Check your PowerShell version with:
$PSVersionTable.PSVersion
If the version is below 5.1 (Major: 5, Minor: 1),
head to Microsoft's download site to get the latest.
Once PowerShell is updated, run this command to install DSInternals:
install-module dsinternals -force -AllowClobber
Type Y
when asked about installing the NuGet provider, and basically answer Y
to anything else that comes up.
Then type:
import-module dsinternals
Run these commands to create a folder called c:\dcbackup
and dump an AD backup (an Install From Media snapshot of ntds.dit plus the registry hives, made with ntdsutil) to it:
mkdir c:\dcbackup
ntdsutil "ac i ntds" "ifm" "create full c:\dcbackup" q q
Run the script below:
# The boot key from the backed-up SYSTEM hive is needed to decrypt the hashes in ntds.dit
$key = Get-BootKey -SystemHivePath 'C:\dcbackup\registry\SYSTEM'
Get-ADDBAccount -All -DBPath 'C:\dcbackup\Active Directory\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File 'c:\dcbackup\hashesNT-and-users.txt' -Encoding ASCII
Get-ADDBAccount -All -DBPath 'C:\dcbackup\Active Directory\ntds.dit' -BootKey $key | Format-Custom -View HashcatLM | Out-File 'c:\dcbackup\hashesLM.txt' -Encoding ASCII
# Keep only the hash field (everything after the last colon) of each user:hash line
$hashdump = foreach ($hash in Get-Content 'c:\dcbackup\hashesNT-and-users.txt') {
    $hash.Split(':')[-1]
}
# -Encoding ASCII matters: Out-File defaults to UTF-16 in Windows PowerShell, which cracking tools do not expect
$hashdump | Where-Object { $_ } | Out-File 'C:\dcbackup\hashesNT-just-hashes.txt' -Encoding ASCII
The script will extract the hashes from the backup you put in c:\dcbackup
and then parse them out into a few different files:
hashesNT-and-users.txt
- contains usernames and NT hashes
hashesLM.txt
- contains the LM hashes (written by the second Get-ADDBAccount line)
hashesNT-just-hashes.txt
- only the hashes from hashesNT-and-users.txt
After the initial AD dump as described above, I ended up having to clean up the "user:hash" format on a Linux box rather than with Windows/PowerShell. This command cleaned up the file (crackme.txt) nicely:
sed 's/.*://' crackme.txt
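As an added example that is not part of the original post, the PowerShell script below reads the user:hash file produced by the DSInternals step above and turns it into an audit report: accounts whose NT hash is the empty-password hash, and hashes that appear on more than one account (the same password shared between them). The path C:\dcbackup\hashesNT-and-users.txt comes from the post; the function name Get-NtHashAuditReport, the assumed "account:hash" line layout and the fallback sample lines are my own, and the sample accounts and hash values are constructed.

```powershell
# Audit the "account:NThash" file written by the DSInternals step above.
# Assumed layout: one account per line, NT hash after the last colon.
$HashFile    = 'C:\dcbackup\hashesNT-and-users.txt'      # path from the post
$EmptyNtHash = '31d6cfe0d16ae931b73c59d7e0c089c0'        # NT hash of an empty password

function Get-NtHashAuditReport {
    param([string[]]$Lines)

    # Parse each line into Account / NtHash, skipping blanks and lines with no colon
    $records = @(foreach ($line in $Lines) {
        $line = $line.Trim()
        $sep  = $line.LastIndexOf(':')
        if (-not $line -or $sep -lt 0) { continue }
        [pscustomobject]@{
            Account = $line.Substring(0, $sep)
            NtHash  = $line.Substring($sep + 1).ToLowerInvariant()
        }
    })

    # Accounts with the empty-password hash (common on disabled or never-used accounts)
    $empty = @($records | Where-Object { $_.NtHash -eq $EmptyNtHash })

    # One hash on several accounts means those accounts share a password
    $shared = @($records | Group-Object -Property NtHash | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                NtHash   = $_.Name
                Count    = $_.Count
                Accounts = ($_.Group.Account -join ', ')
            }
        })

    [pscustomobject]@{
        TotalAccounts = $records.Count
        EmptyPassword = @($empty | ForEach-Object { $_.Account })
        SharedHashes  = $shared
    }
}

# Use the real dump if it exists; otherwise fall back to constructed sample lines
$lines = if (Test-Path $HashFile) { Get-Content $HashFile } else {
    @('alice:0123456789abcdef0123456789abcdef',        # constructed sample hash
      'bob:0123456789ABCDEF0123456789ABCDEF',          # same hash as alice, different case
      'svc_legacy:31d6cfe0d16ae931b73c59d7e0c089c0')   # constructed account with an empty password
}
$report = Get-NtHashAuditReport -Lines $lines
"Accounts parsed: $($report.TotalAccounts)"
"Empty-password accounts: $($report.EmptyPassword -join ', ')"
$report.SharedHashes | Format-Table -AutoSize
```

Because Get-Content honours the byte-order mark, the script reads the file correctly whether Out-File wrote it as ASCII or as the Windows PowerShell default UTF-16.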