Using Lil Pwny – Part 1: Exporting Passwords from Active Directory

The first step in auditing passwords using Lil Pwny is to recover the passwords from Active Directory.

Passwords in a Windows Domain

Before we look at how to recover passwords, it is useful to know how Windows handles and stores passwords in general.

Windows uses the NTLM (New Technology LAN Manager) protocol to authenticate Active Directory users. Under this protocol a password is stored as two hashes, the LM hash and the NT hash. The LM hash is included only for backwards compatibility; the hash that is actually used is the NT hash (confusingly, usually just referred to as the NTLM hash), which is simply the MD4 digest of the password in its UTF-16LE encoding.

A copy of this NTLM hash is stored on the domain controller against the user’s account, as well as on local machines (as a cached credential) if caching of user profiles is configured in the environment. 

The most important thing to note about NTLM hashes is that they are not salted. This means the hash is effectively equivalent to the password: it can be used by itself to authenticate as a user without having to know the password, and because the same password always produces the same hash, NTLM hashes are relatively easy to crack and to compare against lists of known-compromised passwords.

Step 1: Get a Database Dump from Active Directory

We have established that passwords are stored on domain controllers, but we need a way of getting them. The easiest way to do this is to extract them from the file Ntds.dit. The Ntds.dit file is a database that stores AD data, such as group membership, user objects and, most importantly for us, AD account password hashes.

Note

You will have noticed by now that this password recovery relies on access to the domain controller, whether you have access yourself or you have sweet-talked your SysAdmin into providing the data for you. This is fine, as we are doing this for defensive purposes after all. However, it does go to show the importance of keeping your domain controllers secure, and how they are the crown jewels if you are running a Windows environment. If an attacker gets access to this information on the DC, then the game is most likely already over.

This file is constantly in use by the DC, so obtaining it is not a simple copy-and-paste job. For this, we need to use the utility ntdsutil.

Ntdsutil is a management utility for AD databases. The command we will be using, IFM, takes a full Install From Media snapshot of the AD database, together with the SYSTEM registry hive, which is required to decrypt the data we recover.

Open an elevated PowerShell prompt on the domain controller and run the following, replacing **OUTPUT PATH** with the directory the snapshot should be written to:

ntdsutil
activate instance ntds
ifm
create full **OUTPUT PATH**

Once the snapshot has completed, the output directory will look like this:

C:\AD_DUMP
├───Active Directory
│       ntds.dit
│       ntds.jfm
│
└───registry
        SECURITY
        SYSTEM

You now have a full copy of the ntds.dit file, along with the SYSTEM hive needed to decrypt it.

Step 2: Recover the Hashes

To recover the NTLM hashes of AD users from the ntds.dit file, we are going to use the DSInternals PowerShell module.

Installing this on PowerShell 5 and above is simple from the PowerShell Gallery:

Install-Module DSInternals

Otherwise, it can be installed from the DSInternals GitHub repository.

DSInternals allows us to recover the NTLM hashes in the format username:hash, which is what Lil Pwny requires. We will need the SYSTEM hive recovered in the previous step to obtain the boot key, which is needed to decrypt the password hashes stored in ntds.dit.

Run the following commands in PowerShell from inside the snapshot directory created in Step 1 (the paths below are relative to it), replacing **OUTPUT PATH** with your desired output file:

$bootKey = Get-BootKey -SystemHivePath '.\registry\SYSTEM'
Get-ADDBAccount -All -DBPath '.\Active Directory\ntds.dit' -BootKey $bootKey | Format-Custom -View HashcatNT | Out-File **OUTPUT PATH** -Encoding ASCII

Reading the output file shows the recovered usernames and NTLM hashes from AD.

The contents of the output file
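The two points above, that the NT hash is just unsalted MD4 over the UTF-16LE password and that the export is a plain username:hash file, can be tied together in a small pre-audit check. The following is an added example, not code from this post, from Lil Pwny or from DSInternals. It recomputes NT hashes from candidate passwords (MD4 is implemented inline because hashlib's md4 is frequently disabled under OpenSSL 3), parses an export in the username:hash format described above, and reports blank passwords, accounts sharing a password, and accounts whose hash matches a banned-word list. The sample export and the banned list are constructed for the example; the function and variable names are my own.

```python
"""Added example: sanity-check a DSInternals username:hash export before auditing.
Not part of the original post, Lil Pwny or DSInternals."""
import struct
from collections import defaultdict

MASK32 = 0xFFFFFFFF
# Well-known NT hash of the empty password (MD4 of an empty byte string).
EMPTY_NT_HASH = '31D6CFE0D16AE931B73C59D7E0C089C0'


def _rotl(x, n):
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (pure Python so it works where OpenSSL hides md4)."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                       # padding: 1 bit, then zeros to 56 mod 64
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack('<Q', bit_len)      # 64-bit little-endian message length in bits

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, message-word order, per-step shifts, additive constant)
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', msg[off:off + 64])
        s = state[:]
        for func, order, shifts, k in rounds:
            for i, j in enumerate(order):
                r = (-i) % 4               # registers are updated in the order A, D, C, B
                s[r] = _rotl(s[r] + func(s[(r + 1) % 4], s[(r + 2) % 4], s[(r + 3) % 4])
                             + x[j] + k, shifts[i % 4])
        state = [(a + b) & MASK32 for a, b in zip(state, s)]
    return struct.pack('<4I', *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, no salt, upper-case hex as in the export."""
    return md4(password.encode('utf-16le')).hex().upper()


def parse_export(text: str) -> dict:
    """Parse username:hash lines into {username: HASH}, rejecting malformed lines."""
    accounts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        user, sep, digest = line.rpartition(':')   # rpartition tolerates ':' inside names
        if not sep or len(digest) != 32 or any(c not in '0123456789abcdefABCDEF' for c in digest):
            raise ValueError(f'line {lineno}: not in username:hash format: {line!r}')
        accounts[user] = digest.upper()
    return accounts


def audit(accounts: dict, banned_passwords) -> dict:
    """Flag blank passwords, passwords shared between accounts, and banned-list matches.
    Because NT hashes are unsalted, one hash per banned word covers every account."""
    banned = {nt_hash(p): p for p in banned_passwords}
    by_hash = defaultdict(list)
    for user, digest in accounts.items():
        by_hash[digest].append(user)
    return {
        'blank': sorted(u for u, d in accounts.items() if d == EMPTY_NT_HASH),
        'banned': {u: banned[d] for u, d in accounts.items() if d in banned},
        'shared': {d: sorted(us) for d, us in by_hash.items() if len(us) > 1},
    }


# Constructed sample export in the username:hash format the post describes; not real accounts.
SAMPLE_EXPORT = "\n".join([
    "alice:8846F7EAEE8FB117AD06BDD830B7586C",   # NT hash of "password"
    "bob:" + nt_hash("Summer2020!"),
    "carol:" + nt_hash("Summer2020!"),           # same password as bob
    "svc_backup:" + EMPTY_NT_HASH,               # blank password
    "",
])

if __name__ == '__main__':
    report = audit(parse_export(SAMPLE_EXPORT), ['password', 'Welcome1', 'Summer2020!'])
    for key, value in report.items():
        print(f'{key}: {value}')
```

Run against a real export the script needs only the file contents and a banned-word list; the shared-password report is worth a look on its own, since two unrelated accounts with the same hash usually means a default or handed-around password.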

Now that we have the NTLM hashes and usernames, we are ready to use them with Lil Pwny. I will cover this in my next post.