bytes long, instead of 76 (as mentioned here https://www.exploit-db.com/docs/english/18244-active-domain-offline-hash-dump-&-forensic-analysis.pdf). This in turn, causes the LM and NT hash decryption to fail with the following error trace, where the d2 enc_hash slice has 4 extra bytes in it. Pwdformat has no effect on this. Can anyone else confirm similar behavior?

Command:
python dscomputers.py '/home/user/libesedb/esedbtools/ntds.dit.export/datatable.4' output --syshive '/home/user/Desktop/SYSTEM' --passwordhashes --lmoutfile lmout --ntoutfile ntout --pwdformat ocl

Error trace:

<snip>
Password hashes:Error in sys.excepthook:
Traceback (most recent call last):
  File "/home/user/ntdsxtract/ntds/__init__.py", line 31, in simple_exception
    sys.stderr.write("[!] Error!", value, "\n")
TypeError: function takes exactly 1 argument (3 given)

Original exception was:
Traceback (most recent call last):
  File "dscomputers.py", line 296, in <module>
    processComputer(computer)
  File "dscomputers.py", line 92, in processComputer
    (lm, nt) = computer.getPasswordHashes()
  File "/home/user/ntdsxtract/ntds/dsobjects.py", line 221, in getPasswordHashes
    nthash = hexlify(dsDecryptSingleHash(self.SID.RID, nthash))
  File "/home/user/ntdsxtract/ntds/dsencryption.py", line 67, in dsDecryptSingleHash
    hash = d1.decrypt(enc_hash[:8]) + d2.decrypt(enc_hash[8:])
  File "/usr/lib/python2.7/dist-packages/Crypto/Cipher/blockalgo.py", line 295, in decrypt
    return self._cipher.decrypt(ciphertext)
ValueError: Input strings must be a multiple of 8 in length

Trying to extract machine accounts and failing. Works fine with ImpDump (https://github.com/HarmJ0y/ImpDump) and CredDump.

command:
ntdsxtract/dscomputers.py output.export/datatable.4 work --syshive system --passwordhashes --pwdformat john --ntoutfile nt --lmoutfile lm

...
Password hashes:[!] Error! format_john() takes exactly 4 arguments (3 given)

Looks like you're missing the sid arg? Quick test editing the code to pass in an empty string for a sid does get some output however.

The ophc argument also doesn't seem to return anything, but no errors.
edit: it seems there is a logic problem there, ntlm passwords are never written with ophc format flag...

Quick&Dirty-Fix:

diff --git a/ntds/dsencryption.py b/ntds/dsencryption.py
index 5a5aaeb..55bb470 100755
--- a/ntds/dsencryption.py
+++ b/ntds/dsencryption.py
@@ -64,5 +64,5 @@ def dsDecryptSingleHash(rid, enc_hash):
     (des_k1,des_k2) = sid_to_key(rid)
     d1 = DES.new(des_k1, DES.MODE_ECB)
     d2 = DES.new(des_k2, DES.MODE_ECB)
-    hash = d1.decrypt(enc_hash[:8]) + d2.decrypt(enc_hash[8:])
-    return hash
\ No newline at end of file
+    hash = d1.decrypt(enc_hash[:8]) + d2.decrypt(enc_hash[8:16])
+    return hash[:16]

This works perfect!!!Thanks

Originally posted by @0pa9ue in #30 (comment)

Hi,
Thanks a lot for this really (REALLY) good tool.
I'v got a problem when using dsusers.py with a Windows 2012 ntds.dit, any help will be appreciated :)

$ python dsusers.py $dir/ntds.dit.export/datatable.4 $dir/ntds.dit.export/link_table.6 $dir/results --passwordhashes --passwordhistory --syshive $dir/SYSTEM --ntoutfile $dir/AD_NT_pass --pwdformat john --lmoutfile $dir/AD_LM_pass

[+] Started at: Wed, --
[+] Started with options:
[-] Extracting password hashes
[-] Extracting password history
[-] NT hash output filename: /tmp/INTERNE/PASSWORD/AD_NT_pass
[-] Hash output format: john
[-] LM hash output filename: /tmp/PASSWORD/AD_LM_pass
[+] Initialising engine...
[+] Loading saved map files (Stage 1)...
[+] Loading saved map files (Stage 2)...

List of users:
==============Traceback (most recent call last):
File "dsusers.py", line 468, in
for recordid in dsMapRecordIdByTypeId[utype]:
KeyError: 1481

Ran this not long ago without issue under version 1.3.2 Updated today and the List of Users won't complete currently.

