Wednesday, 31 July 2013

How to Audit Active Directory Domain Accounts - Without lighting up Antivirus etc

Recently I wanted to do an audit of weak administrative and service accounts on Active Directory. I had the usual tools ready: Metasploit, pwdump/fgdump and all the auxiliary modules that go with dumping that.

The only problem was that the payloads from Metasploit and even the pwdump list of tools lit the anti-virus/host intrusion services running on the AD server in question. I had to figure out a legit way to get the dumps from the domain controller, so I went researching.

Now there's a ton of articles on how to do this on the interwebs; I am just putting it all in this post so I have my own little place of 'how to'... use it, don't use it.

Also, I am just running through the commands here; take your time and look at all the different switches and options for each of the tools.

So with Active Directory, gone are the days of SAM dumps etc.; enter NTDS.DIT (New Technology Directory Services; the DIT stands for Directory Information Tree). Active Directory stores credential information in a database engine called the Extensible Storage Engine (ESE), which is based on the Jet database and is also used by Exchange v5.5 and WINS.

Essentially this is the file you want off the Domain Controller to extract the stored password hashes in the database and link_table inside.

To grab the NTDS.DIT file from the Domain Controller without lighting up the alerts, and to do this in a legit manner, enter the Volume Shadow Copy Service (VSS).

Volume Shadow Copy Service (VSS)

To use VSS you will need administrative privileges on the domain controller you're going to 'dump' the ntds.dit file from. VSS comes packaged with Windows by default, so no worries about uploading tools and triggering anything suspicious.

Step 1 - Create a Shadow Copy Drive

Usually the ntds.dit file is stored on the C: drive by default. It would be unusual for it to be on another drive, but it is possible. To create the shadow drive, run the following command:

vssadmin create shadow /for=C:

You can see if it was successful from the output of the command, or afterwards you can run:

vssadmin list shadows

Step 2 - Copy the Required Files off

We're going to copy two files off the server, NTDS.DIT and the SYSTEM hive file. My layout was as follows, yours may differ:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\temp\NTDS.DIT
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive

I usually copy it directly off to a remote server; some NTDS.DIT files can be pretty big, so choose a location with enough drive space.

Now we need to quickly clean up and remove the Shadow Drive:

vssadmin delete shadows /for=C:
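Because every step above uses built-in Windows tooling, the place to see it is process-creation logging rather than antivirus. The following is an added example, not part of the original post: it correlates the create, copy and delete commands per host. The log line format, rule names and 30-minute window are assumptions, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: "time host user command-line", in the shape of exported
# process-creation records (Security 4688 with command line, or Sysmon ID 1).
SAMPLE_LOG = r"""
2013-07-31T10:02:11 DC01 CORP\admin1 vssadmin create shadow /for=C:
2013-07-31T10:03:40 DC01 CORP\admin1 cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\temp\NTDS.DIT
2013-07-31T10:04:02 DC01 CORP\admin1 cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive
2013-07-31T10:09:55 DC01 CORP\admin1 vssadmin delete shadows /for=C:
2013-07-31T11:00:00 FS02 CORP\backup vssadmin list shadows
2013-07-31T23:00:00 FS02 CORP\backup vssadmin create shadow /for=D:
"""

RULES = {
    "shadow_create": re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I),
    "shadow_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "ntds_from_shadow": re.compile(r"HarddiskVolumeShadowCopy\d+\\\S*ntds\.dit", re.I),
    "system_hive_from_shadow": re.compile(
        r"HarddiskVolumeShadowCopy\d+\\\S*\\config\\SYSTEM\b", re.I),
}

def parse(log):
    """Yield (time, host, user, command line) from whitespace-separated lines."""
    for line in log.strip().splitlines():
        ts, host, user, cmd = line.split(None, 3)
        yield datetime.fromisoformat(ts), host, user, cmd

def detect(log, window=timedelta(minutes=30)):
    """Score each shadow-copy creation by what the same host ran within `window`."""
    events = sorted(parse(log))
    findings = []
    for ts, host, user, cmd in events:
        if not RULES["shadow_create"].search(cmd):
            continue
        followups = set()
        for ts2, host2, _, cmd2 in events:
            if host2 == host and ts < ts2 <= ts + window:
                followups |= {n for n, rx in RULES.items() if rx.search(cmd2)}
        if followups & {"ntds_from_shadow", "system_hive_from_shadow"}:
            severity = "high"      # NTDS.DIT or SYSTEM hive read out of a snapshot
        elif "shadow_delete" in followups:
            severity = "medium"    # snapshot created and removed in short order
        else:
            severity = "low"       # could be ordinary backup activity
        findings.append((host, user, ts.isoformat(), severity, sorted(followups)))
    return findings

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

`copy` is a cmd.exe built-in, so the copy step only appears in process-creation logs when it is launched as `cmd.exe /c`; the `vssadmin` create/delete pair is the part you can rely on seeing, which is why it is scored on its own.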

Step 3 - Extract the Required Tables from NTDS.DIT

There are two main sets of tools, for Linux, that we use: one to extract the NTDS.DIT tables and one to extract user account information and password hashes.

NTDSXtract -


I used Kali/Backtrack for this. Firstly, extract libesedb and compile it; you should know by now how to do this...
# tar zxvf libesedb-alpha-20120102.tar.gz
# cd libesedb-20120102
# ./configure 
# make
# make install
# ldconfig
If you are copying the NTDS.DIT/SYSTEM.hive files to your Kali box, be it a virtual machine or physical, make sure the entire file copies across, or like me you will spend a day and a half trying to figure out why the tools keep crashing (;
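An incomplete copy can be caught before any tool is run. The following is an added example, not part of the original post or of libesedb: it hashes the copy for comparison with a SHA-256 computed on the source (for instance with `certutil -hashfile`) and checks the ESE header. The header offsets (signature at 4, state at 52, page size at 236) follow the ESE layout as documented by the libesedb project and are assumptions to verify; the sample file is constructed.

```python
import hashlib
import os
import struct
import tempfile

ESE_SIGNATURE = 0x89ABCDEF   # stored little-endian at offset 4 of the header
PAGE_SIZES = (2048, 4096, 8192, 16384, 32768)
STATES = {1: "just created", 2: "dirty shutdown", 3: "clean shutdown"}

def check_ese_copy(path, expected_sha256=None):
    """Return (problems, info) for a copied ESE database such as NTDS.DIT."""
    problems, info, digest = [], {}, hashlib.sha256()
    with open(path, "rb") as fh:
        header = fh.read(240)
        digest.update(header)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    info["sha256"] = digest.hexdigest()
    if expected_sha256 and info["sha256"] != expected_sha256.lower():
        problems.append("sha256 differs from the value computed on the source")
    if len(header) < 240:
        return problems + ["file is shorter than an ESE header"], info
    signature, = struct.unpack_from("<I", header, 4)
    state, = struct.unpack_from("<I", header, 52)
    page_size, = struct.unpack_from("<I", header, 236)
    if signature != ESE_SIGNATURE:
        return problems + ["ESE signature not found"], info
    info.update(state=STATES.get(state, "state %d" % state), page_size=page_size)
    size = os.path.getsize(path)
    if page_size not in PAGE_SIZES:
        problems.append("unexpected page size %d" % page_size)
    elif size % page_size:
        problems.append("%d bytes is not a whole number of %d-byte pages" % (size, page_size))
    return problems, info

def make_sample(pages=4, page_size=8192):
    """Constructed stand-in for a database: valid header fields, zeroed pages."""
    buf = bytearray(pages * page_size)
    struct.pack_into("<I", buf, 4, ESE_SIGNATURE)
    struct.pack_into("<I", buf, 52, 3)            # clean shutdown
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "NTDS.DIT")
        with open(path, "wb") as fh:
            fh.write(make_sample()[:-100])        # simulate an incomplete copy
        print(check_ese_copy(path))
```

The page-size check only catches a copy that stops part-way through a page, so the hash comparison is the authoritative test; the database state is reported as information only.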

Ok, so libesedb is installed. Now we can extract the stored tables; there are 12 tables to extract:
# esedbexport NTDS.DIT
The default settings will create a folder like ntds.dit.export/ filled with the extracted data. We are only interested in the datatable.3 and link_table.5 tables.

Next, extract NTDSXtract and run the Python script (there are a few; I suggest playing with them all). This is going to extract the NT hashes from the tables; you will need the SYSTEM.hive file too for this.
# python dsusers.py ../ntds.dit.export/datatable.3 ../ntds.dit.export/link_table.5 --passwordhashes ../SYSTEM.hive --passwordhistory ../SYSTEM.hive
I would suggest pumping the output to a file ( > to_somefile.txt).

Step 4 - Start the Cracking...

Now, the file we pumped the output to is not nicely formatted. It is useful, yes, but we just want to extract the hashes. If you google around a bit you may find a Perl script or two that will take the output and copy the hashes to a nice, clean file.

(google: Perl script to parse the output from NTDSXtract)

Once you extract the hashes from this file you can run it directly in your favorite <insert tool name here> (: for instance:
# john /root/my_password_hashes.txt
Also, during this time, I came across a nice little tool from Digininja, called Pipal. Once you have your list of cracked passwords you run pipal to do some nice analysis of the discovered passwords. I found it rather useful.

Pipal -


So this is the quick'ish, clean and manual way of doing it. Afterwards I found that Metasploit also has a module to do exactly as mentioned above with the VSS copy and cleanup; however, I didn't get it to work right the first couple of times.

I must say, the results have been interesting and scary! Lots of work to be done after opening this can of worms!

Then lastly, I have been following an interesting tool/service to be released by Praetorian called PWAudit and it looks extremely promising and bad ass! 

sign me up!!!


  1. Thanks for the shout out! Have you signed up for the Beta yet?

    1. Hey Paul,

      Pleasure, yeah I signed up for the beta long ago, as it was announced but haven't received logon details...yet (;