ActiveDirectorySecurity: Difference between revisions

Revision as of 15:56, 24 December 2022

Get Backup of ntds.dit

For testing passwords for active directory you will need to obtain teh password hashes which are stored in the ntds.dit file located in the c:\Windows\NTDS location on the domain controllers by default.

Use ntdsutil to create a backup:

ntdsutil
- ac i ntdc
  - ifm
    - create full C:\temp\ntdsbackup

Powershell module DSInternals for getting info from ntds

There is a useful powershell module for accessing and manipulating the ntds info which can be found here: https://github.com/MichaelGrafnetter/DSInternals

install:

install-module -name dsinternals

Extract content of ntds.dit

First, get the so-called Boot Key (aka SysKey)that is used to encrypt sensitive data in AD:

$key = Get-BootKey -SystemHivePath 'C:\temp\ntdsbackup\registry\SYSTEM'

We then load the DB and decrypt password hashes of all accounts:

Get-ADDBAccount -All -DBPath 'C:\temp\ntdsbackup\Active Directory\ntds.dit' -BootKey $key

We can also get a single account by specifying its distinguishedName,objectGuid, objectSid or sAMAccountName atribute:

Get-ADDBAccount -DistinguishedName 'CN=krbtgt,CN=Users,DC=Adatum,DC=com' -DBPath 'C:\temp\ntdsbackup\Active Directory\ntds.dit' -BootKey $key

Create security check against known passwords from haveibeenpwned.com

Get the ntlm password hash dictionary: https://haveibeenpwned.com/Passwords

Get the ntds.dit of the active directory you want to check the accounts

then run the command to get the accounts and decrypt the hash, then compare against the hash dictionary:

import-module dsinternals
- $key = Get-BootKey -SystemHiveFilePath C:\Temp\ntdsbackup\registry\SYSTEM
  - Get-ADDBAccount -all -DBPath "C:\Temp\ntdsbackup\Active Directory\ntds.dit" -BootKey $key | Test-PasswordQuality -WeakPasswordHashesFile C:\temp\hashdictionary\pwned-passwords-ntlm-ordered-by-hash-v8.txt

The output can be outputted to a file if required or reviewed in the console

@@ Line 10: / Line 10: @@
 ***ifm
 ****create full C:\temp\ntdsbackup
+== Powershell module DSInternals for getting info from ntds ==
+There is a useful powershell module for accessing and manipulating the ntds info which can be found here: https://github.com/MichaelGrafnetter/DSInternals
+install:
+*install-module -name dsinternals
+== Extract content of ntds.dit ==
+First, get the so-called Boot Key (aka SysKey)that is used to encrypt sensitive data in AD:
+*$key = Get-BootKey -SystemHivePath 'C:\temp\ntdsbackup\registry\SYSTEM'
+We then load the DB and decrypt password hashes of all accounts:
+*Get-ADDBAccount -All -DBPath 'C:\temp\ntdsbackup\Active Directory\ntds.dit' -BootKey $key
+We can also get a single account by specifying its distinguishedName,objectGuid, objectSid or sAMAccountName atribute:
+*Get-ADDBAccount -DistinguishedName 'CN=krbtgt,CN=Users,DC=Adatum,DC=com' -DBPath 'C:\temp\ntdsbackup\Active Directory\ntds.dit' -BootKey $key
+== Create security check against known passwords from haveibeenpwned.com ==
+Get the ntlm password hash dictionary: https://haveibeenpwned.com/Passwords
+Get the ntds.dit of the active directory you want to check the accounts
+then run the command to get the accounts and decrypt the hash, then compare against the hash dictionary:
+*import-module dsinternals
+**$key = Get-BootKey -SystemHiveFilePath C:\Temp\ntdsbackup\registry\SYSTEM
+***Get-ADDBAccount -all -DBPath "C:\Temp\ntdsbackup\Active Directory\ntds.dit" -BootKey $key | Test-PasswordQuality -WeakPasswordHashesFile C:\temp\hashdictionary\pwned-passwords-ntlm-ordered-by-hash-v8.txt
+The output can be outputted to a file if required or reviewed in the console