Dumping Active Directory Password Hashes

Getting ready to do password strength testing, I’ve spent over a week researching various tools for the task, specifically the easiest and least intrusive way (don’t want to crash the domain controller!) of dumping password hashes.

Surely, I thought at first, over the years that AD has been around, there should be plenty of polished tools for the task. My testing was done on Windows 2012 R2 and Windows 2008 R2 SP1 domain controllers. Surprisingly, I had issues dumping hashes from the W2008 server using some of the widely known (proven?) tools.

The approach I describe here worked consistently well for me for both OS versions and is based on using scripts included with the impacket library (https://github.com/CoreSecurity/impacket). The advantages of this approach are that you can do it remotely from either a Linux or a Windows machine, and that it doesn’t install or execute any agent on the target DC, but rather uses standard network RPC calls.

Installing impacket on Linux is as easy as:

pip install pyasn1
pip install impacket

On Windows it’s a bit more complicated, as it requires the PyCrypto library. Here’s a quick guide I wrote earlier: https://medium.com/@infosec_stuff/installing-impacket-on-windows-ded7ba8bec9a

Once impacket is installed, we can use the included secretsdump.py script to remotely dump the password hashes:

secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER>

It will ask for the password. The account used should have Domain Admin rights on the target domain. If you want to output the results into a pwdump file, use the -outputfile option. secretsdump.py can dump other information as well (LSASS secrets etc.), which you might want to explore in a penetration test scenario (remove -just-dc-ntlm to start with), but which is not relevant for my use case.
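For the password strength review itself, several findings can be read straight from the pwdump-format output without cracking anything. The following is an added example, not part of the original post or of impacket: it parses pwdump lines and reports blank passwords, accounts with a stored LM hash, and accounts sharing an NT hash. The function names are hypothetical, and the sample lines and their hash values (other than the two well-known empty-string hashes) are constructed.

```python
import re
from collections import defaultdict

# Well-known LM and NT hashes of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# pwdump line layout: account:RID:LM hash:NT hash:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)

def parse_pwdump(lines):
    """Yield (user, rid, lm, nt) for well-formed lines; skip banners and noise."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()

def audit(lines, include_machine_accounts=False):
    """Report blank passwords, stored LM hashes and shared NT hashes."""
    blank, lm_stored, by_nt = [], [], defaultdict(list)
    for user, rid, lm, nt in parse_pwdump(lines):
        if user.endswith("$") and not include_machine_accounts:
            continue  # computer accounts use machine-generated passwords
        if nt == EMPTY_NT:
            blank.append(user)
            continue
        if lm != EMPTY_LM:
            lm_stored.append(user)  # weak LM hash is still being stored
        by_nt[nt].append(user)  # identical NT hash means identical password
    shared = sorted(sorted(u) for u in by_nt.values() if len(u) > 1)
    return {"blank": sorted(blank), "lm_stored": sorted(lm_stored), "shared": shared}

# Constructed sample input (not real hashes or accounts).
SAMPLE = [
    "[*] constructed banner line that is not a hash entry",
    f"CORP\\alice:1104:{EMPTY_LM}:{'1' * 32}:::",
    f"CORP\\bob:1105:{EMPTY_LM}:{'1' * 32}:::",
    f"CORP\\carol:1106:{'2' * 32}:{'3' * 32}:::",
    f"CORP\\dave:1107:{EMPTY_LM}:{EMPTY_NT}:::",
    f"WS01$:1108:{EMPTY_LM}:{'4' * 32}:::",
]

if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE).items():
        print(finding, accounts)
```

The output file contains every account's hash, so treat it and any report derived from it as sensitive as the domain itself, and delete both when the review is done.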

Alternative Approach

If you are able to log on to the target domain controller, an alternative approach is to manually extract a snapshot of the Active Directory database NTDS.dit using Volume Shadow Copy. I believe you can do this remotely using psexec, but haven’t tried. The instructions below are based on https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/:

  • Run cmd.exe as Administrator on the domain controller.
  • Run ntdsutil and type the following commands:

    snapshot
    activate instance NTDS
    create

  • This will create a snapshot and show you the UUID of the newly created snapshot. ntdsutil uses Volume Shadow Copy for the snapshot creation, but also ensures database consistency. Use the UUID for the following command:

    mount <UUID>

  • The output will show the path where the snapshot was mounted. Start another cmd.exe as Administrator and copy NTDS.dit (located in Windows\NTDS\NTDS.dit by default).
  • Create a copy of the SYSTEM registry hive:

    reg.exe save HKLM\SYSTEM <path_where_you_want_to_save_it>

  • Go back to the cmd.exe window with ntdsutil running, unmount (and optionally delete) the snapshot, and exit:

    unmount <UUID>
    delete <UUID>
    quit
    quit

  • Using the two saved files (NTDS.dit and the SYSTEM registry hive), you can use the same secretsdump.py script to extract password hashes offline (this doesn’t need to be done on the domain controller):

    secretsdump.py -system <path_to_system_hive> -ntds <path_to_ntds.dit> LOCAL