I have finally finished work on the Get-ADReplAccount cmdlet, the newest addition to my DSInternals PowerShell Module, that can retrieve reversibly encrypted plaintext passwords, password hashes and Kerberos keys of all user accounts from remote domain controllers. This is achieved by simulating the behavior of the dcromo tool and creating a replica of Active Directory database through the MS-DRSR protocol. Furthermore, it has these properties:
- It does not even need the Domain Admins group membership. The Replicating Directory Changes All permission is more than enough for this cmdlet to do its job.
- It opens door to other attacks, e.g. pass-the-hash, pass-the-ticket or PAC spoofing, that can be used to seize control of the entire Active Directory forest. Long live mimikatz!
- It cannot be effectively blocked by firewalls, because the directory replication service (the DRSGetNCChanges call to be more precise) shares the same port with other critical services, like user name resolution (exposed by the DsCrackNames call).
- It only uses documented features of Active Directory and is not a hack per se.
- It leaves only minimal footprint on Domain Conrollers and can be easily overlooked by security audits.
Usage example:
|
1 2 3 4 |
Import-Module DSInternals $cred = Get-Credential Get-ADReplAccount -SamAccountName April -Domain Adatum -Server LON-DC1 ` -Credential $cred -Protocol TCP |
Sample output:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 |
DistinguishedName: CN=April Reagan,OU=IT,DC=Adatum,DC=com Sid: S-1-5-21-3180365339-800773672-3767752645-1375 Guid: 124ae098-699b-4450-a47a-314a29cc90ea SamAccountName: April SamAccountType: User UserPrincipalName: April@adatum.com PrimaryGroupId: 513 SidHistory: Enabled: True Deleted: False LastLogon: DisplayName: April Reagan GivenName: April Surname: Reagan Description: NTHash: 92937945b518814341de3f726500d4ff LMHash: 727e3576618fa1754a3b108f3fa6cb6d NTHashHistory: Hash 01: 92937945b518814341de3f726500d4ff Hash 02: 1d3da193d2f45911a6f0fa940b9fb32f Hash 03: 402bc59d8a00641b7f386e78596340f4 LMHashHistory: Hash 01: 727e3576618fa1754a3b108f3fa6cb6d Hash 02: 5a5503d0e85f58abaad3b435b51404ee Hash 03: f9393d97e7a1873caad3b435b51404ee SupplementalCredentials: ClearText: Pa$$w0rd Kerberos: Credentials: DES_CBC_MD5 Key: 76fe3b5bda911a40 OldCredentials: DES_CBC_MD5 Key: 7f8c4f38e0ea0b80 Salt: ADATUM.COMApril Flags: 0 KerberosNew: Credentials: AES256_CTS_HMAC_SHA1_96 Key: 3a3b6a89bb82d112db5ef68f6db5d1afc2b806df61dcd85e3eacf3b85ee382d8 Iterations: 4096 AES128_CTS_HMAC_SHA1_96 Key: a72c8bc96c4a6f03244f0b0067a1e440 Iterations: 4096 DES_CBC_MD5 Key: 76fe3b5bda911a40 Iterations: 4096 OldCredentials: AES256_CTS_HMAC_SHA1_96 Key: 14e46244a59a37cd8aa7c1fe61896441c7d065fafe4874191e69c1fe28856810 Iterations: 4096 AES128_CTS_HMAC_SHA1_96 Key: 034b512ec64286dec951d6aff8d81fa8 Iterations: 4096 DES_CBC_MD5 Key: 7f8c4f38e0ea0b80 Iterations: 4096 OlderCredentials: AES256_CTS_HMAC_SHA1_96 Key: 2387ca8f936c8c154996809af8fee7c47fe4b9b5dd84d051fc43a9289bbaa3ab Iterations: 4096 AES128_CTS_HMAC_SHA1_96 Key: 29d536ec057f9063747161429b81f056 Iterations: 4096 DES_CBC_MD5 Key: 58f1cbe6e50e1f83 Iterations: 4096 ServiceCredentials: Salt: ADATUM.COMApril DefaultIterationCount: 4096 Flags: 0 WDigest: Hash 01: c3d012ab1101eb8f51b483fb4c5f8a7e Hash 02: c993da396914645b356ae7816251fcb1 Hash 03: 6b58530cab34de91189a603e22c2be15 Hash 04: c3d012ab1101eb8f51b483fb4c5f8a7e Hash 05: 5a762cf59fa31023dcba1ebd4725b443 Hash 06: c78bac91c0ba25cae5d44460fd65a73b Hash 07: 59d73cea16afd1aac6bf8acfa2768621 Hash 08: d2be383db9469a39736d9e2136054131 Hash 09: 079de9f4d94d97a80f1726497dfd1cc2 Hash 10: 85dbe1549d5fbfcc91f7fe5ac5910f52 Hash 11: 961a36bded5535b8fc15b4b8e6c48b93 Hash 12: 6ac8a60d83e9ae67c2097db716a6af17 Hash 13: e899e577d5f81ef5288ab67de07fad9a Hash 14: 135452ab86d40c3d47ca849646d5e176 Hash 15: a84c367eaa334d0a4cb98e36da011e0f Hash 16: 61a458eb70440b1a92639452f0c2c948 Hash 17: 238f4059776c3575be534afb46be4ccf Hash 18: 03ddf370064c544e9c6dbb6ccbf8f4ac Hash 19: 354dd6c77ccf35f63e48cd5af6473ccf Hash 20: 5f9800d734ebe9fb588def6aaafc40b7 Hash 21: 59aab99ebcddcbf13b96d75bb7a731e3 Hash 22: f1685383b0c131035ae264ee5bd24a8d Hash 23: 3119e42886b01cad00347e72d0cee594 Hash 24: ebef7f2c730e17ded8cba1ed20122602 Hash 25: 7d99673c9895e0b9c484e430578ee78e Hash 26: e1e20982753c6a1140c1a8241b23b9ea Hash 27: e5ec1c63e0e549e49cda218bc3752051 Hash 28: 26f2d85f7513d73dd93ab3afd2d90cf6 Hash 29: 84010d657e6b58ce233fae2bd7644222 |
You could even dump all accounts at once, but this can cause heavy (=suspicious) replication traffic:
|
1 |
Get-ADReplAccount -All -NamingContext 'DC=Adatum,DC=com' -Server LON-DC1 |
Tags: Active Directory, PowerShell, Security
hi where do you read ClearText password from? from which user attribute?
