Comments (6)
Another thing that I've just tried:
python dsusers.py ../ntds_forensics/Active\ Directory/ntds.dit.export/datatable ../ntds_forensics/Active\ Directory/ntds.dit.export/link_table --passwordhashes ../ntds_forensics/registry/ --membership --supplcreds ../ntds_forensics/registry/ --membership --rid 500
With the same error:
[!] Error! No module named Crypto.Hash
I'm running these scripts on CentOS 6.5, Python 2.6.6.
I extracted ntds with ntdsutil; it created the following directories:
Active Directory, with ntds.dit inside
registry, with the SYSTEM and SECURITY files (the registry hives)
After executing
esedbexport -m all ntds.dit
the directory ntds.dit.export was created inside the "Active Directory" directory mentioned before.
The ntds.dit.export directory contains plenty of stuff.
from ntdsxtract.
yum install pycrypto
installed the library, and I still experience the same problem.
from ntdsxtract.
Finally, researching on the internet, I got the solution by installing the very latest pycrypto library, downloaded from a link on bitconins.
And I still can't get the Python scripts to work:
python dsusers.py ../ntds_forensics/Active\ Directory/ntds.dit.export/datatable ../ntds_forensics/Active\ Directory/ntds.dit.export/link_table --passwordhashes ../ntds_forensics/registry --membership --supplcreds ../ntds_forensics/registry --membership --rid 500
Error:
[!] Error! syshive not specified!
Here the ../ntds_forensics/registry directory contains 2 files:
SECURITY 256 KB
SYSTEM 15.2 MB
from ntdsxtract.
It seems you didn't specify the path to the system registry hive. This hive is needed in order to extract password hashes from the ntds.dit. You need to use the option --syshive.
Besides that, you will also need to use other options to specify the output format and the output files. Please check the help of dsusers.py by executing the script without any arguments. The options you will probably need are:
--pwdformat
--lmoutfile
--ntoutfile
from ntdsxtract.
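The following wrapper is an added example for this thread; it is not code from the ntdsxtract project or from either participant. It puts the options csababarta lists into one invocation and first checks the two things that went wrong above: a directory was passed where the SYSTEM hive file belongs, and no work directory or output files were given. Assumptions: the ntdsxtract command line is `dsusers.py <datatable> <link_table> <work directory> [options]`, `--passwordhashes`, `--passwordhistory`, `--supplcreds` and `--membership` are switches without arguments (as in Luis's later dscomputers command), esedbexport may name the tables with a numeric suffix (`datatable.3`), and the output file names are arbitrary. Every Windows registry hive begins with the bytes `regf`, so that is used to tell a hive file from anything else.

```shell
#!/bin/sh
# Added example, not part of ntdsxtract: preflight checks plus the dsusers.py
# invocation with --syshive, --pwdformat, --lmoutfile and --ntoutfile.
# Assumed command line: dsusers.py <datatable> <link_table> <work dir> [options]

# is_regf FILE: true if FILE is a regular file whose first 4 bytes are the
# "regf" magic that every Windows registry hive carries at offset 0.
is_regf() {
    [ -f "$1" ] || return 1
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null)" = "regf" ]
}

# find_table DIR NAME: print the esedbexport table file for NAME, accepting
# both the bare name and the numbered form (datatable.3, link_table.5).
find_table() {
    for f in "$1/$2" "$1/$2".*; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# preflight EXPORT_DIR SYSHIVE OUTDIR: report the first problem and return 1,
# or create the work directory and return 0.
preflight() {
    export_dir=$1; syshive=$2; outdir=$3
    for t in datatable link_table; do
        find_table "$export_dir" "$t" >/dev/null || {
            echo "missing esedbexport table $t in $export_dir" >&2; return 1; }
    done
    if [ -d "$syshive" ]; then
        echo "--syshive needs the SYSTEM hive file, not the directory $syshive" >&2
        return 1
    fi
    if ! is_regf "$syshive"; then
        echo "$syshive is not a registry hive (no regf header)" >&2
        return 1
    fi
    mkdir -p "$outdir" || return 1
}

# run_dsusers EXPORT_DIR SYSHIVE OUTDIR: the full extraction. The work
# directory is the third positional argument; hashes go to the two john files.
run_dsusers() {
    datatable=$(find_table "$1" datatable) || return 1
    link_table=$(find_table "$1" link_table) || return 1
    python dsusers.py "$datatable" "$link_table" "$3" \
        --syshive "$2" \
        --passwordhashes --passwordhistory --supplcreds --membership \
        --pwdformat john \
        --lmoutfile "$3/lm_hashes.john" \
        --ntoutfile "$3/nt_hashes.john"
}

# Usage: sh dsusers_run.sh "../ntds_forensics/Active Directory/ntds.dit.export" \
#            ../ntds_forensics/registry/SYSTEM dsusers_output
if [ $# -eq 3 ]; then
    preflight "$1" "$2" "$3" && run_dsusers "$1" "$2" "$3"
fi
```

Run it from the ntdsxtract directory, the way dsusers.py itself is invoked in the thread; if the export directory does not match the names above, the first error line names the table it could not find.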
Hi! Many thanks for your help and hints!
I managed to extract NT hashes, so at least I know that the ntds + hives were successfully extracted.
My question now is how could I get the most out of this framework? For example, you mentioned in your first email that I could tell if a Kerberos user was attacked/compromised.
Also, how could I tell if attackers have been using highly privileged users?
How could I know if they gave special or admin permissions to certain users? In your videos you show info about users, even though I don't know how to distinguish a legitimate user from a non-legitimate user, or at least legitimate vs. non-legitimate activity on the domain.
I'm pretty new at this. Actually, I am currently analyzing an ntds.dit that I have created from a Windows Server 2008 R2 VM that I have just created and dcpromo-ted for testing purposes. Once I really know how to do it, I will start with real forensics on the company that I'm working for, which has been attacked and compromised (we saw in logs that some admin users were logging in to computers that are not their desktops). Our objective now is "to prove without refutation that our domain reflects lateral movement and malicious activity" and that attackers have been using admin users for their undercover activities.
I don't know which commands and options to give and how to interpret the results. Because I'm very new to this framework, I don't even know what the results should be for giving our managers conclusive evidence of the activity that the attackers have been performing on our systems.
Many thanks indeed Csaba,
Luis
from ntdsxtract.
I'm trying to understand better and I can't.
The command
python dscomputers.py ../ntds_forensics/Active\ Directory/ntds.dit.export/datatable.3 dscomputers_output --name * --dhistory_file --syshive ../ntds_forensics/registry/SYSTEM --passwordhistory --pwdformat john --ntoutfile salidalm --lmoutfile lmoutputfile --supplcreds
just creates 2 empty files:
lmoutputfile
salidalm
I was trying to check the history of password changes; the 2 output files mentioned just above this line are empty.
from ntdsxtract.