Active Directory hash dump n' crack methodology

Creating AD backup dump of user accounts and hashes

Upgrade to latest version of PowerShell

Check your version with:

$Psversiontable.psversion

If the reported version is below Major 5, Minor 1, head to Microsoft's download site to get the latest release.

Install DSInternals

Once PowerShell is updated, run this command (as Administrator) to install DSInternals:

install-module dsinternals

Type Y when asked about installing the NuGet provider, and answer Y to anything else that comes up. If you get a warning that the module is already installed, try uninstall-module -name dsinternals. With v3 you may instead see a message like: WARNING: Version '3.0' of module 'DSInternals' is already installed at 'C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals'. If that's the case, manually delete that folder.

Then type:

import-module dsinternals

Take a backup of AD

Run these commands to create a NEW folder called c:\dcbackup (or whatever you want to call it) and dump an AD backup to it:

mkdir c:\dcbackup
ntdsutil "ac i ntds" "ifm" "create full c:\dcbackup" q q

Note: UAC may ask for approval.

Create a file containing only AD hashes

Run the script below:

# Recover the boot key from the SYSTEM hive in the IFM backup; it is needed to decrypt the hashes in ntds.dit.
$key = Get-BootKey -SystemHivePath 'C:\dcbackup\registry\SYSTEM'

# Dump every account in hashcat's user:hash form (NT and LM views) as plain ASCII text.
Get-ADDBAccount -All -DBPath 'C:\dcbackup\Active Directory\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File 'c:\dcbackup\hashesNT-and-users.txt' -Encoding ASCII

Get-ADDBAccount -All -DBPath 'C:\dcbackup\Active Directory\ntds.dit' -BootKey $key | Format-Custom -View HashcatLM | Out-File 'c:\dcbackup\hashesLM.txt' -Encoding ASCII

# Keep only the text after the last ':' on each line, i.e. the hash without the username.
$hashdump = foreach ($hash in Get-Content 'c:\dcbackup\hashesNT-and-users.txt') {
    $hash.Split(':')[-1]
}

$hashdump | Out-File 'C:\dcbackup\hashesNT-just-hashes.txt'

# Drop the empty lines left behind by the previous step.
Get-Content 'C:\dcbackup\hashesNT-just-hashes.txt' | Where-Object { $_ } | Set-Content 'C:\dcbackup\hashesNT-just-hashes-nospaces.txt'

The script will extract the hashes from the backup you put in c:\dcbackup and then parse them out in a few different files:

  • hashesNT-and-users.txt - contains usernames and hashes
  • hashesNT-just-hashes.txt - a cleaned up list of only the hashes from the hashesNT-and-users.txt, but this file contains a bunch of empty lines, and so...
  • hashesNT-just-hashes-nospaces.txt - a nice clean list of only hashes, one hash per line

Note to self: I realize I need to clean this script up to be more efficient :-)
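A single-pass version of the parsing step, added here as an example and not taken from the gist: it reads the HashcatNT file, strips the username prefix, skips blank or malformed lines, writes one unique hash per line, and returns a small summary so you can see how many accounts share the same NT hash. The file paths are the gist's; the function name and the summary fields are my own.

```powershell
# Added example (not the gist's own script): one-pass cleanup of the HashcatNT dump.
# Input lines look like  username:<32 hex chars>  (DSInternals HashcatNT view).
function ConvertTo-HashList {
    param(
        [Parameter(Mandatory)] [string] $InputPath,    # e.g. c:\dcbackup\hashesNT-and-users.txt
        [Parameter(Mandatory)] [string] $OutputPath    # e.g. c:\dcbackup\hashesNT-just-hashes-nospaces.txt
    )

    # Case-insensitive set so the same hash written in upper or lower case counts once.
    $seen    = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $total   = 0
    $skipped = 0   # blank lines and lines that are not user:hash
    $reused  = 0   # accounts whose NT hash was already seen (same password as another account)

    foreach ($line in Get-Content -Path $InputPath) {
        $total++
        $trimmed = $line.Trim()
        if (-not $trimmed) { $skipped++; continue }

        # Everything after the last ':' is the hash; keep only well-formed 32-hex-digit NT hashes.
        $hash = $trimmed.Substring($trimmed.LastIndexOf(':') + 1)
        if ($hash -notmatch '^[0-9a-fA-F]{32}$') { $skipped++; continue }

        if (-not $seen.Add($hash)) { $reused++ }
    }

    # One hash per line, ASCII, no trailing blank lines.
    $seen | Set-Content -Path $OutputPath -Encoding ASCII

    [pscustomobject]@{
        LinesRead    = $total
        LinesSkipped = $skipped
        UniqueHashes = $seen.Count
        ReusedHashes = $reused   # > 0 means several accounts share a password
    }
}

ConvertTo-HashList -InputPath 'c:\dcbackup\hashesNT-and-users.txt' `
                   -OutputPath 'c:\dcbackup\hashesNT-just-hashes-nospaces.txt'
```

The summary object is what you would paste into an audit report; the output file replaces the three-file sequence above.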

Linux option

After the initial AD dump as described above, I ended up having to clean up the "user:hash" format on a Linux box rather than with Windows/PowerShell. This command cleaned up the file (crackme.txt) nicely:

sed 's/.*://' crackme.txt

@drunkrhin0 drunkrhin0 commented Jul 21, 2020

@braimee I've updated this methodology to remove the file with a bunch of whitespace :)

Thanks for all your hard work!

You can find the fork here

I haven't tested the linux option though.

@braimee braimee commented Jul 31, 2020

Sounds good @drunkrhin0 thanks!
