Well... a funny thing happened.

I stole a Domain Controller.

Like... physically stole it. I have it here with me. It's... well. It's unencrypted. I can mount it like a hard drive.

Now to figure out how to get info, such as user lists, out of it...
I've only interacted with DCs from domain connected computers using 'net' commands and powershell...

I've even remotely connected to DC's and interacted with Active Directory using Remote Desktop Protocol...

But I've never physically stolen and mounted a DC before.
First thing, I might as well grab the NTDS.dit file and pull off hashes.
- That's found in: ...\Windows\NTDS\NTDS.dit

Need the system hive as well...
- That's found in: ...\Windows\System32\config\SYSTEM

Drag those over to my own host.
Impacket has a nice script to pull domain user accounts and hashes from local files. Thanks Impacket!!!

~/$ python secretsdump.py -ntds NTDS.dit -system SYSTEM LOCAL -outputfile lol.hash

Push those to my hashcracker....

Alright. That gives me internal usernames and hashes. But I don't have the user information.

Normally I'd do a:
C:\ net user <username> /domain

Or pull every user out via LDAP. Or something similar.

But how do I get the Active Directory user info from these files?!
Seriously... I have no idea.

Brb while I duckduckgo this shit.
Also, don't ask about how I got the physical server rack. They slide out of the cabinet just fine, thank you!

Also also, running with a 4U rack "under" your arm is ungainly. Shit's heavy and bulky, yo.
Oooh... impacket has an 'esentutl' python port...
Oh Lady Discordia... this NTDS.dit is huge....

What sort of out-of-the-way branch office needs one this large?
Ok!!! I dumped everything!

I used impacket's 'esentutl' python port & dumped all of NTDS.dit into a text file. Grepped for Employee Name, Email, Title, &c.

~/$ python esentutl.py ~/Loot/NTDS.dit export -table datatable > allTheThings.txt

https://github.com/SecureAuthCorp/impacket/blob/master/examples/esentutl.py
Oh... Umm...

@UK_Daniel_Card reminded me to check GPP. So, I grepped SYSVOL (C:\Windows\SYSVOL\):

~/$ grep -r cpassword *

And found the cipher text for every workstation's Local Admin password. Decrypted it with:

~/$ gpp-decrypt "<cpasswordcipher>"

I am now depressed.
You can follow @TinkerSec.
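A defender's follow-up to the GPP find in the thread, added here as an example and not part of the original post: a script that walks a copy of SYSVOL and reports every Group Policy Preference XML file still carrying a non-empty cpassword attribute (locations and account names only, no decryption), so the offending GPOs can be found and cleaned up. The SYSVOL layout, GPO names, account names and the placeholder cpassword value are all constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword attribute (the MS14-025 issue).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def find_cpassword(sysvol_root):
    """Walk a SYSVOL tree; return (relative path, tag, account) for every element
    whose cpassword attribute is non-empty. Nothing is decrypted."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            full = os.path.join(dirpath, name)
            try:
                root = ET.parse(full).getroot()
            except ET.ParseError:
                continue  # malformed XML: skipped here, worth logging in a real audit
            for elem in root.iter():
                if elem.attrib.get("cpassword"):  # empty string means already cleaned
                    account = elem.attrib.get("userName") or elem.attrib.get("accountName", "")
                    rel = os.path.relpath(full, sysvol_root).replace(os.sep, "/")
                    findings.append((rel, elem.tag, account))
    return findings


# Constructed sample: one GPO still storing a cpassword, one already cleaned.
GROUPS_WITH_CPASSWORD = """<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="LocalAdmin">
  <Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-VALUE" userName="LocalAdmin"/>
</User></Groups>"""
GROUPS_CLEANED = """<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="Helpdesk">
  <Properties action="U" cpassword="" userName="Helpdesk"/>
</User></Groups>"""


def build_sample_sysvol():
    """Write the constructed SYSVOL layout into a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    for gpo, body in (("{GPO-A}", GROUPS_WITH_CPASSWORD), ("{GPO-B}", GROUPS_CLEANED)):
        d = os.path.join(root, "example.local", "Policies", gpo, "Machine", "Preferences", "Groups")
        os.makedirs(d)
        with open(os.path.join(d, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, tag, account in find_cpassword(build_sample_sysvol()):
        print(f"cpassword present: {path} <{tag}> account={account!r}")
```

Point it at a mounted SYSVOL share or an offline copy; a clean domain returns an empty list.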