piszczynski>Aleks No edit summary |
piszczynski>Aleks |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
== Get Backup of ntds.dit == | == Get Backup of ntds.dit == | ||
For testing passwords for active directory you will need to obtain | For testing passwords for active directory you will need to obtain the password hashes which are stored in the ntds.dit file located in the c:\Windows\NTDS location on the domain controllers by default. | ||
Use ntdsutil to create a backup: | Use ntdsutil to create a backup: | ||
*ntdsutil | *ntdsutil | ||
**ac i | **ac i ntds | ||
***ifm | ***ifm | ||
****create full C:\temp\ntdsbackup | ****create full C:\temp\ntdsbackup | ||
This creates a copy of the AD instance into the location specified. Usually this backup is used to restore a domain controller or to setup a new domain controller in an active directory. | |||
== Powershell module DSInternals for getting info from ntds == | == Powershell module DSInternals for getting info from ntds == | ||
| Line 18: | Line 20: | ||
*install-module -name dsinternals | *install-module -name dsinternals | ||
Other useful infor about this module: | |||
https://www.dsinternals.com/en/ | |||
https://www.dsinternals.com/en/dumping-ntds-dit-files-using-powershell/ | |||
https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/ | |||
== Extract content of ntds.dit == | == Extract content of ntds.dit == | ||
Revision as of 01:09, 25 December 2022
Get Backup of ntds.dit
For testing passwords for active directory you will need to obtain the password hashes which are stored in the ntds.dit file located in the c:\Windows\NTDS location on the domain controllers by default.
Use ntdsutil to create a backup:
- ntdsutil
- ac i ntds
- ifm
- create full C:\temp\ntdsbackup
- ifm
- ac i ntds
This creates a copy of the AD instance into the location specified. Usually this backup is used to restore a domain controller or to setup a new domain controller in an active directory.
Powershell module DSInternals for getting info from ntds
There is a useful powershell module for accessing and manipulating the ntds info which can be found here: https://github.com/MichaelGrafnetter/DSInternals
install:
- install-module -name dsinternals
Other useful infor about this module:
https://www.dsinternals.com/en/
https://www.dsinternals.com/en/dumping-ntds-dit-files-using-powershell/
https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/
Extract content of ntds.dit
First, get the so-called Boot Key (aka SysKey)that is used to encrypt sensitive data in AD:
- $key = Get-BootKey -SystemHivePath 'C:\temp\ntdsbackup\registry\SYSTEM'
We then load the DB and decrypt password hashes of all accounts:
- Get-ADDBAccount -All -DBPath 'C:\temp\ntdsbackup\Active Directory\ntds.dit' -BootKey $key
We can also get a single account by specifying its distinguishedName,objectGuid, objectSid or sAMAccountName atribute:
- Get-ADDBAccount -DistinguishedName 'CN=krbtgt,CN=Users,DC=Adatum,DC=com' -DBPath 'C:\temp\ntdsbackup\Active Directory\ntds.dit' -BootKey $key
Create security check against known passwords from haveibeenpwned.com
Get the ntlm password hash dictionary: https://haveibeenpwned.com/Passwords
Get the ntds.dit of the active directory you want to check the accounts
then run the command to get the accounts and decrypt the hash, then compare against the hash dictionary:
- import-module dsinternals
- $key = Get-BootKey -SystemHiveFilePath C:\Temp\ntdsbackup\registry\SYSTEM
- Get-ADDBAccount -all -DBPath "C:\Temp\ntdsbackup\Active Directory\ntds.dit" -BootKey $key | Test-PasswordQuality -WeakPasswordHashesFile C:\temp\hashdictionary\pwned-passwords-ntlm-ordered-by-hash-v8.txt
- $key = Get-BootKey -SystemHiveFilePath C:\Temp\ntdsbackup\registry\SYSTEM
The output can be outputted to a file if required or reviewed in the console