Summary:
This tutorial is for password auditing of network credentials inside your domain. We will use Kali Linux along with some open source software to validate your password policies. As always, make sure you have permission to perform this audit. At the very least, everyone should check to verify that people using privileged accounts are not using the same password for their privileged account and their normal user account.
Preparation:
1) Access to a domain controller for the domain that we will be auditing
2) Kali Linux
3) ntdsxtract-master.zip (https://github.com/csababarta/ntdsxtract)
4) libesedb-experimental-20160622.tar.gz (https://github.com/libyal/libesedb/releases)
5) Install ntdsxtract and libesedb using the instructions given inside each archive.
Get your NTDS database off the server:
- Log into your Domain controller using an admin level account
- Open a command prompt
- Type ntdsutil
- Your prompt should change to ntdsutil:
- Type activate instance ntds
- Type ifm
- Your prompt should change to ifm:
- Type create full <location of where you want your backup> (i.e. c:\pentest)
- Once the backup is complete, type quit.
- Now copy the folder with your backup to your Kali Linux system
- Navigate to the ntds.dit file (i.e. /root/pentest/Active Directory)
- Run esedbexport -m tables ./ntds.dit
- Run dsusers.py ./ntds.dit.export/datatable.4 ./ntds.dit.export/link_table.7 ./hashdumpwork --syshive ../SYSTEM --passwordhashes --lmoutfile lm-out.txt --ntoutfile nt-out.txt --pwdformat john
- dsusers.py is the program we just installed; it pulls the hashes out of the database
- ./ntds.dit.export/datatable.4 is the data table of the ntds database; the number may be different on your system
- ./ntds.dit.export/link_table.7 is the link table; likewise, the number may be different
- These two tables are needed so the program can match up usernames with their associated hashes
- ./hashdumpwork is just a tidy way to keep your directory clean; all support files the program generates will be dumped here along with our output files
- --lmoutfile lm-out.txt is our output file for any LM hashes; it will usually be blank for modern domains
- --ntoutfile nt-out.txt is our output file for NTLM hashes; this is where all the good stuff goes
- --pwdformat john tells the program how we want the output formatted; we format it for John the Ripper
This is where we can now start to audit our passwords. I prefer to open the output as a spreadsheet first, which lets me sort the accounts by hash. I can then easily see if my admins are using the same password for their normal account and their privileged account: same hash = same password. If you are auditing multiple domains you can also easily check if people are using the same password across domains, which is also a no-no.
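As an added example (not part of the original tutorial), here is a small Python script that performs the spreadsheet check above directly over the John-format nt-out.txt files: it groups accounts by NT hash, flags shared hashes that involve an admin-looking account name or that span more than one domain, and also reports empty passwords and accounts that still store a real LM hash. It assumes the pwdump-style layout `user:rid:lmhash:nthash:::`; the sample dumps and the admin naming pattern are constructed for illustration.

```python
import re
from collections import defaultdict

# Well-known constants: NT hash of the empty password and the "no LM hash stored" marker.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample dumps in pwdump/john layout (user:rid:lmhash:nthash:::).
# 8846f7ea... is the NT hash of "password"; e52cac67... is its LM hash.
CORP_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
jsmith:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
jsmith-adm:1106:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1108:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""
LAB_DUMP = """\
jsmith:1201:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1202:aad3b435b51404eeaad3b435b51404ee:c0ffeec0ffeec0ffeec0ffeec0ffeec0:::
"""

def parse_dump(text, domain):
    """Yield (domain, user, lm, nt) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[0] or len(parts[3]) != 32:
            continue
        yield domain, parts[0], parts[2].lower(), parts[3].lower()

def audit(dumps, admin_re=r"(?i)(^admin|[-_.]adm(in)?$)"):
    """dumps maps a domain label to the text of its nt-out.txt. Returns the findings
    a sorted spreadsheet would show: hashes shared by several accounts, shared groups
    that include an admin-looking name, groups spanning domains, empty passwords, and
    accounts still storing an LM hash. admin_re is an assumed naming convention."""
    by_hash, empty, lm_stored = defaultdict(set), [], []
    for domain, text in dumps.items():
        for dom, user, lm, nt in parse_dump(text, domain):
            acct = f"{dom}\\{user}"
            by_hash[nt].add(acct)
            if nt == EMPTY_NT:
                empty.append(acct)
            if lm and lm != EMPTY_LM:
                lm_stored.append(acct)
    shared = {h: sorted(a) for h, a in by_hash.items() if len(a) > 1}
    is_admin = re.compile(admin_re)
    return {
        "shared": shared,
        "privileged_reuse": {h: a for h, a in shared.items()
                             if any(is_admin.search(x.split("\\", 1)[1]) for x in a)},
        "cross_domain": {h: a for h, a in shared.items()
                         if len({x.split("\\", 1)[0] for x in a}) > 1},
        "empty_password": sorted(empty),
        "lm_stored": sorted(lm_stored),
    }

if __name__ == "__main__":
    for kind, hits in audit({"CORP": CORP_DUMP, "LAB": LAB_DUMP}).items():
        print(kind, hits)
```

Point it at one dump per domain and review the "privileged_reuse" and "cross_domain" groups first; those are the findings worth raising before any cracking is attempted.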
Everything up to this point should be done as a regular password auditing event, and some organizations may want to go a step further. If you decide to check for ‘weak’ passwords, make sure you clear this first, as it could become a ‘resume producing event’.
Remember we formatted our output files for John the Ripper? Let’s open Johnny and load in our password file, along with your favorite word list. If you don’t have one yet, a quick search will give you plenty to choose from. I always also edit it to include known default passwords. Remember, we are not going overboard to see if we can crack everyone’s password; we just want to check for ‘weak’ passwords, and you would be surprised at what will pop up even with a good domain password policy.