Currently there are a few ways to dump Active Directory and local password hashes. Until recently, the techniques I had seen used to get the hashes either relied on injecting code in to LSASS or using the Volume Shadow Copy service to obtain copies of the files which contain the hashes. I have created a PowerShell script called Invoke-NinjaCopy that allows any file (including NTDS.dit) to be copied without starting suspicious services, injecting in to processes, or elevating to SYSTEM. But first, a little background.
A few months back I saw this awesome blog post: http://www.josho.org/blog/blog/2013/03/07/samex/. Rather than attempting to read files using the Win32 API (which enforces things such as read handle locks, SACL, DACL, etc.), the author wrote a tool that obtains a read handle to the C volume (something an administrator account can do). This gives him the ability to read the raw bytes of the entire volume. The tool then parses the NTFS structures on the C volume, determines where on the volume the bytes for a particular file reside, scans to the location and copies the files bytes. This allows the tool to get access to files even though LSASS has the file locked, and doesn’t require starting the Volume Shadow Copy service (which might look suspicious if it isn’t normally used).
I wanted something a little more generic (SAMex only dumps files related to password hashes on the C volume): a tool that allows me to copy any file on any volume. I want to be able to make copies of NTDS.dit and registry hives, but also any other file (such as a file protected by a SACL). I also want the tool to be written in PowerShell so it can be run remotely without writing hacker tools to disk.
Initially, I was going to write a parser in PowerShell, but then I realized there are already NTFS parsers written in C++ such as this one: http://www.codeproject.com/Articles/81456/An-NTFS-Parser-Lib. Rather than write an NTFS parser in PowerShell, it made a lot more sense to compile an existing NTFS parser as a DLL and load it up in Invoke-ReflectivePEInjection.
I was able to get the NTFS parser loaded up in PowerShell in several hours, which goes to show how easy and fast it is to turn existing native code applications in to sneaky PowerShell tools.
The result is Invoke-NinjaCopy. A PowerShell script capable of copying NTDS.dit, Registry hives, and any other file sitting on an NTFS volume by obtaining a read handle to the volume and parsing NTFS. This does not require elevating to SYSTEM, injecting in to SYSTEM processes, or starting new services/suspicious programs.
Demo:
.\Invoke-NinjaCopy.ps1 -path c:\windows\system32\config\system -localdestination c:\test\system -verbose -computername workstationvm VERBOSE: PowerShell ProcessID: 3196 VERBOSE: Copied 5242880 bytes. 6553600 Bytes remaining VERBOSE: Copied 10485760 bytes. 1310720 Bytes remaining VERBOSE: Copied 11796480 bytes. 0 Bytes remaining
Source Code:
https://github.com/clymb3r/PowerShell/tree/master/Invoke-NinjaCopy
References:
- http://www.codeproject.com/Articles/81456/An-NTFS-Parser-Lib
- http://www.josho.org/blog/blog/2013/03/07/samex/
- http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html
- http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html
- http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-2.html
clymb3r 
Great article! Do you know of a powershell script that can export an NTDS.DIT file into something human readable? I pretty much need a powershell version of libesedb!
No, I don’t know of an all in one solution. Your best bet would be to extract the database using this script, and then use an NTDS.dit parser to do the parsing.
I didn’t execute the Invoke-NinjaCopy.ps1. When I execute the script, I recevie a warning:
The ‘<' operator is reserved for future use.
At C:\Users\canhsyn\Desktop\Invoke-NinjaCopy.ps1:115 char:19
What is the solution?
What OS are you running this on, and what version of PowerShell is installed (if you have updated it)?
I use Windows 7 and Server 2008 R2 and they are full-patched. I solved this problem. But, there is another problem including PEbayt32 variable which is not assigned value.
How did you fix the issue, is it a code change?
I need the actual error message to look at the next bug. I’m assuming you are on 64bit systems and it is throwing this error, or is it throwing it on 32bit systems? Or both? I need more info to go off of…
Having an issue cloning your git repository at the moment, error is:
fatal: https://github.com/clymb3r/PowerShell/tree/master/Invoke-NinjaCopy/NTFSPa
rser/info/refs?service=git-upload-pack not found: did you run git update-server-
info on the server?
[…] came across this interesting blog post on clymb3r’s site that uses powershell to copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks […]
Greetings,
Running on Windows 7 fully patched.
PS C:\Users\kovard\Documents\GitHub\PowerShell\Invoke-NinjaCopy> .\Invoke-NinjaC
opy.ps1 -path “C:\Work\Documents\test.txt” -localdestination “c:\work\test.out”
Couldn’t get a handle for the file
At C:\Users\kovard\Documents\GitHub\PowerShell\Invoke-NinjaCopy\Invoke-NinjaCopy.ps1:2672 char:5
+ Throw “Couldn’t get a handle for the file”
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Couldn’t get a handle for the
file:String) [], RuntimeException
+ FullyQualifiedErrorId : Couldn’t get a handle for the file
I tried a variety of targets, all with the same result.
Are you running PowerShell as Administrator?
Thank you. I was, but as the wrong one. Corrected that and all is good. Thank you for the tool, and the help.
[…] Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks […]
[…] Read the rest at Joe Bialok’s Blog about Invoke-NinjaCopy that is part of PowerSploit […]