Hi, the cleartext password is contained in the secret supplementalCredentials attribute, which is never sent through LDAP.
Thank you. I have One more question: Wdigest hash is MD5 of user:realm:password. Real can be empty according to MS. However in your example none of MD5 matches the AprilPa$$w0rd MD5 ;/
But the first one definitely matches “April:ADATUM:Pa$$w0rd”. See the MS article, but use colons instead of commas as delimiters.
Thanks for the cool module. I am trying to export hashed password from windows 2008 R2 sp1. I have installed PowerShell 5 and install DSInternal from Powershell Gallery. But I got the following error message when I tries to dump all the user information. Is there anything to check to fix this issue?
Thanks
PS C:\Users\Administrator> Get-ADReplAccount -All -NamingContext ‘DC=xxxx,DC=xx’ -Server infraAD
Get-ADReplAccount : Method not found: ‘IntPtr
System.Runtime.InteropServices.Marshal.GetFunctionPointerForDelegate(!!0)’.
At line:1 char:1
+ Get-ADReplAccount -All -NamingContext ‘DC=xxxx,DC=xx’ -Server i …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], MissingMethodException
+ FullyQualifiedErrorId : System.MissingMethodException,DSInternals.PowerShell.Commands.GetADReplAccountCommand
Thx for the report. Could you please check your version of .NET Framework? Is it 4.5.1+?
Thanks Michael. It is working fine after installing .NET 4.5.1. I was not working on .NET 4.5.
B.K.
I have one more question. Can we use this PowerShell in AD LDS? I just tried this one on AD LDS. It showed the following error message.
PS C:\DSInternals> Get-ADReplAccount -All -NamingContext ‘cn=users,dc=idg,dc=ca’ -Server IDG:50000
Get-ADReplAccount : The RPC server is unavailable
At line:1 char:1
+ Get-ADReplAccount -All -NamingContext ‘cn=users,dc=idg,dc=ca’ -Server I …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], Win32Exception
+ FullyQualifiedErrorId : System.ComponentModel.Win32Exception,DSInternals.PowerShell.Commands.GetADReplAccountCom
mand
Only a few of the cmdlets work with AD LDS, like Get-ADDBDomainController against adamntds.dit. Regarding replication, I have not tried it yet, as it is not enabled by default.
Hello,
Could these functions used to do a sync of passwords between two domains. I tried to do
Get-ADReplAccount and afterwards
et-SamAccountPasswordHash -SamAccountName teste -Domain Test -NTHash $TestUser.NTHash
There is a format issue with the NTHash.
Could you give me a hand?
Uwe
Yes, Uwe, password sync is one of the reasons I created this tool for. Try this:
Set-SamAccountPasswordHash -SamAccountName teste -Domain Test -NTHash (ConvertTo-Hex $TestUser.NTHash) The Set-SamAccountPasswordHash cmdlet only accepts hex string as NTHash, not a byte array. This is a design choice I made and it has both pros and cons.
Hi Michael, I have a quick question. The ClearText field is empty. Am I doing something wrong?
Thank you
Hi John, the ClearText field only contains a value if the option “Store password using reversible encryption” is enabled on the specific account or globally.
Hi, I selected “store password using reversible encryption” but it is still empty (clear text filed)
Hi Michael,
my bad. I didn’t pay attention. Thank you. If the AD account doesn’t use reversible encryption and then later on I just check the “Store password using reversible encryption” will it display the password then?
Even if you check that option, AD still does not know the cleartext password. The cleartext password will be saved as soon that user changes his password. The same is true with unchecking that option: The cleartext password will be deleted during the next password change.
I see. Thank you Michael.
Hi Michael, is it possible to Write the LMHash (in Detail the password without knowing it) back to another AD (for Sync) via PS or C#?
Thanks for the GREAT! Work.
Greets Michael
NT/LM password hash writeback is possible using my Set-SamAccountPasswordHash PS cmdlet or the DSInternals.SAM NuGet .NET library, but I would stick to using NT hashes only. I have not found out a simple way of doing kerberos key writeback.
