Extract Password Hashes from Active Directory LDAP

  • Currently we are working on a monthly internal security test which, among other things, should contain a verification of the real password strength the users choose. For this reason I want to extract the password hashes of all users via LDAP. Everything I found was this technet discussion telling me I can't extract the hashes, not even as an Administrator, which I really can't (don't want to) believe.

    Is there any way to extract the password hashes from an Active Directory Server?

    What we want to do is extract the hashes so we can run a syllable attack against them to verify if the passwords are really or just technically good.

    Even if you got them out, how would you verify the passwords? The hashes are, by definition, not reversible. That is, you can't get a password from a hash.

    Of course they aren't reversible. We are creating wordlists based on common words, technical terms, ... and then running a syllable attack against the hashes to verify if they are really secure or just a common word with a number and a special char attached.

    Alright. That makes sense. So you are asking us if the answer you pointed to, which has an MS employee stating that you can't get the hashes, is incorrect or can somehow be bypassed. I suspect not, but I'm not an AD wiz.

  • shift_tab (Correct answer, 6 years ago)

    You need to get the NTDS.DIT binary file out of %SystemRoot%\ntds.

    You can use ntdsutil to create a snapshot of the AD database so that you can copy NTDS.DIT.

    Then you can use something like the Windows Password Recovery tool to extract the hashes.

    https://technet.microsoft.com/en-us/library/cc753343.aspx

    https://technet.microsoft.com/en-us/library/cc753609(WS.10).aspx

    http://www.passcape.com/windows_password_recovery
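    The procedure above (ntdsutil snapshot, then copying NTDS.DIT) is exactly what a defender running such an internal audit should expect to see in the domain controllers' Security logs, and it is also what an attacker dumping credentials would do, so it is worth alerting on. The following detection script is an added example, not code from this thread or from any of the linked tools. It assumes process-creation auditing (Security event 4688 with command-line logging) is enabled on the DCs, and it works over constructed, simplified "key=value; ..." lines rather than a real event export; the field names (NewProcessName, CommandLine, SubjectUserName) follow the 4688 event, and the `expected_users` allowlist is a hypothetical parameter for the account that legitimately runs the monthly audit.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample events in a simplified "key=value; key=value" form.
# These are NOT real Windows event log exports; the field names mirror the
# Security log's 4688 (process creation) event so the rules read naturally.
SAMPLE_EVENTS = [
    'EventID=4688; Computer=DC01; SubjectUserName=alice; '
    'NewProcessName=C:\\Windows\\System32\\ntdsutil.exe; '
    'CommandLine=ntdsutil "activate instance ntds" snapshot create quit quit',
    'EventID=4688; Computer=DC01; SubjectUserName=SYSTEM; '
    'NewProcessName=C:\\Windows\\System32\\svchost.exe; CommandLine=svchost.exe -k netsvcs',
    'EventID=4688; Computer=DC01; SubjectUserName=bob; '
    'NewProcessName=C:\\Windows\\System32\\cmd.exe; '
    'CommandLine=cmd /c copy C:\\Windows\\NTDS\\ntds.dit D:\\backup\\',
    'EventID=4688; Computer=WS07; SubjectUserName=carol; '
    'NewProcessName=C:\\Windows\\System32\\notepad.exe; CommandLine=notepad.exe',
    'EventID=4624; Computer=DC01; SubjectUserName=alice; LogonType=10',
]


@dataclass
class Finding:
    computer: str
    user: str
    reason: str
    command_line: str


def parse_event(line: str) -> dict:
    """Split one 'k=v; k=v' line into a dict. Values may contain '=' themselves,
    so only the first '=' of each field separates key from value."""
    fields = {}
    for part in line.split("; "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify(event: dict) -> Optional[str]:
    """Return a reason string if a process-creation event looks like AD database
    (NTDS.dit) access, or None for anything else."""
    if event.get("EventID") != "4688":
        return None
    image = event.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "").lower()
    if image == "ntdsutil.exe":
        if "snapshot" in cmdline:
            return "ntdsutil snapshot operation (AD database copy)"
        return "ntdsutil invoked"
    if "ntds.dit" in cmdline:
        return "command line references ntds.dit"
    return None


def scan(lines: Iterable[str], expected_users: Iterable[str] = ()) -> List[Finding]:
    """Run the rules over event lines. Accounts in expected_users (hypothetical
    allowlist, e.g. the audit service account) are suppressed so the
    sanctioned monthly audit does not page the on-call engineer."""
    expected = {u.lower() for u in expected_users}
    findings = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event)
        if reason is None:
            continue
        user = event.get("SubjectUserName", "?")
        if user.lower() in expected:
            continue
        findings.append(Finding(event.get("Computer", "?"), user, reason,
                                event.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.computer} {f.user}: {f.reason} :: {f.command_line}")
```

    Run stand-alone it reports alice's snapshot creation and bob's copy of ntds.dit and stays silent on the ordinary svchost, notepad and logon events; passing the audit account in `expected_users` leaves only the unexpected actor. Feeding it a real export means replacing `parse_event` with whatever shape your SIEM emits; the rules in `classify` stay the same.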

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM