Active Directory Password Cracking

These are the steps I use to get a dump of all password hashes from a domain controller and then crack the hashes with hashcat or john. Excluding the dumping of password hashes, these steps are all executed on a Linux host. If you are trying to do this completely from Windows you will need to adapt the commands to suite.

Dumping Password Hashes

First a dump of the active directory data needs to be taken so the list of password hashes can be extracted. There are multiple methods that can be used to do this, I have listed a few here for convenience:

ntdsutil "ac i ntds" "ifm" "create full c:\temp\ntdsdump" q q
'ntdsutil "ac i ntds" "ifm" "create full c:\temp\ntdsdump" q q' Wmic /node:COMPUTER /user:DOMAIN\USERNAME /password:PASSWORD process call create $command
$command = 'ntdsutil "ac i ntds" "ifm" "create full c:\temp\ntdsdump" q q' winrs –r:COMPUTER $command

Once the command has been executed you will need to get the c:\temp\ntdsdump directory and copy it over to the device doing the password cracking. Make sure to delete the directory on the domain controller after it has been copied.

Extracting Hashes

The hashes need to be extracted, for this task I will be using secretsdump.py from the impacket repository. The required impacket classes can be installed using pip:

python3 -m pip install impacket

Change to the directory containing the dump created from the previous step and get the secretsdump.py script:

cd ~/Temp/ntdsdump
wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/secretsdump.py

Dump the password hashes into a file (they will be dumped into the file specified with the -outputfile flag with the .ntds extension added, ntlm_hashes.ntds in this case):

python3 secretsdump.py -ntds Active\ Directory/ntds.dit -system registry/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm_hashes

I don’t want to bother trying to crack passwords for computer objects, so I will filter those out:

grep -v '$:' ntlm_hashes.ntds > ntlm_hashes_filtered

Once done take a look at ntlm_hashes_filtered to make sure it has a list of the hashes as expected; it should have lines that look like this:

mydomain.com\Administrator:500:<hash>:<hash>:::

Now the cracking can begin.

Cracking Passwords

Personally for cracking passwords I prefer to use hashcat, but you can use either one. A convenient location to download word lists from is Weakpass.

Both hashcat and john have extensive flags that can be used; the manual should be checked for both before running anything.

Hashcat

To crack passwords without using any rules with hashcat:

hashcat -a 0 -m 1000 -w 3 -O -o cracked ntlm_hashes_filtered WORDLIST.txt

To use rules (the path to rules may vary depending on the Linux distribution, this is assuming Ubuntu):

hashcat -a 0 -m 1000 -w 3 -O -o cracked -r /usr/share/hashcat/rules/d3ad0ne.rule ntlm_hashes_filtered WORDLIST.txt

The important flags for the commands above are:

  • -a 0: Set the attack mode to “Straight”
  • -m 1000: Set the hash mode to “NTLM”
  • -w 3: Set the word load profile to “High”
  • -O: Enable optimized kernels
  • -o cracked: Set the output filename for recovered hashes to “cracked”
  • -r <path to rule>: Use the specified rule

There should be other rules available, so you can experiment with different options to see what works best for your situation.

During the crack or after the crack session has completed you can retrieve the list of credentials with the –show flag:

hashcat -m 1000 --show --username ntlm_hashes_filtered

John

To use john to crack passwords (in this case it would be using my CPU instead of GPU):

john --session=ntlm_hashes --wordlist=WORDLIST.txt --fork=8 --format=nt --pot=ntlm.pot ntlm_hashes_filtered

As with hashcat, john is able to use various rules with the --rules flag:

john --session=ntlm_hashes --wordlist=WORDLIST.txt --rules=Jumbo --fork=8 --format=nt --pot=ntlm.pot ntlm_hashes_filtered

Leave a Reply

Your email address will not be published.