To find out whether our passwords can be cracked or guessed by an attacker we have an advantage that we rarely use: we own the Domain Controller. By running a simulated password crack against our existing AD users we can find the weak passwords before the bad guys do.
First we need to extract the relevant data from the DC. Injecting into or dumping LSASS is one way to get it, but it is NOT advisable in a production environment unless absolutely necessary: if lsass.exe crashes, Windows forces the host to reboot, and since the DC is the core of a Windows network that can mean a catastrophic outage across the environment. The method below reads the data from disk instead, which touches nothing that is running.
Gathering the NTDS.DIT Data
First enable shadow copies on C:\ (vssadmin, diskshadow or ntdsutil's "ifm" export will all produce one). The live database is held open by AD DS and cannot be copied directly, so take ntds.dit from the shadow copy. Its default location is:
C:\Windows\NTDS\ntds.dit
Also save a binary copy of the SYSTEM hive. It holds the boot key that protects the Password Encryption Key (PEK) inside ntds.dit, and without it the hashes cannot be decrypted. From an elevated prompt:
reg SAVE HKLM\SYSTEM c:\SYS
You can now copy both files across to a *nix box, preferably Kali, though the tools can be installed manually on any Debian-based distro. Treat the pair as you would every password in the domain, because that is what it is: remove the originals from the DC, and if they were transferred via USB erase the drive with DBAN or equivalent.
Extracting the Hashes
Exporting the tables
Once on Kali you need to export the users and hashes from the database. This is done with libesedb (Debian and Kali also package it as libesedb-utils). To build from source, clone it into your /opt folder (my preference) with
git clone https://github.com/libyal/libesedb
After cloning and building it, run
esedbexport -m tables ntds.dit
This exports the tables inside the NTDS.DIT file and may take a few minutes depending on the size of your database. By default everything is written to a folder named "ntds.dit.export".
Exporting User Data
Fire up git clone again and get a copy of NTDSXtract:
git clone https://github.com/csababarta/ntdsxtract
This repo contains dsusers.py, which we will use to dump user data from the exported tables. NTDSXtract is Python 2 code, so run it with a Python 2 interpreter:
python2 /path/to/ntdsxtract/dsusers.py /path/to/ntds.dit.export/datatable.X /path/to/ntds.dit.export/linktable.X /path/to/new/export/folder --syshive /path/to/sys-file --passwordhashes --lmoutfile "lmhashDump" --ntoutfile "nthashDump" --pwdformat john
This writes the password hashes in a format John the Ripper (JTR) can load. The X in datatable.X and linktable.X is the table's number in the ESE catalog and differs from one database to the next, so list your export folder to see which files you have and amend the paths accordingly.
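The Linux half of the procedure as one script, added here as an example rather than taken from the original post or from the libesedb or NTDSXtract projects. It assumes the two repos are cloned under /opt as suggested above (override with NTDSXTRACT=...), that esedbexport is on PATH, that its -t flag sets the export basename, and that a python2 interpreter exists. The part worth copying is pick_table, which resolves datatable.X and linktable.X by prefix instead of hard-coding X.

```shell
#!/bin/sh
# Added example, not from the original post: the Linux half of the procedure as
# one script. Assumes the repos live under /opt (override with NTDSXTRACT=...),
# esedbexport is on PATH, and python2 exists (ntdsxtract is Python 2 code).
set -eu

NTDSXTRACT=${NTDSXTRACT:-/opt/ntdsxtract}

# libesedb is a libyal project: this is its documented source build. After
# "make" the tool is esedbtools/esedbexport; "make install" puts it on PATH.
build_libesedb() {          # build_libesedb /opt/libesedb
    ( cd "$1" && ./synclibs.sh && ./autogen.sh && ./configure && make )
}

# esedbexport names each table file <name>.<N>, where N is the table's
# position in the ESE catalog and differs between databases. Resolve the
# file by prefix and refuse to guess if there is none or more than one.
pick_table() {              # pick_table <export_dir> <prefix>
    set -- "$1" "$2" "$1"/"$2".*
    [ -e "$3" ] || { echo "no $2.* in $1" >&2; return 1; }
    [ "$#" -eq 3 ] || { echo "several $2.* files in $1, inspect by hand" >&2; return 1; }
    echo "$3"
}

# Export the tables from ntds.dit, then run dsusers.py against them with the
# SYSTEM hive (boot key -> PEK) to write john-format LM and NT dumps.
extract_hashes() {          # extract_hashes <ntds.dit> <SYSTEM hive> <out_dir>
    dit=$1 hive=$2 out=$3
    mkdir -p "$out"
    # -t is assumed to set the export basename, so tables land in $out/ntds.export/
    esedbexport -m tables -t "$out/ntds" "$dit"
    datatable=$(pick_table "$out/ntds.export" datatable)
    linktable=$(pick_table "$out/ntds.export" linktable)
    python2 "$NTDSXTRACT/dsusers.py" "$datatable" "$linktable" "$out" \
        --syshive "$hive" --passwordhashes \
        --lmoutfile "$out/lmhashDump" --ntoutfile "$out/nthashDump" \
        --pwdformat john
    echo "$out/nthashDump"
}

# Usage: sh extract.sh /opt/loot/ntds.dit /opt/loot/SYS /opt/loot/dump
if [ "$#" -eq 3 ]; then
    extract_hashes "$@"
fi
```

Absolute paths are passed to --lmoutfile and --ntoutfile so the dumps end up in the output folder whether dsusers.py treats those names as relative to its work directory or to the current directory.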
Collect your Hashes
Once done, go to the output folder you passed to dsusers.py in the previous step. If you have trouble finding it, use
locate lmhashDump
Check both the NT and LM files. The LM dump may be empty, or contain only the placeholder aad3b435b51404eeaad3b435b51404ee: since Windows Server 2008 the "Do not store LAN Manager hash value on next password change" policy is on by default, so real LM hashes survive only for accounts whose password has not changed since, or where the policy was switched off. Any that do survive are worth cracking first, as LM falls in minutes.
You now possess the password hashes for every account in the domain. Next we move on to cracking with JTR!!