Command:

./dsusers.py ../../ntds.dit.export/datatable.3 ../../ntds.dit.export/link_table.5 workingfolder --syshive ../../SYSTEM --lmoutfile lmoutfile.txt --ntoutfile ntoutfile.txt -- pwdformat ophc --passwordhashes --passwordhistory

...
[+] Loading Saved map files (Stage 2)...

List of users:
==========[!] Error! 1369

It appears that in this version compared to the 1.0 version it is not extracting user information who's accounts are marked disabled. Examples would be the guest account and others that are manually set to disabled. If I run it in the 1.0 version I see them, but in the 1.3.1 version I do not. Could this be added back in?

hi i have tried to run the following in my kali vm by aws, and found the following issue:

/usr/share/doc/python3-impacket/examples/ntdsxtract# python3 dsusers.py /usr/local/bin/ntds.dit.export/datatable.4 /usr/local/bin/ntds.dit.export/link_table.6 --lmoutfile lm.out --ntoutfile nt.out --syshive SYSTEM.bin --passwordhashes --pwdformat john
Error in sys.excepthook:
Traceback (most recent call last):
File "/usr/share/doc/python3-impacket/examples/ntdsxtract/ntds/init.py", line 31, in simple_exception
sys.stderr.write("[!] Error!", value, "\n")
TypeError: write() takes exactly one argument (3 given)

Original exception was:
Traceback (most recent call last):
File "dsusers.py", line 27, in
from ntds.dsdatabase import *
File "/usr/share/doc/python3-impacket/examples/ntdsxtract/ntds/dsdatabase.py", line 370
else:
^
TabError: inconsistent use of tabs and spaces in indentation

can someone please help on solving this ?
thanks so much.

Hi,
First of all, thank you for your code!

It looks like there is a little problem while retrieving the Supplementary Credentials.
in the ntdsxtract/ntds/dsobjects.py file

def ParseUserProperty(self, text, offset):
        [...]
        elif Name == u"Primary:CLEARTEXT":
            self.Password = unhexlify(text[offset:offset+ValueLength]).decode('utf-16')
        else:
            print Name
        return offset + ValueLength

I get an encoding error because the value seems to already be an ascii String

Supplemental credentials:
  Kerberos newer keys
    salt: I[...]t
    Credentials
      18 fa[...]53
      17 cb[...]a2
      3 20[...]70
  Kerberos keys
    salt: I[...]t
    Credentials
      3 20[...]70
    OldCredentials
      3 c1[...]10
      1 c1[...]10
  WDigest hashes
    903e44489957c3a3ca489b86be83d12f
    [...]
    85f363474700b4dfa0ace59bdbc6ad98
  Packages
    Kerberos-Newer-Keys
    Kerberos
    WDigest
    CLEARTEXT
 [!] Error! 'ascii' codec can't encode characters in position 0-15: ordinal not in range(128)

which turns to be coming from there :

  File "/opt/ntdsxtract/dsusers.py", line 446, in <module>
    processUser(user)
  File "/opt/ntdsxtract/dsusers.py", line 178, in processUser
    creds.Print("  ")
  File "/opt/ntdsxtract/ntds/dsobjects.py", line 506, in Print
    print "{0}Password: {1}".format(indent, self.Password)

I personnaly resolved that bug by applying this modification in ntdsxtract/ntds/dsobjects.py:

def ParseUserProperty(self, text, offset):
        [...]
        elif Name == u"Primary:CLEARTEXT":
            self.Password = text[offset:offset+ValueLength])
        else:
            print Name
        return offset + ValueLength

As I just jumped into your code, I might not have a clean step back on what's really happening, so I let you consider if it is a viable fix.

Take care ;)

It would be nice to add a flag to be able to enable certain user account controls to be listed in a summary file. For example if an account is flagged with ACCOUNTDISABLE, we could write that username to a file. We could do the same for PWD_NOTREQD and DONT_EXPIRE_PASSWORD. This way we have an easy method of seeing who has a disabled account, a password that is not required, and a password that doesn't expire. Ideally we would produce three files one of a list of users for each control. Today I am doing this with a bunch of grep statements and it gets kinda messy.

