Directory Services Internals

List of Cmdlets in the DSInternals Module

September 29, 2015 | Michael Grafnetter | 18 Comments

Here is the list of cmdlets currently contained in the DSInternals PowerShell module:

Online operations with the Active Directory database

Get-ADReplAccount – Reads one or more accounts through the DRSR protocol, including secret attributes.
Set-SamAccountPasswordHash – Sets NT and LM hashes of an account through the SAMR protocol.
Get-ADReplBackupKey – Reads the DPAPI backup keys through the DRSR protocol.

Offline operations with the Active Directory database

Get-ADDBAccount – Reads one or more accounts from a ntds.dit file, including the secret attributes.
Get-BootKey – Reads the BootKey (aka SysKey) from an online or offline SYSTEM registry hive.
Set-ADDBBootKey – Re-encrypts a ntds.dit with a new BootKey. Highly experimental!
Get-ADDBBackupKey – Reads the DPAPI backup keys from a ntds.dit file.
Add-ADDBSidHistory – Adds one or more values to the sIDHistory attribute of an object in a ntds.dit file.
Set-ADDBPrimaryGroup – Modifies the primaryGroupId attribute of an object in a ntds.dit file.
Get-ADDBDomainController – Reads information about the originating DC from a ntds.dit file, including domain name, domain SID, DC name and DC site.
Set-ADDBDomainController – Writes information about the DC to a ntds.dit file, including the highest commited USN and database epoch.
Get-ADDBSchemaAttribute – Reads AD schema from a ntds.dit file, including datatable column names.
Remove-ADDBObject – Physically removes specified object from a ntds.dit file, making it semantically inconsistent. Highly experimental!

Views

The output of the Get-ADDBAccount and Get-ADReplAccount cmdlets can be formatted using these additional Views:

HashcatNT – NT hashes in Hashcat‘s format.
HashcatLM – LM hashes in Hashcat’s format.
JohnNT – NT hashes in the format supported by John the Ripper.
JohnLM – LM hashes in the format supported by John the Ripper.
Ophcrack – NT and LM hashes in Ophcrack‘s format.

Password hash calculation

ConvertTo-NTHash – Calculates NT hash of a given password.
ConvertTo-NTHashDictionary – Creates a hash->password dictionary for use with the Test-PasswordQuality cmdlet.
ConvertTo-LMHash – Calculates LM hash of a given password.
ConvertTo-OrgIdHash – Calculates OrgId hash of a given password. Used by Azure Active Directory Sync.

Password decryption

ConvertFrom-GPPrefPassword – Decodes a password from the format used by Group Policy Preferences.
ConvertTo-GPPrefPassword – Converts a password to the format used by Group Policy Preferences.
ConvertFrom-UnattendXmlPassword – Decodes a password from the format used in unattend.xml files.
ConvertTo-UnicodePassword – Converts a password to the format used in unattend.xml or *.ldif files.
ConvertFrom-ADManagedPasswordBlob – Decodes the cleartext password from a Group Managed Service Account (GMSA) object.

Miscellaneous

Test-PasswordQuality – Performs AD audit, including checks for weak, duplicate, default and empty passwords.
Save-DPAPIBlob – Saves the output of the Get-ADReplBackupKey and Get-ADDBBackupKey cmdlets to a file.
ConvertTo-Hex – Helper cmdlet that converts binary input to the hexadecimal string format.

I promise to publish more information about my cmdlets in the near future.

Tags: Active Directory, DPAPI, Microsoft Azure, Office 365, PowerShell, Security

Peeking into the Active Directory Database

September 28, 2015 | Michael Grafnetter | No Comments

During my recent talk about inner workings of Active Directory, I showcased the Esent Workbench tool, which can be used to look inside a ntds.dit file. But one must really have stomach for it.

Tags: Active Directory