Password Audit

Obtaining NTDS.dit Using In-Built Windows Commands

Further to our article on Password Audit of a Domain Controller, we've discovered a couple of short-cuts that greatly simplify the process.

Using the same underlying technique (Volume Shadow Service), there is an in-built command (Windows 2008 and later) that does a backup of the crucial NTDS.dit file, and the SYSTEM file (containing the key required to extract the password hashes), without the need to use VB Script, third-party tools or injecting into running processes.

Password Audit of a Domain Controller

Some fantastic research has been carried out on the ntds.dit file over the last couple of years - it wasn't that long ago that forensic recovery of such information was limited to getting a live running image of the host up and running, then executing fgdump or similar. Now, however, other options do exist if you have an offline copy of the directory store, namely retrieval of the two main tables - the data table and the link table.

Remote Windows SAM Retrieval with VBScript

There's no denying that PSExec and FGDump are useful tools on an infrastructure penetration test. FGDump is a problem, however, in that it needs to inject into a running process (lsass.dll) and is therefore often blocked by antivirus. Whilst you can disable AV, this isn't advisable on a production server, especially if an alternative [safe] solution is available. Since XP, there has been an option to export both the SAM and System hives from a running Windows machine without injecting into any running processes.

The commands are simple: