List of Cmdlets in the DSInternals Module

September 29, 2015 | Michael Grafnetter | 18 Comments on List of Cmdlets in the DSInternals Module

Here is the list of cmdlets currently contained in the DSInternals PowerShell module:

Online operations with the Active Directory database

Offline operations with the Active Directory database

  • Get-ADDBAccount – Reads one or more accounts from a ntds.dit file, including the secret attributes.
  • Get-BootKey – Reads the BootKey (aka SysKey) from an online or offline SYSTEM registry hive.
  • Set-ADDBBootKey – Re-encrypts a ntds.dit with a new BootKey. Highly experimental!
  • Get-ADDBBackupKey – Reads the DPAPI backup keys from a ntds.dit file.
  • Add-ADDBSidHistory – Adds one or more values to the sIDHistory attribute of an object in a ntds.dit file.
  • Set-ADDBPrimaryGroup – Modifies the primaryGroupId attribute of an object in a ntds.dit file.
  • Get-ADDBDomainController – Reads information about the originating DC from a ntds.dit file, including domain name, domain SID, DC name and DC site.
  • Set-ADDBDomainController – Writes information about the DC to a ntds.dit file, including the highest commited USN and database epoch.
  • Get-ADDBSchemaAttribute – Reads AD schema from a ntds.dit file, including datatable column names.
  • Remove-ADDBObject – Physically removes specified object from a ntds.dit file, making it semantically inconsistent. Highly experimental!


The output of the Get-ADDBAccount and Get-ADReplAccount cmdlets can be formatted using these additional Views:

  • HashcatNT – NT hashes in Hashcat‘s format.
  • HashcatLM – LM hashes in Hashcat’s format.
  • JohnNT – NT hashes in the format supported by John the Ripper.
  • JohnLM – LM hashes in the format supported by John the Ripper.
  • Ophcrack – NT and LM hashes in Ophcrack‘s format.

Password hash calculation

Password decryption


  • Test-PasswordQuality – Performs AD audit, including checks for weak, duplicate, default and empty passwords.
  • Save-DPAPIBlob – Saves the output of the Get-ADReplBackupKey and Get-ADDBBackupKey cmdlets to a file.
  • ConvertTo-Hex – Helper cmdlet that converts binary input to the hexadecimal string format.

I promise to publish more information about my cmdlets in the near future.

Tags: , , , , ,

New version of the DSInternals module released

September 5, 2015 | Michael Grafnetter | No Comments on New version of the DSInternals module released

I have released a new version of the DSInternals PowerShell module. This is mainly a bugfix release. You can grab it from the Downloads section. Or, if you have PowerShell 5, you can install the module from the PowerShell Gallery by running this command:

Tags: , , ,

Retrieving Active Directory Passwords Remotely

August 4, 2015 | Michael Grafnetter | 130 Comments on Retrieving Active Directory Passwords Remotely

I have finally finished work on the Get-ADReplAccount cmdlet, the newest addition to my DSInternals PowerShell Module, that can retrieve reversibly encrypted plaintext passwords, password hashes and Kerberos keys of all user accounts from remote domain controllers. This is achieved by simulating the behavior of the dcromo tool and creating a replica of Active Directory database through the MS-DRSR protocol. Furthermore, it has these properties:

  • It does not even need the Domain Admins group membership. The Replicating Directory Changes All permission is more than enough for this cmdlet to do its job.
  • It opens door to other attacks, e.g. pass-the-hash, pass-the-ticket or PAC spoofing, that can be used to seize control of the entire Active Directory forest. Long live mimikatz!
  • It cannot be effectively blocked by firewalls, because the directory replication service (the DRSGetNCChanges call to be more precise) shares the same port with other critical services, like user name resolution (exposed by the DsCrackNames call).
  • It only uses documented features of Active Directory and is not a hack per se.
  • It leaves only minimal footprint on Domain Conrollers and can be easily overlooked by security audits.

Usage example:

Sample output:

You could even dump all accounts at once, but this can cause heavy (=suspicious) replication traffic:

Tags: , ,

The DSInternals PowerShell Module has been released

February 28, 2015 | Michael Grafnetter | 4 Comments on The DSInternals PowerShell Module has been released

I have decided to publish the DSInternals PowerShell Module, which contains a few cmdlets I use during my lectures about Active Directory security. You can find it in the Downloads section. It currently lacks any documentation, so Get-Help won’t give you nice results, but I am working on that.


Error reporting

If you find an error in the DSInternals Powershell Module, I would be glad if you sent me an e-mail.

Planned features

I am currently working on these new features, but it will take me some time until they are production-ready:

  • Offline modification of the ntds.dit file, including the sIDHistory and primaryGroupID attributes. Done
  • Attribute-level authoritative restore of AD objects
  • Remote export of account password hashes using the MS-DRSR protocol. Done
  • Fully functional Get-Help
  • MSI installer. Deprecated in favor of PowerShellGet.

Tags: , ,


September 19, 2014 | Michael Grafnetter | No Comments on Welcome!

Welcome to my new blog about undocumented features of Active Directory. Unfortunately, most of the content is currently in Slovak/Czech only, but I will try to translate some of the more interesting things into English.