
Comments (6)

gopala410 avatar gopala410 commented on July 21, 2024

Another thing that I've just tried:

python dsusers.py ../ntds_forensics/Active\ Directory/ntds.dit.export/datatable ../ntds_forensics/Active\ Directory/ntds.dit.export/link_table --passwordhashes ../ntds_forensics/registry/ --membership --supplcreds ../ntds_forensics/registry/ --membership --rid 500

With the same error:

[!] Error! No module named Crypto.Hash

I'm running these scripts on CentOS 6.5
Python 2.6.6
I extracted ntds with ntdsutil;
it created the following directories:
Active Directory with ntds.dit inside

registry with SYSTEM and SECURITY files (the registry hives)

after executing
esedbexport -m all ntds.dit

the directory ntds.dit.export was created inside the directory "Active Directory" mentioned before.
The ntds.dit.export directory contains plenty of stuff.

from ntdsxtract.

gopala410 avatar gopala410 commented on July 21, 2024

yum install pycrypto

installed the library, and I still experience the same problem.


gopala410 avatar gopala410 commented on July 21, 2024

Finally, researching on the internet, I got the solution by installing the very latest pycrypto library, downloaded from a link on bitconins.
And I still can't get the python scripts to work:

python dsusers.py ../ntds_forensics/Active\ Directory/ntds.dit.export/datatable ../ntds_forensics/Active\ Directory/ntds.dit.export/link_table --passwordhashes ../ntds_forensics/registry --membership --supplcreds ../ntds_forensics/registry --membership --rid 500

Error:
[!] Error! syshive not specified!

where the ../ntds_forensics/registry directory contains 2 files:
SECURITY 256 kb
SYSTEM 15,2 Mb


csababarta avatar csababarta commented on July 21, 2024

It seems you didn't specify the path to the system registry hive. This hive is needed in order to extract password hashes from the ntds.dit. You need to use the option --syshive

Besides that, you will also need to use other options to specify the output format and the output files as well. Please check the help of dsusers.py by executing the script without any arguments. The options you will probably need are:
--pwdformat
--lmoutfile
--ntoutfile

On 23 Jun 2015, at 19:15, gopala410 [email protected] wrote:



gopala410 avatar gopala410 commented on July 21, 2024

Hi! Many thanks for your help and hints!
I managed to extract NT hashes, so at least I know that the ntds + hives were successfully extracted.

My question now is how could I get the most out of this framework? For example, you mentioned in your first email that I could tell whether a Kerberos user was attacked/compromised.
Also, how could I tell whether attackers have been using highly privileged users?
How could I know whether they gave special or admin permissions to certain users? In your videos you show info about users, even though I don't know how to distinguish a legitimate user from a non-legitimate user, or at least legitimate vs. non-legitimate activity on the domain.

I'm pretty new at this. Actually I am currently analyzing an ntds.dit that I have created from a VM Windows Server 2008 R2 that I have just created and dcpromo-ted for testing purposes. Once I really know how to do it, I will start with real forensics at the company that I'm working for, which has been attacked and compromised (we saw in logs that some admin users were logging in on computers that are not their desktops). Our objective now is "to prove without refutation that our domain reflects lateral movement and malicious activity" and that attackers have been using admin users for their undercover activities.

I don't know which commands and options to give and how to interpret the results. Because I'm very new to this framework, I don't even know what the results should be to give our managers conclusive evidence of the activity that the attackers have been performing on our systems.

Many thanks indeed Csaba,

Luis


On Tue, Jun 23, 2015 at 9:58 PM, csababarta [email protected] wrote:


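Csaba's reply above says that the SYSTEM hive plus --pwdformat, --lmoutfile and --ntoutfile are what make dsusers.py write the hash files, and Luis then asks how to tell that the extraction worked and how to read the results. The script below is an added example for this thread, not code from ntdsxtract or from either participant. It assumes the file written by `--pwdformat john` holds one pwdump-style record per account (`username:RID:LMhash:NThash:::`); if your ntdsxtract version writes a different layout, adjust LINE_RE. The sample records are constructed and are not real hashes.

```python
#!/usr/bin/env python3
"""Sanity-check an ntdsxtract hash output file before interpreting it.

Added example for this thread; it is not ntdsxtract's own code. It assumes the
file written by --pwdformat john holds one pwdump-style record per account:
    username:RID:LMhash:NThash:::
If your ntdsxtract version writes a different layout, adjust LINE_RE.
"""
import re
import sys
from collections import defaultdict

# Well-known hashes of the empty password. The LM value is also what tools emit
# when LM hash storage is disabled, so it does not by itself mean a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_pwdump(text):
    """Parse pwdump-style text into a list of dicts; reject malformed lines loudly."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a pwdump-style record: {line!r}")
        rec = m.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["lm"] = rec["lm"].lower()
        rec["nt"] = rec["nt"].lower()
        entries.append(rec)
    return entries


def audit(entries):
    """Summarise what a responder should look at before drawing conclusions."""
    by_nt = defaultdict(list)
    for rec in entries:
        by_nt[rec["nt"]].append(rec["user"])
    return {
        "count": len(entries),
        # An empty file usually means the extraction step failed (wrong hive or
        # missing output options), not that the domain has no accounts.
        "empty_file": len(entries) == 0,
        "builtin_admin": [r["user"] for r in entries if r["rid"] == 500],
        "empty_password": sorted(r["user"] for r in entries if r["nt"] == EMPTY_NT),
        "lm_present": sorted(r["user"] for r in entries if r["lm"] != EMPTY_LM),
        # Several accounts with the same NT hash share a password; worth a look
        # when an admin account and a service account are among them.
        "shared_nt": {h: sorted(u) for h, u in by_nt.items() if len(u) > 1 and h != EMPTY_NT},
    }


# Constructed sample records (not real hashes) standing in for an ntoutfile.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:00112233445566778899aabbccddeeff:::
jdoe:1106:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
"""


def report(findings):
    """Render the audit as plain text lines."""
    lines = [f"records: {findings['count']}"]
    if findings["empty_file"]:
        lines.append("WARNING: no records; re-check --syshive and the output options")
    for key in ("builtin_admin", "empty_password", "lm_present"):
        lines.append(f"{key}: {', '.join(findings[key]) or '-'}")
    for h, users in findings["shared_nt"].items():
        lines.append(f"shared NT hash {h}: {', '.join(users)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 hashcheck.py <ntoutfile>; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(report(audit(parse_pwdump(text))))
```

Running it against the file named with --ntoutfile gives a record count first, so the empty-output case from the last comment in this thread is reported as a warning rather than silently passing. The remaining findings (built-in administrator present, accounts with an empty NT hash, accounts still carrying an LM hash, accounts sharing one NT hash) are the checks a responder wants before reading the per-user output of dsusers.py.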

gopala410 avatar gopala410 commented on July 21, 2024

I'm trying to understand this better and I can't.
The command

python dscomputers.py ../ntds_forensics/Active\ Directory/ntds.dit.export/datatable.3 dscomputers_output --name * --dhistory_file --syshive ../ntds_forensics/registry/SYSTEM --passwordhistory --pwdformat john --ntoutfile salidalm --lmoutfile lmoutputfile --supplcreds

just creates 2 empty files:

lmoutputfile
salidalm

I was trying to check the password change history, ... the 2 output files mentioned just above this line are empty.


On Wed, Jun 24, 2015 at 9:20 PM, Luis Escobar [email protected] wrote:


