Domain Password Audits



With Anti-Virus technology continuing to block auditing/hacking tools like pwdump/fgdump, auditing passwords on a domain is becoming more difficult. In a series of recent audits it has been challenging to extract the domain hashes: running familiar tools like pwdump against the Windows Security Accounts Manager (SAM) surprisingly reveals only two accounts, where we would expect a long list of domain hashes.

Example Output:


These are the two basic accounts that tend to always be present, as they are the local accounts installed by Microsoft Windows. So what happened to all the domain accounts?

Since Microsoft Windows 2000, Active Directory has stored credential information in a database engine called the Extensible Storage Engine (ESE), which is based on the Jet database engine and is also used by Exchange 5.5 and WINS. The default location for this file is %SystemRoot%\ntds\NTDS.DIT; as the file is in use by the domain controller, it is locked and cannot be accessed.

The problem at hand is how to safely extract domain password hashes without triggering Anti-Virus or even some HIDS/HIPS vendors' products. This post covers Volume Shadow Copying to capture the hashes, followed by NTDS password cracking.

Volume Shadow Copying Service (VSS)

Why use VSS? You need administrator privileges to perform a password audit in the first place, so you should already have the privileges needed for the steps below. VSS has been built into Windows since Server 2003; as it is a legitimate set of commands it does not trigger AntiVirus (or built-in HIDS/HIPS). Therefore, as an administrator (legitimate or compromised) you are typically free to run the following commands and exfiltrate the password hash database.

Create Shadow Copy Drive

Create the shadow copy of the drive CONTAINING the ntds.dit file (generally the C: drive, but it could be elsewhere if the file is big):
vssadmin create shadow /for=[drive letter:]

List Drives

Check the path to the shadow copy volume, i.e. \\?\GLOBALROOT\Device…:
vssadmin list shadows

Copy Files

Copy the NTDS.dit and SYSTEM files out of the volume(s):

copy \\?\GLOBALROOT\{device_id}\{device_name}\path_to\ntds.dit [your destination]
copy \\?\GLOBALROOT\{device_id}\{device_name}\path_to\SYSTEM [your destination]

Optional: the above two files are all you need to crack open the NTDS.DIT file, but you may also want the SAM for locally stored hashes. Cracking local SAM accounts will not be covered in this blog post:
copy \\?\GLOBALROOT\{device_id}\{device_name}\path_to\SAM [your destination]

Clean Up

vssadmin delete shadows /for=[drive letter:] /shadow=[shadow copy ID reported by vssadmin create shadow]
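The same command sequence is what a defender should be watching for on a domain controller. The following is an added example, not code from the original post: it runs a small correlation rule over constructed process-creation records (timestamp, host, user, command line; the format, hosts and user names are invented for illustration) and raises an alert when a shadow copy creation is followed, within a short window, by a copy of ntds.dit out of the shadow volume.

```python
"""Flag the shadow-copy-then-copy-ntds.dit pattern in process-creation telemetry.

Added example with constructed records; the record format is an assumption,
not any particular SIEM's schema.
"""
import re
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, host, user, command line).
# They mimic the sequence described in the post plus two benign events.
SAMPLE_EVENTS = [
    ("2012-03-01T09:14:02", "DC01", "CORP\\backupsvc", "vssadmin list shadows"),
    ("2012-03-01T09:15:10", "DC01", "CORP\\jdoe", "vssadmin create shadow /for=C:"),
    ("2012-03-01T09:15:30", "DC01", "CORP\\jdoe", "vssadmin list shadows"),
    ("2012-03-01T09:16:05", "DC01", "CORP\\jdoe",
     r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit"),
    ("2012-03-01T09:16:20", "DC01", "CORP\\jdoe",
     r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM"),
    ("2012-03-01T09:17:00", "DC01", "CORP\\jdoe", "vssadmin delete shadows /for=C: /all"),
    # Scheduled backup on a file server: creates a shadow but never touches ntds.dit.
    ("2012-03-01T22:00:00", "FS02", "NT AUTHORITY\\SYSTEM", "vssadmin create shadow /for=D:"),
]

SHADOW_CREATE = re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)
SHADOW_PATH = re.compile(r"GLOBALROOT|HarddiskVolumeShadowCopy", re.I)
NTDS_FILE = re.compile(r"\bntds\.dit\b", re.I)
SYSTEM_HIVE = re.compile(r"\\system32\\config\\system\b", re.I)


def classify(cmdline):
    """Return the set of indicator tags matched by one command line."""
    tags = set()
    if SHADOW_CREATE.search(cmdline):
        tags.add("shadow_create")
    if SHADOW_PATH.search(cmdline):
        # Reading files through a shadow volume path is the interesting part;
        # which file is read decides the tag.
        if NTDS_FILE.search(cmdline):
            tags.add("ntds_from_shadow")
        if SYSTEM_HIVE.search(cmdline):
            tags.add("system_hive_from_shadow")
    return tags


def correlate(events, window=timedelta(minutes=30)):
    """Raise one alert per (host, user) whose shadow copy creation is followed,
    within `window`, by a copy of ntds.dit out of a shadow volume.
    Events are expected in time order, as a SIEM export would deliver them."""
    last_create = {}
    alerts = []
    for ts, host, user, cmd in events:
        when = datetime.fromisoformat(ts)
        key = (host, user)
        tags = classify(cmd)
        if "shadow_create" in tags:
            last_create[key] = when
        if ("ntds_from_shadow" in tags and key in last_create
                and when - last_create[key] <= window):
            alerts.append({"host": host, "user": user, "time": ts,
                           "severity": "high", "command": cmd})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The nightly backup on FS02 creates a shadow copy but never reads ntds.dit, so it produces no alert; the sequence on DC01 does. In practice the window and the host scope (domain controllers only) are the knobs that keep this rule quiet, and the `system_hive_from_shadow` tag is worth surfacing on its own, since the SYSTEM hive is needed to decrypt the hashes.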


NTDS.DIT DB Breakdown

  • Schema table: the types of objects that can be created in the Active Directory, the relationships between them, and the optional and mandatory attributes on each type of object. This table is fairly static and much smaller than the data table.
  • Link table: contains linked attributes, which hold values referring to other objects in the Active Directory. Take the MemberOf attribute on a user object: it contains values that reference the groups to which the user belongs. This table is also far smaller than the data table.
  • Data table: users, groups, application-specific data, and any other data stored in the Active Directory. The data table can be thought of as having rows, where each row represents an instance of an object such as a user, and columns, where each column represents an attribute in the schema such as GivenName.

A framework, NTDSXtract by Csaba Barta, has been developed to facilitate extraction of interesting data from these files. Huge credit to him for his original paper and his subsequent work on the framework. The framework now works on the latest 64-bit operating systems and has been tested successfully on Windows 2008 R2.

Cracking the Database

First download the libesedb libraries from:
Extract and compile the libesedb libraries (standard autotools build):

./configure
make
make install

UPDATE: Alternatively, download the package from here:

Second, download the NTDSXtract framework.
After installing the libesedb libraries, export the database tables from ntds.dit (the -t argument is the base name; the tables land in /tmp/ntds.dit.export/):
esedbexport -l /tmp/esedbexport.log -t /tmp/ntds.dit extracted_ntds.dit
Extract the hashes, user info and password history with NTDSXtract's dsusers.py:
python dsusers.py /tmp/ntds.dit.export/datatable.3 /tmp/ntds.dit.export/link_table.5 --passwordhashes --passwordhistory --certificates --supplcreds --membership > /tmp/ntds.dit.output
Note: esedbexport numbers the exported tables, so the datatable and link_table file names could be e.g. datatable.3 or datatable.4 and link_table.4 or link_table.5 depending on the previous output.
Use John the Ripper to crack the hashes:
john /tmp/ntds.dit.output

Audit Analysis

What use is the audit data unless it is presented in a useful and meaningful way?

This is where the work of Robin Wood (@digininja) is appreciated, with his useful tool pipal.

Pipal will highlight the Top 10:

  • Passwords
  • Password Lengths
  • Dictionary Words
  • Dates
  • Years, Months or Days of the week
  • Integers
  • Patterns (for oclhashcat 😉 )

So if you don't use Pipal, I strongly advise you to download it now!
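To show what such an analysis actually computes, here is an added example (not pipal itself, and not code from the original post) that reproduces a subset of the statistics listed above over a constructed list of cracked passwords: top passwords, length distribution, base words found in a tiny built-in wordlist standing in for a real dictionary, years, trailing integers, and hashcat-style masks. The sample passwords and the wordlist are invented for illustration.

```python
"""Pipal-style summary statistics over a list of cracked passwords.

Added example; SAMPLE_PASSWORDS and WORDLIST are constructed, not audit data.
"""
import re
import string
from collections import Counter

# Constructed sample of cracked passwords, as john would have recovered them.
SAMPLE_PASSWORDS = [
    "Password1", "Password1", "password", "Summer2011", "Welcome1",
    "Welcome1", "letmein", "Winter2012!", "qwerty123", "Password1",
    "Monday01", "P@ssw0rd",
]

# Tiny constructed wordlist; a real audit would load a full dictionary here.
WORDLIST = {"password", "welcome", "summer", "winter", "monday", "letmein", "qwerty"}

YEAR_RE = re.compile(r"(?:19|20)\d\d")
TRAILING_INT_RE = re.compile(r"\d+$")


def mask(pw):
    """Hashcat-style mask: ?l lower, ?u upper, ?d digit, ?s anything else."""
    out = []
    for ch in pw:
        if ch in string.ascii_lowercase:
            out.append("?l")
        elif ch in string.ascii_uppercase:
            out.append("?u")
        elif ch in string.digits:
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def base_word(pw):
    """Strip leading/trailing non-letters and lower-case, so 'Summer2011' -> 'summer'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def _count_matches(regex, passwords):
    """Count the first match of `regex` in each password that has one."""
    return Counter(m.group(0) for m in map(regex.search, passwords) if m)


def analyse(passwords, top=10):
    """Return a dict of (value, count) lists, most common first, like pipal's sections."""
    return {
        "total": len(passwords),
        "unique": len(set(passwords)),
        "top_passwords": Counter(passwords).most_common(top),
        "lengths": Counter(len(p) for p in passwords).most_common(top),
        "dictionary_words": Counter(
            b for b in map(base_word, passwords) if b in WORDLIST).most_common(top),
        "years": _count_matches(YEAR_RE, passwords).most_common(top),
        "trailing_integers": _count_matches(TRAILING_INT_RE, passwords).most_common(top),
        "masks": Counter(map(mask, passwords)).most_common(top),
    }


if __name__ == "__main__":
    for section, rows in analyse(SAMPLE_PASSWORDS).items():
        print(section)
        if isinstance(rows, list):
            for value, count in rows:
                print("  %-24s %d" % (value, count))
        else:
            print("  %d" % rows)
```

Read the output from the bottom up: the mask and trailing-integer sections are what a complexity policy actually produced (an upper-case letter, a dictionary word, one digit), which is the point of the audit rather than any single weak password.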
