Auditing Active Directory Passwords

What you will need:

  1. Admin access to your Active Directory
  2. A Linux server with secretsdump from Impacket and hashcat; in this example I had a Kali VM
  3. A password list; on Kali there should be some in /usr/share/wordlists/. I used rockyou.txt

Step 1: Dump NTDS Database

On a domain controller run the following:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

This command will generate two folders in c:\temp: Active Directory and Registry

output of ntdsutil command

Step 2: Extract the hashes from the ntds.dit file

Copy/scp your files over to a Linux machine and run secretsdump against them to extract the hashes.

On Kali this is what we ran:

impacket-secretsdump -ntds /root/ntds_cracking/ActiveDirectory/ntds.dit -system /root/ntds_cracking/registry/system LOCAL -outputfile ntdshashes.txt

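Step 3: Clean up the hashes. This creates a file with the username and NTLM hash for cracking (secretsdump appends .ntds to the -outputfile name, so the dump is in ntdshashes.txt.ntds):

cat ntdshashes.txt.ntds | cut -d : -f 4 |sort|uniq > cleanhashes.txt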

Step 4: Run hashcat against hashes

hashcat -m 1000 cleanhashes.txt /home/zs1/rockyou.txt

View the cracked hashes

cat /root/.hashcat/hashcat.potfile

140e2a025b0a93dc13720d19e935a918:Password3!
7a829d816a477655abe98a8c7de84c99:Password2@
07d128430a6338f8d537f6b3ae1dc136:Password2!
43460d636f269c709b20049cee36ae7a:Password1@
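To turn the potfile into audit findings, the cracked hashes have to be joined back to accounts, because cut -f 4 keeps only the NT hash column. The following is an added example, not part of the original post: it reports which accounts had a cracked password, which accounts share one hash, and which have an empty password, without printing any plaintext. The account names and the uncracked hashes in the sample are constructed; the function names are hypothetical.

```python
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
LM = "aad3b435b51404eeaad3b435b51404ee"        # empty LM hash placeholder

def parse_dump(lines):
    """secretsdump lines (user:rid:lmhash:nthash:::) -> {nthash: [users]}."""
    by_hash = defaultdict(list)
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4 or len(parts[3]) != 32:
            continue  # skip blank or malformed lines
        if parts[0].endswith("$"):
            continue  # machine accounts: passwords are not user-chosen
        by_hash[parts[3].lower()].append(parts[0])
    return by_hash

def parse_potfile(lines):
    """hashcat potfile lines (nthash:plaintext) -> set of cracked hashes."""
    # Split on the first colon only: the plaintext may itself contain colons.
    return {l.split(":", 1)[0].lower() for l in lines if ":" in l}

def audit(dump_lines, pot_lines):
    by_hash = parse_dump(dump_lines)
    cracked = parse_potfile(pot_lines)
    return {
        # accounts whose hash appears in the potfile
        "cracked": sorted(u for h in cracked for u in by_hash.get(h, [])),
        # groups of accounts with an identical hash (same password)
        "shared": sorted(sorted(us) for us in by_hash.values() if len(us) > 1),
        # accounts with no password set
        "empty": sorted(by_hash.get(EMPTY_NT, [])),
    }

# Constructed sample input: accounts are invented, cracked hashes are the
# ones shown in the potfile output above.
SAMPLE_DUMP = [
    f"alice:1104:{LM}:140e2a025b0a93dc13720d19e935a918:::",
    f"bob:1105:{LM}:140e2a025b0a93dc13720d19e935a918:::",
    f"carol:1106:{LM}:7a829d816a477655abe98a8c7de84c99:::",
    f"dave:1107:{LM}:0123456789abcdef0123456789abcdef:::",
    f"Guest:501:{LM}:{EMPTY_NT}:::",
    f"WS01$:1108:{LM}:ffeeddccbbaa99887766554433221100:::",
]
SAMPLE_POT = [
    "140e2a025b0a93dc13720d19e935a918:Password3!",
    "7a829d816a477655abe98a8c7de84c99:Password2@",
]

if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE_DUMP, SAMPLE_POT).items():
        print(f"{finding}: {accounts}")
```

On real data, pass the lines of ntdshashes.txt.ntds and of the potfile instead of the sample lists.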
