I’ve been working on coming up with an efficient and repeatable method for auditing Active Directory passwords during network assessments, and below is a process that I’ve found to be quite workable. Here is the high-level overview:
- Extract the NTDS database from the Windows Domain Controller
- Decompile the NTDS database into a usable format
- Extract the hashes from the tables
- Crack the hashes
Below is a more detailed explanation and breakdown of the process:
- On a Windows DC, the file containing the valuable data is named NTDS.dit and typically resides in C:\windows\NTDS but you may find it elsewhere. You also need the SYSTEM file located in c:\windows\system32\config as well. Microsoft doesn’t make it particularly easy to snag these files, but one method that works is to create a volume shadow copy (not explained here, but relatively easy) and then extract the required files from the backup to a USB drive or some other media.
- I then copied those two files (from the Windows DC) from the USB drive to /root/Desktop/NTDS on my Kali box
- I also needed two additional tools, which do not come standard with Kali: NTDSXtract and libesedb.
- How to get/install/use Libesedb:
- wget https://github.com/libyal/libesedb/archive/5d9a91340cfaeae344d989bb613db495e82b512f.zip
- unzip 5d9a91340cfaeae344d989bb613db495e82b512f.zip
- cd libesedb-5d9a91340cfaeae344d989bb613db495e82b512f/
- apt-get install git autoconf automake autopoint libtool pkg-config build-essential
- ./autogen.sh && ./configure && make && make install (the archive is a source snapshot with no generated configure script, so it has to be bootstrapped and configured before building and installing)
- From /usr/local/bin, I issued the following command: esedbexport -m tables /root/Desktop/NTDS/ntds.dit
- This will create a new folder in /usr/local/bin called “ntds.dit.export” which will contain about 14 files. esedbexport names each exported table <table name>.<table number>, so the numeric suffixes used below (datatable.4, link_table.7) may differ on your export; check the directory listing before running the next step.
- How to get/install/use NTDSXtract:
- wget https://github.com/csababarta/ntdsxtract/archive/e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip
- unzip e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip
- cd ntdsxtract-e2fc6470cf54d9151bed394ce9ad3cd25be7c262/
- root@kali:~/root/Downloads/ntdsxtract-e2fc6470cf54d9151bed394ce9ad3cd25be7c262# python dsusers.py /usr/local/bin/ntds.dit.export/datatable.4 /usr/local/bin/ntds.dit.export/link_table.7 /root/Desktop/NTDS/hashdump --syshive /root/Desktop/NTDS/SYSTEM --passwordhashes --lmoutfile /root/Desktop/NTDS/lm-out.txt --ntoutfile /root/Desktop/NTDS/ntlm_hashes.txt --pwdformat ophc
- The above will output a text file in /root/Desktop/NTDS named “ntlm_hashes.txt”. Each line in the file should read something like: jdoe:::2fd619f31242602547e7e8873241a02a:S-1-5-21-584645546-2734198843-167788419-1105::
- I made a backup copy of the file and created a new/blank file (i.e. “ntlm_hashes_stripped.txt”) that keeps only the hash portion of each line from the above, in this case: 2fd619f31242602547e7e8873241a02a
- I then used hashcat to bruteforce the hashes: hashcat -m 1000 -a 0 /root/Desktop/NTDS/ntlm_hashes_stripped.txt /usr/share/wordlists/wordlist.txt
The output should look something like the below:
Happy password cracking.
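The stripping step above (turning the user:::nthash:sid:: lines into a hash-only file for hashcat -m 1000) is easy to script, and doing so also lets you keep the hash-to-account mapping and spot accounts that share a password before any cracking runs. The following is an added example, not code from the post or from NTDSXtract; the sample dump is constructed (the first line is the post's own example, the other accounts, hashes and SIDs are made up), and the line layout it parses is the one the post shows.

```python
import re
from collections import OrderedDict

# Constructed sample of the dump lines: the first line is the post's own example,
# the remaining accounts, NT hashes and SIDs are invented for this demo. The last
# line is deliberately malformed to show how non-record lines are handled.
SAMPLE_DUMP = """\
jdoe:::2fd619f31242602547e7e8873241a02a:S-1-5-21-584645546-2734198843-167788419-1105::
asmith:::2fd619f31242602547e7e8873241a02a:S-1-5-21-584645546-2734198843-167788419-1106::
svc_backup:::7c1f3a0e5b9d4c2a8e6f1b0d3c5a7e9f:S-1-5-21-584645546-2734198843-167788419-1107::
krbtgt:::ff00112233445566778899aabbccddee:S-1-5-21-584645546-2734198843-167788419-502::
this line is not a hash record
"""

# One record per line: <user>:::<32 hex NT hash>:<SID>::
HASH_LINE = re.compile(
    r"^(?P<user>[^:]+):::(?P<nt>[0-9a-fA-F]{32}):(?P<sid>S-1-5-[0-9-]+)::$"
)


def parse_dump(text):
    """Return (records, skipped): records is a list of (user, nthash, sid) tuples,
    skipped is the count of non-empty lines that did not match the layout."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = HASH_LINE.match(line)
        if match is None:
            skipped += 1
            continue
        records.append((match["user"], match["nt"].lower(), match["sid"]))
    return records, skipped


def stripped_hashes(text):
    """Unique NT hashes in first-seen order: the content of ntlm_hashes_stripped.txt.
    Deduplicating means hashcat does the work once per distinct password."""
    seen = OrderedDict()
    for _user, nt, _sid in parse_dump(text)[0]:
        seen.setdefault(nt, None)
    return list(seen)


def shared_hashes(text):
    """Hashes reused by more than one account. NT hashes are unsalted, so an
    identical hash means an identical password: an audit finding in itself."""
    by_hash = {}
    for user, nt, _sid in parse_dump(text)[0]:
        by_hash.setdefault(nt, []).append(user)
    return {nt: users for nt, users in by_hash.items() if len(users) > 1}


def write_stripped(text, path):
    """Write the hash-only file that hashcat -m 1000 reads; returns hashes written."""
    hashes = stripped_hashes(text)
    with open(path, "w") as fh:
        fh.write("\n".join(hashes) + "\n")
    return len(hashes)


if __name__ == "__main__":
    count = write_stripped(SAMPLE_DUMP, "ntlm_hashes_stripped.txt")
    print(f"wrote {count} unique hashes")
    for nt, users in shared_hashes(SAMPLE_DUMP).items():
        print(f"hash {nt} shared by: {', '.join(users)}")
```

Point the script at the real ntlm_hashes.txt instead of SAMPLE_DUMP to produce the stripped file; keeping the parsed (user, hash, sid) records around is what lets you map hashcat's cracked hash:plain output back to the accounts that need a password reset.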