Domain Password Hashes
During a penetration test this week I was having a very interesting conversation with our security expert. He was walking me through and detailing how it's pretty common during these tests, once domain admin has been reached, to extract the password hashes of all domain users for offline cracking. These hashes are stored in a database file on the domain controller (NTDS.DIT) along with some additional information like group memberships and user info.
The NTDS.DIT file is constantly in use by the operating system and therefore cannot be copied directly to another location to extract its data. The file can be found in the following location:
There are apparently various underhanded and sneaky techniques to extract information from this file; however, the majority of them use one of these methods:
- Domain Controller Replication Services
- Native Windows Binaries
My security expert mentioned a number of tools, including but not limited to Mimikatz (which uses the replication service) and Empire (DCSync attack), along with various PowerShell scripts. As his tool of choice, my guy was using a PowerShell script named "Invoke-DCSync", which leverages PowerView, Invoke-ReflectivePEInjection, and a DLL wrapper of PowerKatz to retrieve hashes.
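Because the replication-service method (DCSync) asks a domain controller for data the same way another DC would, the defender's side of this is watching who exercises the replication rights. The following is an added example, not code from the original post or from any of the tools it names: it scans Windows Security event 4662 records for the three replication extended rights and flags any principal that is not a known domain controller computer account. It assumes the "Audit Directory Service Access" subcategory is enabled on the DCs so that 4662 is actually logged, and that events have been exported into dicts with the field names used here; the DC account names and the sample events are constructed for the example, while the three rights GUIDs are the real ones.

```python
"""
Spot DCSync-style replication requests in Windows Security event 4662.

Added defender-side example (not from the original post). Assumes event 4662
is being logged (Directory Service Access auditing enabled) and that events
arrive as dicts carrying EventID, SubjectUserName, ObjectName and Properties.
"""
from typing import Iterable

# Extended rights a replication (DCSync) request exercises. These GUIDs are
# the real, documented ones; the names are the matching display names.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Computer accounts of the legitimate domain controllers (constructed names).
# In production this set should be built from AD, not hard-coded.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


def replication_rights_in(properties: str) -> list[str]:
    """Return the names of replication rights whose GUIDs appear in the 4662
    'Properties' field (free text that lists the access GUIDs requested)."""
    text = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in text]


def is_suspicious_replication(event: dict) -> bool:
    """True when a 4662 event shows replication rights being used by a
    principal that is not one of the known DC computer accounts."""
    if event.get("EventID") != 4662:
        return False
    if not replication_rights_in(event.get("Properties", "")):
        return False
    return event.get("SubjectUserName", "") not in KNOWN_DC_ACCOUNTS


def find_dcsync_candidates(events: Iterable[dict]) -> list[dict]:
    """Reduce an event stream to the hits an analyst should look at, noting
    which replication rights each one exercised."""
    hits = []
    for ev in events:
        if is_suspicious_replication(ev):
            hits.append({
                "subject": ev["SubjectUserName"],
                "rights": replication_rights_in(ev["Properties"]),
                "object": ev.get("ObjectName", ""),
            })
    return hits


# Constructed sample events: normal DC-to-DC replication, a replication
# request from an ordinary user account, and an unrelated 4662 whose
# Properties GUID is a made-up placeholder.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": "DC=corp,DC=example",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectName": "DC=corp,DC=example",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectName": "CN=Printers,DC=corp,DC=example",
     "Properties": "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},
]

if __name__ == "__main__":
    for hit in find_dcsync_candidates(SAMPLE_EVENTS):
        print(f"ALERT: {hit['subject']} used {', '.join(hit['rights'])} on {hit['object']}")
```

Run against the constructed sample, only the request from `jsmith` is reported; the DC02$ event is the normal replication traffic that makes a plain "any use of these rights" rule too noisy. A real deployment also has to allow for legitimate non-DC replicators such as Azure AD Connect service accounts, so the allow-list is the part that needs tuning per environment.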
With this revelation from my security expert, I decided to have a bit of a dig into the possibilities of what we can actually get. I then came across a very interesting blog by Sean Metcalf.
This details all the attacks and how to get the data. I have linked it here for future reference, and I'll be looking at some test environments going forward to see how this actually performs.
- Domain Password Hashes 30/10/2018