| Module Name | Module Guid | Download Help Link | Help Version | Locale |
|---|---|---|---|---|
| DSInternals | 766b3ad8-eb78-48e6-84bd-61b31d96b53e | | 1.0 | en-US |
The DSInternals PowerShell Module exposes several internal features of Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups, and password hash calculation.
Reads one or more accounts from a ntds.dit file, including secret attributes.
Enables an Active Directory account in an offline ntds.dit file.
Disables an Active Directory account in an offline ntds.dit file.
Unlocks an Active Directory account in an offline ntds.dit file.
Modifies user account control values for an Active Directory account in an offline ntds.dit file.
Adds one or more values to the sIDHistory attribute of an object in a ntds.dit file.
Warning: This cmdlet has been removed from the DSInternals PowerShell module. Information in this topic is provided for reference purposes only.
Sets the password for a user, computer, or service account stored in a ntds.dit file.
Sets the password hash for a user, computer, or service account stored in a ntds.dit file.
Modifies the primaryGroupId attribute of an object in a ntds.dit file.
Reads inter-domain trust objects from a ntds.dit and decrypts the trust passwords.
Reads the DPAPI backup keys from a ntds.dit file.
Reads KDS Root Keys from a ntds.dit file. Can be used to aid DPAPI-NG decryption, e.g. SID-protected PFX files.
Reads all Group Managed Service Accounts (gMSAs) and Delegated Managed Service Accounts (dMSAs) from a ntds.dit file, while deriving their current passwords from KDS root keys.
Reads BitLocker recovery passwords from a ntds.dit file.
Retrieves DNS resource records from an Active Directory database.
Retrieves the list of DNS zones stored in an Active Directory database.
Reads information about the originating DC from a ntds.dit file, including domain name, domain SID, DC name, and DC site.
Writes information about the DC to a ntds.dit file, including the highest committed USN and database epoch.
Reads AD schema from a ntds.dit file, including datatable column names.
Reads the Boot Key (AKA SysKey or System Key) from an online or offline SYSTEM registry hive.
Re-encrypts a ntds.dit file with a new BootKey/SysKey.
Physically removes the specified object from a ntds.dit file, making it semantically inconsistent. Highly experimental!
Reads one or more accounts through the MS-DRSR protocol, including secret attributes.
Reads the DPAPI backup keys from a domain controller through the MS-DRSR protocol.
Fetches the specified KDS Root Key through the MS-DRSR protocol.
Composes and updates the msDS-KeyCredentialLink value on an object through the MS-DRSR protocol.
Adds SID history from a source principal to a destination principal through the MS-DRSR protocol.
Queries Active Directory for the default password policy.
Sets NT and LM hashes of an Active Directory or local account through the MS-SAMR protocol.
Gets all Active Directory user accounts from a given domain controller using ADSI. Typically used for Credential Roaming data retrieval through LDAP.
Reads the DPAPI backup keys from a domain controller through the LSARPC protocol.
Retrieves AD-related information from the Local Security Authority Policy of the local computer or a remote one.
Configures AD-related Local Security Authority Policies of the local computer or a remote one.
The output of the Get-ADDBAccount and Get-ADReplAccount cmdlets can be formatted using the following custom Views to support different password cracking tools. ASCII file encoding is strongly recommended.
- HashcatNT - NT hashes in Hashcat's format.
- HashcatLM - LM hashes in Hashcat's format.
- HashcatNTHistory - NT hashes, including historical ones, in Hashcat's format.
- HashcatLMHistory - LM hashes, including historical ones, in Hashcat's format.
The following command replicates all Active Directory accounts from the target domain controller and exports their NT password hashes to a file format that is supported by Hashcat:
```powershell
PS C:\> Get-ADReplAccount -All -Server LON-DC1 -ExportFormat HashcatNT |
Where-Object SamAccountType -eq User |
Where-Object Enabled -eq $true |
Where-Object NTHash -ne $null |
Out-File -FilePath users.txt -Encoding ascii
```

The file can then be loaded into Hashcat:

```shell
hashcat --hash-type 1000 --username --attack-mode 0 users.txt /usr/share/wordlists/rockyou.txt
```

- JohnNT - NT hashes in the format supported by John the Ripper.
- JohnLM - LM hashes in the format supported by John the Ripper.
- JohnNTHistory - NT hashes, including historical ones, in the format supported by John the Ripper.
- JohnLMHistory - LM hashes, including historical ones, in the format supported by John the Ripper.
The following command exports NT password hashes from an Active Directory database to a file format that is supported by John the Ripper:
```powershell
PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key -ExportFormat JohnNT |
Where-Object SamAccountType -eq User |
Where-Object Enabled -eq $true |
Where-Object NTHash -ne $null |
Out-File -FilePath users.txt -Encoding utf8
```

The file can then be loaded into John the Ripper:

```shell
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT users.txt
```

- Ophcrack - NT and LM hashes in Ophcrack's format.
- PWDump - NT and LM hashes in the pwdump format that is supported by various password cracking tools, e.g. ElcomSoft Distributed Password Recovery, rcracki-mt or John the Ripper.
- PWDumpHistory - NT and LM hashes, including historical ones, in the pwdump format.
- NTHash - NT hashes only, without account names.
- LMHash - LM hashes only, without account names.
- NTHashHistory - NT hashes, including historical ones, without account names.
- LMHashHistory - LM hashes, including historical ones, without account names.
The following command exports NT and LM password hashes from an Active Directory database to the pwdump file format:
```powershell
PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key -ExportFormat PwDump |
Where-Object SamAccountType -eq User |
Where-Object Enabled -eq $true |
Where-Object NTHash -ne $null |
Out-File -FilePath users.pwdump -Encoding utf8
```

The file can then be loaded into John the Ripper:

```shell
john --wordlist=/usr/share/wordlists/rockyou.txt users.pwdump
```

Computes Kerberos keys from a given password using Kerberos version 5 Key Derivation Functions.
Calculates NT hash of a given password.
Calculates LM hash of a given password.
Calculates OrgId hash of a given password. Used by Azure Active Directory Connect.
Saves DPAPI and Credential Roaming data retrieved from Active Directory to the file system for further processing.
Decodes the value of the msDS-ManagedPassword attribute of a Group Managed Service Account.
Creates an object representing Windows Hello for Business or FIDO credentials from its binary representation or an X.509 certificate.
Decodes a password from the format used by Group Policy Preferences.
Converts a password to the format used by Group Policy Preferences.
Decodes a password from the format used in unattend.xml files.
Converts a password to the format used in unattend.xml or *.ldif files.
Generates a PowerShell script that can be used to restore a domain controller from an IFM-equivalent backup (i.e. ntds.dit + SYSVOL).
Performs AD audit, including checks for weak, duplicate, default and empty passwords. Accepts input from the Get-ADReplAccount and Get-ADDBAccount cmdlets.
Helper cmdlet that converts binary input to a hexadecimal string.