Here is the list of cmdlets currently contained in the DSInternals PowerShell module:
Online operations with the Active Directory database
- Get-ADReplAccount – Reads one or more accounts through the DRSR protocol, including secret attributes.
- Set-SamAccountPasswordHash – Sets NT and LM hashes of an account through the SAMR protocol.
- Get-ADReplBackupKey – Reads the DPAPI backup keys through the DRSR protocol.
Offline operations with the Active Directory database
- Get-ADDBAccount – Reads one or more accounts from a ntds.dit file, including the secret attributes.
- Get-BootKey – Reads the BootKey (aka SysKey) from an online or offline SYSTEM registry hive.
- Set-ADDBBootKey – Re-encrypts a ntds.dit with a new BootKey. Highly experimental!
- Get-ADDBBackupKey – Reads the DPAPI backup keys from a ntds.dit file.
- Add-ADDBSidHistory – Adds one or more values to the sIDHistory attribute of an object in a ntds.dit file.
- Set-ADDBPrimaryGroup – Modifies the primaryGroupId attribute of an object in a ntds.dit file.
- Get-ADDBDomainController – Reads information about the originating DC from a ntds.dit file, including domain name, domain SID, DC name and DC site.
- Set-ADDBDomainController – Writes information about the DC to a ntds.dit file, including the highest committed USN and database epoch.
- Get-ADDBSchemaAttribute – Reads AD schema from a ntds.dit file, including datatable column names.
- Remove-ADDBObject – Physically removes the specified object from a ntds.dit file, making it semantically inconsistent. Highly experimental!
Views
The output of the Get-ADDBAccount and Get-ADReplAccount cmdlets can be formatted using these additional Views:
- HashcatNT – NT hashes in Hashcat’s format.
- HashcatLM – LM hashes in Hashcat’s format.
- JohnNT – NT hashes in the format supported by John the Ripper.
- JohnLM – LM hashes in the format supported by John the Ripper.
- Ophcrack – NT and LM hashes in Ophcrack’s format.
Password hash calculation
- ConvertTo-NTHash – Calculates NT hash of a given password.
- ConvertTo-NTHashDictionary – Creates a hash->password dictionary for use with the Test-PasswordQuality cmdlet.
- ConvertTo-LMHash – Calculates LM hash of a given password.
- ConvertTo-OrgIdHash – Calculates OrgId hash of a given password. Used by Azure Active Directory Sync.
Password decryption
- ConvertFrom-GPPrefPassword – Decodes a password from the format used by Group Policy Preferences.
- ConvertTo-GPPrefPassword – Converts a password to the format used by Group Policy Preferences.
- ConvertFrom-UnattendXmlPassword – Decodes a password from the format used in unattend.xml files.
- ConvertTo-UnicodePassword – Converts a password to the format used in unattend.xml or *.ldif files.
- ConvertFrom-ADManagedPasswordBlob – Decodes the cleartext password from a Group Managed Service Account (GMSA) object.
Miscellaneous
- Test-PasswordQuality – Performs AD audit, including checks for weak, duplicate, default and empty passwords.
- Save-DPAPIBlob – Saves the output of the Get-ADReplBackupKey and Get-ADDBBackupKey cmdlets to a file.
- ConvertTo-Hex – Helper cmdlet that converts binary input to the hexadecimal string format.
I promise to publish more information about my cmdlets in the near future.