How to extract hashes from IFM backup

Auditing domain password hashes is a commonly overlooked but critical requirement for ensuring that secure password practices are followed.
Methods exist to extract hashes directly from a live domain; this article, however, describes a process to extract user data, including hashes, from an Install From Media (IFM) backup.

1) Overview

Over-permissioning and weak or reused passwords are probably the most common security issues found in Active Directory. To address the password issues, it is important to perform regular password audits; to address over-permissioning, see my article about Active Directory delegation.


2) Password Hashes

Passwords are stored in Active Directory (in NTDS.dit, encrypted with the boot key) as an unsalted MD4 hash, so checking for password reuse is a simple matter of looking for duplicate hashes in the extracted hash list.

Finding weak passwords is a little trickier. You need to look up the hashes against a rainbow table to ensure you do not have any weak or compromised passwords in your environment.

Both checks are out of scope for this article, which focuses on extracting the password hashes.


3) Extracting Password Hashes

a) On a Domain Controller

Start an elevated command prompt and run:

ntdsutil
activate instance ntds
ifm
create sysvol full C:\Temp\Backups\IFM\

(The original post shows screenshots here of the command output and of the resulting IFM files.)

b) On Administrative Computer

Copy the IFM folder to the administrative computer and run the following PowerShell script from an elevated prompt (just copy and paste):

# Download DSInternals from the PowerShell Gallery (https://www.powershellgallery.com/packages/DSInternals).
# Save-Module keeps an offline copy of the module under the given path
Save-Module -Name DSInternals -Path 'C:\temp\DSInternals'

# Install DSInternals
Install-Module -Name DSInternals

# Import the DSInternals module into this session
Import-Module DSInternals

# Get the boot key from the SYSTEM hive in the registry folder of the IFM.
# If the boot key is blank, Get-ADDBAccount will still return the usernames, but without the hashes
$key = Get-BootKey -SystemHivePath 'C:\Temp\Backups\IFM\registry\SYSTEM'

# Read all account objects from the ntds.dit in the IFM
$hashes = Get-ADDBAccount -All -DBPath 'C:\Temp\Backups\IFM\Active Directory\ntds.dit' -BootKey $key

# Convert the objects to Ophcrack format and write them to a file
$hashes | Format-Custom -View Ophcrack | Out-File C:\Temp\Backups\Hashes.txt

(The original post shows screenshots here of the Hashes.txt file and of the weak passwords found; recovering passwords from the hashes is out of scope for this article.)
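As an added example, not part of the original post, the following PowerShell runs the reuse check described in section 2 over the exported Hashes.txt and also flags accounts whose NT hash appears in a list of hashes you already know are bad. It assumes the file is in the pwdump-style layout produced by the Ophcrack view, one account per line as name:RID:LMhash:NThash:::; the sample lines, account names and RIDs are constructed, and the known-weak list is a stand-in for whatever rainbow-table or breach-list result you use.

```powershell
# Added example, not part of the original post. Audits an exported hash list for
# password reuse and for matches against a list of known-weak NT hashes.
# Assumption: lines are in pwdump/Ophcrack form  name:RID:LMHASH:NTHASH:::
# The sample lines are constructed; the names and RIDs are not from any real domain.
$sampleLines = @(
    'alice:1104:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::',
    'bob:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::',
    'svc_backup:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::',
    'carol:1107:aad3b435b51404eeaad3b435b51404ee:4f6d1c2e8b7a9c0d3e5f6a7b8c9d0e1f:::'
)

function ConvertFrom-PwdumpLine {
    # Parse one name:RID:LM:NT::: line into an object; returns $null for malformed lines
    param([Parameter(Mandatory)][string]$Line)
    $parts = $Line.Split(':')
    if ($parts.Count -lt 4 -or $parts[3].Length -ne 32) { return $null }
    [pscustomobject]@{
        Account = $parts[0]
        Rid     = [int]$parts[1]
        LMHash  = $parts[2].ToLowerInvariant()
        NTHash  = $parts[3].ToLowerInvariant()
    }
}

# For a real audit replace $sampleLines with:  Get-Content 'C:\Temp\Backups\Hashes.txt'
$accounts = $sampleLines | ForEach-Object { ConvertFrom-PwdumpLine -Line $_ } | Where-Object { $null -ne $_ }

# 1) Password reuse: accounts that share the same NT hash share the same password,
#    because the NT hash is unsalted. Group by hash and report groups larger than one.
$reuse = $accounts | Group-Object -Property NTHash | Where-Object { $_.Count -gt 1 }
foreach ($group in $reuse) {
    # Report account names only; the hash values themselves stay out of the report.
    $names = ($group.Group | ForEach-Object { $_.Account }) -join ', '
    Write-Output ("Same password on {0} accounts: {1}" -f $group.Count, $names)
}

# 2) Known-weak hashes: a case-insensitive set of NT hashes you already know are bad.
#    31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password;
#    the second entry is the widely published NT hash of a trivially weak password.
$knownWeak = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
[void]$knownWeak.Add('31d6cfe0d16ae931b73c59d7e0c089c0')
[void]$knownWeak.Add('8846f7eaee8fb117ad06bdd830b7586c')
foreach ($acct in $accounts) {
    if ($knownWeak.Contains($acct.NTHash)) {
        Write-Output ("Account {0} (RID {1}) has an empty or known-weak password" -f $acct.Account, $acct.Rid)
    }
}
```

With the constructed input this reports alice and bob sharing a password, and svc_backup, alice and bob as known-weak. Both the IFM folder and Hashes.txt are equivalent to every password hash in the domain, so keep them on a restricted host and remove them once the audit is complete. DSInternals also ships Test-PasswordQuality, which performs the duplicate and weak-password checks directly on the objects Get-ADDBAccount returns.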

 

 

MoveSysvol – Automate the relocation of the Sysvol folder (DFSR Version)

MoveSysvol (DFSR version) by Shaun Vermaak is a batch file that automatically relocates the Sysvol folder, following the procedure at https://technet.microsoft.com/en-us/library/cc816594(v=ws.10).aspx

The following files must be in the working folder or on the PATH:
MoveSysvol.bat
SetDFSR.vbs
sysvol.inf

UPDATE: Please ensure that all DCs are in the default Domain Controllers OU

Usage: MoveSysvol.bat OLDSYSVOLPATH NEWSYSVOLPATH DOMAINFQDN
Example: MoveSysvol.bat C:\Windows\SYSVOL D:\SYSVOL TESTDOMAIN.COM


CMD line break after the prompt

Get some extra space in the command prompt

This adds a line break after the prompt ($p is the current path, $g the > character and $_ a carriage return and line feed):

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Environment]
"prompt"="$p$g$_"

Fixed drive letter in WinPE

This script can be added to a WinPE environment to ensure that the removable boot media always has a specific drive letter.

All you need to do is create a file called “72821acd-379a-478a-a2c6-1ebd72cbead5.txt” on the media that should get the fixed drive letter; in this example drive letter M is assigned. Then add the script as a startup script to your PE boot media.

Option Explicit

Dim objWMIService
Dim objFileSystemObject
Dim colVolumes
Dim objVolume

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set objFileSystemObject = CreateObject("Scripting.FileSystemObject")

' Look at every mounted volume and find the one carrying the marker file
Set colVolumes = objWMIService.ExecQuery("Select * from Win32_Volume")
For Each objVolume in colVolumes
    ' Volumes without a drive letter cannot hold the marker file at a lettered path
    If Not IsNull(objVolume.DriveLetter) Then
        If objFileSystemObject.FileExists(objVolume.DriveLetter & "\72821acd-379a-478a-a2c6-1ebd72cbead5.txt") Then
            ' Assign the fixed letter and commit the change through WMI
            objVolume.DriveLetter = "M:"
            objVolume.Put_
        End If
    End If
Next


Non-standard success exit codes

Some software distribution tools do not allow custom success exit codes. This means that if a software package returns a non-standard success exit code, the deployment status might show a failure instead of a success.

With this script an installation package’s non-standard success exit codes can be translated to exit code 0 within the software distribution tool.

Example: CScript.exe Setup.vbs /Command:SomeSetup.exe /SuccessCodes:1;2;3
In this example, exit codes 1, 2 and 3 from SomeSetup.exe are changed to 0.


Option Explicit

On Error Resume Next

Dim strCommand
Dim strSuccessCodes

' Read the named arguments: /Command:<command line> /SuccessCodes:<code>;<code>;...
strCommand = WScript.Arguments.Named("Command")
strSuccessCodes = WScript.Arguments.Named("SuccessCodes")

' Both arguments are required
If Len(Trim(strCommand)) = 0 Or Len(Trim(strSuccessCodes)) = 0 Then
    WScript.Quit(1)
End If

Dim arrSuccessCodes
Dim intSuccessCode

arrSuccessCodes = Split(strSuccessCodes,";")

Dim objShell
Dim objExec
Dim intReturnCode

Set objShell = CreateObject("WScript.Shell")

' Start the command; Exec raises an error if the executable cannot be started
Err.Clear
Set objExec = objShell.Exec(strCommand)
If Err.Number <> 0 Then
    WScript.Echo "Problem with command"
    WScript.Quit(1)
End If

' Wait for the command to finish (Status 0 = still running).
' Note: Exec pipes the child's stdout and stderr and this script never reads them,
' so a command that writes a lot of output can block once the pipe buffer is full;
' run installers in quiet mode where possible.
Do While objExec.Status = 0
    Call WScript.Sleep(100)
Loop

intReturnCode = objExec.ExitCode

' Map each listed success code to 0 so the distribution tool reports success
For Each intSuccessCode In arrSuccessCodes
    If IsNumeric(intSuccessCode) Then
        If intReturnCode = CInt(intSuccessCode) Then
            WScript.Echo "Success"
            intReturnCode = 0
            Exit For
        End If
    End If
Next

Set objExec = Nothing
Set objShell = Nothing

' Any code not in the list is passed through unchanged
Call WScript.Quit(intReturnCode)

Remotely Rename A Computer

Remotely rename a computer and its Active Directory account using PsExec and a batch file that drops and runs a VBScript.

Usage: PSExec.exe \\CURRENTCOMPUTERNAME -c -d -f RenameComputer.bat NEWCOMPUTERNAME
(The account used needs local Admin rights on the target computer and modify rights on the computer object in AD)

RenameComputer.bat

@ECHO OFF
REM Write a VBScript that renames the local computer through WMI (Win32_ComputerSystem.Rename);
REM the first command-line argument is the new computer name
ECHO Option Explicit > RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO On Error Resume Next >> RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO Dim objWMIService >> RenameComputer.vbs
ECHO Dim colComputers >> RenameComputer.vbs
ECHO Dim objComputer >> RenameComputer.vbs
ECHO Dim varError >> RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") >> RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO Set colComputers = objWMIService.ExecQuery("Select * from Win32_ComputerSystem") >> RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO For Each objComputer in colComputers >> RenameComputer.vbs
ECHO     varError = objComputer.Rename("%1") >> RenameComputer.vbs
ECHO Next >> RenameComputer.vbs
REM Rename returns 0 on success; the value is echoed so PsExec shows it
ECHO WScript.Echo varError >> RenameComputer.vbs

REM Run the dropped script, then remove it
CScript //NOLOGO RenameComputer.vbs
DEL RenameComputer.vbs

REM The new name only takes effect after a restart
Shutdown -r -f -t 60

Generic RegEx Script

Runs a regular expression over every line of an input file and writes each match either to the console or, when /OutputFile is given, to that file.

Option Explicit

Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

' Character used on the command line in place of a double quote, because a literal "
' cannot be passed inside a /Pattern: argument. The original placeholder character was
' lost when this post was extracted; a single quote is assumed here.
Const QuotePlaceholder = "'"

Dim objRegEx
Dim targetString
Dim colMatch
Dim objMatch
Dim objFSO
Dim strInputFile
Dim strOutputFile
Dim objInputFile
Dim objOutputFile
Dim strLine
Dim strPattern
Dim strMatch

strInputFile = WScript.Arguments.Named("InputFile")
strOutputFile = WScript.Arguments.Named("OutputFile")
strPattern = WScript.Arguments.Named("Pattern")
' Turn every placeholder back into a double quote before compiling the pattern
strPattern = Replace(strPattern, QuotePlaceholder, """")

If Trim(strInputFile) <> "" And Trim(strPattern) <> "" Then
    Set objRegEx = CreateObject("vbscript.regexp")
    With objRegEx
        .Pattern = strPattern
        .Global = True
        .IgnoreCase = True
    End With
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists(strInputFile) Then
        Set objInputFile = objFSO.OpenTextFile(strInputFile, ForReading)
        ' With /OutputFile the matches are appended to that file, otherwise they are echoed
        If Trim(strOutputFile) <> "" Then
            Set objOutputFile = objFSO.OpenTextFile(strOutputFile, ForAppending, True)
        End If
        Do While Not objInputFile.AtEndOfStream
            strLine = objInputFile.ReadLine
            If Trim(strLine) <> "" Then
                Set colMatch = objRegEx.Execute(strLine)
                For Each objMatch In colMatch
                    ' Post-processing specific to the author's use: strip a leading UniqueID= and any quotes
                    strMatch = Replace(Replace(objMatch.Value, "UniqueID=", ""), """", "")
                    If Trim(strOutputFile) <> "" Then
                        objOutputFile.WriteLine(strMatch)
                    Else
                        WScript.Echo(strMatch)
                    End If
                Next
            End If
        Loop
        objInputFile.Close
        If Trim(strOutputFile) <> "" Then
            objOutputFile.Close
        End If
        Set objInputFile = Nothing
        Set objOutputFile = Nothing
        Set objFSO = Nothing
    End If
Else
    ShowUsage()
End If

Sub ShowUsage
    WScript.Echo "Usage: CScript.exe " & WScript.ScriptName & " /InputFile:""FILENAME"" [/OutputFile:""FILENAME""] /Pattern:""PATTERN"""
    WScript.Echo ""
    WScript.Echo "If OutputFile is omitted, matches will be displayed"
    WScript.Echo ""
    WScript.Echo "Substitute " & QuotePlaceholder & " for "" in the pattern"
End Sub

Command Prompt with Random Color on Startup

Add a REG_SZ value named AutoRun, with the data RndColor.bat, under HKLM\SOFTWARE\Microsoft\Command Processor.

Create the file RndColor.bat in %WINDIR%\System32.

Note that AutoRun executes for every cmd.exe instance, including the cmd /c calls other programs make, so anything the script prints can end up in their captured output; the same value is also a well-known persistence location, so changes to it are worth monitoring.

@Echo Off
Echo Loading...

REM %random% is 0-32767; the thresholds below split that range into seven equal buckets
SET rnd=%random%

IF %rnd% LSS 4681 GOTO 1
IF %rnd% LSS 9362 GOTO 2
IF %rnd% LSS 14043 GOTO 3
IF %rnd% LSS 18724 GOTO 4
IF %rnd% LSS 23405 GOTO 5
IF %rnd% LSS 28086 GOTO 6
IF %rnd% LSS 32767 GOTO 7

Goto END

:1
Color 1F
Goto END

:2
Color 20
Goto END

:3
Color 30
Goto END

:4
Color 4E
Goto END

:5
Color 5F
Goto END

:6
Color 80
Goto END

:7
Color 4F
Goto END

:END
CLS