Active Directory hash dump n' crack methodology

Creating AD backup dump of user accounts and hashes

Upgrade to latest version of PowerShell

Check your version with:

$PSVersionTable.PSVersion

If you are below Major: 5, Minor: 1, head to Microsoft's download site to get the latest.

Install DSInternals

Once PowerShell is updated, run this command to install DSInternals:

install-module dsinternals

Type Y when asked about installing the NuGet provider, and basically answer Y to anything else that comes up.

Then type:

import-module dsinternals

Take a backup of AD

Run these commands to create a folder called c:\dcbackup and dump an AD backup to it:

mkdir c:\dcbackup
ntdsutil "ac i ntds" "ifm" "create full c:\dcbackup" q q

Create a file containing only AD hashes

Run the script below:

$key = Get-BootKey -SystemHivePath 'C:\dcbackup\registry\SYSTEM'

Get-ADDBAccount -All -DBPath 'C:\dcbackup\Active Directory\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File 'c:\dcbackup\hashesNT-and-users.txt' -Encoding ASCII

Get-ADDBAccount -All -DBPath 'C:\dcbackup\Active Directory\ntds.dit' -BootKey $key | Format-Custom -View HashcatLM | Out-File 'c:\dcbackup\hashesLM.txt' -Encoding ASCII

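$hashdump =
foreach ($hash in Get-Content 'c:\dcbackup\hashesNT-and-users.txt')
{
    # Each line is user:hash; keep only the text after the last colon (the hash).
    # Loop body reconstructed from the file descriptions below.
    ($hash -split ':')[-1]
}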

$hashdump | out-file 'C:\dcbackup\hashesNT-just-hashes.txt'

get-content 'C:\dcbackup\hashesNT-just-hashes.txt' | where {$_} | set-content 'C:\dcbackup\hashesNT-just-hashes-nospaces.txt'

The script will extract the hashes from the backup you put in c:\dcbackup and then parse them out in a few different files:

  • hashesNT-and-users.txt - contains usernames and hashes
  • hashesNT-just-hashes.txt - a cleaned up list of only the hashes from the hashesNT-and-users.txt, but this file contains a bunch of empty lines, and so...
  • hashesNT-just-hashes-nospaces.txt - a nice clean list of only hashes, one hash per line

Note to self: I realize I need to clean this script up to be more efficient :-)
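
A defender-side check on the user:hash file produced above, added here as an example (not part of the original gist or of DSInternals): it reports accounts that share an NT hash, meaning the same password, and accounts with an empty password, without cracking anything. The function name Get-HashAuditReport and the sample accounts are constructed for illustration.

```powershell
# Constructed sample in the user:hash layout of hashesNT-and-users.txt.
# All hashes are made up except the NT hash of an empty password.
$sample = @(
    'alice:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
    ''
    'bob:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
    'svc_backup:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
    'guest:31d6cfe0d16ae931b73c59d7e0c089c0'
    'carol:'
)
# For the real dump: $sample = Get-Content 'c:\dcbackup\hashesNT-and-users.txt'

$EmptyNT = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty string

# Hypothetical helper (not part of DSInternals): lists accounts that share an
# NT hash or have an empty password. Hash values are left out of the report.
function Get-HashAuditReport {
    param([string[]]$Lines)

    $accounts = foreach ($line in $Lines) {
        $i = $line.LastIndexOf(':')
        if ($i -lt 1) { continue }                            # blank line or no user name
        $hash = $line.Substring($i + 1).Trim().ToLower()
        if ($hash -notmatch '^[0-9a-f]{32}$') { continue }    # no stored NT hash
        [pscustomobject]@{ User = $line.Substring(0, $i); Hash = $hash }
    }

    $accounts | Group-Object Hash |
        Where-Object { $_.Count -gt 1 -or $_.Name -eq $EmptyNT } |
        ForEach-Object {
            [pscustomobject]@{
                Finding = if ($_.Name -eq $EmptyNT) { 'Empty password' } else { 'Shared password' }
                Count   = $_.Count
                Users   = ($_.Group.User | Sort-Object) -join ', '
            }
        }
}

Get-HashAuditReport -Lines $sample | Format-Table -AutoSize
```

Because the report carries only account names and counts, it can be handed to account owners without passing the hashes themselves around.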

Linux option

After the initial AD dump as described above, I ended up having to clean up the "user:hash" format on a Linux box rather than with Windows/PowerShell. This command cleaned up the file (crackme.txt) nicely:

sed 's/.*://' crackme.txt