How to extract hashes from IFM backup

Auditing domain password hashes is a commonly overlooked but critical requirement for ensuring that secure password practices are followed.
Methods exist to extract hashes directly from a live domain; however, this article describes a process to extract user data, including hashes, from an IFM backup.

1) Overview

Over-permissioning and weak or reused passwords are probably the most common security issues found in Active Directory. To address the password issues, it is important to do regular password audits. To address over-permissioning, see my article about Active Directory delegation.


2) Password Hashes

Passwords are stored in Active Directory (in NTDS.dit, encrypted with a boot key) as unsalted MD4 hashes, so checking for password reuse is simply a matter of looking for duplicate hashes in the extracted hash list.


Finding weak passwords is a little trickier. You need to look up hashes against a rainbow table to ensure you do not have any weak/compromised hashes within your environment.


Both of these are out of scope for this article, which focuses on extracting password hashes.


3) Extracting Password Hashes

a) On a Domain Controller


Start an elevated command prompt and run:


ntdsutil
activate instance ntds
ifm
create sysvol full C:\Temp\Backups\IFM\


Command Output

IFM Files


b) On Administrative Computer


Copy the IFM folder and run the following PowerShell script elevated (just copy and paste):


# Download DSInternals from PowerShell Gallery
Save-Module -Name DSInternals -Path 'C:\temp\DSInternals'

# Install DSInternals
Install-Module -Name DSInternals

# Import DSInternals Module
Import-Module DSInternals

# Get Boot Key from Registry section of the IFM. If Boot Key is blank, Get-ADDBAccount will still return usernames
$key = Get-BootKey -SystemHivePath 'C:\Temp\Backups\IFM\registry\SYSTEM'

# Store objects data
$hashes = Get-ADDBAccount -All -DBPath 'C:\Temp\Backups\IFM\Active Directory\ntds.dit' -BootKey $key

# Convert object data to the desired format
$hashes | Format-Custom -View Ophcrack | Out-File C:\Temp\Backups\Hashes.txt


Hashes.txt File



Weak Passwords Found (getting passwords from hashes is out of scope for this article)
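The duplicate-hash check for password reuse mentioned in section 2, as an added example that is not part of the original article. The function name Get-SharedPasswordGroup is hypothetical, and the code assumes each account object exposes SamAccountName and NTHash (a byte array), as the objects in $hashes are expected to; the sample accounts are constructed.

```powershell
# Added example: report accounts that share an NT hash (password reuse).
# Assumption: each input object exposes SamAccountName (string) and
# NTHash (byte[]), as the objects stored in $hashes are expected to.
function Get-SharedPasswordGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object[]] $Account
    )
    begin { $byHash = @{} }
    process {
        foreach ($a in $Account) {
            # No NT hash (e.g. blank boot key): nothing to compare.
            if ($null -eq $a.NTHash -or $a.NTHash.Length -eq 0) { continue }
            $hex = [System.BitConverter]::ToString([byte[]]$a.NTHash)
            if (-not $byHash.ContainsKey($hex)) {
                $byHash[$hex] = New-Object 'System.Collections.Generic.List[string]'
            }
            $byHash[$hex].Add($a.SamAccountName)
        }
    }
    end {
        $group = 0
        foreach ($names in $byHash.Values) {
            if ($names.Count -lt 2) { continue }
            $group++
            # Emit a group number rather than the hash, so the report
            # itself does not carry credential material.
            [pscustomobject]@{
                Group    = $group
                Count    = $names.Count
                Accounts = ($names | Sort-Object) -join ', '
            }
        }
    }
}

# Constructed sample data (placeholder bytes, not real hashes).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';   NTHash = [byte[]](1..16) }
    [pscustomobject]@{ SamAccountName = 'svc-sql'; NTHash = [byte[]](1..16) }
    [pscustomobject]@{ SamAccountName = 'bob';     NTHash = [byte[]](17..32) }
    [pscustomobject]@{ SamAccountName = 'guest';   NTHash = $null }
)
$sample | Get-SharedPasswordGroup | Format-Table -AutoSize
```

With real data, pipe $hashes from the script above into Get-SharedPasswordGroup instead of $sample.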



MoveSysvol – Automate the relocation of the Sysvol folder (DFSR Version)

MoveSysvol (DFSR version) automated by Shaun Vermaak is a batch to automatically relocate the Sysvol folder as per

The following must be in the working folder or in path:

UPDATE: Please ensure that all DCs are in the default Domain Controllers OU

Example: MoveSysvol.bat C:\Windows\SYSVOL D:\SYSVOL TESTDOMAIN.COM


Fixed drive letter in WinPE

This script can be added to a WinPE environment to ensure that the removable boot media always has a specific drive letter.

All you need to do is create a file called “72821acd-379a-478a-a2c6-1ebd72cbead5.txt” on the media that you want to have a fixed drive letter; in this example, drive letter M is assigned. After this, add the script as a startup script to your PE boot media.

[sourcecode language="vb"]
Option Explicit

Dim objWMIService
Dim objFileSystemObject
Dim colVolumes
Dim objVolume

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set objFileSystemObject = CreateObject("Scripting.FileSystemObject")

' Find the volume that carries the marker file and assign it drive letter M:
Set colVolumes = objWMIService.ExecQuery("Select * from Win32_Volume")
For Each objVolume in colVolumes
    If objFileSystemObject.FileExists(objVolume.DriveLetter & "\72821acd-379a-478a-a2c6-1ebd72cbead5.txt") Then
        objVolume.DriveLetter = "M:"
        objVolume.Put_ ' Commit the property change to WMI
    End If
Next
[/sourcecode]


Non-standard success exit codes

Some software distribution tools do not allow custom success exit codes. This means that if a software package returns a non-standard success exit code, the deployment status might be reported as a failure instead of a success.

With this script, an installation package’s non-standard success exit codes can be translated to exit code 0 within the software distribution tool.

Example: CScript.exe Setup.vbs /Command:SomeSetup.exe /SuccessCodes:1;2;3
In this example, exit codes 1, 2 and 3 for SomeSetup.exe will be changed to 0.


[sourcecode language="vb"]
Option Explicit

On Error Resume Next

Dim strCommand
Dim strSuccessCodes

strCommand = WScript.Arguments.Named("Command")
strSuccessCodes = WScript.Arguments.Named("SuccessCodes")

' Both arguments are required
If Len(Trim(strCommand)) = 0 Or Len(Trim(strSuccessCodes)) = 0 Then
    WScript.Echo "Usage: CScript.exe " & WScript.ScriptName & " /Command:SomeSetup.exe /SuccessCodes:1;2;3"
    Call WScript.Quit(1)
End If

Dim arrSuccessCodes
Dim intSuccessCode

arrSuccessCodes = Split(strSuccessCodes,";")

Dim objShell
Dim objExec
Dim intReturnCode

Set objShell = CreateObject("WScript.Shell")

Set objExec = objShell.Exec(strCommand)
If Err.Number <> 0 Then
    ' The command could not be started; stop here instead of polling a missing process
    WScript.Echo "Problem with command"
    Call WScript.Quit(1)
End If

' Wait for the command to finish
Do While objExec.Status = 0
    Call WScript.Sleep(100)
Loop

intReturnCode = objExec.ExitCode

' Translate any listed success code to 0
For Each intSuccessCode In arrSuccessCodes
    If IsNumeric(intSuccessCode) Then
        If intReturnCode = CInt(intSuccessCode) Then
            WScript.Echo "Success"
            intReturnCode = 0
            Exit For
        End If
    End If
Next

Set objExec = Nothing
Set objShell = Nothing

Call WScript.Quit(intReturnCode)
[/sourcecode]

Remotely Rename A Computer

Remotely rename a computer and its Active Directory account using PSExec and batch file (vbs dropper)

Usage: PSExec.exe \\CURRENTCOMPUTERNAME -c -d -f RenameComputer.bat NEWCOMPUTERNAME
(Account needs Admin on target computer and modify rights on computer object in AD)

[sourcecode language="plain"]
ECHO Option Explicit > RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO On Error Resume Next >> RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO Dim objWMIService >> RenameComputer.vbs
ECHO Dim colComputers >> RenameComputer.vbs
ECHO Dim objComputer >> RenameComputer.vbs
ECHO Dim varError >> RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") >> RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO Set colComputers = objWMIService.ExecQuery("Select * from Win32_ComputerSystem") >> RenameComputer.vbs
ECHO. >> RenameComputer.vbs
ECHO For Each objComputer in colComputers >> RenameComputer.vbs
ECHO varError = objComputer.Rename("%1") >> RenameComputer.vbs
ECHO Next >> RenameComputer.vbs
ECHO WScript.Echo varError >> RenameComputer.vbs

CScript //NOLOGO RenameComputer.vbs
DEL RenameComputer.vbs

Shutdown -r -f -t 60
[/sourcecode]

Generic RegEx Script

[sourcecode language="vb"]

Option Explicit

Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

Dim objRegEx
Dim targetString
Dim colMatch
Dim objMatch
Dim objFSO
Dim strInputFile
Dim strOutputFile
Dim objInputFile
Dim objOutputFile
Dim strLine
Dim strPattern
Dim strMatch

strInputFile = Wscript.Arguments.Named("InputFile")
strOutputFile = Wscript.Arguments.Named("OutputFile")
strPattern = Wscript.Arguments.Named("Pattern")
' &quot; in the pattern argument stands in for a double quote
strPattern = Replace(strPattern,"&quot;","""")

If Trim(strInputFile) <> "" And Trim(strPattern) <> "" Then
    Set objRegEx = CreateObject("vbscript.regexp")
    With objRegEx
        .Pattern = strPattern
        .Global = True
        .IgnoreCase = True
    End With
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists(strInputFile) Then
        Set objInputFile = objFSO.OpenTextFile(strInputFile, ForReading )
        If Trim(strOutputFile) <> "" Then
            Set objOutputFile = objFSO.OpenTextFile(strOutputFile, ForAppending, True)
        End If
        Do While Not objInputFile.AtEndOfStream
            strLine = objInputFile.ReadLine
            If Trim(strLine) <> "" Then
                Set colMatch = objRegEx.Execute(strLine)
                For each objMatch in colMatch
                    strMatch = Replace(Replace(objMatch.Value,"UniqueID=",""),"""","")
                    ' Write each match to the output file, or display it if no file was given
                    If Trim(strOutputFile) <> "" Then
                        objOutputFile.WriteLine strMatch
                    Else
                        WScript.Echo strMatch
                    End If
                Next
            End If
        Loop
        objInputFile.Close
        If Trim(strOutputFile) <> "" Then
            objOutputFile.Close
        End If
        Set objInputFile = Nothing
        Set objOutputFile = Nothing
        Set objFSO = Nothing
    End If
Else
    ShowUsage
End If

Sub ShowUsage
    WScript.Echo "Usage: CScript.exe " & WScript.ScriptName & " /InputFile:""FILENAME"" [/OutputFile:""FILENAME""] /Pattern:""PATTERN"""
    WScript.Echo ""
    WScript.Echo "If OutputFile is omitted, matches will be displayed"
    WScript.Echo ""
    WScript.Echo "Substitute "" with &quot;"
End Sub
[/sourcecode]


Command Prompt with Random Color on Startup

Add REG_SZ to HKLM\SOFTWARE\Microsoft\Command Processor with name AutoRun and value of RndColor.bat

Create file RndColor.bat in %WINDIR%\System32

[sourcecode language="plain"]
@Echo Off
Echo Loading...

SET rnd=%random%

IF %rnd% LSS 4681 GOTO 1
IF %rnd% LSS 9362 GOTO 2
IF %rnd% LSS 14043 GOTO 3
IF %rnd% LSS 18724 GOTO 4
IF %rnd% LSS 23405 GOTO 5
IF %rnd% LSS 28086 GOTO 6
IF %rnd% LSS 32767 GOTO 7

Goto END

:1
Color 1F
Goto END

:2
Color 20
Goto END

:3
Color 30
Goto END

:4
Color 4E
Goto END

:5
Color 5F
Goto END

:6
Color 80
Goto END

:7
Color 4F
Goto END

:END
[/sourcecode]