Dumping and Modifying Active Directory Database Using a Bootable Flash Drive

July 19, 2016 | Michael Grafnetter

Since version 2.15, the DSInternals PowerShell Module fully supports Windows PE, the free minimalistic edition of Windows. This means that all the nasty Active Directory database stuff can now be performed from a bootable flash drive or an ISO image, including:

Windows PE DSInternals

Required access

These actions would of course require an attacker to have one of the following:

  • Physical access to a domain controller (DC).
  • Knowledge of DC’s baseboard management controller (BMC) credentials.
  • Administrative access to a virtualized DC.

In an ideal world, only Domain Admins should have such non-trivial access to the core AD infrastructure, but the everyday reality is far from perfect.

Creating the media

To create a bootable Windows PE media loaded with the DSInternals module, follow these steps:

  1. Install the Windows Assessment and Deployment Kit (ADK), including the Windows PE feature.
  2. Click Start, and type deployment. Right-click Deployment and Imaging Tools Environment and then select Run as administrator.
  3. Create a working copy of the Windows PE files. Specify either x86 or amd64:
  4. Mount the Windows PE image:
  5. Add PowerShell support to Windows PE by adding a few optional components, together with their associated language packs:
  6. Add the DSInternals PowerShell module to the Windows PE image by copying it into the C:\WinPE_amd64\mount\Windows\system32\ WindowsPowerShell\v1.0\Modules folder.
  7. Add device drivers to the Windows PE image:
  8. Configure PowerShell to start automatically after boot by creating a file called winpeshl.ini in the C:\WinPE_amd64\mount\Windows\system32 folder, containing this text:
  9. Create an ISO file containing the Windows PE files:

    The same command can be used to create a bootable flash drive or VHD.

Final thoughts

As you have seen, it is pretty straightforward to create a bootable flash drive that can be used to conquer an Active Directory domain through a physically accessible DC. One of the precautions a domain administrator can take is to encrypt all DCs using BitLocker or other tool that does full volume encryption. Deploying RODCs at smaller branch offices is also a good idea. The new features in Windows Server 2016, Virtual TPMs and Shielded VMs, also seem very promising in regards to DC security.

Tags: , , ,

Leave a Reply

Your email address will not be published.