Auditing Active Directory Passwords

What you will need:

  1. Admin access to your Active Directory
  2. A Linux server with secretsdump from impacket and hashcat; in this example I had a Kali VM
  3. A password list. On Kali there should be some in /usr/share/wordlists/; I used rockyou.txt

Step 1: Dump NTDS Database

On a domain controller run the following:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

This command will generate two folders in c:\temp: Active Directory and Registry.

[Screenshot: output of the ntdsutil command]

Step 2: Extract the hashes from the ntds.dit file

Copy/scp the ntds.dit file and the SYSTEM registry hive over to a Linux machine and run secretsdump against them to extract the hashes.

On Kali this is what we ran:

impacket-secretsdump -ntds /root/ntds_cracking/ActiveDirectory/ntds.dit -system /root/ntds_cracking/registry/system LOCAL -outputfile ntdshashes.txt

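Step 3: Clean up the hashes. secretsdump appends .ntds to the -outputfile name and writes one account per line as domain\user:rid:lmhash:nthash:::, so field 4 is the NT hash. This creates a file of the unique NT hashes for cracking:

cut -d : -f 4 ntdshashes.txt.ntds | sort | uniq > cleanhashes.txt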

Step 4: Run hashcat against hashes

hashcat -m 1000 cleanhashes.txt /home/zs1/rockyou.txt

View the cracked hashes:

cat /root/.hashcat/hashcat.potfile

140e2a025b0a93dc13720d19e935a918:Password3!
7a829d816a477655abe98a8c7de84c99:Password2@
07d128430a6338f8d537f6b3ae1dc136:Password2!
43460d636f269c709b20049cee36ae7a:Password1@

Active Directory User Report

I needed a quick way to audit Active Directory accounts. The PowerShell script dumps the following Active Directory attributes:

samaccountname
DistinguishedName
whenCreated
lastLogonDate
pwdLastSet
accountExpires
userAccountControl
Enabled

For the audit the userAccountControl attribute is very useful. This attribute contains a numeric code (a sum of bit flags) that maps back to the user's account status and password change requirements. These are the codes we are interested in:

    512 = "NORMAL_ACCOUNT"
    514 = "ACCOUNT_DISABLE_NORMAL_ACCESS"
    544 = "NORMAL_ACCOUNT_PASSWORD_NOT_REQUIRED"
    546 = "ACCOUNT_DISABLED_NORMAL_ACCOUNT_PASSWORD_NOT_REQUIRED"
    66048 = "NORMAL_ACCOUNT_DONT_EXPIRE_PASSWORD"
    66050 = "ACCOUNT_DISABLED_NORMAL_ACCOUNT_DONT_EXPIRE_PASSWORD"
    66080 = "PASSWORD_NOT_REQUIRED_NORMAL_ACCOUNT_DONT_EXPIRE_PASSWORD"
    590336 = "NORMAL_ACCOUNT_DONT_EXPIRE_PASSWORD_TRUSTED_FOR_DELEGATION"

Here is some more information on the codes from Microsoft:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
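
Because the codes above are sums of individual bit flags, a value that is not in the list (for example one with DONT_REQ_PREAUTH set) is missed by a plain lookup. The following is an added example, not part of the linked ExtractAccountData.ps1 script: it decodes each flag and lists risky settings on enabled accounts, going beyond the eight codes listed. The function name ConvertFrom-Uac, the $Risky selection and the sample rows are assumptions made for the illustration.

```powershell
# Added example: decode userAccountControl bit by bit (flag values from the Microsoft article, subset).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x00000002
    PASSWD_NOTREQD                 = 0x00000020
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    NORMAL_ACCOUNT                 = 0x00000200
    DONT_EXPIRE_PASSWORD           = 0x00010000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
}
# Flags reported as findings on enabled accounts (an assumption; tune to your policy).
$Risky = 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'DONT_EXPIRE_PASSWORD',
         'TRUSTED_FOR_DELEGATION', 'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH'

function ConvertFrom-Uac {
    param([Parameter(Mandatory)][int]$Value)
    # Names of all known flags whose bit is set, plus any bits not in the table.
    $names = @($UacFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } |
               ForEach-Object { $_.Key })
    $known = 0; $UacFlags.Values | ForEach-Object { $known = $known -bor $_ }
    $rest = $Value -band (-bnot $known)
    if ($rest) { $names += 'UNKNOWN_0x{0:X}' -f $rest }
    $names
}

# Constructed sample rows using two of the CSV columns listed above.
$rows = @'
samaccountname,userAccountControl
alice,512
svc_backup,66080
old_temp,546
web01_svc,590336
kiosk,4260352
'@ | ConvertFrom-Csv

$rows | ForEach-Object {
    $flags   = @(ConvertFrom-Uac -Value ([int]$_.userAccountControl))
    $enabled = $flags -notcontains 'ACCOUNTDISABLE'
    [pscustomobject]@{
        Account  = $_.samaccountname
        Enabled  = $enabled
        Flags    = $flags -join '|'
        Findings = if ($enabled) { @($flags | Where-Object { $_ -in $Risky }) -join ', ' } else { '' }
    }
} | Format-Table -AutoSize
```

To run it against real data, replace the constructed rows with Import-Csv on the file the export script produces.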


Here is the PowerShell script we use to extract this data for analysis. It creates a CSV file, which we import into Excel for analysis.
https://github.com/zs1rcm/powershell-scripts/blob/main/ExtractAccountData.ps1