Hello Michael,
Would it be possible to restrict NamingContext to a specific OU in order to check security on a very specific OU instead of the whole AD?
Second question : is it possible to define which kind of SamAccountType object to retrieve? I’ve tried to define SamAccountType User in addition to the request you provided but not working.
Any help appreciated.
Great job by the way, love it!
Best
Laurent
Hello Laurent, the replication protocol by itself does not support such filters. But you could use
Where-Object DistinguishedName -like "*,OU="in the middle of the pipeline. Or, for small OUs, you could replicate the objects one by one:Get-ADUser -SearchBase "OU=..." -Filter * | Select-Object -Property ObjectGuid | Get-ADReplAccount ... | Test-...Worked perfectly, thanks a lot Michael!
Hello Michael, I used Win10 with .NetFramework v.4.6.1, when I run the comman as you described, I’ve got an error: “Get-ADReplAccount : The distinguished name specified for this replication operation is invalid”.
Could you please help with this?
Hi Arsen, please see this bug report.
Hi Michael,
Using your example, in the results that I get back the LMHash is empty. Is it also because the option “Store password using reversible encryption” is not enabled on the account or globally? Or is it something else?
Thanks!
Hi Eduard, it is because of the Do not store LAN Manager hash value on next password change policy, which is a good thing.
I love that Get-ADReplAccount shows the ClearText password for accounts that have reversible encryption enabled. In your sample output above it shows the field “ClearText:” and that works fine in practice for me as well. However if I just want to create a list, using the following:
get-aduser -filter * -searchbase … | Get-ADReplAccount -Domain … -Server … | select SamAccountName, ClearText The cleartext is blank.
How can I access the ‘cleartext’ field without having to dump the full output of Get-AdReplAccount. Ideally, my output would be:
SamAccountName, ClearText
Sorry to bore you with a simple formating question, but I’m stumped.
Hi Kendall,
Try to do this:
Get-ADReplAccount ... | select SamAccountName, @{ Name = 'ClearText'; Expression = { $PSItem.SupplementalCredentials.ClearText } }
Cheers
Michael
Worked Perfectly! You are God-like.
Thanks,
Kendall
I get the following error:
Get-ADReplAccount : Access is denied I verified the da account can run Powershell..
This command works fine.
powershell Invoke-Command -ComputerName dc1 -ScriptBlock { Get-ChildItem C:\ } -credential domain1\domainadm
What other user rights does this need? The account is a Domain Admin.
Its a Windows 2012R2 Domain functional level. The account is in the ‘Protected Users’ Group.
Does it work for users who are not members of the Protected Users group?
Yes. Apparently putting a Domain Admin in the Protected Users group will block this.
OK, I will look into it, Todd. It would appear that only NTLM auth works with Get-ADReplAccount, not Kerberos, but I have to verify that.
Hi Michael,
What could be the reason that LM hashes from LMHashHistory do not match the actual passwords? For instance, When I generate the LM and NTLM hashes from the current password, Hash 01 from NTHashHistory matches, but Hash 01 from LMHashHistory does not match.
Thanks,
Eduard
Hi Eduard, it might be caused by the fact that storing LM hashes is disabled by default since Windows Server 2003. A random value is probably stored in the history, I would guess.
Michael,
Another question: what are the WDigest hashes returned by Get-ADReplAccount? That is, where would they show up on the client machine?
Thanks!
Eduard
Hi Eduard, the WDigest hashes are used during Digest/MD5 authentication, which Windows Server supports with HTTP (IIS) and LDAP (AD). It is a deprecated authentication scheme and should not be used. AD stores these hashes for compatibility reasons.
Excellent work ! So I guess the default domain policy of having no reversible encryption is still safe as retrieving methods on this have not yet been found?
Yes, the default policy is safe. But some companies had to enable storing passwords using reversible encryption because of legacy PAP VPN authentication. Personally, I have never been in such situation.
Michael,
How do I pull the LMHash and WDigest hash information out of the DSAccount object? I’m storing the object in a variable like so:
$TesterObject = Get-ADReplAccount -SamAccountName username -Domain DOMAINNAME -Server server.domain.org I see that LMHash is a system.byte but I’m having trouble converting that back into a string.
Similarly with the WDigest if I reference $TesterObject.SupplementalCredentials.WDigest I get a byte array/
Thanks!
Dear Joel, you can use my
ConvertTo-Hexcmdlet to convert byte[] to a hexadecimal string.Thanks for producing this tool – fantastic! I hope you have a minute for a couple of questions:
1- Is NTHash the value of UnicodePwd (just not base64-encoded) ?
2- I’m trying to generate a complete list of users from AD to have all their attributes AND their UnicodePwd. Any idea if I can ask for other LDAP attributes with ‘Get-ADReplAccount’ or how to combine the output of this with that of ‘Get-ADUser’ to generate such a list?
Hello Michael, I am trying to retrieve password from Windows 7 Computer with AD domain Credential however I am getting below error.
