Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks

Currently there are a few ways to dump Active Directory and local password hashes. Until recently, the techniques I had seen used to get the hashes either relied on injecting code into LSASS or using the Volume Shadow Copy service to obtain copies of the files which contain the hashes. I have created a PowerShell script called Invoke-NinjaCopy that allows any file (including NTDS.dit) to be copied without starting suspicious services, injecting into processes, or elevating to SYSTEM. But first, a little background.

A few months back I saw this awesome blog post: http://www.josho.org/blog/blog/2013/03/07/samex/. Rather than attempting to read files using the Win32 API (which enforces things such as read handle locks, SACLs, DACLs, etc.), the author wrote a tool that obtains a read handle to the C volume (something an administrator account can do). This gives him the ability to read the raw bytes of the entire volume. The tool then parses the NTFS structures on the C volume, determines where on the volume the bytes for a particular file reside, seeks to that location and copies the file's bytes. This allows the tool to get access to files even though LSASS has the file locked, and doesn't require starting the Volume Shadow Copy service (which might look suspicious if it isn't normally used).

I wanted something a little more generic (SAMex only dumps files related to password hashes on the C volume): a tool that allows me to copy any file on any volume. I want to be able to make copies of NTDS.dit and registry hives, but also any other file (such as a file protected by a SACL). I also want the tool to be written in PowerShell so it can be run remotely without writing hacker tools to disk.

Initially, I was going to write a parser in PowerShell, but then I realized there are already NTFS parsers written in C++ such as this one: http://www.codeproject.com/Articles/81456/An-NTFS-Parser-Lib. Rather than write an NTFS parser in PowerShell, it made a lot more sense to compile an existing NTFS parser as a DLL and load it up in Invoke-ReflectivePEInjection.

I was able to get the NTFS parser loaded up in PowerShell in several hours, which goes to show how easy and fast it is to turn existing native code applications into sneaky PowerShell tools.

The result is Invoke-NinjaCopy, a PowerShell script capable of copying NTDS.dit, registry hives, and any other file sitting on an NTFS volume by obtaining a read handle to the volume and parsing NTFS. This does not require elevating to SYSTEM, injecting into SYSTEM processes, or starting new services or suspicious programs.
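The raw volume read that Invoke-NinjaCopy relies on is also what a defender can watch for: Sysmon Event ID 9 (RawAccessRead) records a process opening a volume device for reading. The following is an added example, not part of the original post or the Invoke-NinjaCopy project, that classifies such events from constructed sample log entries; the allowlisted images and the assumption that wsmprovhost.exe is the process seen for a remote (-computername) run are mine and need tuning per environment.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Images expected to open volumes raw (backup, defrag): a constructed baseline, tune per environment.
EXPECTED_RAW_READERS = {r"c:\windows\system32\defrag.exe", r"c:\windows\system32\wbengine.exe"}
# Script hosts: PowerShell itself and wsmprovhost.exe, which hosts remote PowerShell sessions
# such as the -computername run in the demo (assumed here; verify in your own telemetry).
SCRIPT_HOSTS = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\system32\wsmprovhost.exe",
}

def parse_event(xml_text):
    """Flatten one Sysmon event (XML as exported from the event log) into a dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields

def classify_raw_read(event):
    """Classify a Sysmon Event ID 9 (RawAccessRead); returns None for any other event ID."""
    if event["EventID"] != 9:
        return None
    image = event.get("Image", "").lower()
    if not event.get("Device", "").startswith(r"\Device\HarddiskVolume"):
        return "ignore"    # raw read of something other than a fixed-disk volume
    if image in EXPECTED_RAW_READERS:
        return "expected"
    if image in SCRIPT_HOSTS:
        return "alert"     # a script host reading a volume raw is how NinjaCopy shows up
    return "review"        # unknown image: triage it, then add it to one of the sets above

def find_alerts(xml_events):
    """Return (ProcessId, Image, Device) for every event that classifies as 'alert'."""
    hits = []
    for text in xml_events:
        ev = parse_event(text)
        if classify_raw_read(ev) == "alert":
            hits.append((ev["ProcessId"], ev["Image"], ev["Device"]))
    return hits

# Constructed sample events (not real log data): a remote PowerShell host and defrag both
# opening the system volume raw, plus an unrelated process-create event (ID 1).
SAMPLE_EVENTS = [
    r'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>9</EventID></System><EventData><Data Name="ProcessId">3196</Data><Data Name="Image">C:\Windows\System32\wsmprovhost.exe</Data><Data Name="Device">\Device\HarddiskVolume2</Data></EventData></Event>',
    r'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>9</EventID></System><EventData><Data Name="ProcessId">1204</Data><Data Name="Image">C:\Windows\System32\defrag.exe</Data><Data Name="Device">\Device\HarddiskVolume2</Data></EventData></Event>',
    r'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData><Data Name="ProcessId">88</Data><Data Name="Image">C:\Windows\System32\notepad.exe</Data></EventData></Event>',
]
```

On a live host the same XML comes from Get-WinEvent against the Microsoft-Windows-Sysmon/Operational log with Id 9, via each event's ToXml() method.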

Demo:

.\Invoke-NinjaCopy.ps1 -path c:\windows\system32\config\system -localdestination c:\test\system -verbose -computername workstationvm
VERBOSE: PowerShell ProcessID: 3196
VERBOSE: Copied 5242880 bytes. 6553600 Bytes remaining
VERBOSE: Copied 10485760 bytes. 1310720 Bytes remaining
VERBOSE: Copied 11796480 bytes. 0 Bytes remaining

Source Code:

https://github.com/clymb3r/PowerShell/tree/master/Invoke-NinjaCopy

12 comments on “Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks”
  1. Tatters says:

    Great article! Do you know of a powershell script that can export an NTDS.DIT file into something human readable? I pretty much need a powershell version of libesedb!

    • clymb3r says:

      No, I don’t know of an all in one solution. Your best bet would be to extract the database using this script, and then use an NTDS.dit parser to do the parsing.

  2. EthicalHack says:

    I didn’t execute the Invoke-NinjaCopy.ps1. When I execute the script, I receive a warning:

    The '<' operator is reserved for future use.
    At C:\Users\canhsyn\Desktop\Invoke-NinjaCopy.ps1:115 char:19

    What is the solution?

    • clymb3r says:

      What OS are you running this on, and what version of PowerShell is installed (if you have updated it)?

      • EthicalHack says:

        I use Windows 7 and Server 2008 R2 and they are fully patched. I solved this problem. But, there is another problem including PEbayt32 variable which is not assigned value.

      • clymb3r says:

        How did you fix the issue, is it a code change?

        I need the actual error message to look at the next bug. I’m assuming you are on 64bit systems and it is throwing this error, or is it throwing it on 32bit systems? Or both? I need more info to go off of…

  3. Ruminator says:

    Having an issue cloning your git repository at the moment, error is:

    fatal: https://github.com/clymb3r/PowerShell/tree/master/Invoke-NinjaCopy/NTFSParser/info/refs?service=git-upload-pack not found: did you run git update-server-info on the server?

  4. […] came across this interesting blog post on clymb3r’s site that uses powershell to copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks […]

  5. Greetings,

    Running on Windows 7 fully patched.

    PS C:\Users\kovard\Documents\GitHub\PowerShell\Invoke-NinjaCopy> .\Invoke-NinjaCopy.ps1 -path "C:\Work\Documents\test.txt" -localdestination "c:\work\test.out"

    Couldn't get a handle for the file
    At C:\Users\kovard\Documents\GitHub\PowerShell\Invoke-NinjaCopy\Invoke-NinjaCopy.ps1:2672 char:5
    + Throw "Couldn't get a handle for the file"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (Couldn't get a handle for the file:String) [], RuntimeException
    + FullyQualifiedErrorId : Couldn't get a handle for the file

    I tried a variety of targets, all with the same result.

  6. […] Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks […]
