ActiveDirectorySecurity and AutomaticLogonWindows: Difference between pages

From Piszczynski
(Difference between pages; both pages written by piszczynski>Aleks)
== Get Backup of ntds.dit ==

For testing passwords for Active Directory you will need to obtain the password hashes, which are stored in the ntds.dit file located by default in c:\Windows\NTDS on the domain controllers.

Use ntdsutil to create a backup (each command is entered at the prompt opened by the previous one):

*ntdsutil
**ac i ntds
***ifm
****create full C:\temp\ntdsbackup

This creates a copy of the AD instance in the location specified. Usually this backup is used to restore a domain controller or to set up a new domain controller in an Active Directory.

== Powershell module DSInternals for getting info from ntds ==

There is a useful PowerShell module for accessing and manipulating the ntds info which can be found here: https://github.com/MichaelGrafnetter/DSInternals

install:
*install-module -name dsinternals

Other useful info about this module:

https://www.dsinternals.com/en/

https://www.dsinternals.com/en/dumping-ntds-dit-files-using-powershell/

https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/

== Extract content of ntds.dit ==

First, get the so-called Boot Key (aka SysKey) that is used to encrypt sensitive data in AD (the SYSTEM hive is included in the backup created above):
*$key = Get-BootKey -SystemHiveFilePath 'C:\temp\ntdsbackup\registry\SYSTEM'

We then load the DB and decrypt the password hashes of all accounts:
*Get-ADDBAccount -All -DBPath 'C:\temp\ntdsbackup\Active Directory\ntds.dit' -BootKey $key

We can also get a single account by specifying its distinguishedName, objectGuid, objectSid or sAMAccountName attribute:
*Get-ADDBAccount -DistinguishedName 'CN=krbtgt,CN=Users,DC=Adatum,DC=com' -DBPath 'C:\temp\ntdsbackup\Active Directory\ntds.dit' -BootKey $key

== Create security check against known passwords from haveibeenpwned.com ==

Get the NTLM password hash dictionary: https://haveibeenpwned.com/Passwords

Get the ntds.dit of the Active Directory whose accounts you want to check.

Then run the commands to load the accounts, decrypt the hashes and compare them against the hash dictionary:

*import-module dsinternals
**$key = Get-BootKey -SystemHiveFilePath C:\Temp\ntdsbackup\registry\SYSTEM
***Get-ADDBAccount -All -DBPath "C:\Temp\ntdsbackup\Active Directory\ntds.dit" -BootKey $key | Test-PasswordQuality -WeakPasswordHashesFile C:\temp\hashdictionary\pwned-passwords-ntlm-ordered-by-hash-v8.txt

The output can be written to a file if required or reviewed in the console.
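Test-PasswordQuality performs the comparison above for you. The following Python is an added example, not part of the wiki page or of DSInternals, showing how the same check works against the ordered-by-hash HIBP file without loading it into memory (a binary search by byte offset) and how to flag a hash shared by several accounts; the file contents, account names and hashes are constructed sample data.

```python
import os, tempfile

# Constructed sample data. SAMPLE_HIBP mimics pwned-passwords-ntlm-ordered-by-hash-v8.txt
# ("<NTLM hex>:<count>" per line, sorted by hash; 31D6... and 8846... are the real NTLM
# hashes of "" and "password"). SAMPLE_ACCOUNTS mimics (sAMAccountName, NTLM hex) pairs
# of the kind Get-ADDBAccount yields; the hex case differs on purpose.
SAMPLE_HIBP = ("0CB6948805F797BF2A82807973B89537:21\n"
               "31D6CFE0D16AE931B73C59D7E0C089C0:9999\n"
               "8846F7EAEE8FB117AD06BDD830B7586C:99999\n"
               "F1A2B3C4D5E6F708192A3B4C5D6E7F80:3\n")
SAMPLE_ACCOUNTS = [("svc_backup", "8846F7EAEE8FB117AD06BDD830B7586C"),
                   ("jdoe", "8846f7eaee8fb117ad06bdd830b7586c"),
                   ("guest", "31D6CFE0D16AE931B73C59D7E0C089C0")]

def write_sample_hibp():
    """Write the sample list to a temp file (the real file is many GB)."""
    path = os.path.join(tempfile.mkdtemp(), "pwned-ntlm-sample.txt")
    with open(path, "w", newline="") as f:
        f.write(SAMPLE_HIBP)
    return path

def hibp_lookup(path, ntlm_hex):
    """Breach count for ntlm_hex (0 if absent): binary search by byte offset."""
    target = ntlm_hex.upper().encode()
    with open(path, "rb") as f:
        lo, hi = 0, os.path.getsize(path)        # bounds on the target line's start offset
        while lo < hi:
            mid = (lo + hi) // 2
            f.seek(max(mid - 1, 0))
            if mid > 0:
                f.readline()                     # move to the first line starting at >= mid
            pos, line = f.tell(), f.readline()   # line is b"" if no line starts there
            h, _, count = line.rstrip(b"\r\n").partition(b":")
            if line and h == target:
                return int(count)
            if line and h < target:
                lo = pos + len(line)             # target can only lie after this line
            else:
                hi = mid                         # past EOF or h > target: look before mid
    return 0

def audit_accounts(accounts, hibp_path):
    """Return (pwned {name: count}, reused {hash: [names]}), cf. Test-PasswordQuality."""
    pwned, by_hash = {}, {}
    for name, ntlm_hex in accounts:
        h = ntlm_hex.upper()
        by_hash.setdefault(h, []).append(name)
        if count := hibp_lookup(hibp_path, h):
            pwned[name] = count
    return pwned, {h: n for h, n in by_hash.items() if len(n) > 1}
```

Point hibp_path at the real downloaded file and feed it the NTLMHash values from Get-ADDBAccount to run it against a domain backup.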

Revision as of 22:45, 9 April 2022

Automatically log on to Windows without entering a password

Best used with a home PC and a local account you can set to not require a password.

First create a local account with the permissions you require.

Then make the following registry changes with a PowerShell script:

<pre>
$Username = '<username>'
$Pass = '<password>'
$RegistryPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty $RegistryPath 'AutoAdminLogon' -Value "1" -Type String
Set-ItemProperty $RegistryPath 'DefaultUsername' -Value $Username -Type String
# DefaultPassword is stored as plain text in this registry key
Set-ItemProperty $RegistryPath 'DefaultPassword' -Value $Pass -Type String
</pre>

The computer should be restarted for the change to take effect.