PS C:\Windows\system32> $cred =Get-credential
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\Windows\system32> Get-ADReplAccount -SamAccountName zharpal -domain magoteaux -server rajkot-dc-02
Get-ADReplAccount : Access is denied
At line:1 char:1
+ Get-ADReplAccount -SamAccountName zharpal -domain magoteaux -server r …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,DSInternals.PowerShell.Commands.GetADReplAccountCo
nd
Dear Harpaslin, you have apparently skipped the -Credential parameter of the Get-ADReplAccount cmdlet.
PS C:\Windows\system32> Import-Module dsinternals
PS C:\Windows\system32> $cred = Get-Credential Get-ADReplAccount -SamAccountName zharpal -Domain magotteaux -Server rajkot-dc-02 -Credential $cred -Protocol TCP
Get-Credential : A positional parameter cannot be found that accepts argument ‘Get-ADReplAccount’.
At line:1 char:9
+ $cred = Get-Credential Get-ADReplAccount -SamAccountName zharpal -Dom …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-Credential], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.GetCredentialCommand I am getting as this error now.
PS C:\Windows\system32> Import-Module dsinternals
PS C:\Windows\system32> $cred = Get-Credential Get-ADReplAccount -SamAccountName zharpal -Domain magotteaux -Server rajkot-dc-02 -Credential $cred -Protocol TCP
Get-Credential : A positional parameter cannot be found that accepts argument ‘Get-ADReplAccount’.
At line:1 char:9
+ $cred = Get-Credential Get-ADReplAccount -SamAccountName zharpal -Dom …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-Credential], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.GetCredentialCommand
I got result now but there is no clear Text so I can’t recover password now.
PS C:\Windows\system32> Get-ADReplAccount -SamAccountName zharpal -Domain magotteaux -Server rajkot-dc-02 -Credential $c
red -Protocol TCP
DistinguishedName: CN=Zala Harpal,OU=Regular Accounts,OU=Mail,OU=Users,OU=Rajkot,OU=ASIA_PAC,DC=magotteaux,DC=org
Sid: S-1-5-21-443316275-3401568197-975265098-16922
Guid: cc9fba28-fc97-42e8-afea-271eaf8055ca
SamAccountName: zharpal
SamAccountType: User
UserPrincipalName: zharpal@magotteaux.com
PrimaryGroupId: 513
SidHistory:
Enabled: True
UserAccountControl: NormalAccount
AdminCount: False
Deleted: False
LastLogon:
DisplayName: Zala Harpal
GivenName: Zala
Surname: Harpal
Description: Information Technology
ServicePrincipalName:
SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited,
SelfRelative
Owner: S-1-5-21-443316275-3401568197-975265098-512
NTHash: e5e9e197413856f5ca1a53df54d0d66c
LMHash: c081b956d54a2ef28b88eb25b9c5dfca
NTHashHistory:
Hash 01: e5e9e197413856f5ca1a53df54d0d66c
Hash 02: 531cfd9485f0b36e67044cff50076d17
Hash 03: 3a95deb7a07780448aad279003bc5db0
LMHashHistory:
Hash 01: c081b956d54a2ef28b88eb25b9c5dfca
Hash 02: c081b956d54a2ef2ff17365faf1ffe89
Hash 03: c081b956d54a2ef21aa818381e4e281b
SupplementalCredentials:
ClearText:
NTLMStrongHash:
Kerberos:
Credentials:
DES_CBC_MD5
Key: d9cb2338107920b3
-140
Key: e5e9e197413856f5ca1a53df54d0d66c
OldCredentials:
DES_CBC_MD5
Key: 496854755b6e8c6d
-140
Key: 531cfd9485f0b36e67044cff50076d17
Salt: MAGOTTEAUX.ORGzharpal
Flags: 0
KerberosNew:
Credentials:
AES256_CTS_HMAC_SHA1_96
Key: 62fc62a23eb51f080f43e1f8e9b79dc1f97f40ced9fb4eed9ae1f5ac8a23687c
Iterations: 4096
AES128_CTS_HMAC_SHA1_96
Key: 27a3d09ea1c1885de6afbac4c7b76896
Iterations: 4096
DES_CBC_MD5
Key: d9cb2338107920b3
Iterations: 4096
-140
Key: e5e9e197413856f5ca1a53df54d0d66c
Iterations: 4096
OldCredentials:
AES256_CTS_HMAC_SHA1_96
Key: 47987752a4d56dc4cd95114b0147978ba3399dc93b126f50de62b60ee99c7c3b
Iterations: 4096
AES128_CTS_HMAC_SHA1_96
Key: 01a33041000d27c15d4a21d4c0740718
Iterations: 4096
DES_CBC_MD5
Key: 496854755b6e8c6d
Iterations: 4096
-140
Key: 531cfd9485f0b36e67044cff50076d17
Iterations: 4096
OlderCredentials:
AES256_CTS_HMAC_SHA1_96
Key: aa6caa7a47da316fc54385662c43bb6d777aefbd98714a03ad2dd5f9a10fab83
Iterations: 4096
AES128_CTS_HMAC_SHA1_96
Key: ce670374a1f5dec8d3c42bc0dc031bc8
Iterations: 4096
DES_CBC_MD5
Key: 9bc70e438f642f86
Iterations: 4096
-140
Key: 549f8a5529710faec814f5eeb77c984a
Iterations: 4096
ServiceCredentials:
Salt: MAGOTTEAUX.ORGzharpal
DefaultIterationCount: 4096
Flags: 0
WDigest:
Hash 01: e817f77d25c78915a0c67c8a6fd38a14
Hash 02: 3c46a7a252f5d0582339e9029ebe62da
