AD password audit with Kali linux

The very first step will be to extract the NTDIS database from the domain controller. If you have admin access to the DC it is easy, if don’t you can use Metasploit or some other techniques. In our example, we have access to the Domain controller so we can use the native tools to create a snapshot and copy NTDS. Log in to your server using admin account, open a command prompt and start ntdsutil.
Type the following commands:
activate instance ntds
create full c:\pen

Your command prompt windows must look like this:

After that in c:\pen you’ll have a copy of your ntds.dit, SYSTEM and SECURITY files. Copy them to the Kali linux machines. To keep thing simple rename the folder Active Directory to AD. Now we can extract the hashes from NTDS file using Run:

/usr/share/doc/python-impacket/examples/ -system registry/SYSTEM -ntds AD/ntds.dit LOCAL -outputfile passwords.hash

And wait till it finishes, it may take few minutes. Once finished you’ll have 3 new files in the folder: passwords.hash.ntds, passwords.hash.ntds.cleartext and passwords.hash.ntds.kerberos. We will focus on the passwords.hash.ntds in our example and will use hashcat and a password list to crack the hashes there. The command is:

hashcat -m 1000 passwords.hash.ntds /home/audit/passwords.txt

As a result, you’ll get the list of cracked hashes. To see a list again you can run:

hashcat -m 1000 --show passwords.hash.ntds




Leave a Reply

Your email address will not be published. Required fields are marked *