Behind this catchy title is a real need: as a system administrator, it is worthwhile to audit all of your organization's Active Directory accounts to assess the level of security of user passwords. Let's see how we do it!
Web resources and methods:
- How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller: https://adsecurity.org/?p=451
- Using NTDSUTIL to create a copy of NTDS.DIT
- Using DSInternals PowerShell module and an adhoc script
- Using a Linux computer: http://paulasitblog.blogspot.de/2016/03/auditing-active-directory-passwords.html
- Other ways to get passwords include:
  - John the Ripper (CPU-based cracking tool)
  - Hashcat (GPU-based cracking tool)
  - Cain and Abel: http://www.oxid.it/cain.html
  - fgdump: http://colesec.inventedtheinternet.com/tag/fgdump/
  - pwdump7: http://www.tarasco.org/security/pwdump_7/index.html ; this does not work for ntds.dit
  - gsecdump from truesec:
  - Ophcrack (rainbow-table password cracking tool)

Details on using those are beyond the scope of this article, but all three cracking tools will crack NTLM passwords. One neat thing about Ophcrack is that if you have physical access to the machine, you can simply boot it from an Ophcrack Live CD and let it find and crack the passwords automatically. Of course, if you already have physical access to a machine in a pentest, you can probably consider the engagement done, with everything compromised already.

An even better way to grab passwords is to do so in cleartext.
- WCE (Windows Credential Editor). Just running wce from the command line will also dump the hashes, but running it with the -w flag will grab the credentials in cleartext from memory. In the original article's screenshot (not reproduced here), the password clearly shown is asdf. This won't always grab all the passwords on the system, but it sure helps for the ones it does grab. Another tool that works in the same way as WCE (not in English, but less likely to be caught by anti-virus) is mimikatz. You can try that tool as well.
- Using mimikatz dcsync:
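The NTDSUTIL and DSInternals methods listed above fit together as one audit workflow: take an offline Install-From-Media (IFM) copy of the database, then test every account's password against a list of known-weak passwords. The script below is an added example written for this article, not code from the original post or from the DSInternals project. It assumes an elevated PowerShell session on a domain controller, the DSInternals module installed (Install-Module DSInternals), the hypothetical working directory C:\ADAudit, and a constructed sample list of weak passwords; the cmdlet and parameter names are those documented by DSInternals (Get-BootKey, Get-ADDBAccount, Test-PasswordQuality).

```powershell
# Added example (not from the original article): offline AD password audit.
# Assumptions: run elevated on a domain controller, DSInternals is installed,
# and C:\ADAudit is a directory chosen for this example.
$IfmPath = 'C:\ADAudit\ifm'
New-Item -ItemType Directory -Path $IfmPath -Force | Out-Null

# 1. Use ntdsutil's IFM feature to take a consistent snapshot of NTDS.dit and the
#    SYSTEM hive (which holds the boot key needed to decrypt the stored hashes).
#    ntdsutil writes "Active Directory\ntds.dit" and "registry\SYSTEM" under $IfmPath.
ntdsutil "activate instance ntds" "ifm" "create full $IfmPath" quit quit

# 2. Read the boot key from the exported SYSTEM hive.
$BootKey = Get-BootKey -SystemHiveFilePath (Join-Path $IfmPath 'registry\SYSTEM')

# 3. Parse the offline database and test every account against a dictionary of
#    weak passwords. The list here is a constructed sample; in a real audit use a
#    breach wordlist or your organisation's banned-password list.
$WeakPasswords = @('Password1', 'Welcome1', 'Summer2016', 'asdf')
$Report = Get-ADDBAccount -All `
        -DatabasePath (Join-Path $IfmPath 'Active Directory\ntds.dit') `
        -BootKey $BootKey |
    Test-PasswordQuality -WeakPasswords $WeakPasswords

# 4. Report account names only; the hashes themselves never leave memory.
$Report.WeakPassword            | ForEach-Object { "Weak password: $_" }
$Report.EmptyPassword           | ForEach-Object { "Empty password: $_" }
$Report.LMHash                  | ForEach-Object { "Legacy LM hash present: $_" }
$Report.DuplicatePasswordGroups | ForEach-Object { "Shared password among: $($_ -join ', ')" }

# 5. The IFM copy contains every password hash in the domain: remove it as soon
#    as the audit is finished, and keep the report on an access-controlled share.
Remove-Item -Path $IfmPath -Recurse -Force
```

Run this only with an account authorised to take directory backups, and treat C:\ADAudit with the same care as a domain controller backup while it exists; the final step deletes the snapshot so that the audit does not leave a second copy of the domain's credentials on disk.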