Hash 03: c225be841b8eef0e0b245130563a1884
Hash 04: e817f77d25c78915a0c67c8a6fd38a14
Hash 05: 3c46a7a252f5d0582339e9029ebe62da
Hash 06: 87c4dda7d2e2f1c61ba505af997ba741
Hash 07: e817f77d25c78915a0c67c8a6fd38a14
Hash 08: 7406d09efe1ccb5dab77e6d79fe54c58
Hash 09: 7406d09efe1ccb5dab77e6d79fe54c58
Hash 10: d6b774dba6bccd27d330a14995591f6b
Hash 11: a17a5a4516dedf6eb5a051bcbb693d0e
Hash 12: 7406d09efe1ccb5dab77e6d79fe54c58
Hash 13: efbf1bda044e80cd1810b058f53d2193
Hash 14: a17a5a4516dedf6eb5a051bcbb693d0e
Hash 15: 6646d008bd0b39bc8ed0044c2d474c4e
Hash 16: 6646d008bd0b39bc8ed0044c2d474c4e
Hash 17: 237c05c30f800d51ccd4205bd102ecaa
Hash 18: 8e52951364bdaff5caf97b2679f52579
Hash 19: 22c089987ff1aa6db959e4864e56cffe
Hash 20: 7b80c4fb70dbd502c236cb56cef0c99f
Hash 21: 6944c61d63c483808c4ea31b65a0de56
Hash 22: 6944c61d63c483808c4ea31b65a0de56
Hash 23: cafb121216fe8be97a14d6db0fe92553
Hash 24: db020ade5728f0b8e3232729cf3e75fc
Hash 25: db020ade5728f0b8e3232729cf3e75fc
Hash 26: d77bfbf442d9d7fafbbe7674ff6f9577
Hash 27: 374de3f060fbf629d46434d34294c303
Hash 28: f76e702a897886c1aef3676aac46f4db
Hash 29: b53a9c8b7dbc4823447154fddb579d2f
Dear Micheal,
Please help to get clear text password.
Dear Harpaslinh, the ClearText password is present only if you enable “Store passwords using reversible encryption” in AD. Regarding your previous examples, you apparently forgot to close the sub-command in parenthesis.
Hi Michael, for some reason we are not allowed to build a trust between two forests. We must be able via LDAP to create user objects in forest/domain B by retrieving the user objects in domain/forest A. The user objects in domain B must have for some attributes the same values, like samAccount, last & first name. It is possible to “sync” the password hash from A to B so the user normally working in domain A can log on to domain B with the same samaccount and password?
Yes, the Set-SamAccountPasswordHash cmdlet can do that. But only Kerberos-RC4 and NTLM(v2) authentication will work against such accounts.
I keep getting an error for DSInternals.Replication.Interop.dll I have checked and the file is not locked. Any idea why?
Get-ADReplAccount : A procedure imported by ‘DSInternals.Replication.Interop.dll’ could not be loaded.
At line:1 char:1
+ Get-ADReplAccount -SamAccountName
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], FileLoadException
+ FullyQualifiedErrorId : System.IO.FileLoadException,DSInternals.PowerShell.Commands.GetADReplAccountCommand
Jeff, could you please specify your OS, PS version and also send me the stack trace of this exception? Thx.
Hi Michael, first its great stuff 🙂 I wonder how to check which users is member of Domain Admins or local Administrators ? The user blabla is member of Domain Admins and Administrators, but the module didn’t show this correct information even if I log off and log on again, also gpupdate /force on the client didn’t help.
***I’ve import the new and I hope the latest module 2.21***.
I’m trying also (just for test) to check the store password using reversible encryptions for this specific user but the module didn’t get it.
Please help :))) The Command that I’ve run on the Client:
Get-ADReplAccount -All -NamingContext ‘DC=test,DC=local’ -Server srv12-01
Output:
DistinguishedName: CN=blabla,CN=Users,DC=test,DC=local
Sid: S-1-5-21-2984388398-6913812-1553380050-2606
Guid: e6012490-25a8-4f2f-ae66-2cf7822afcbc
SamAccountName: blabla
SamAccountType: User
UserPrincipalName: blabla@test.local
PrimaryGroupId: 513
SidHistory:
Enabled: True
UserAccountControl: PlaintextPasswordAllowed, NormalAccount, PasswordNeverExpires
AdminCount: False
Deleted: False
LastLogon:
DisplayName: blabla
GivenName: blabla
Surname:
Description:
ServicePrincipalName:
SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent,
DiscretionaryAclAutoInherited, SystemAclAutoInherited, SelfRelative
Owner: S-1-5-21-2984388398-6913812-1553380050-512
…
It might take up to 3 hours before the adminCount attribute changes from 0 to 1 after adding a user to Domain Admins. This is standard AD behavior. See this article.
hi Michael do you know any way to get the clear password from nthash in other words, can i get this data when active directory is 2008 o upper and “Store passwords using reversible encryption” is unchecked?
