SAM & NTDIS
Both of this files hold information we'd like to gather to get the hashes for later cracking.
The NTDIS.dit holds all accounts in a Directory and is your main target.
The bad Thing for cracking, but good for real world, is that this file can only read by a system resurce. Hance we can't change to %SystemRoot%\ntds\NTDS.DIT and copy the file. But there are two well known sultions to get the file anyway.
- Use a tool that implements itself as a System process and copys the file for you. (i.e. pwdump) Please keep in mind to disable any antivirus Prior of copying it to the target. - Try usung the Pwdump6 instead of the very latest version as I never had any Problems with it while AV was still running.
- Use a shadow copy command to create a backup of the NTDIS file.
1. Create a new Shadow Copy.
cscript vssown.vbs /start (optional)
cscript vssown.vbs /create
2. Pull the following files from a shadow copy:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .
I'd prefer you go for the pwdump as it procudes a ready usable Textfile you can Import into Can&Abel while the second technique give you the plain NTDIS file you Need to extract using other tools. Check my Tools section for a HowTo.
The second file I'd like to talk abaout is the SAM file. Windows stores the username and hash of the last 10 users that logged onto the System in that file. So the Information in there might be duplicate to your Directory Information you're getting through the NTDIS.