4) From within this new command prompt, everything you open will open as the SYSTEM account.
Viewing NT Secrets
Open Regedit.exe and you will be able to see content of HKEY_LOCAL_MACHINE\SECURITY
This allows you to view passwords that were stored as NT Secrets
Opening SQL Server Management Studio as SYSTEM
Open SQL Management Studio and you will be able to log on with SYSTEM
This allows you to access SQL Server without having been granted any SQL rights directly, yet with administrative rights to SQL Server
You will be able to browse to any folder that only allows SYSTEM account
You can export permissions with SetACL/ICACLS to folders that administrators group might have been removed on
Kill processes that return Access Denied when you try to terminate them with normal Administrator rights
Running something like TreeSize as SYSTEM will give you a better view and understanding of what is using space because you will get fewer access denials
Simulate GPO start scripts
Simulate GPO based MSI installation
Diagnose why scheduled tasks that run as SYSTEM don’t run as intended
Start/stop protected services
Using this process (or one similar) allows you to start processes as the SYSTEM account, giving you access to parts of the file system, registry and applications that are not accessible with normal Administrative rights.
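Two of the uses above (checking that a prompt really is the SYSTEM account, and exporting folder permissions with ICACLS before repairing them) fit naturally into one small script. The following is an added example, not code from the original article; the folder and output paths are placeholders, and Backup-FolderAcl is a hypothetical helper name.

```powershell
# Added example (not from the original article): confirm that the current process
# really runs as SYSTEM, then save a folder's ACLs with icacls before touching them.
# Folder and output paths are assumed placeholders.
function Test-IsLocalSystem {
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    return $sid.Value -eq 'S-1-5-18'   # well-known SID of NT AUTHORITY\SYSTEM
}

function Backup-FolderAcl {
    param(
        [Parameter(Mandatory)] [string]$Path,     # folder Administrators may have been removed from
        [Parameter(Mandatory)] [string]$AclFile   # where icacls writes the saved ACLs
    )
    if (-not (Test-IsLocalSystem)) {
        $current = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        throw "Not running as SYSTEM (current SID: $current)"
    }
    # /t recurses into subfolders, /c keeps going past per-file errors.
    # The saved file can later be applied again with: icacls <parent> /restore <AclFile>
    icacls $Path /save $AclFile /t /c
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    Get-Item $AclFile
}

# Usage (paths are placeholders):
# Backup-FolderAcl -Path 'D:\Data\LockedDown' -AclFile 'C:\Temp\LockedDown.acl'
```

Saving the ACLs first means any permission repair you do as SYSTEM can be rolled back with icacls /restore, and the SID check stops the script from silently running under a lesser account (for example when launched from a normal elevated prompt by mistake).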
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure password practices are followed.
Methods exist to extract hashes directly from a live domain; however, this article describes a process to extract user data, including hashes, from an IFM backup.
Over-permission and weak/reused passwords are probably the most common security issues found in Active Directory. To address the password issues, it is important to do regular password audits; to address over-permission, see my article about Active Directory delegation.
2) Password Hashes
Passwords are stored in Active Directory (in NTDS.dit, encrypted with a boot key) as an unsalted MD4 hash; as such, checking for password reuse is a simple case of checking for duplicate hashes in the extracted hash list.
Finding weak passwords is a little trickier. You need to look up the hashes against a rainbow table to ensure you do not have any weak/compromised hashes within your environment.
Both of these are out of scope for this article, which focuses on extracting password hashes.
3) Extracting Password Hashes
a) On a Domain Controller
Start an elevated command prompt, run ntdsutil, and enter the following commands at its prompts (the ifm context must be entered before create sysvol full is available):
ntdsutil
activate instance ntds
ifm
create sysvol full C:\Temp\Backups\IFM\
quit
quit
b) On Administrative Computer
Copy the IFM folder and run the following PowerShell script elevated (just copy and paste):
# Download DSInternals from the PowerShell Gallery: https://www.powershellgallery.com/packages/DSInternals
Save-Module -Name DSInternals -Path 'C:\temp\DSInternals'
Install-Module -Name DSInternals
# Import the DSInternals module
Import-Module DSInternals
# Get the Boot Key from the registry section of the IFM. If the Boot Key is blank, Get-ADDBAccount will still return usernames
$key = Get-BootKey -SystemHivePath 'C:\Temp\Backups\IFM\registry\SYSTEM'
# Store the account objects
$hashes = Get-ADDBAccount -All -DBPath 'C:\Temp\Backups\IFM\Active Directory\ntds.dit' -BootKey $key
# Convert the objects to the desired format
$hashes | Format-Custom -View Ophcrack | Out-File C:\Temp\Backups\Hashes.txt
Weak passwords found (recovering passwords from the hashes is out of scope for this article)