Hey jesus, there is no way to get the cleartext password from the DB if it is not stored there. But you could try to attack the NTLM hash.
Hi Michael! I tried this but, i think since w2008 the lm hash is not stored in the A.D. do you know any way to get the lm hash in w2012?
You can only extract the LM hash if it is stored in the DB in the first place. This is disabled by default on modern versions of Windows, but can be enabled by GPO (not recommended).
Hey Michael, I’m using your code across domains but am being blocked by a firewall. What port needs to be open to run Get-ADReplAccount?
Thanks in advance.
Replication uses port 135 plus a random port between 49152 and 65535.
Hello Michael I see you use MS-DRSR in the DSInternals module to dump hashes from a DC.
Can it be done locally without using MS-DRSR ? I need to dump hashes in order to sync them elsewhere, i’d like to avoid as much third party tools as possible (please take no offense), and just give the Ds-Replication-Get-Changes-All privilege to a service account and dump the hashes on the simplest way possible. Do you see a way to do so ?
Thanks in advance
You can either use MS-DRSR or password filters. There is no other online supported way of retrieving password hashes.
Hi Michael, we have disabled LM Hashes in the domain but there are a large number of accounts that still have them stored in AD because they haven’t updated their password. I’m using your tool to write a script to change them using a combination of Get-ADReplAccount and Set-SamAccountPasswordHash which is working quite well. I want to run this in a script and log the output fully but the problem I have is that the LMHash attribute of the users is stored in a byte array that needs to be converted to a string to log properly. This is obviously done for the Get-ADReplAccount command as it displays it in a string during the output.
Can you point me to where that output is configured in the code source so I can use the same mechanism to output the LMhashes as strings in my script?
The DSInternals module contains ConvertTo-Hex cmdlet that does just this.
Nevermind I worked out a method using:
“$($account.nthash | % {$_.tostring(“x”)})” -replace ” “,””
hi Michael,
could you please show me how to use your ConvertTo-Hex cmdlet? current expression is :
Get-ADReplicationaccount –all -Domain secret –server Test
| select samaccountname, @{name = ‘NTHash’; Expression = {$PSItem.NTHash} } >……output.txt the output in the NThash column is {000,000,000,000…}
@{name = ‘NTHash’; Expression = { ConvertTo-Hex $PSItem.NTHash} }Or you can use one of the Views instead, e.g.:Get-ADReplicationaccount –all -Domain secret –server Test | Format-Custom -View HashcatNT > output.txtSeems like a really cool tool. Unfortunately for me, I get an unauthorizedaccessexception.
Any ideas?
+ CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,DSInternals.PowerShell.Commands.GetADReplAccountComma
d
Hi Michael, you apparently do not have the Replicating Directory Changes All permission.
I know this is an older post but I’m hoping you can still help.
I’m able to pull the information I need from my server. How can I format the text to have SamAccountName NTHash.
I’m using this command:
Get-ADUser -SearchBase “OU=Admins,OU=company Users,DC=company,dc=com” -Filter * | Select-Object -Property ObjectGuid | Get-ADReplAccount -Server server1| select SamAccountName, @{Name = ‘NTHash’; Expression = {$PSItem.NTHash}}
Problem is, it shows an ?array?
UserA {247, 120, 183, 170…}
UserB {183, 95, 226, 78…}
UserC {103, 89, 154, 19…}
Any Ideas How I can pull just the one hash that I can then run through hashcat.
I’m trying to show my employer how weak our password policy is by cracking our own passwords. (maybe even his)
ConvertTo-Hex $PSItem.NTHash
Dear Michael, I’ve looked at your source code but quite frankly this is on another level which I cannot possibly understand !
I’d like to sync passwords via the NTLM hash between two ADs. Using the PS command this works perfectly, however I would like to write some C# code using your framework. Could you possible give some guidance on which dll’s I need to reference and the format of the commands to extract the hash on the source AD and then to set the hash in the target AD
thanks
Hi Nico, you should use the DSInternals.SAM and DSInternals.DataStore NuGet packages.
Hello Michael,
I’m getting the below error when trying to load the module ,I have ver3 on my machine.
Import-Module : The specified module ‘.\DSInternals\’ was not loaded because no valid module file was found in any
module directory.
At line:1 char:1
+ Import-Module .\DSInternals\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (.\DSInternals\:String) [Import-Module], FileNotFoundException
+ FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
When loading the module from non-default locations, path to the DSInternals.psd1 module manifest has to be provided.
Hello
Would this work for an ADLDS directory. If so what would the command look like to extract the hast for a user entry. The users are in ou=customers,ou=people,o=b2c.
Thanks.
Hi Ron, I have not implemented support for AD LDS into this cmdlet yet, as its schema is very flexible when compared with AD and it uses a different (and undocumented) data structure to store hashes.
I can not dump the password hashes of my ActiveDirectory
my settings
user: administrador
pass: 1qaz2wsx..
ip: 127.0.0.1
port: 636
user Dn: cn=administrador,cn=users,dc=labti,dc=info
base dn: dc=labti,dc=info
windows server 2012
powershell 5
commands
PS C:\Users\Administrador> Get-ADReplAccount -All -NamingContext ‘DC=labti,DC=info’ -Server LON-DC1
Get-ADReplAccount : RPC server is unavailable
System.DirectoryServices.ActiveDirectory.ActiveDirectoryServerDownException,DSInternals.
