Advertisement
opexxx

ntdsutil

Jan 16th, 2015
671
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 2.35 KB | None | 0 0
  1. Use at your own risk. The tool does not require launching on a DC!
  2. This will dump the Active Directory table in tsv format, from an offline
  3. NTDS.dit file. This contains an ESENT (Extensible Storage Engine) database.
  4. Clean ways to grab this file are ntdsutil (2008 or later), vssadmin (win2k3 or later) or ntbackup (win2k).
  5. Ntdsutil is the best option, with the NTDS writer for VSS. It ensures a clean applicative shutdown of the database. Raw imaging with VSS only recovers ESENT consistency.
  6.  
  7. Open an admin cmd. Then:
  8.  
  9. 1st option:
  10. ntdsutil
  11. activate instance NTDS
  12. snapshot
  13. create
  14. list all
  15. mount <>
  16. copy C:\$SNAP_.....\Windows\NTDS\ntds.dit .
  17.  
  18. 2nd option:
  19. "vssadmin create shadow /for=C:"
  20. then copy .dit, .log, .chk, .edb and .jrs files from snapshot path
  21. finally commit the logged operations to get a clean base:
  22. "esentutl /r edb /d /i /8"
  23.  
  24. Some interesting column numbers, not necessary to use the tool:
  25. "MSysObjects" contains the metadata, "datatable" is the actual AD table, "sd_table" contains the security descriptors
  26. "ATTm3" is the Common-Name
  27. "ATTm11" is the Organizational-Unit-Name
  28. "ATTm1376281" is the Domain-Component
  29. "ATTm131532" is the LDAP-Display-Name (of attributes)
  30. "ATTm590480" is the User-Principal-Name
  31. "ATTc131102" is the Attribute-ID (columns) column
  32. "ATTj591540" is the msDS-IntId column, for specific attribute ids (exchange...)
  33. "ATTk590689" is the Pek-List
  34. "ATTm590045" is the usernames column,
  35. "ATTk589879" is the DBCS-Pwd column, encrypted LMHash,
  36. "ATTk589914" is the Unicode-Pwd column, encrypted NTHash,
  37. "ATTr589970" is the Object-Sid column (last int32 of the struct is the RID)
  38. "ATTr590433" is the Sid-History column
  39. "ATTj589832" is the User-Account-Control column
  40. "ATTr589949" is the Supplemental-Credentials column (storing the reversible encrypted passwords)
  41. "ATTb590606" is the Object-Category column (for a given object)
  42. "ATTb590607" is the Default-Object-Category column (index of an object category schema attribute)
  43. "ATTp131353" is the NT-Security-Descriptor (in fact an index, big endian, to sd_id from sd_table)
  44. "ATTk589972" is the Schema-ID-GUID (found in ACE InheritedObjectTypes)
  45. "ATTm590164" is the Rights-Guid (found in ACE ObjectTypes)
  46. "Ancestors_col" is the multi-valued int32 DN ancestors
  47. Exchange ms-Exch-Mailbox-Security-Descriptor: it depends.
  48. Look for it either in Attribute-ID or in msDS-IntId
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement