Check your PowerShell version with:
$PSVersionTable.PSVersion
If the version is below Major 5, Minor 1 (i.e. older than PowerShell 5.1),
head to Microsoft's download site to get the latest.
Once PowerShell is updated, run this command (as Administrator) to install DSInternals:
Install-Module DSInternals
Type Y when asked about installing the NuGet provider, and answer Y to anything else that comes up.
If you get a warning that the module is already installed, try:
Uninstall-Module -Name DSInternals
With v3, you may get a message saying:
WARNING: Version '3.0' of module 'DSInternals' is already installed at 'C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals'.
If that's the case, manually delete that folder.
Then type:
Import-Module DSInternals
Run these commands to create a new folder called c:\dcbackup
(or whatever you want to call it) and dump an AD backup (an IFM set) into it:
mkdir c:\dcbackup
ntdsutil "ac i ntds" "ifm" "create full c:\dcbackup" q q
Note: UAC may ask for approval.
Run the script below:
# Boot key from the SYSTEM hive that ntdsutil copied into the backup
$key = Get-BootKey -SystemHivePath 'C:\dcbackup\registry\SYSTEM'
# Dump every account from the ntds.dit copy, in hashcat's NT and LM formats
Get-ADDBAccount -All -DBPath 'C:\dcbackup\Active Directory\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File 'c:\dcbackup\hashesNT-and-users.txt' -Encoding ASCII
Get-ADDBAccount -All -DBPath 'C:\dcbackup\Active Directory\ntds.dit' -BootKey $key | Format-Custom -View HashcatLM | Out-File 'c:\dcbackup\hashesLM.txt' -Encoding ASCII
# Keep only the text after the last colon (the hash) of each user:hash line
$hashdump = foreach ($hash in Get-Content 'c:\dcbackup\hashesNT-and-users.txt') {
    $hash.Split(':')[-1]
}
$hashdump | Out-File 'C:\dcbackup\hashesNT-just-hashes.txt'
# Drop the empty lines that Format-Custom left behind
Get-Content 'C:\dcbackup\hashesNT-just-hashes.txt' | Where-Object {$_} | Set-Content 'C:\dcbackup\hashesNT-just-hashes-nospaces.txt'
The script will extract the hashes from the backup you put in c:\dcbackup
and then parse them out into a few different files:
hashesNT-and-users.txt
- contains usernames and hashes
hashesNT-just-hashes.txt
- a cleaned up list of only the hashes from hashesNT-and-users.txt, but this file contains a bunch of empty lines, and so...
hashesNT-just-hashes-nospaces.txt
- a nice clean list of only hashes, one hash per line
Note to self: I realize I need to clean this script up to be more efficient :-)
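A single-pass version of the cleanup step, added here as an example; it is not part of the original gist or of the DSInternals project. It reads the HashcatNT output produced above, skips the blank lines that Format-Custom emits, keeps only well-formed 32-hex-digit NT hashes (warning about anything else so a parsing problem does not silently shrink the list), and writes one hash per line as ASCII. The function name ConvertTo-HashLists is my own; the file paths are the ones used on this page.

```powershell
# Added example (not from the original gist): one-pass cleanup of the
# HashcatNT output written by the script above. Paths match the ones used
# on this page; the function name is hypothetical.
function ConvertTo-HashLists {
    param(
        [string]$InputPath  = 'C:\dcbackup\hashesNT-and-users.txt',
        [string]$HashesOnly = 'C:\dcbackup\hashesNT-just-hashes-nospaces.txt'
    )

    $hashes = foreach ($line in Get-Content -Path $InputPath) {
        # Format-Custom pads its output with blank lines; skip them.
        if ([string]::IsNullOrWhiteSpace($line)) { continue }

        # HashcatNT lines look like user:hash (the user part may carry a
        # domain prefix), so take the text after the last colon.
        $hash = $line.Split(':')[-1].Trim()

        # Keep only well-formed 32-hex-digit NT hashes; report anything else
        # instead of dropping it silently.
        if ($hash -match '^[0-9a-fA-F]{32}$') {
            $hash.ToLower()
        } else {
            Write-Warning "Skipping malformed line: $line"
        }
    }

    # ASCII output, one hash per line, no trailing blank lines.
    $hashes | Set-Content -Path $HashesOnly -Encoding ASCII
    Write-Host ("Wrote {0} hashes to {1}" -f @($hashes).Count, $HashesOnly)
}

ConvertTo-HashLists
```

This replaces the intermediate hashesNT-just-hashes.txt file entirely: the blank-line filter and the hash extraction happen in the same loop, and Set-Content -Encoding ASCII keeps the output in the same encoding as the files the script writes with Out-File -Encoding ASCII, so hashcat does not see a UTF-16 byte-order mark.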
After the initial AD dump as described above, I ended up having to clean up the "user:hash" format on a Linux box rather than with Windows/PowerShell. This command cleaned up the file (crackme.txt) nicely:
sed 's/.*://' crackme.txt
@braimee I've updated this methodology to remove the file with a bunch of whitespace :)
Thanks for all your hard work!
You can find the fork here
I haven't tested the Linux option though.