PowerShell.Commands.GetADReplAccountCommand
PS C:\Users\Administrador> Get-ADReplAccount -SamAccountName ‘isaque.neves’ -Domain labti -Server LON-DC1 -Credential $c
red -Protocol TCP
Get-ADReplAccount : RPC server is unavailable
Hi Isaque, that seems to be a firewall issue. The MS-DRSR protocol does not use LDAP. By default, you need TCP port 135 and 49152-65535 to be open.
Hi Michael,
You did great work. I have a question. Is there a way to get also password expire date with hashes or separately in DSInternals.
Thanks
Andrei
Hi Andrei, this is currently not possible. You can mount a ntds.dit DB using dsamain.exe and get the pwdLastSet values. Expiration is complex, as you would need to analyse Fine-Grained Password Policies, not just the Default Domain Policy.
Hi Michael,
what permission is required to run the script
Get-ADReplAccount -All -Server $DC -NamingContext $Domain | Test-PasswordQuality ? domain admin only?
thanks
The
Replicating Directory Changes Allpermission is required, which is by default only assigned to Administrators (and DCs).good joob
Hello Michael, great Job!!!
Already installed, but have one question. I’m passing an internal audit, and they asking me if I can demonstrate ntds.dit file have only ntlm v2 or kerberos hashes. Is there any way to doit with this?
Sure! Use the
Test-PasswordQualitycmdlet to check if there are any LM hashes present in the DB. Just note that there is no such thing as NTLMv2 hash. The hash function is actually called NT OWF (=one-way function), but I prefer calling it NT hash.Hello Michael. You did a great job I need help setting up this script. I use the following settings:
$ Passwords = “C: \ tmp \ pwd.txt”
$ Params = @ {
“All” = $ True
“Server” = ‘my-dc1’
“NamingContext” = ‘dc = contoso, dc = com’
}
Get-ADReplAccount @Params | Test-PasswordQuality -WeakPasswordsFile $ Passwords -IncludeDisabledAccounts
At the exit, I have:
Passwords of these accounts have been found in the dictionary:
User1
User2
User3
User4
How can I make the found password appear next to each user? If possible, tell me what the expression will look like.
The feeature to display the cleartext passwords will be re-added in a future version.
Hello Micheal, great tool! I have made an export of my active directory and successfully imported my data onto an openldap server.I now use your utillity to bring the passwords too but seems that all the hashes there will not work on openldap even if i follow password schemes like from: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/511f65e8-3dbe-4377-b657-30b47dc4f26c
Any idea how should i convert this passwords in order openldap will accept them?
Openldap accepts the following password schemes: If -h is specified, one of the following RFC 2307 schemes may be specified: {CRYPT}, {MD5}, {SMD5}, {SSHA}, and {SHA}. The default is {SSHA}.
Note that scheme names may need to be protected, due to { and }, from expansion by the user’s command interpreter.
{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed.
{CRYPT} uses the crypt(3).
{CLEARTEXT} indicates that the new password should be added to userPassword as clear text. Unless {CLEARTEXT} is used, this flag is incompatible with option -g.
Thanks and best regards
Hi, none of those schemes you mention are compatible with AD password hashes. You should enable NTLM (uses MD4 hashes) or GSSAPI (uses kerberos, for which you need a KDC service).
Hi Micheal, thanks for your work. I need your support. I’m using a script to synchronize passwords between two domains. I can’t do the job on the same script and I need to export the password and reimport them on the other domain. I exported NThash of some users in a csv file. I’m trying to reimport in the corresponding users on the other domain.
export:
foreach ($user in $UserList)
{
#$hashes = Get-ADReplAccount -All -NamingContext $sourceDomainDN -Server $sourceDomainFQDN -Credential $sourceDomainCredential -Protocol TCP;
$userhash = Get-ADReplAccount -SamAccountName $user.SamAccountName -Domain $sourceDomainNetBIOS -Server $sourceDomainFQDN -Credential $sourceDomainCredential -Protocol TCP;
$hashes += $userhash
}
$hashes | select SamAccountName,NThash | Export-Csv .\pwdsync\exphashes.csv -append -NoTypeInformation
import:
$hashes = import-csv -Path $ExportHashCSV
$tobeSynced = Get-Content -Path $tobeSyncedpath
$UserList=$tobeSynced|Get-ADuser -Server $targetDomainFQDN -Credential $targetDomainCredential
# Loop through these users
foreach ($user in $UserList)
{
# Get the hash of the user in the hashes collection
$currentUserHash = $hashes | ? {$_.saMAccountName -eq $user.SamAccountName};
# Convert hash to string
$NTHash = ([System.BitConverter]::ToString($currentUserHash.NTHash) -replace ‘-‘,”).ToLower(); when converting to string I’ve got this error:
Cannot convert argument “value”, with value: “System.Byte[]”, for “ToString” to type “System.Byte[]”: “Cannot convert value “System.Byte[]” to type “System.Byte[]”. Error: “Cannot convert
value “System.Byte[]” to type “System.Byte”. Error: “Input string was not in a correct format.”””
