@7MinSec
Last active April 15, 2021 16:17
Active Directory hash dump n' crack methodology

Creating AD backup dump of user accounts and hashes

Upgrade to latest version of PowerShell

Check your version with:

$PSVersionTable.PSVersion

If the reported version is below Major 5, Minor 1 (that is, older than PowerShell 5.1), head to Microsoft's download site to get the latest.

Install DSInternals

Once PowerShell is updated, run this command (as Administrator) to install DSInternals:

install-module dsinternals

Type Y when asked about installing the NuGet provider, and answer Y to anything else that comes up. If you get a warning that the module is already installed, try uninstall-module -name dsinternals. With v3 you may instead get a message saying (WARNING: Version '3.0' of module 'DSInternals' is already installed at 'C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals'.) If that's the case, manually delete that folder and re-run the install.

Then type:

import-module dsinternals

Take a backup of AD

Run these commands to create a NEW folder called c:\dcbackup (or whatever you want to call it) and dump an AD backup to it:

mkdir c:\dcbackup
ntdsutil "ac i ntds" "ifm" "create full c:\dcbackup" q q

Note: UAC may ask for approval.

Create a file containing only AD hashes

Run the script below:

# Boot key from the SYSTEM hive in the IFM backup; DSInternals needs it to decrypt the hashes stored in ntds.dit
$key = Get-BootKey -SystemHivePath 'C:\dcbackup\registry\SYSTEM'

# NT hashes in hashcat's user:hash format
Get-ADDBAccount -All -DBPath 'C:\dcbackup\Active Directory\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File 'c:\dcbackup\hashesNT-and-users.txt' -Encoding ASCII

# LM hashes (only present for accounts that still have legacy LM storage)
Get-ADDBAccount -All -DBPath 'C:\dcbackup\Active Directory\ntds.dit' -BootKey $key | Format-Custom -View HashcatLM | Out-File 'c:\dcbackup\hashesLM.txt' -Encoding ASCII

# Keep only the text after the last colon on each line, i.e. the hash without the username
$hashdump = foreach ($hash in Get-Content 'c:\dcbackup\hashesNT-and-users.txt')
{
    $hash.Split(':')[-1]
}

$hashdump | Out-File 'C:\dcbackup\hashesNT-just-hashes.txt'

# Drop the empty lines so the final file has exactly one hash per line
Get-Content 'C:\dcbackup\hashesNT-just-hashes.txt' | Where-Object { $_ } | Set-Content 'C:\dcbackup\hashesNT-just-hashes-nospaces.txt'

The script extracts the hashes from the backup you placed in c:\dcbackup and writes them out to a few different files:

  • hashesNT-and-users.txt - contains usernames and hashes
  • hashesNT-just-hashes.txt - a cleaned-up list of only the hashes from hashesNT-and-users.txt, but this file still contains a bunch of empty lines, and so...
  • hashesNT-just-hashes-nospaces.txt - a nice clean list of only hashes, one hash per line

Note to self: I realize I need to clean this script up to be more efficient :-)
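As an added example (not part of the original gist), here is a single-pass PowerShell version of the cleanup step above: it reads the user:hash file written by the HashcatNT view, writes the de-duplicated, blank-line-free hash list in one go, and also reports accounts that share an NT hash, which is the password-reuse finding a domain password audit usually turns on. The file paths are the gist's own; the hash-format check, the blank-password check and the reuse report are assumptions added here.

```powershell
# Added example, not the gist author's script. Assumes the user:hash file
# produced by Format-Custom -View HashcatNT in the step above.
$inFile  = 'C:\dcbackup\hashesNT-and-users.txt'
$outFile = 'C:\dcbackup\hashesNT-just-hashes-nospaces.txt'

# Well-known NT hash of the empty password (assumption: used here only to flag
# accounts that have no password set at all).
$emptyPasswordHash = '31d6cfe0d16ae931b73c59d7e0c089c0'

$entries = Get-Content $inFile |
    Where-Object { $_ -match ':' } |              # skip blank or malformed lines
    ForEach-Object {
        $parts = $_ -split ':'
        [pscustomobject]@{
            User = $parts[0].Trim()
            Hash = $parts[-1].Trim().ToLower()    # hash is after the last colon, as in the gist
        }
    } |
    Where-Object { $_.Hash -match '^[0-9a-f]{32}$' }  # keep only well-formed NT hashes

# One unique hash per line, no empty lines: the input shape hashcat expects
$entries.Hash | Sort-Object -Unique | Set-Content $outFile -Encoding ASCII

# Audit findings: accounts with an empty password, and groups of accounts
# that share one NT hash (and therefore one password). Only usernames are
# printed, never the hashes themselves.
$entries | Where-Object { $_.Hash -eq $emptyPasswordHash } |
    ForEach-Object { "Empty password: {0}" -f $_.User }

$entries | Group-Object Hash | Where-Object { $_.Count -gt 1 } |
    Sort-Object Count -Descending |
    ForEach-Object {
        "{0} accounts share one password: {1}" -f $_.Count, ($_.Group.User -join ', ')
    }
```

The de-duplication matters for cracking time as well as for reporting: one cracked hash from a shared group resolves every account in that group.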

Linux option

After the initial AD dump as described above, I ended up having to clean up the "user:hash" format on a Linux box rather than with Windows/PowerShell. This command cleaned up the file (crackme.txt) nicely, printing just the hash from each line:

sed 's/.*://' crackme.txt
@drunkrhin0

@braimee I've updated this methodology to remove the file with a bunch of whitespace :)

Thanks for all your hard work!

You can find the fork here

I haven't tested the Linux option though.

@7MinSec (Author)

7MinSec commented Jul 31, 2020

Sounds good @drunkrhin0 thanks!
