NTDS Password Hash Dumping and Cracking

In this tutorial, I will show you how to do a password audit of a Windows Domain Controller by extracting the NTLM password hashes from the Ntds.dit file, then cracking the hashes with Hashcat to see their clear text value.


Ntds.dit is a database that stores Active Directory data, which includes all the password hashes for all the users of the domain.

To be able to retrieve the NTLM password hashes, we need to make a copy of the Ntds.dit file. However, this is not straightforward, as the file is constantly in use and locked by Active Directory:



We now need to extract the locked Ntds.dit file from a Windows Domain Controller. For this operation we need to use NTDSUTIL, which is a tool used for accessing and managing the Windows Active Directory database. These commands need to be run from an elevated command prompt; therefore, you will need to already have administrator rights on the Domain Controller.
NTDSUTIL : Database Extraction
This means the commands from the elevated command prompt will be:
ntdsutil
activate instance ntds
ifm
create full c:\ifm

That should then perform the snapshot backup and return to the ifm> prompt when complete, as below:


When you are here you can type quit twice to return to the command prompt. If you then navigate to the c:\ifm folder, it should look like this:


Folder2ISO - Extract files off the Domain Controller
You can see the ntds.dit and the "system" file. Both of these files are required for the next tool; however, you need to get these files off the Domain Controller, and the way I do that is to use a utility called Folder2ISO that will take a folder and make it an ISO.
Folder2Iso.exe "c:\ifm" "c:\data.iso" "Data" 2992 20990 2677106637 "UTF-8"
This will then create a file called data.iso in the directory specified like this:


winSCP - copy ISO to Kali server
I have been using Kali Linux to complete the password audit, so now we need to copy this file from the server to Kali Linux. Here you can see the source file (in red) and the destination file (in green):



Extract ISO in Kali
We now need to extract the file in Kali to a folder. Move to the folder that holds the ISO, which here is /home/mooney/ISO, then extract the files one directory up into a folder called "raw" with this command:

7z x temp.iso -o./../raw
This will then extract the file system from earlier, which looks like this (same image as earlier). Obviously we do not have an F: drive on Linux.
We now need to get the files we require from "raw" to "NTLM", so I have used these commands to get this accomplished:
mv /home/mooney/raw/ntds.dit /home/mooney/NTDS/ntds.dit
mv /home/mooney/raw/SYSTEM /home/mooney/NTDS/SYSTEM
That should then put you in a position with the two files we require in the NTLM directory as below:


Impacket : secretsdump.py

We now need to use Impacket, which will extract the hashes from the ntds.dit file. We need to ensure it works on the offline copy (which is the LOCAL keyword in the command), so I would always get the latest version and then install it:

sudo apt-get install python3-pip
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip install .
Ensure you do not run the installer with sudo, as that will cause errors. The install will then run and build as below:


You should see this on the last line before the command prompt returns; in this instance we are on impacket-0.12.0:

Successfully installed impacket-0.12.0 

Excellent, now we can extract the secrets with this command from the NTLM directory:

secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-extract

That will then initialise and begin extracting all the secrets:


After a short moment this will start showing you all the secrets being extracted from the ntds.dit file. This may take some time to complete, depending on the size of your environment and Active Directory:


Once that is complete you will notice that the NTLM directory now has some additional files; these are the ones in blue as below:



ntlm-extract.ntds.kerberos : Contains Kerberos account keys and secrets with the cipher
ntlm-extract.ntds.cleartext : Contains all the clear text passwords from your Active Directory
ntlm-extract.ntds : Contains all the non-Kerberos accounts and hashes

We now need to move these files from the current location to a folder called "Processed", which is the folder you see at the top of the screenshot above. That requires some further commands, which need to be run from the NTLM directory:

mv ntlm-extract.ntds.kerberos Processed/ntlm-extract.ntds.kerberos
mv ntlm-extract.ntds.cleartext Processed/ntlm-extract.ntds.cleartext
mv ntlm-extract.ntds Processed/ntlm-extract.ntds

This will then move all your files to a single folder as you can see here:


Clean the Hashes

We now need to clean the data from the current format which looks like this:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:214e90b41e2752d80acd34e13f3e9831:::

The record is currently broken down like this:
  1. Username: (Administrator)
  2. Userid: (500)
  3. lmhash: (aad3b435b51404eeaad3b435b51404ee)
  4. ntlmhash: (214e90b41e2752d80acd34e13f3e9831)
We need to get rid of everything except the NTLM hash. This means reading the ntlm-extract.ntds file with cat and piping the output into the cut command, using : as the delimiter and writing only the 4th field to a new file called JustTheHashes.txt.

cat ntlm-extract.ntds | cut -d : -f 4 > JustTheHashes.txt

This will leave you with a file called JustTheHashes.txt that only contains the hashes we want to audit/reverse engineer:


Note : If you wanted to compromise a network you don't actually have to crack the hashes; you can use Pass the Hash to escalate your privileges, using the -pth (pass the hash) option with certain utilities.

Wordlist : Rockyou inbuilt Wordlist

Hashcat will be the weapon of choice to crack the hashes. This should come installed with Kali Linux, but you do need a dictionary for it. Kali has an inbuilt copy of "rockyou"; the location and the command to extract it are:

/usr/share/wordlists
gunzip rockyou.txt.gz

You can see the extracted file below; however, this is only 135 MB in size, so it is quite small and limited.


Wordlist : Rockyou 2021 breach wordlist

This is a far larger list of passwords that have been breached. To get it you need to install Transmission, a torrent manager, with this command:

sudo apt-get install transmission

Then you need to use the Magnet link below to download the rockyou2021 database using Transmission; if this link is dead, look for another one:

Then when you have downloaded the torrent file extract it using this command:

7z x rockyou2021.txt.7z.001

This may take some time, as there is quite a bit of data in those files and lots of "archived" files:


The file when extracted is 96 GB in size, as you can see below:


CPU or GPU : Options and Choices

Yes, this is quite an important question. If you have a virtual machine and you're only going to use a virtual processor or a physical processor, it will take considerably longer than using a GPU.

CPU: A CPU typically has few cores (ranging from 4 to 64 in most cases), and these cores are optimized for sequential processing rather than parallelism. While a CPU can handle complex operations, it doesn't match the raw parallel processing power of a GPU.

Running Hashcat on a cloud VM with 4 vCPUs might yield significantly slower hash-cracking speeds compared to a physical CPU with the same core count, due to resource contention and virtualization overhead.

GPU: A GPU is designed for highly parallel operations, capable of performing thousands of simultaneous calculations. This makes it ideal for tasks like hash cracking, where each hash attempt can be processed independently. For example, a modern GPU might have thousands of cores, allowing it to handle thousands of hash computations simultaneously.

A physical CPU like an Intel i9 with 16 cores might process, say, 100,000 hashes per second, while a modern GPU like an NVIDIA RTX 3090 could process over 10 billion hashes per second in the same scenario.

Prepare the GPU (highly recommended)

First you need to establish what type of GPU you have installed. I usually use Nvidia, so to check the hardware use this command:

lspci -k | grep -A 2 -i "nvidia"

Then we need to install the prerequisites before we install the drivers with this command:

sudo apt install build-essential dkms

We then need to add the Nvidia PPA (personal package archive). This needs to be done before we can install the drivers, with these commands:

sudo add-apt-repository ppa:graphics-drivers/ppa
sudo apt update

Now we need to install the latest CUDA drivers with the following command:

sudo apt install nvidia-driver nvidia-cuda-toolkit

We now need to blacklist the Nouveau driver. This step is recommended because this driver can cause problems with the native Nvidia drivers:

sudo bash -c "echo 'blacklist nouveau' > /etc/modprobe.d/blacklist-nouveau.conf"
sudo bash -c "echo 'options nouveau modeset=0' >> /etc/modprobe.d/blacklist-nouveau.conf"
sudo update-initramfs -u

Now, you need to reboot your system with this command:

sudo reboot

Wait a moment for your system to restart. Once you are logged into the shell, you can run this command to verify Kali can now see the GPU and that it is accessible:

nvidia-smi

This should show you the state of your hardware, here we have a Quadro P4000 for this exercise:



Hashcat : installation (where required)

If you do not have Hashcat and need to install it, this is quite a simple process and can be accomplished with the following commands:

sudo apt install hashcat

Optional : Build latest version

If you would rather get the latest version and not use the one in the repository, you can run these commands to download and then build it:

git clone https://github.com/hashcat/hashcat.git
cd hashcat
make

Verify Hashcat can see the GPU

If you have successfully installed the drivers, run Hashcat with the following command, which should show the device information, including the GPU:

hashcat -I

This should report any hardware it can see, as you can see here it has found the GPU:


Hashcat : Audit those hashes and passwords

Hashcat is a password-cracking tool used primarily for recovering passwords by performing brute-force attacks and various cryptographic hash attacks. It supports multiple attack modes, including dictionary attacks, combinator attacks, and mask attacks, allowing users to try different combinations of characters and words to crack password hashes.

Note : If you get an error with Hashcat saying no hashes were imported, open the file and save it again with UTF-8 encoding.

We need to tell Hashcat to start cracking hashes using the "rockyou" wordlist; that command is outlined below:

hashcat -m 1000 JustTheHashes.txt rockyou2021.txt --force  

Hashcat : Show recovered passwords

When the scan has completed you can use the following command to view all the passwords with the relevant hashes

hashcat -m 1000 JustTheHashes.txt --show

This command will give you each password in ASCII format, along with the original hashed value.
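JustTheHashes.txt no longer carries usernames, so an audit report has to join the --show output back to the ntlm-extract.ntds records described under "Clean the Hashes". The following is an added example, not part of the original tutorial or of Hashcat or Impacket: it does that join and also flags blank passwords, stored LM hashes and accounts sharing a hash. The sample records, the account names and the audit() and parse_ntds() helpers are constructed for illustration.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string: no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample data in the user:rid:lmhash:nthash::: layout, not from a real directory.
SAMPLE_NTDS = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\\svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\legacy_app:1105:0123456789abcdef0123456789abcdef:11111111111111111111111111111111:::
CORP\\j.smith:1106:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
"""
# Constructed `hashcat -m 1000 ... --show` output (hash:password).
SAMPLE_SHOW = """\
8846f7eaee8fb117ad06bdd830b7586c:password
31d6cfe0d16ae931b73c59d7e0c089c0:
"""

def parse_ntds(text):
    """Yield (user, rid, lm, nt) for user accounts; machine accounts ($) are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit() or parts[0].endswith("$"):
            continue
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def audit(ntds_text, show_text):
    """Return account names per finding; the recovered passwords are not kept."""
    cracked = {l.split(":", 1)[0].lower() for l in show_text.splitlines() if ":" in l}
    by_hash = defaultdict(list)
    findings = {"cracked": [], "blank": [], "lm_stored": [], "shared": []}
    for user, rid, lm, nt in parse_ntds(ntds_text):
        by_hash[nt].append(user)
        if nt == EMPTY_NT:
            findings["blank"].append(user)      # account has no password at all
        elif nt in cracked:
            findings["cracked"].append(user)    # password was in the wordlist
        if lm != EMPTY_LM:
            findings["lm_stored"].append(user)  # legacy LM hash still stored
    # Accounts with identical NT hashes share the same password.
    findings["shared"] = sorted(sorted(u) for u in by_hash.values() if len(u) > 1)
    return findings

if __name__ == "__main__":
    for issue, accounts in audit(SAMPLE_NTDS, SAMPLE_SHOW).items():
        print(f"{issue}: {accounts}")
```

To run it against the real files, pass the contents of ntlm-extract.ntds and the saved --show output to audit() in place of the two sample strings.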

Hashcat Optional Commands

If you wish to output to a text file you can use this to save the captured passwords to a text file:

hashcat -m 1000 JustTheHashes.txt rockyou2021.txt -o output.txt

If you wish to use a Mask Attack, which does not use the wordlist but tries to guess the password:

hashcat -m 1000 JustTheHashes.txt -a 3 ?l?l?l?l?l?l?l?d

If you wish to limit the attack to first 1000 words in dictionary:

hashcat -m 1000 JustTheHashes.txt rockyou2021.txt --limit 1000

Hashcat : Performance Mode 

If you wish to run Hashcat in benchmark Mode you can use this command

hashcat -b -m 1000

In my example this gave me the number of hashes, in millions, that could be cracked per second, which for this GPU is 41 million per second:

Speed.#1.........: 22198.8 MH/s (41.21ms) @ Accel:512 Loops:256 Thr:512 Vec:1

If you wish to run an exhaustive attack (one that will ignore the pot file, or passwords already cracked):

hashcat -m 1000 JustTheHashes.txt rockyou2021.txt --force --potfile-disable