I’m pretty sure I’m doing something wrong on exporting to csv. Do you have any idea?
thanks for your support
Mike
Hi, try converting the NTHash binary property into string using ConvertTo-Hex before exporting it.
Hello Michael,
What are the security implications of using the Get-ADReplAccount cmdlet? Would someone potentially be able to sniff usable packets during a legitimate replication? Is the communication between the computer running the script and the DC it’s communicating with secure?
Thank you for your support and work on this great tool.
Thanks,
Paul
Hi Paul, the replication traffic is always encrypted at the RPC PDU level. Second layer of encryption is used when transferring secret attributes. The encryption keys are derived from the authentication layer (=Kerberos/NTLM). The Get-ADReplAccount cmdlet of course does in-memory decryption of all the data, including secret attributes (=password hashes). It should therefore only be executed from a secure computer. If you export the hashes to a file, that file should also be handled with security in mind.
Thanks for your work. what is the footprint can be left on DC? Any logs can be found on DC if someone used this Module.
If you enable DS Access Logging, the the usage of extended permission {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} will be logged. You can also enable Diagnostic Logging of Replication Events in DC registry, which would give you more info on the objects replicated.
Hi Micheal, is there a possible way to store our domain Windows 10 password in to a variable in PowerShell. I have two domains with no trust but have all the same username and password on each domains. I am just trying to connect a network drive from one domain using the password credential of the windows 10 connected domain.
If a password must be stored, then I would use the
Get-Credential | Export-CliXmlapproach.Hi Michael, having an issue where your set-samaccountpasswordhash cmdlet is not being able to connect to the domain. Getting the following error:
Set-SamAccountPasswordHash : The specified domain either does not exist or could not be contacted
At line:6 char:1
+ Set-SamAccountPasswordHash -SamAccountName testjna15b -Domain “ghs” – …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-SamAccountPasswordHash], ActiveDirectoryServerDownException
+ FullyQualifiedErrorId : System.DirectoryServices.ActiveDirectory.ActiveDirectoryServerDownException,DSInternals.PowerShell.Commands.SetSamAccountPasswordHashCommand I tried using “” or domain.org or just domain.
Hi Jake, could you please check that ghs really is the NetBIOS name of your domain?
I am doing a domain migration with a trust relationship established. I want to do a simple Get-ADReplAccount | Set-SamAccountPasswordHash but I get the error
ConvertTo-Hex : Cannot bind argument to parameter ‘Input’ because it is null.
Any suggestions?
Could you please share the exact commands including parameters? Also, could you please use GitHub for issue reporting?
Michael – I am looking for a powershell command/script that can tell how many characters are being used in our AD user passwords. Is there a way to do this either through your DSInternals module or other method? RDGR
Not until you crack a password hash.
I´m stunned on why is so easy to get the clear text version of the password. I have an important question: How can we AVOID this?
What measures can be taken, to block the offline AD DB attack? I know that sometimes, an insider attacker already being Admin is bad enough, but what i need is just a way to prevent admins from seeing the plain text password of the users… Right now, it´s a matter of not getting a bad situation worse, first admin rights and besides that, knowing all user´s passwords… how to avoid this?
I´m not sure if I got coorectly, but even using WinServer2016 and changing RC4/MD5 to something stronger, removing LM and NTLM hashes it might be impossible to avoid the discovery of users´ passwords?
That’s simple: Just don’t give non-Domain Admins access to domain controller hard drives or backups.
On the output below, is Hash2 a legitimate LM hash? Its 32 characters, just like the NTHASH. Additionally, is Hash3 useful for any cracking, or is that to craft kerberos traffic?
Secrets
NTHash: Hash1
LMHash:
NTHashHistory:
Hash 01: Hash1
LMHashHistory:
Hash 01: Hash2?
SupplementalCredentials:
ClearText:
NTLMStrongHash:
Kerberos:
Credentials:
DES_CBC_MD5
Key: Hash3?
OldCredentials:
Salt: FQDNusername
Flags: 0
Hi, NT hashes ( = MD4) are much easier to crack than the salted MD5 hashes with multiple iterations. Hashes in LM history are randomly generated by DCs if LM hash storage is turned off. So they have no real value in most environments.
Hi Michael.. How can I list down or export user list for user that using same NTHash?
… | Test-PasswordQuality | Select-Object -ExpandProperty DuplicatePasswordGroups | ForEach-Object { $PSItem -join ‘,’ }
Hi Michael,
I’m sorry because I not familiar with PowerShell command. i run the command line that you provide but i received below error. Actually i want to export Active Directory user that using same NTHash (which is i have what NTHash that i want from my test user) into *.csv file.
PS C:\Program Files\WindowsPowerShell\Modules\DSInternals\3.1> … | Test-PasswordQuality | Select-Object -ExpandProperty
DuplicatePasswordGroups | ForEach-Object { $PSItem -join ‘,’ }
… : The term ‘…’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spell
ing of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ … | Test-PasswordQuality | Select-Object -ExpandProperty DuplicatePas …
+ ~
+ CategoryInfo : ObjectNotFound: (…:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
You of course replace the 3 dots (…) with the Get-ADReplAccount or Get-ADDBAccount cmdlet with proper parameters. See the documentation for more examples.