When trying to execute the follwing command:

python dsgroups.py ../ntds_forensics/Active\ Directory/ntds.dit.export/datatable ../ntds_forensics/Active\ Directory/ntds.dit.export/link_table | less -S

I get the error:

[!] Error! No module named Crypto.Hash

With a different command I get the same error, Im pretty new at this

python dsusers.py ../ntds_forensics/Active\ Directory/ntds.dit.export/datatable ../ntds_forensics/Active\ Directory/ntds.dit.export/link_table -passwordhashes ../ntds_forensics/registry -passwordhistory ../ntds_forensics/registry -supplcreds ../ntds_forensics/registry -membership | less -S

[!] Error! No module named Crypto.Hash

Im totally lost

python dsusers.py ~/Desktop/1/datatable.3 ~/Desktop/1/link_table.5 ~/Desktop/1/temp/ --passwordhashes --syshive ~/Desktop/1/SYSTEM --pwdformat john --lmoutfile ~/Desktop/lm --ntoutfile ~/Desktop/nt

if running this, i get the following

Password hashes:[!] Error! format_john() takes exactly 4 arguments (3 given)

I get the same error if U use --pwdformat ophc

if I change to --pwdformat ocl - runs but generates no data

am I missing something?

Hi,

I the dsusers.py process is killed in between its run. It says -
scanning database - 87% -> 1398103 records processedKilled

FYI, i am trying to process a datatable.3 file which is an 8GB file.

Please help.

Hello,

I encounter always the same error with always the same username.
The extraction is stopped...

Dump from Microsoft Windows 2008 R2
Have you an idea ?

Thanks in advance.

Traceback (most recent call last):
File "/usr/local/src/ntdsxtract/dsusers.py", line 513, in
processUser(user)
File "/usr/local/src/ntdsxtract/dsusers.py", line 97, in processUser
sys.stdout.write(str(user))
File "/usr/local/src/ntdsxtract/ntds/dsobjects.py", line 378, in str
ancestors = self.getAncestors(self.DB)
File "/usr/local/src/ntdsxtract/ntds/dsobjects.py", line 108, in getAncestors
ancestor = dsObject(dsDatabase, ancestorid)
File "/usr/local/src/ntdsxtract/ntds/dsobjects.py", line 57, in init
raise BaseException
BaseException

I can not get the password hashes from the Windows Server 2012 "ntds.dit" file

commands

in windows Server 2012
cscript vssown.vbs /create c
cscript vssown.vbs /list
copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit
copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM

in linux Debian 8
apt-get install libesedb-utils
cd /root
esedbexport -m tables /root/ntds.dit
wget "https://github.com/csababarta/ntdsxtract/archive/e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip"
unzip "e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip"

python ./ntdsxtract-e2fc6470cf54d9151bed394ce9ad3cd25be7c262/dsusers.py $dir/ntds.dit.export/datatable.4 $dir/ntds.dit.export/link_table.7 $dir/results --passwordhashes --passwordhistory --syshive $dir/SYSTEM --ntoutfile $dir/AD_NT_pass --pwdformat john --lmoutfile $dir/AD_LM_pass

output

...

Record ID:            5201
User name:            Vinicius Ferro Araujo
User principal name:
SAM Account name:     vinicius.araujo
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 e668db2e-073b-4d22-b200-f297163bb49d
SID:                  S-1-5-21-2337669984-3197530991-546699991-2079
When created:         2018-08-15 15:16:28+00:00
When changed:         2018-08-15 15:16:28+00:00
Account expires:      Never
Password last set:    Never
Last logon:           Never
Last logon timestamp: Never
Bad password time     Never
Logon count:          0
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
        ACCOUNTDISABLE
        PWD_NOTREQD
        NORMAL_ACCOUNT
Ancestors:
        $ROOT_OBJECT$, info, labti, PMRO, TI, Administradores, Vinicius Ferro Araujo
Password hashes:
Password history:

files "ntds.dit" and "SYSTEM" to download
https://drive.google.com/file/d/1NA0sHgmwNKxYGUQy6iyXIqO4E4hTxs9P/view?usp=sharing
https://drive.google.com/file/d/1qpCRdytDOYibE-fJvAE2ppMnGgEc0_Hk/view?usp=sharing

when trying to run dsusers i got an error "No module named ntds.version", trying to search for that package with no success.

The major scripts (e.g. dsusers.py) are all missing the #!/usr/bin/python shebang (or /usr/bin/env python); meaning that you have to explicitly call them through python, which is all rather quaint.

(strictly you oughtn't really use .py - but that's just the pedant in me.)

When trying to pull hashes from a windows 2008 r2 server i see that it builds the maps, extracts the schema information and saves it, but then gets to "List of users: =========[!] Error! 1369" i cannot seem to find what this error relates to. thanks.