my personal blog about systemcenter

Dump AD user password hashes on-the-fly to a file of chosen format

So, you achieved Domain Admin permissions during a security assessment (penetration test) and you want to crack all of those nice password hashes from Active Directory, or you might have to perform a password audit, but you just hate exporting NTDS.DIT + SYSTEM and extracting the database afterwards…?

Instead you can now do live, in-memory on-the-fly Mimikatz-DCSync-style, synchronization of all those user password NT-hashes in PowerShell and write them to a pwddump format of your own choice, all ready for having lots of cracking fun!

Check out:

A few things to consider.

  1. Michael Grafnetter, who developed the DSInternals module, hasn’t released the source code yet. Therefore, you will have to trust his code (blindly) at the moment. However, Michael has told me that he will release the code later this year when he has had time to clean it up a bit. Thanks to Michael for his hard work and help.
  2. Be sure to have permissions to extract (and crack?) hashes from Active Directory 🙂

BTW. Have you seen this related tool and post: Crack and detect weak passwords in Active Directory on-the-fly

/Jakob H. Heidelberg