CQURE 5-Day Challenge – Day 4: Password & Hashes

Hello again!

I know, I’m late. I promised this post the next day after Day3Challenge. Unfortunately, life got in the way and only now I finally had the time to sit down and write a few words about this one.
So, this is the Day 4 Challenge from CQURE’s 5-Day Challenge. This challenge consists of working with hashes from both the local system and Active Directory.

For the first part of the challenge, the ‘SAM’ and ‘SYSTEM’ registry hives are provided. The goal is to extract the password hashes and try to crack them. With the CQURE Hash Dump tool made available to us, this task is fairly easy.

CQHashDumpv2.exe --samdump --sam SAM --sys SYSTEM


Having the output on screen is awesome, but saving everything into a file is even better. So, I just redirected the output to a file named ‘hashes.txt’ and worked from there. I immediately dropped into PowerShell for some string manipulation to get the bits that I wanted.

Get-Content .\hashes.txt | Select-String -Pattern ':::' | ForEach-Object { ($_ -split ':')[3] }


Right from the start we can see that the first 3 users have the same password, users ‘Administrator’, ‘Guest’ and ‘test1’. With all the hashes in hand, I decided to use an online service to check them. I used CrackStation, but I’m sure other sites will do just fine.

And just like that, all hashes have been cracked. Erm … not really cracked, but all hashes were already in the database, so a simple lookup revealed all of them. Now, these are very simple passwords (please change your password if it’s similar to one of these), but the ability to get password hashes and try to crack them offline is very powerful and should not be neglected.

The second part of the challenge was a bit tricky. It involves extracting password hashes from an Active Directory database. No files are provided for this one, so I had to obtain them on my own. For testing purposes, just spin up an AD and add a few users; that will be enough. I already have an AD environment in one of my labs, so I just used that. The Active Directory database is found at ‘C:\Windows\NTDS\ntds.dit’ and the ‘SYSTEM’ registry hive at ‘C:\Windows\System32\config\SYSTEM’. Since these are locked, as they are in use by the ‘System’ process, I used the trick from the Day 3 Challenge to get them. More explicitly, I created a new shadow copy and copied these files from there.

The tutorial video shows how to use ‘esedbexport’ from ‘libesedb’ to get the tables and then use ‘dsusers’ from ‘ntdsx’ to get the password hashes. I had trouble running ‘esedbexport’. Initially it was missing a DLL dependency, as I didn’t have ‘Visual C++ 2012 Redistributable’ installed. After installing it, the tool decided to error out on me when it tried to parse the AD database. I even compiled it on Kali Linux and tried from there, but it still failed. Maybe there’s a parsing problem when the Domain Level is ‘Windows Server 2016’? So, I decided to look for alternative ways to get the results I wanted. Searching around, I found this awesome blog post. Towards the end, a tool called ‘secretsdump.py’ (part of the ‘Impacket’ collection) is showcased. I tried that one and it worked beautifully. The best part is that the tool is capable of much more than just extracting password hashes from ‘ntds.dit’ files. But I’ll leave that part to you. I strongly suggest you download the ‘impacket’ collection and play with its tools. That’s what I’m going to do next weekend 🙂 Let’s get back. So, the syntax I used is below.

secretsdump.py -ntds ntds.dit -system SYSTEM local -just-dc-ntlm


I used CQURE’s ‘CQHashCalc.exe’ tool to validate that the extracted hashes are correct and they match the passwords I have for those accounts.

It was a beautiful challenge and I learned new things. See you next time!
Cheers^^