How to extract hashes from IFM backup

Auditing domain password hashes is a commonly overlooked but critical part of ensuring that secure password practices are actually followed.
Methods exist to extract hashes directly from a live domain; this article instead describes a process to extract user data, including password hashes, from an IFM (Install From Media) backup, so that the audit runs against a copy rather than against a live domain controller.

1) Overview

Over-permissioning and weak or reused passwords are probably the most common security issues found in Active Directory. To address the password issues, it is important to do regular password audits; to address over-permissioning, see my article about Active Directory delegation.
2) Password Hashes

Passwords are stored in Active Directory (in NTDS.dit) as NT hashes: an unsalted MD4 hash of the UTF-16LE password. Inside the database the hashes are additionally encrypted with a per-database Password Encryption Key (PEK), which is itself encrypted with the boot key (SYSKEY) held in the SYSTEM registry hive; that is why the extraction below needs the SYSTEM hive as well as NTDS.dit. Because the hash is unsalted, two accounts with the same password have the same NT hash, so checking for password reuse is a simple case of looking for duplicate hashes in the extracted list.

Finding weak passwords is a little trickier. You need to look the hashes up against a list of known weak or compromised NT hashes (or crack them with a wordlist or rainbow table) to ensure you do not have any weak or breached passwords within your environment.

Both of these are out of scope for this article, which focuses on extracting the password hashes.

3) Extracting Password Hashes

a) On a Domain Controller

Start an elevated command prompt and run:

ntdsutil
activate instance ntds
ifm
create sysvol full C:\Temp\Backups\IFM\
quit
quit

[Screenshot: command output]

[Screenshot: IFM files]

The resulting folder contains a copy of the database (Active Directory\ntds.dit), the SYSTEM hive that holds the boot key (registry\SYSTEM) and SYSVOL. Treat it as Tier 0 data: it holds every password hash in the domain, including krbtgt, so keep it on encrypted storage, copy it only to a trusted administrative computer, and delete it when the audit is done. Creating IFM media with ntdsutil is also a well-known credential-theft technique, so expect it to trigger alerts and let your security monitoring team know before running it.

b) On an Administrative Computer

Copy the IFM folder to the administrative computer and run the following PowerShell script elevated (just copy and paste). Hashes.txt, like the IFM folder, contains every password hash in the domain; keep it on encrypted storage and delete both once the audit is complete.

# Download DSInternals from the PowerShell Gallery (https://www.powershellgallery.com/packages/DSInternals).
# Save-Module only saves a copy of the module to a folder; it is useful when the administrative
# computer is offline and the module has to be carried over from an online machine.
Save-Module -Name DSInternals -Path 'C:\temp\DSInternals'

# Install DSInternals (on an online computer this step alone is sufficient)
Install-Module -Name DSInternals

# Import the DSInternals module
Import-Module DSInternals

# Get the boot key from the SYSTEM hive in the IFM's registry folder. If the boot key is
# missing, Get-ADDBAccount still returns the account names, but no usable hashes.
$key = Get-BootKey -SystemHivePath 'C:\Temp\Backups\IFM\registry\SYSTEM'

# Read every account, with decrypted hashes, from the IFM copy of NTDS.dit
$hashes = Get-ADDBAccount -All -DBPath 'C:\Temp\Backups\IFM\Active Directory\ntds.dit' -BootKey $key

# Convert the account data to the desired format (Ophcrack here; DSInternals also ships
# HashcatNT and PWDump views) and write it out. -Encoding ascii avoids the UTF-16 default
# of Windows PowerShell's Out-File, which cracking tools do not read.
$hashes | Format-Custom -View Ophcrack | Out-File C:\Temp\Backups\Hashes.txt -Encoding ascii

 

[Screenshot: Hashes.txt file]

[Screenshot: weak passwords found (getting passwords from hashes is out of scope for this article)]
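The reuse and weak-password checks described in section 2, applied to the kind of Hashes.txt produced above, as an added example that is not part of the original article. It assumes the dump is in pwdump style (user:RID:LMhash:NThash:::, which is what the DSInternals PWDump view emits; adjust ConvertFrom-PwdumpLine if your view differs), and it uses a constructed sample dump plus a two-entry list of known-weak NT hashes in place of real data. The function names are this example's own.

```powershell
# Added example (not from the original article): audit a pwdump-style hash dump
# for password reuse, known-weak NT hashes and stored LM hashes.
# Assumed input format, one account per line:  user:RID:LMhash:NThash:::
# The sample lines below are constructed for this example, not real domain data.

$sampleDump = @'
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
jsmith:1108:aad3b435b51404eeaad3b435b51404ee:0f2a1c8d9b7e6f5a4c3b2a1908f7e6d5:::
mjones:1112:aad3b435b51404eeaad3b435b51404ee:0f2a1c8d9b7e6f5a4c3b2a1908f7e6d5:::
legacyapp:1113:1a2b3c4d5e6f70819a2b3c4d5e6f7081:0f2a1c8d9b7e6f5a4c3b2a1908f7e6d5:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:7b1c5f0e3d2a4b6c8d9e0f1a2b3c4d5e:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
'@

# Known-weak NT hashes. These two are the real values for the empty password and
# for "password"; a production list would be a full breached-hash corpus.
$weakNtHashes = @{
    '31d6cfe0d16ae931b73c59d7e0c089c0' = '<empty>'
    '8846f7eaee8fb117ad06bdd830b7586c' = 'password'
}

function ConvertFrom-PwdumpLine {
    param([string]$Line)
    $parts = $Line.Split(':')
    if ($parts.Count -lt 4) { return }   # skip blank or malformed lines
    [pscustomobject]@{
        User   = $parts[0]
        Rid    = [int]$parts[1]
        LMHash = $parts[2].ToLowerInvariant()
        NTHash = $parts[3].ToLowerInvariant()
    }
}

function Get-HashAuditFindings {
    param([string[]]$Lines, [hashtable]$WeakNtHashes)

    # LM hash of an empty/absent password; anything else means an LM hash is stored.
    $emptyLm = 'aad3b435b51404eeaad3b435b51404ee'

    $accounts = $Lines | ForEach-Object { ConvertFrom-PwdumpLine $_ } | Where-Object { $_ }

    # 1) Reuse: unsalted MD4 means the same password gives the same NT hash.
    foreach ($group in ($accounts | Group-Object NTHash | Where-Object Count -gt 1)) {
        [pscustomobject]@{
            Finding  = 'Reused password'
            Accounts = ($group.Group.User -join ', ')
            Detail   = "$($group.Count) accounts share NT hash $($group.Name)"
        }
    }

    # 2) Known-weak: a direct lookup, no cracking needed.
    foreach ($a in ($accounts | Where-Object { $WeakNtHashes.ContainsKey($_.NTHash) })) {
        [pscustomobject]@{
            Finding  = 'Known weak password'
            Accounts = $a.User
            Detail   = "NT hash matches '$($WeakNtHashes[$a.NTHash])'"
        }
    }

    # 3) LM hash present: LM is trivially crackable regardless of the password.
    foreach ($a in ($accounts | Where-Object { $_.LMHash -ne $emptyLm })) {
        [pscustomobject]@{
            Finding  = 'LM hash stored'
            Accounts = $a.User
            Detail   = 'Enable NoLMHash and rotate the password'
        }
    }
}

# Run against the constructed sample; for a real audit use
# Get-Content C:\Temp\Backups\Hashes.txt instead of $sampleDump.
$lines = $sampleDump -split "`r?`n"
Get-HashAuditFindings -Lines $lines -WeakNtHashes $weakNtHashes | Format-Table -AutoSize
```

On the sample this reports one reuse group (jsmith, mjones, legacyapp), two known-weak passwords (svc_backup with "password", guest with the empty password) and one stored LM hash (legacyapp). Disabled accounts such as Guest normally carry the empty-password hash, so when working from the Get-ADDBAccount objects directly, filter on their Enabled property before treating those as findings. DSInternals also ships Test-PasswordQuality, which runs these checks (duplicates, empty and weak passwords, LM hashes) directly on the Get-ADDBAccount output against a file of breached hashes.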

 

 

MoveSysvol – Automate the relocation of the Sysvol folder (DFSR Version)

MoveSysvol (DFSR version), written by Shaun Vermaak, is a batch script that relocates the Sysvol folder following the Microsoft procedure at https://technet.microsoft.com/en-us/library/cc816594(v=ws.10).aspx

The following must be in the working folder or in the path:
MoveSysvol.bat
SetDFSR.vbs
sysvol.inf

UPDATE: Please ensure that all DCs are in the default Domain Controllers OU

Usage: MoveSysvol.bat OLDSYSVOLPATH NEWSYSVOLPATH DOMAINFQDN
Example: MoveSysvol.bat C:\Windows\SYSVOL D:\SYSVOL TESTDOMAIN.COM

Fixed drive letter in WinPE

This script can be added to a WinPE environment to ensure that the removable boot media always has a specific drive letter.

All you need to do is create a file called "72821acd-379a-478a-a2c6-1ebd72cbead5.txt" in the root of the media that you want to have a fixed drive letter; in this example drive letter M: is assigned. Then add the script as a startup script to your PE boot media. The target letter must not already be in use by another volume, otherwise the assignment fails.

[sourcecode language="vb"]
Option Explicit

Dim objWMIService
Dim objFileSystemObject
Dim colVolumes
Dim objVolume

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set objFileSystemObject = CreateObject("Scripting.FileSystemObject")

' Look at every mounted volume that already has a drive letter and reassign the
' one carrying the marker file. Volumes without a letter are skipped, otherwise
' the FileExists check below would test the current drive's root instead.
Set colVolumes = objWMIService.ExecQuery("Select * from Win32_Volume Where DriveLetter Is Not Null")
For Each objVolume In colVolumes
    If objFileSystemObject.FileExists(objVolume.DriveLetter & "\72821acd-379a-478a-a2c6-1ebd72cbead5.txt") Then
        ' Put_ fails if M: is already taken, so keep M: free in the PE image
        objVolume.DriveLetter = "M:"
        objVolume.Put_
        Exit For
    End If
Next
[/sourcecode]


Non-standard success exit codes

Some software distribution tools do not allow custom success exit codes. This means that if a software package returns a non-standard success exit code (for example 3010, "success, reboot required"), the deployment status might show a failure instead of a success.

With this script an installation package's non-standard success exit codes can be translated to exit code 0 within the software distribution tool.

Example: CScript.exe Setup.vbs /Command:SomeSetup.exe /SuccessCodes:1;2;3
In this example exit codes 1, 2 and 3 from SomeSetup.exe are changed to 0; any other exit code is passed through unchanged. A command that needs arguments must be quoted, e.g. /Command:"SomeSetup.exe /S".

[sourcecode language="vb"]
Option Explicit

On Error Resume Next

Dim strCommand
Dim strSuccessCodes

strCommand = WScript.Arguments.Named("Command")
strSuccessCodes = WScript.Arguments.Named("SuccessCodes")

' Both arguments are required
If Len(Trim(strCommand)) = 0 Or Len(Trim(strSuccessCodes)) = 0 Then
    WScript.Echo "Usage: CScript.exe " & WScript.ScriptName & " /Command:""SETUP.EXE [ARGS]"" /SuccessCodes:CODE[;CODE...]"
    WScript.Quit(1)
End If

Dim arrSuccessCodes
Dim strSuccessCode

arrSuccessCodes = Split(strSuccessCodes, ";")

Dim objShell
Dim intReturnCode

Set objShell = CreateObject("WScript.Shell")

' Run the installer hidden and wait for it to finish. Run is used instead of
' Exec because Exec's stdout/stderr pipes block the child once they fill up
' unless the script keeps reading them, a common cause of "hung" silent installs.
Err.Clear
intReturnCode = objShell.Run(strCommand, 0, True)
If Err.Number <> 0 Then
    WScript.Echo "Problem with command: " & Err.Description
    WScript.Quit(1)
End If

' Map any listed success code to 0; everything else is returned unchanged.
' CLng rather than CInt: exit codes are 32-bit and CInt overflows above 32767.
For Each strSuccessCode In arrSuccessCodes
    If IsNumeric(strSuccessCode) Then
        If intReturnCode = CLng(strSuccessCode) Then
            WScript.Echo "Exit code " & intReturnCode & " treated as success"
            intReturnCode = 0
            Exit For
        End If
    End If
Next

Set objShell = Nothing

Call WScript.Quit(intReturnCode)
[/sourcecode]

Remotely Rename A Computer

Remotely rename a computer and its Active Directory computer account using PsExec and a batch file that drops and runs a VBScript.

Usage: PSExec.exe \\CURRENTCOMPUTERNAME -c -d -f RenameComputer.bat NEWCOMPUTERNAME
(The account needs local admin rights on the target computer and modify rights on its computer object in AD. Because of -d, PsExec returns immediately without waiting for the batch file, so check the result on the target; the machine restarts 60 seconds after a successful rename.)

RenameComputer.bat
[sourcecode language="plain"]
@ECHO OFF
REM Drop a small VBScript that renames the local computer (and its AD account)
REM through WMI, run it, and reboot only if the rename succeeded.
ECHO Option Explicit > RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO On Error Resume Next >> RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO Dim objWMIService >> RenameComputer.vbs
ECHO Dim colComputers >> RenameComputer.vbs
ECHO Dim objComputer >> RenameComputer.vbs
ECHO Dim varError >> RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") >> RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO Set colComputers = objWMIService.ExecQuery("Select * from Win32_ComputerSystem") >> RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO For Each objComputer in colComputers >> RenameComputer.vbs
ECHO varError = objComputer.Rename("%1") >> RenameComputer.vbs
ECHO Next >> RenameComputer.vbs
ECHO If IsEmpty(varError) Then varError = 1 >> RenameComputer.vbs
ECHO WScript.Echo varError >> RenameComputer.vbs
ECHO WScript.Quit varError >> RenameComputer.vbs

REM Win32_ComputerSystem.Rename returns 0 on success; the script exits with that code
CScript //NOLOGO RenameComputer.vbs
SET RC=%ERRORLEVEL%
DEL RenameComputer.vbs

IF NOT "%RC%"=="0" (
    ECHO Rename failed with code %RC%
    EXIT /B %RC%
)

Shutdown -r -f -t 60
[/sourcecode]

Generic RegEx Script

[sourcecode language="vb"]
Option Explicit

Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

Dim objRegEx
Dim colMatch
Dim objMatch
Dim objFSO
Dim strInputFile
Dim strOutputFile
Dim objInputFile
Dim objOutputFile
Dim strLine
Dim strPattern
Dim strMatch

strInputFile = WScript.Arguments.Named("InputFile")
strOutputFile = WScript.Arguments.Named("OutputFile")
strPattern = WScript.Arguments.Named("Pattern")
' A literal double quote cannot be passed inside a /Pattern: argument, so a
' placeholder character is substituted with ". The placeholder the original
' script used did not survive extraction; a single quote is assumed here.
strPattern = Replace(strPattern, "'", """")

If Trim(strInputFile) <> "" And Trim(strPattern) <> "" Then
    Set objRegEx = CreateObject("VBScript.RegExp")
    With objRegEx
        .Pattern = strPattern
        .Global = True
        .IgnoreCase = True
    End With
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists(strInputFile) Then
        Set objInputFile = objFSO.OpenTextFile(strInputFile, ForReading)
        If Trim(strOutputFile) <> "" Then
            ' Append to the output file, creating it if needed
            Set objOutputFile = objFSO.OpenTextFile(strOutputFile, ForAppending, True)
        End If
        Do While Not objInputFile.AtEndOfStream
            strLine = objInputFile.ReadLine
            If Trim(strLine) <> "" Then
                Set colMatch = objRegEx.Execute(strLine)
                For Each objMatch In colMatch
                    ' Post-processing carried over from the data this script was
                    ' written for: drop a UniqueID= prefix and any quotes.
                    ' Remove or adjust this for other input.
                    strMatch = Replace(Replace(objMatch.Value, "UniqueID=", ""), """", "")
                    If Trim(strOutputFile) <> "" Then
                        objOutputFile.WriteLine strMatch
                    Else
                        WScript.Echo strMatch
                    End If
                Next
            End If
        Loop
        objInputFile.Close
        If Trim(strOutputFile) <> "" Then
            objOutputFile.Close
        End If
        Set objInputFile = Nothing
        Set objOutputFile = Nothing
        Set objFSO = Nothing
    Else
        WScript.Echo "Input file not found: " & strInputFile
    End If
Else
    ShowUsage
End If

Sub ShowUsage
    WScript.Echo "Usage: CScript.exe " & WScript.ScriptName & " /InputFile:""FILENAME"" [/OutputFile:""FILENAME""] /Pattern:""PATTERN"""
    WScript.Echo ""
    WScript.Echo "If OutputFile is omitted, matches are displayed on the console"
    WScript.Echo ""
    WScript.Echo "Substitute ' for "" in the pattern"
End Sub
[/sourcecode]

Command Prompt with Random Color on Startup

Add a REG_SZ value named AutoRun to HKLM\SOFTWARE\Microsoft\Command Processor with the data RndColor.bat

Create the file RndColor.bat in %WINDIR%\System32

Be aware that AutoRun is executed by every cmd.exe that starts, not only interactive consoles: scripts, scheduled tasks and for /f loops that spawn cmd.exe run it too, so anything the AutoRun script prints can corrupt their output (the CLS at the end of this script only helps the interactive case; cmd /d starts a console that skips AutoRun). For the same reason this value is a well-known persistence location for malware and belongs in your baseline of startup locations.

[sourcecode language="plain"]
@Echo Off
Echo Loading...

REM %RANDOM% is 0..32767; split it into seven roughly equal buckets of 4681
SET rnd=%random%

IF %rnd% LSS 4681 GOTO 1
IF %rnd% LSS 9362 GOTO 2
IF %rnd% LSS 14043 GOTO 3
IF %rnd% LSS 18724 GOTO 4
IF %rnd% LSS 23405 GOTO 5
IF %rnd% LSS 28086 GOTO 6
REM Everything else (28086..32767, including 32767 itself)
GOTO 7

:1
Color 1F
Goto END

:2
Color 20
Goto END

:3
Color 30
Goto END

:4
Color 4E
Goto END

:5
Color 5F
Goto END

:6
Color 80
Goto END

:7
Color 4F
Goto END

:END
CLS
[/sourcecode]
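An added check, not part of the original post, for the AutoRun values a machine will actually execute: because the Command Processor AutoRun value is a persistence location, it is worth listing both the HKLM and HKCU entries and confirming that each one points at a known script in a known place. The function name and the "inside %WINDIR%" heuristic are this example's own.

```powershell
# Added example (not from the original post): enumerate cmd.exe AutoRun entries
# and resolve the script or executable each one references.

function Get-CmdAutoRun {
    [CmdletBinding()]
    param()

    # cmd.exe honours both the machine-wide and the per-user value
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Command Processor',
        'HKCU:\SOFTWARE\Microsoft\Command Processor'
    )

    foreach ($key in $keys) {
        # Missing key or missing value just means nothing is configured there
        $value = Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue
        if (-not $value -or [string]::IsNullOrWhiteSpace($value.AutoRun)) { continue }

        # AutoRun holds a command line; take the first token (quoted or not) as the program
        $command = $value.AutoRun.Trim()
        $first = if ($command.StartsWith('"')) { $command.Split('"')[1] } else { $command.Split(' ')[0] }

        # Resolve it the way cmd.exe would, through the PATH (e.g. RndColor.bat in System32)
        $resolved = Get-Command -Name $first -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Key      = $key
            AutoRun  = $command
            Resolves = [bool]$resolved
            Path     = if ($resolved) { $resolved.Source } else { $null }
            # Heuristic: anything outside the Windows directory deserves a closer look
            InWinDir = if ($resolved) { $resolved.Source -like "$env:WINDIR\*" } else { $false }
        }
    }
}

Get-CmdAutoRun | Format-List
```

With RndColor.bat installed as described, the HKLM entry resolves to %WINDIR%\System32\RndColor.bat and InWinDir is True; an entry that does not resolve, or resolves to a user-writable location, is the one to investigate. To remove a value you did not put there, use Remove-ItemProperty on the same key and name.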