Resolved #104: Major documentation update

Michael Grafnetter 2020-03-27 21:13:43 +01:00
parent aa4e6b5149
commit 3df26c9327
27 changed files with 1085 additions and 183 deletions


@ -9,10 +9,12 @@ All notable changes to this project will be documented in this file. The format
- New logo and package icons!
- Both [lastLogon](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada1/93258066-276d-4357-8458-981c19caad95) and [lastLogonTimestamp](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada1/530d7194-20f6-4aaa-8d80-9ca6b6350ad6) user account attributes are now exposed.
- The `-Server` parameter of the [Get-ADSIAccount](PowerShell/Get-ADSIAccount.md#get-adsiaccount) cmdlet now has the standard `-ComputerName` alias.
### Changed
- The PowerShell module now advertizes `Desktop` as the required edition. Note that *PowerShell Core* is not supported because of heavy dependency on Win32 API.
- Major [PowerShell module documentation](PowerShell/Readme.md#directory-services-internals-powershell-module) improvements.
## [4.2] - 2020-03-18
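Review bot: "advertizes" in the "PowerShell module now advertizes `Desktop`" line should be "advertises", and "because of heavy dependency on Win32 API" reads better as "because of its heavy dependency on the Win32 API".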


@ -46,7 +46,10 @@ Note that the Active Directory Migration Tool (ADMT) is the only supported way o
### Example 1
```powershell
PS C:\> Stop-Service -Name ntds -Force
PS C:\> Add-ADDBSidHistory -SamAccountName John -SidHistory S-1-5-21-3623811102-3361044346-30300840-512,S-1-5-21-3623811102-3361044346-30300840-519 -DBPath C:\Windows\NTDS\ntds.dit
PS C:\> Add-ADDBSidHistory -SamAccountName John `
-SidHistory 'S-1-5-21-3623811102-3361044346-30300840-512',
'S-1-5-21-3623811102-3361044346-30300840-519' `
-DatabasePath C:\Windows\NTDS\ntds.dit
PS C:\> Start-Service -Name ntds
```
@ -54,7 +57,7 @@ Adds the SIDs of the *Domain Admins* and *Enterprise Admins* groups into user *J
### Example 2
```powershell
PS C:\> Import-Csv user.csv | Add-ADDBSidHistory -DBPath C:\Windows\NTDS\ntds.dit
PS C:\> Import-Csv user.csv | Add-ADDBSidHistory -DatabasePath C:\Windows\NTDS\ntds.dit
```
Imports a CSV file containing *SamAccountName* and *SidHistory* columns into a nds.dit file.
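Review bot: "nds.dit" in the Example 2 description should be "ntds.dit"; the typo is on a context line, but since this hunk already touches the example it is worth fixing in the same pass.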


@ -27,11 +27,13 @@ The password is actually a cryptographically generated array of 256 bytes that i
```powershell
PS C:\> $gmsa = Get-ADServiceAccount -Identity 'SQL_HQ_Primary' -Properties 'msDS-ManagedPassword'
PS C:\> ConvertFrom-ADManagedPasswordBlob -Blob $gmsa.'msDS-ManagedPassword'
<# Sample Output:
Version : 1
CurrentPassword : 湤ୟɰ橣낔饔ᦺ几᧾ʞꈠ⿕ՔὬ랭뷾햾咶郸<E592B6>렇ͧ퀟᝘럓몚ꬶ佩䎖∘Ǐ㦗ן뱷鼹⽩Ⲃ⫝咽㠅䠹鸞왶婰鞪
PreviousPassword :
QueryPasswordInterval : 29.17:15:36.3736817
UnchangedPasswordInterval : 29.17:10:36.3736817
#>
```
Decodes the managed password information from a group-managed service account (GMSA) called *SQL_HQ_Primary*. The user retrieving the managed password needs to be listed in the *PrincipalsAllowedToRetrieveManagedPassword* property of the GMSA.
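Review bot: the `CurrentPassword` value in the sample output is made of unprintable UTF-16 characters and contains a raw byte artifact (`<E592B6>`), so it will not render or copy reliably. The hunk context already explains that the password is a random 256-byte array; consider showing a placeholder such as `<binary data>` in its place, or adding a sentence to the description that the value is displayed as decoded UTF-16 and is not meant to be reproducible.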


@ -25,6 +25,7 @@ Supports the derivation of AES256, AES128 and DES encryption keys. To calculate
```powershell
PS C:\> $pwd = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force
PS C:\> ConvertTo-KerberosKey -Password $pwd -Salt 'CONTOSO.COMAdministrator'
<# Sample Output:
AES256_CTS_HMAC_SHA1_96
Key: 660e61042b190b5724c62bb473facca12058fb9ad3c03c0d2809f839c0352502
@ -37,6 +38,7 @@ AES128_CTS_HMAC_SHA1_96
DES_CBC_MD5
Key: aed02c52204ca2ce
Iterations: 4096
#>
```
Applies 3 different kerberos key derivation functions to the specified password and salt.
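Review bot: "Applies 3 different kerberos key derivation functions" should read "Applies three different Kerberos key derivation functions" (protocol name capitalised, small number spelled out, matching the rest of the documentation).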


@ -31,7 +31,9 @@ The OrgId hash is defined as PBKDF2( UTF-16( ToUpper( ToHex( MD4( UTF-16(plainte
```powershell
PS C:\> $pwd = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force
PS C:\> ConvertTo-OrgIdHash -Password $pwd
<# Sample Output:
v1;PPH1_MD4,60eaffd2c886b419df7a,1000,ab9c532104713157395a70da85cc8a1b418508753c6997f02341d541328ef16b;
#>
```
Calculates the OrgId hash from a cleartext password using a random salt.
@ -39,7 +41,9 @@ Calculates the OrgId hash from a cleartext password using a random salt.
### Example 2
```powershell
PS C:\> ConvertTo-OrgIdHash -NTHash 92937945b518814341de3f726500d4ff
<# Sample Output:
v1;PPH1_MD4,46c0c5d9095185ce5cf8,1000,6bb7b360d9105ed5157460b343d5d143e465a59195bc9b568718268c334ea4a9;
#>
```
Calculates the OrgId hash from a NT hash while using a random salt.
@ -47,7 +51,9 @@ Calculates the OrgId hash from a NT hash while using a random salt.
### Example 3
```powershell
PS C:\> ConvertTo-OrgIdHash -NTHash 92937945b518814341de3f726500d4ff -Salt a42b92067e4b8123101a
<# Sample Output:
v1;PPH1_MD4,a42b92067e4b8123101a,1000,f0fc762ea9051ef754652becd83ee5e54c1c857c1c0965abac5d85de9c143911;
#>
```
Calculates the OrgId hash from a NT hash while using the given salt.
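Review bot: "from a NT hash" in the Example 2 and Example 3 descriptions should be "from an NT hash". It would also help to say that the 20-hex-digit second field of the `v1;PPH1_MD4,...` output is the salt: Example 3 passes exactly such a value back in via `-Salt a42b92067e4b8123101a` and it reappears in that field of the output, which ties the three examples together.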


@ -42,14 +42,16 @@ Get-ADDBAccount [-BootKey <Byte[]>] -ObjectGuid <Guid> -DatabasePath <String> [-
```
## DESCRIPTION
{{Fill in the Description}}
Reads one or more accounts from an Active Directory database file. When provided with a boot key (AKA SysKey or system key), it also decrypts secret attributes.
## EXAMPLES
### Example 1
```powershell
PS C:\> Get-ADDBAccount -SamAccountName Administrator -DatabasePath 'C:\IFM Backup\Active Directory\ntds.dit'
PS C:\> Get-ADDBAccount -SamAccountName Administrator `
-DatabasePath 'C:\IFM Backup\Active Directory\ntds.dit'
<# Sample Output:
DistinguishedName: CN=Administrator,CN=Users,DC=contoso,DC=com
Sid: S-1-5-21-1236425271-2880748467-2592687428-500
Guid: b3d02974-6b1c-484c-9103-fd2f60d592c4
@ -81,6 +83,7 @@ Credential Roaming
Created:
Modified:
Credentials:
#>
```
Retrieves information about a single account from an Active Directory database. Secret attributes are not decrypted as no boot key is provided.
@ -91,7 +94,7 @@ PS C:\> $key = Get-BootKey -SystemHiveFilePath 'C:\IFM Backup\registry\SYSTEM'
PS C:\> Get-ADDBAccount -DistinguishedName: 'CN=Joe Smith,OU=Employees,DC=contoso,DC=com' `
-BootKey $key `
-DatabasePath 'C:\IFM Backup\Active Directory\ntds.dit'
<# Sample Output:
DistinguishedName: CN=Joe Smith,OU=Employees,DC=contoso,DC=com
Sid: S-1-5-21-1236425271-2880748467-2592687428-1110
Guid: 6fb7aca4-fe85-4dc5-9acd-b5b2529fe2bc
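Review bot: `-DistinguishedName: 'CN=Joe Smith,...'` in Example 2 uses the colon parameter syntax, while every other example in this file uses the plain `-Parameter value` form; the colon is valid PowerShell but inconsistent, so drop it.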
@ -189,10 +192,69 @@ Credential Roaming
CNGCertificate: joe\SystemCertificates\My\Certificates\3B83BFA7037F6A79B3F3D17D229E1BC097F35B51
RSAPrivateKey: joe\Crypto\RSA\S-1-5-21-1236425271-2880748467-2592687428-1110\701577141985b6923998dcca035c007a_f8b7bbef-d227-4ac7-badd-3a238a7f741e
CNGPrivateKey: joe\Crypto\Keys\E8F13C2BA0209401C4DFE839CD57375E26BBE38F
#>
```
Retrieves information about a single account from an Active Directory database. Secret attributes are decrypted using the provided boot key.
### Example 3
```powershell
PS C:\> $results = Get-ADDBAccount -DatabasePath '.\Active Directory\ntds.dit' `
-BootKey acdba64a3929261b04e5270c3ef973cf `
-All |
Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt
```
Performs an offline credential hygiene audit of AD database against HIBP.
### Example 4
```powershell
PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key |
Format-Custom -View PwDump |
Out-File -FilePath users.pwdump -Encoding ascii
```
Exports NT and LM password hashes from an Active Directory database to a pwdump file.
### Example 5
```powershell
PS C:\> Get-ADDBBackupKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit' `
-BootKey 0be7a2afe1713642182e9b96f73a75da |
Save-DPAPIBlob -DirectoryPath '.\Output'
PS C:\> Get-ADDBAccount -All -DatabasePath '.\ADBackup\Active Directory\ntds.dit' |
Save-DPAPIBlob -DirectoryPath '.\Output'
```
Extracts DPAPI backup keys and roamed credentials (certificates, private keys, and DPAPI master keys) from an Active Directory database file and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys.
### Example 6
```powershell
PS C:\> Get-ADDBAccount -All -DatabasePath '.\ADBackup\Active Directory\ntds.dit' |
Select-Object -ExpandProperty KeyCredentials |
Where-Object Usage -eq NGC |
Format-Table -View ROCA
<# Sample Output:
Usage IsWeak Source DeviceId Created HolderDN
----- ------ ------ -------- ------- --------
NGC True AzureAD fd591087-245c-4ff5-a5ea-c14de5e2b32d 2017-07-19 CN=John Doe,CN=Users,DC=contoso,DC=com
NGC False AD 1966d4da-14da-4581-a7a7-5e8e07e93ad9 2019-08-01 CN=Jane Doe,CN=Users,DC=contoso,DC=com
#>
```
Lists weak public keys registered in Active Directory that were generated on ROCA-vulnerable TPMs.
### Example 7
```powershell
PS C:\> $dc = Get-ADDBDomainController -DatabasePath '.\ADBackup\Active Directory\ntds.dit'
PS C:\> $adminSid = '{0}-500' -f $dc.DomainSid
PS C:\> $account = Get-ADDBAccount -Sid $adminSid `
-DatabasePath '.\ADBackup\Active Directory\ntds.dit' `
-BootKey 0be7a2afe1713642182e9b96f73a75da
```
Retrieves information about a the the built-in Administrator account, even if it was renamed.
## PARAMETERS
### -All
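Review bot: "Retrieves information about a the the built-in Administrator account" in the Example 7 description has duplicated articles and should be "about the built-in Administrator account". In the Example 3 description, "AD database against HIBP" should spell out Have I Been Pwned on first use so readers know what `pwned-passwords-ntlm-ordered-by-hash-v5.txt` is. Example 5 runs `Get-ADDBAccount -All` without `-BootKey` while Examples 3, 4 and 7 pass one; if roamed credentials are readable without the boot key, say so in the description, otherwise the example is incomplete.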
@ -339,3 +401,4 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
[Get-ADSIAccount](Get-ADSIAccount.md)
[Test-PasswordQuality](Test-PasswordQuality.md)
[Save-DPAPIBlob](Save-DPAPIBlob.md)
[Get-ADKeyCredential](Get-ADKeyCredential.md)


@ -17,16 +17,71 @@ Get-ADDBBackupKey -BootKey <Byte[]> -DatabasePath <String> [-LogPath <String>] [
```
## DESCRIPTION
{{Fill in the Description}}
Reads and decrypts Data Protection API (DPAPI) backup keys from an Active Directory database file. The output can be saved to the file system using the Save-DPAPIBlob cmdlet.
DPAPI is used by several components of Windows to securely store passwords, encryption keys and other sensitive data. When DPAPI is used in an Active Directory domain environment, a copy of user's master key is encrypted with a so-called DPAPI Domain Backup Key that is known to all domain controllers. Windows Server 2000 DCs use a symmetric key and newer systems use a public/private key pair. If the user password is reset and the original master key is rendered inaccessible to the user, the user's access to the master key is automatically restored using the backup key.
## EXAMPLES
### Example 1
```powershell
PS C:\> {{ Add example code here }}
PS C:\> $key = Get-BootKey -SystemHiveFilePath '.\ADBackup\registry\SYSTEM'
PS C:\> Get-ADDBBackupKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit' `
-BootKey $key | Format-List
<# Sample Output:
FilePath : ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key
KiwiCommand :
Type : LegacyKey
DistinguishedName : CN=BCKUPKEY_b116cbfa-b881-43e6-ba85-ef3efa64ba22
Secret,CN=System,DC=contoso,DC=com
KeyId : b116cbfa-b881-43e6-ba85-ef3efa64ba22
Data : {1, 0, 0, 0...}
FilePath :
KiwiCommand :
Type : PreferredLegacyKeyPointer
DistinguishedName : CN=BCKUPKEY_P Secret,CN=System,DC=contoso,DC=com
KeyId : b116cbfa-b881-43e6-ba85-ef3efa64ba22
Data : {250, 203, 22, 177...}
FilePath : ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk
KiwiCommand : REM Add this parameter to at least the first dpapi::masterkey
command: /pvk:"ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk"
Type : RSAKey
DistinguishedName : CN=BCKUPKEY_290914ed-b1a8-482e-a89f-7caa217bf3c3
Secret,CN=System,DC=contoso,DC=com
KeyId : 290914ed-b1a8-482e-a89f-7caa217bf3c3
Data : {2, 0, 0, 0...}
FilePath :
KiwiCommand :
Type : PreferredRSAKeyPointer
DistinguishedName : CN=BCKUPKEY_PREFERRED Secret,CN=System,DC=contoso,DC=com
KeyId : 290914ed-b1a8-482e-a89f-7caa217bf3c3
Data : {237, 20, 9, 41...}
#>
```
{{ Add example description here }}
Extracts the boot key (AKA SysKey or system key) from a backup of the SYSTEM registry hive and decrypts all DPAPI backup keys stored in the an Active Directory database file.
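Review bot: "stored in the an Active Directory database file" in the Example 1 description has an extra article. In the new DESCRIPTION paragraph, "a copy of user's master key" should be "a copy of the user's master key", and "Windows Server 2000 DCs" should be "Windows 2000 Server DCs" (the product name). The same DPAPI background paragraph is pasted verbatim into Get-ADReplBackupKey.md and Get-LsaBackupKey.md later in this commit; one copy in the module Readme, linked from all three cmdlet pages, would keep them from drifting apart.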
### Example 2
```powershell
PS C:\> Get-ADDBBackupKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit' `
-BootKey 0be7a2afe1713642182e9b96f73a75da |
Save-DPAPIBlob -DirectoryPath '.\Output'
PS C:\> Get-ChildItem -Path '.\Output' | Select-Object -ExpandProperty Name
<# Sample Output:
kiwiscript.txt
ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key
ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.cer
ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pfx
ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk
#>
```
Exports DPAPI backup keys to the Output directory.
## PARAMETERS
@ -92,3 +147,4 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
[Save-DPAPIBlob](Save-DPAPIBlob.md)
[Get-ADReplBackupKey](Get-ADReplBackupKey.md)
[Get-LsaBackupKey](Get-LsaBackupKey.md)


@ -25,7 +25,6 @@ Reads domain controller (DC) infromation from a ntds.dit file that is either ret
### Example 1
```powershell
PS C:\> Get-ADDBDomainController -DatabasePath .\ntds.dit
<# Sample Output:
Name : LON-DC1
DNSHostName : LON-DC1.contoso.com


@ -29,10 +29,7 @@ KDS Root Keys are used to encrypt the following:
### Example 1
```powershell
PS C:\> Get-ADDBKdsRootKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit'
<#
Output:
<# Sample Output:
Id: 6a401799-8dd0-0b2c-3073-beb7ce2e734d
Version: 1
Creation Time: 7/27/2019 6:23:26 PM
@ -59,9 +56,7 @@ Secret Agreement
#>
PS C:\> .\CQDPAPINGPFXDecrypter.exe /pfx Certificate.p12 /master C16A0D16B80307D9CF102C7DB11F69FE015EB0DCD85C2FC0A5005C10E9DB963AC1E18BF161882ABEEAFF1B01CD50076F3C6F7807323253AB9598DBE027A77DD7
<#
Output:
<# Sample Output:
Successfully decrypted password: VBGpKPryuiWBSyq/+CjC0WjNsnZ1xS3Hs6IqGZwa0BM=
#>
```
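Review bot: Example 1 invokes `.\CQDPAPINGPFXDecrypter.exe /pfx Certificate.p12 /master ...` between the two sample-output blocks, but nothing on the page says where that executable comes from or that it is not part of this module; add a sentence or a link before the second command so the example can be followed.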


@ -43,9 +43,9 @@ This cmdlet can be used to display existing key credentials from Active Director
### Example 1
```powershell
PS C:\> Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink |
Select-Object -ExpandProperty msDS-KeyCredentialLink |
Get-KeyCredential
<# Output:
Select-Object -ExpandProperty msDS-KeyCredentialLink |
Get-KeyCredential
<# Sample Output:
Usage Source Flags DeviceId Created HolderDN
----- ------ ----- -------- ------- --------
@ -67,8 +67,7 @@ PS C:\> Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-K
Get-KeyCredential |
Where-Object Usage -eq NGC |
Format-Table -View ROCA
<# Output:
<# Sample Output:
Usage IsWeak Source DeviceId Created HolderDN
----- ------ ------ -------- ------- --------
@ -99,8 +98,7 @@ PS C:\> Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-K
Get-KeyCredential |
Where-Object Usage -eq FIDO |
Format-Table -View FIDO
<# Output:
<# Sample Output:
DisplayName Flags FidoFlags Created HolderDN
----------- ----- --------- ------- --------
@ -128,7 +126,9 @@ Selectively deletes key credentials from Active Directory.
### Example 6
```powershell
PS C:\> $certificateSubject = 'S-1-5-21-1236425271-2880748467-2592687428-1109/13f787d5-4078-47ee-a6e7-b3af92f76c1e/login.windows.net/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/john@contoso.com'
PS C:\> $upn = 'john@contoso.com'
PS C:\> $userSid = 'S-1-5-21-1236425271-2880748467-2592687428-1109'
PS C:\> $certificateSubject = '{0}/{1}/login.windows.net/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/{2}' -f $userSid, (New-Guid), $upn
PS C:\> $certificate = New-SelfSignedCertificate -Subject $certificateSubject `
-KeyLength 2048 `
-Provider 'Microsoft Strong Cryptographic Provider' `
@ -143,6 +143,7 @@ PS C:\> Set-ADObject -Identity $ngcKey.HolderDN -Add @{ 'msDS-KeyCredentialLink'
```
Generates a new NGC key for a user account and registers it in Active Directory.
Note that the value of the certificate Subject has no effect on the functionality, but as it appears in DC logs, this example uses the same format as Windows does.
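Review bot: the rewritten `$certificateSubject` line turns the user SID, device GUID and UPN into variables but still hard-codes `383a3889-5bc9-47a3-846c-2b70f0b7fe0e` after `login.windows.net/`; either make that a variable as well or say in the note under the example that it is a placeholder tenant ID. The note already states that the subject shows up in DC logs; since the example "registers it in Active Directory" via `Set-ADObject ... -Add @{ 'msDS-KeyCredentialLink' ...}`, it is also worth saying that this adds a new logon credential to the account and should be run against a test account.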
### Example 7
```powershell


@ -49,16 +49,148 @@ Get-ADReplAccount -ObjectGuid <Guid> -Server <String> [-Credential <PSCredential
```
## DESCRIPTION
{{Fill in the Description}}
Reads one or more accounts from a target Active Directory domain controller through the MS-DRSR protocol, including secret attributes.
## EXAMPLES
### Example 1
```powershell
PS C:\> {{ Add example code here }}
PS C:\> Get-ADReplAccount -SamAccountName joe -Server 'lon-dc1.contoso.com'
<# Sample Output:
DistinguishedName: CN=Joe Smith,OU=Employees,DC=contoso,DC=com
Sid: S-1-5-21-1236425271-2880748467-2592687428-1110
Guid: 6fb7aca4-fe85-4dc5-9acd-b5b2529fe2bc
SamAccountName: joe
SamAccountType: User
UserPrincipalName: joe@contoso.com
PrimaryGroupId: 513
SidHistory:
Enabled: True
UserAccountControl: NormalAccount, PasswordNeverExpires
AdminCount: False
Deleted: False
LastLogon:
DisplayName: Joe Smith
GivenName: Joe
Surname: Smith
Description:
ServicePrincipalName:
SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited, SelfRelative
Owner: S-1-5-21-1236425271-2880748467-2592687428-512
Secrets
NTHash: 92937945b518814341de3f726500d4ff
LMHash:
NTHashHistory:
Hash 01: 92937945b518814341de3f726500d4ff
LMHashHistory:
Hash 01: 30ce97eef1084cf1656cc4be70d68600
SupplementalCredentials:
ClearText:
NTLMStrongHash: 2c6d57beebeafdae65b3f40f2a0d5430
Kerberos:
Credentials:
DES_CBC_MD5
Key: 7f16bc4ada0b8a52
OldCredentials:
Salt: CONTOSO.COMjoe
Flags: 0
KerberosNew:
Credentials:
AES256_CTS_HMAC_SHA1_96
Key: cd541be0838c787b5c6a34d7b19274aee613545a0e6cc6f5ac5918d8a464d24f
Iterations: 4096
AES128_CTS_HMAC_SHA1_96
Key: 5c88972747bd454704c117ae52c474e4
Iterations: 4096
DES_CBC_MD5
Key: 7f16bc4ada0b8a52
Iterations: 4096
OldCredentials:
OlderCredentials:
ServiceCredentials:
Salt: CONTOSO.COMjoe
DefaultIterationCount: 4096
Flags: 0
WDigest:
Hash 01: 61fed940f0e8d03a49d3727f55800497
Hash 02: a1d54499dda6a6b5431f29a8d741a640
Hash 03: b6cdf00bc0c4578992f718de81251721
Hash 04: 61fed940f0e8d03a49d3727f55800497
Hash 05: a1d54499dda6a6b5431f29a8d741a640
Hash 06: 9a8991bd99763df2e37f1e1e67d71cc8
Hash 07: 61fed940f0e8d03a49d3727f55800497
Hash 08: 8a9fe94883c8ccf3bcfc6591ddd2288f
Hash 09: 8a9fe94883c8ccf3bcfc6591ddd2288f
Hash 10: 1b7b16b49ecd8d9d59c1d0db6fa2cc36
Hash 11: d4c24695cfa4dc3810a469d5efb8ecaf
Hash 12: 8a9fe94883c8ccf3bcfc6591ddd2288f
Hash 13: a5b8aa5088280298c8c27fa99dcaa1e3
Hash 14: d4c24695cfa4dc3810a469d5efb8ecaf
Hash 15: 1aa8e567622fe53d6fb36f1f34f12aaa
Hash 16: 1aa8e567622fe53d6fb36f1f34f12aaa
Hash 17: 2af425244079f8f45927c34fa115e45b
Hash 18: cf283a35102b820e25003b1ddf270221
Hash 19: b98c902c57449253e6f06b5d585866bd
Hash 20: 2a690b1eeda9cb8f3157a4a3ba0be9c3
Hash 21: af2654776d5f9f27f3283ecb0aa25011
Hash 22: af2654776d5f9f27f3283ecb0aa25011
Hash 23: ba6fe0513ed2a60ec253a41bbde6a837
Hash 24: 8bf5a67b598087be948e040f85c72b4d
Hash 25: 8bf5a67b598087be948e040f85c72b4d
Hash 26: aa5ff46d23a5c7ebd603e1793225350d
Hash 27: 656b6a7f5b52d05b3ce9168a2b7ac8ac
Hash 28: ae884c92ecd87e8d54f1844f09c5a519
Hash 29: a500a9e26afc9f817df8a07e15771577
Key Credentials:
Usage=NGC, Source=ActiveDirectory, Device=1966d4da-14da-4581-a7a7-5e8e07e93ad9, Created=8/1/2019 10:53:12 PM, LastLogon=8/1/2019 10:53:12 PM
Usage=NGC, Source=ActiveDirectory, Device=cfe9a872-13ff-4751-a777-aec88c30a762, Created=8/1/2019 11:09:15 PM, LastLogon=8/1/2019 11:09:15 PM
Credential Roaming
Created: 3/12/2017 9:15:56 AM
Modified: 3/13/2017 10:01:18 AM
Credentials:
DPAPIMasterKey: joe\Protect\S-1-5-21-1236425271-2880748467-2592687428-1110\47070660-c259-4d90-8bc9-187605323450
DPAPIMasterKey: joe\Protect\S-1-5-21-1236425271-2880748467-2592687428-1110\7fc19508-7b85-4a7c-9e5d-15f9e00e7ce5
CryptoApiCertificate: joe\SystemCertificates\My\Certificates\574E4687133998544C0095C7B348C52CD398182E
CNGCertificate: joe\SystemCertificates\My\Certificates\3B83BFA7037F6A79B3F3D17D229E1BC097F35B51
RSAPrivateKey: joe\Crypto\RSA\S-1-5-21-1236425271-2880748467-2592687428-1110\701577141985b6923998dcca035c007a_f8b7bbef-d227-4ac7-badd-3a238a7f741e
CNGPrivateKey: joe\Crypto\Keys\E8F13C2BA0209401C4DFE839CD57375E26BBE38F
#>
```
{{ Add example description here }}
Replicates a single Active Directory account from the target domain controller.
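Review bot: the new DESCRIPTION says secret attributes are replicated but neither it nor the Example 1 description ("Replicates a single Active Directory account from the target domain controller") says what rights the calling account needs on the DC for that; add it, since it is the first thing a reader will hit. Minor: the `Key Credentials` lines in the sample output show `Source=ActiveDirectory`, whereas the ROCA table view in Get-ADDBAccount.md shows `AD` in its `Source` column for the same kind of key; if those are two different views that is fine, but worth a check.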
### Example 2
```powershell
PS C:\> $accounts = Get-ADReplAccount -All -Server 'lon-dc1.contoso.com'
```
Replicates all Active Directory accounts from the target domain controller.
### Example 3
```powershell
PS C:\> $results = Get-ADReplAccount -All -Server 'lon-dc1.contoso.com' |
Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt
```
Performs an online credential hygiene audit of AD against HIBP.
### Example 4
```powershell
PS C:\> Get-ADReplAccount -All -Server LON-DC1 |
Format-Custom -View PwDump |
Out-File -FilePath users.pwdump -Encoding ascii
```
Replicates all Active Directory accounts from the target domain controller and exports their NT and LM password hashes to a pwdump file.
### Example 5
```powershell
PS C:\> Get-ADReplBackupKey -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output'
PS C:\> Get-ADReplAccount -All -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output'
```
Replicates all DPAPI backup keys and roamed credentials (certificates, private keys, and DPAPI master keys) from the target Active Directory domain controller and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys.
## PARAMETERS
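Review bot: the examples switch between `'lon-dc1.contoso.com'` (Examples 1 to 3), `LON-DC1` (Example 4) and `'lon-dc1.adatum.com'` (Example 5), while the sample output earlier in the file is for contoso.com; use one domain throughout. "HIBP" in the Example 3 description should be expanded to Have I Been Pwned on first use.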


@ -8,7 +8,7 @@ schema: 2.0.0
# Get-ADReplBackupKey
## SYNOPSIS
Reads the DPAPI backup keys through the MS-DRSR protocol.
Reads the DPAPI backup keys from a domain controller through the MS-DRSR protocol.
## SYNTAX
@ -18,16 +18,67 @@ Get-ADReplBackupKey [-Domain <String>] -Server <String> [-Credential <PSCredenti
```
## DESCRIPTION
{{Fill in the Description}}
Replicates the Data Protection API (DPAPI) backup keys from an Active Directory domain controller through the MS-DRSR protocol. The output can be saved to the file system using the Save-DPAPIBlob cmdlet.
DPAPI is used by several components of Windows to securely store passwords, encryption keys and other sensitive data. When DPAPI is used in an Active Directory domain environment, a copy of user's master key is encrypted with a so-called DPAPI Domain Backup Key that is known to all domain controllers. Windows Server 2000 DCs use a symmetric key and newer systems use a public/private key pair. If the user password is reset and the original master key is rendered inaccessible to the user, the user's access to the master key is automatically restored using the backup key.
## EXAMPLES
### Example 1
### Example 2
```powershell
PS C:\> {{ Add example code here }}
PS C:\> Get-ADReplBackupKey -Server 'lon-dc1.contoso.com'
<# Sample Output:
FilePath : ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key
KiwiCommand :
Type : LegacyKey
DistinguishedName : CN=BCKUPKEY_b116cbfa-b881-43e6-ba85-ef3efa64ba22
Secret,CN=System,DC=contoso,DC=com
KeyId : b116cbfa-b881-43e6-ba85-ef3efa64ba22
Data : {1, 0, 0, 0...}
FilePath :
KiwiCommand :
Type : PreferredLegacyKeyPointer
DistinguishedName : CN=BCKUPKEY_P Secret,CN=System,DC=contoso,DC=com
KeyId : b116cbfa-b881-43e6-ba85-ef3efa64ba22
Data : {250, 203, 22, 177...}
FilePath : ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk
KiwiCommand : REM Add this parameter to at least the first dpapi::masterkey
command: /pvk:"ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk"
Type : RSAKey
DistinguishedName : CN=BCKUPKEY_290914ed-b1a8-482e-a89f-7caa217bf3c3
Secret,CN=System,DC=contoso,DC=com
KeyId : 290914ed-b1a8-482e-a89f-7caa217bf3c3
Data : {2, 0, 0, 0...}
FilePath :
KiwiCommand :
Type : PreferredRSAKeyPointer
DistinguishedName : CN=BCKUPKEY_PREFERRED Secret,CN=System,DC=contoso,DC=com
KeyId : 290914ed-b1a8-482e-a89f-7caa217bf3c3
Data : {237, 20, 9, 41...}
#>
```
{{ Add example description here }}
Replicates all DPAPI backup keys from the target Active Directory domain controller.
### Example 2
```powershell
PS C:\> Get-ADReplBackupKey -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output'
PS C:\> Get-ChildItem -Path '.\Output' | Select-Object -ExpandProperty Name
<# Sample Output:
kiwiscript.txt
ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key
ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.cer
ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pfx
ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk
#>
```
Replicates all DPAPI backup keys from the target Active Directory domain controller and saves them to the Output directory.
## PARAMETERS
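Review bot: at the top of EXAMPLES the hunk shows `### Example 1` replaced by `### Example 2`, and a second `### Example 2` heading precedes the `Save-DPAPIBlob` example further down; if that reading is right, the first heading should be `### Example 1`. The DPAPI background paragraph has the same "a copy of user's master key" nit as in Get-ADDBBackupKey.md.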
@ -47,7 +98,7 @@ Accept wildcard characters: False
```
### -Domain
TODO
Specifies the DNS name of the target Active Directory domain.
```yaml
Type: String


@ -17,21 +17,40 @@ Get-ADSIAccount [-Server <String>] [-Credential <PSCredential>] [<CommonParamete
```
## DESCRIPTION
{{Fill in the Description}}
Gets all Active Directory user accounts from a given domain controller using ADSI/LDAP. Typically used for Credential Roaming data retrieval and NGC key auditing.
## EXAMPLES
### Example 1
```powershell
PS C:\> {{ Add example code here }}
PS C:\> Get-LsaBackupKey -ComputerName 'lon-dc1.contoso.com' | Save-DPAPIBlob -DirectoryPath '.\Output'
PS C:\> Get-ADSIAccount -Server 'lon-dc1.contoso.com' | Save-DPAPIBlob -DirectoryPath '.\Output'
```
{{ Add example description here }}
Retrieves DPAPI backup keys from the target domain controller through the MS-LSAD protocol. Also retrieves roamed credentials (certificates, private keys, and DPAPI master keys) from this domain controller through LDAP and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys.
### Example 2
```powershell
PS C:\> Get-ADSIAccount -Server 'lon-dc1.contoso.com' |
Select-Object -ExpandProperty KeyCredentials |
Where-Object Usage -eq NGC |
Format-Table -View ROCA
<# Sample Output:
Usage IsWeak Source DeviceId Created HolderDN
----- ------ ------ -------- ------- --------
NGC True AzureAD fd591087-245c-4ff5-a5ea-c14de5e2b32d 2017-07-19 CN=John Doe,CN=Users,DC=contoso,DC=com
NGC False AD 1966d4da-14da-4581-a7a7-5e8e07e93ad9 2019-08-01 CN=Jane Doe,CN=Users,DC=contoso,DC=com
#>
```
Lists weak public keys registered in Active Directory that were generated on ROCA-vulnerable TPMs.
## PARAMETERS
### -Credential
{{Fill Credential Description}}
Specifies a user account to use when connecting to the target domain controller. The default is the current user.
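Review bot: the Example 1 description has two consecutive sentences beginning with "Also"; merge them, for instance "... roamed credentials (certificates, private keys, and DPAPI master keys) from the same domain controller through LDAP, and saves everything to the Output directory together with a kiwiscript.txt file containing the mimikatz commands needed to decrypt the private keys." Example 1 also addresses the DC as `-ComputerName` for Get-LsaBackupKey and `-Server` for Get-ADSIAccount; this commit adds the `-ComputerName` alias to Get-ADSIAccount (Aliases hunk below and the CHANGELOG), so using the same name in both commands would read better.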
```yaml
Type: PSCredential
@ -51,7 +70,7 @@ Specifies the target computer for the operation. Enter a fully qualified domain
```yaml
Type: String
Parameter Sets: (All)
Aliases: Host, DomainController, DC
Aliases: Host, DomainController, DC, ComputerName
Required: False
Position: Named
@ -77,5 +96,5 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
[Get-ADDBAccount](Get-ADDBAccount.md)
[Get-ADReplAccount](Get-ADReplAccount.md)
[Test-PasswordQuality](Test-PasswordQuality.md)
[Save-DPAPIBlob](Save-DPAPIBlob.md)
[Save-DPAPIBlob](Save-DPAPIBlob.md)
[Get-ADKeyCredential](Get-ADKeyCredential.md)


@ -32,6 +32,7 @@ The Boot Key is returned in hexadecimal format.
### Example 1
```powershell
PS C:\> Get-BootKey -Online
0be7a2afe1713642182e9b96f73a75da
```
Retrieves the BootKey from the currently running OS.
@ -39,7 +40,7 @@ Retrieves the BootKey from the currently running OS.
### Example 2
```powershell
PS C:\> reg.exe SAVE HKLM\SYSTEM C:\RegBackup\SYSTEM.hiv
PS C:\> Get-BootKey -SystemHiveFilePath C:\RegBackup\SYSTEM.hiv
PS C:\> $key = Get-BootKey -SystemHiveFilePath C:\RegBackup\SYSTEM.hiv
```
Creates a backup of the SYSTEM registry hive and then retrieves the BootKey from this backup.
@ -95,4 +96,4 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
[Get-ADDBBackupKey](Get-ADDBBackupKey.md)
[Set-ADDBAccountPassword](Set-ADDBAccountPassword.md)
[Set-ADDBAccountPasswordHash](Set-ADDBAccountPasswordHash.md)
[Set-ADDBBootKey](Set-ADDBBootKey.md)
[Set-ADDBBootKey](Set-ADDBBootKey.md)


@ -18,13 +18,16 @@ Get-LsaBackupKey [[-ComputerName] <String>] [<CommonParameters>]
## DESCRIPTION
The Data Protection API (DPAPI) is used by several components of Windows to securely store passwords, encryption keys and other sensitive data. When DPAPI is used in an Active Directory domain environment, a copy of user's master key is encrypted with a so-called DPAPI Domain Backup Key that is known to all domain controllers. Windows Server 2000 DCs use a symmetric key and newer systems use a public/private key pair. If the user password is reset and the original master key is rendered inaccessible to the user, the user's access to the master key is automatically restored using the backup key.
Reads the Data Protection API (DPAPI) backup keys from an Active Directory domain controller through the MS-LSAD (AKA LSARPC) protocol. The output can be saved to the file system using the Save-DPAPIBlob cmdlet.
DPAPI is used by several components of Windows to securely store passwords, encryption keys and other sensitive data. When DPAPI is used in an Active Directory domain environment, a copy of user's master key is encrypted with a so-called DPAPI Domain Backup Key that is known to all domain controllers. Windows Server 2000 DCs use a symmetric key and newer systems use a public/private key pair. If the user password is reset and the original master key is rendered inaccessible to the user, the user's access to the master key is automatically restored using the backup key.
## EXAMPLES
### Example 1
```powershell
PS C:\> Get-LsaBackupKey -ComputerName LON-DC1
<# Sample Output:
FilePath : ntds_capi_b1c56a3e-ddf7-41dd-a5f3-44a2ed27a96d.pvk
KiwiCommand : REM Add this parameter to at least the first dpapi::masterkey command:
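Review bot: the new first sentence expands the protocol as "MS-LSAD (AKA LSARPC)", while the Get-ADSIAccount.md Example 1 description in this commit calls it just "the MS-LSAD protocol"; pick one form. Same DPAPI background paragraph, same grammar nit ("a copy of user's master key" should be "a copy of the user's master key").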
@ -40,16 +43,25 @@ Type : LegacyKey
DistinguishedName :
KeyId : 7882b20e-96ef-4ce5-a2b9-3efdccbbce28
Data : {1, 0, 0, 0...}
#>
```
Displays the DPAPI domain backup keys.
### Example 2
```powershell
PS C:\> Get-LsaBackupKey -ComputerName LON-DC1 | Save-DPAPIBlob -DirectoryPath .\
PS C:\> Get-LsaBackupKey -ComputerName LON-DC1 | Save-DPAPIBlob -DirectoryPath '.\Output'
PS C:\> Get-ChildItem -Path '.\Output' | Select-Object -ExpandProperty Name
<# Sample Output:
kiwiscript.txt
ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key
ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.cer
ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pfx
ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk
#>
```
Saves the DPAPI domain backup keys to the working directory.
Saves the DPAPI domain backup keys to the Output directory.
## PARAMETERS


@ -27,12 +27,13 @@ The local security policy of a system is a set of information about the security
### Example 1
```powershell
PS C:\> Get-LSAPolicyInformation
<# Sample Output:
Domain/Workgroup Name : WORKGROUP
Account Domain Name : MYPC
Account Domain SID : S-1-5-21-2814909047-1086830290-2660982408
Local Domain Name : MYPC
Local Domain SID : S-1-5-21-2814909047-1086830290-2660982408
#>
```
Retrieves LSA Policy from the local computer.
@ -40,7 +41,7 @@ Retrieves LSA Policy from the local computer.
### Example 2
```powershell
PS C:\> Get-LSAPolicyInformation -ComputerName LON-DC1
<# Sample Output:
Domain/Workgroup Name : ADATUM
Forest DNS Name : Adatum.com
Domain DNS Name : Adatum.com
@ -50,6 +51,7 @@ Account Domain Name : ADATUM
Account Domain SID : S-1-5-21-3180365339-800773672-3767752645
Local Domain Name : LON-DC1
Local Domain SID : S-1-5-21-2929860833-2984454239-2848460202
#>
```
Retrieves LSA Policy from a remote computer called LON-DC1.


@ -24,13 +24,14 @@ Retrieves the current password policy for a domain through the MS-SAMR protocol.
### Example 1
```powershell
PS C:\> Get-SamPasswordPolicy -Domain CONTOSO -Server LON-DC1
<# Sample Output:
MinPasswordLength : 8
ComplexityEnabled : True
ReversibleEncryptionEnabled : False
MaxPasswordAge : 90.00:00:00.0
MinPasswordAge : 01:00:00
PasswordHistoryCount : 10
#>
```
Queries the LON-DC1 domain controller for default domain password policy.
@ -38,13 +39,14 @@ Queries the LON-DC1 domain controller for default domain password policy.
### Example 2
```powershell
PS C:\> Get-SamPasswordPolicy -Domain Builtin
<# Sample Output:
MinPasswordLength : 0
ComplexityEnabled : False
ReversibleEncryptionEnabled : False
MaxPasswordAge : 42.22:47:31.7437440
MinPasswordAge : 00:00:00
PasswordHistoryCount : 0
#>
```
Queries the local computer for its current password policy.

View File

@ -66,7 +66,7 @@ Physically removes specified object from a ntds.dit file, making it semantically
Reads one or more accounts through the MS-DRSR protocol, including secret attributes.
### [Get-ADReplBackupKey](Get-ADReplBackupKey.md#get-adreplbackupkey)
Reads the DPAPI backup keys through the MS-DRSR protocol.
Reads the DPAPI backup keys from a domain controller through the MS-DRSR protocol.
### [Add-ADReplNgcKey](Add-ADReplNgcKey.md#add-adreplngckey)
Composes and updates the msDS-KeyCredentialLink value on an object through the MS-DRSR protocol.
@ -123,15 +123,23 @@ The output of the [Get-ADDBAccount](Get-ADDBAccount.md#get-addbaccount) and [Get
### Example 1
```powershell
Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key | Format-Custom -View PwDump | Out-File -FilePath users.pwdump -Encoding ascii
PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key |
Format-Custom -View PwDump |
Out-File -FilePath users.pwdump -Encoding ascii
```
Exports NT and LM password hashes from an Active Directory database to a pwdump file.
### Example 2
```powershell
Get-ADReplAccount -All -NamingContext 'DC=adatum,DC=com' -Server LON-DC1 | Format-Custom -View JohnNT | Out-File -FilePath users.txt -Encoding ascii
PS C:\> Get-ADReplAccount -All -Server LON-DC1 |
Format-Custom -View JohnNT |
Out-File -FilePath users.txt -Encoding ascii
```
Replicates all Active Directory accounts from the target domain controller and exports their NT password hashes to a file format that is supported by John the Ripper.
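Review bot: Example 2 drops `-NamingContext 'DC=adatum,DC=com'` from the `Get-ADReplAccount -All -Server LON-DC1` call, but the description still only says "from the target domain controller". State which naming context is replicated when the parameter is omitted (presumably the DC's own domain), otherwise a reader of the old example will not know whether the shortened form is equivalent. Example 1 also references `$key` without showing where it comes from; a one-line `$key = Get-BootKey ...` step, as the Save-DPAPIBlob page does with a literal value, would make it copy-pasteable.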
## Cmdlets for Password Hash Calculation
### [ConvertTo-KerberosKey](ConvertTo-KerberosKey.md#convertto-kerberoskey)
@ -149,7 +157,7 @@ Calculates OrgId hash of a given password. Used by Azure Active Directory Connec
## Cmdlets for Credential Decryption
### [Save-DPAPIBlob](Save-DPAPIBlob.md#save-dpapiblob)
Saves DPAPI and Credential Roaming data returned by the [Get-ADReplBackupKey](Get-ADReplBackupKey.md#get-adreplbackupkey), [Get-ADDBBackupKey](Get-ADDBBackupKey.md#get-addbbackupkey), [Get-ADReplAccount](Get-ADReplAccount.md#get-adreplaccount), [Get-ADDBAccount](Get-ADDBAccount.md#get-addbaccount) and [Get-ADSIAccount](Get-ADSIAccount.md#get-adsiaccount) cmdlets to files for further processing.
Saves DPAPI and Credential Roaming data retrieved from Active Directory to the filesystem for further processing.
### [ConvertFrom-ADManagedPasswordBlob](ConvertFrom-ADManagedPasswordBlob.md#convertfrom-admanagedpasswordblob)
Decodes the value of the msDS-ManagedPassword attribute of a Group Managed Service Account.

View File

@ -8,7 +8,7 @@ schema: 2.0.0
# Save-DPAPIBlob
## SYNOPSIS
Saves DPAPI and Credential Roaming data returned by the Get-ADReplBackupKey, Get-ADDBBackupKey, Get-ADReplAccount, Get-ADDBAccount and Get-ADSIAccount cmdlets to files for further processing.
Saves DPAPI and Credential Roaming data retrieved from Active Directory to the filesystem for further processing.
## SYNTAX
@ -24,20 +24,97 @@ Save-DPAPIBlob -Account <DSAccount> [-DirectoryPath] <String> [<CommonParameters
## DESCRIPTION
This cmdlet saves DPAPI-related data retrieved from Active Directory to a selected directory. It also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys and to decode the certificates.
Supports DPAPI backup keys returned by the Get-ADReplBackupKey, Get-ADDBBackupKey, and Get-LsaBackupKey cmdlets and roamed credentials (certificates, private keys, and DPAPI master keys) returned by the Get-ADReplAccount, Get-ADDBAccount, and Get-ADSIAccount cmdlets.
## EXAMPLES
### Example 1
```powershell
PS C:\> Get-ADDBBackupKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit' `
-BootKey 0be7a2afe1713642182e9b96f73a75da |
Save-DPAPIBlob -DirectoryPath .\Output
PS C:\> Get-ADDBAccount -All `
-DatabasePath '.\ADBackup\Active Directory\ntds.dit' `
-BootKey 0be7a2afe1713642182e9b96f73a75da |
Save-DPAPIBlob -DirectoryPath .\Output
Save-DPAPIBlob -DirectoryPath '.\Output'
PS C:\> Get-ADDBAccount -All -DatabasePath '.\ADBackup\Active Directory\ntds.dit' |
Save-DPAPIBlob -DirectoryPath '.\Output'
PS C:\> Get-ChildItem -Path '.\Output' -Recurse -File |
Foreach-Object { $PSItem.FullName.Replace((Resolve-Path -Path '.\Output'), '') }
<# Sample Output:
\kiwiscript.txt
\ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.cer
\ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.pfx
\ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.pvk
\ntds_legacy_d78736ad-5206-4eda-bfd4-cd10cc49d163.key
\Abbi\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1304\99c6f954ca07d75267f9a369a0bf5cd3_9e75a609-18c7-4c98-8cd0-c34c3aeae423
\Abbi\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1304\ba7577742c7900c29f8e7f8193ca5f6d_9e75a609-18c7-4c98-8cd0-c34c3aeae423
\Abbi\Protect\S-1-5-21-4534338-1127018997-2609994386-1304\eadae2b5-3933-434a-9bcf-804175877104
\Abbi\SystemCertificates\My\Certificates\366004B5FA21294B80B22DA1385F414C70DF611B
\Abbi\SystemCertificates\My\Certificates\6441367E7BF2D4C7DAA1CF27C72D6552F4A48B48
\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\0b0c01d1f2bb6db4cd9496cd5e1214d6_f8b7bbef-d227-4ac7-badd-3a238a7f741e
\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\2907acacb201238bd89fe63b20c6d23b_f8b7bbef-d227-4ac7-badd-3a238a7f741e
\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\701577141985b6923998dcca035c007a_f8b7bbef-d227-4ac7-badd-3a238a7f741e
\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\d881dc8bbed7c3a08f03b01de4b9f45f_f8b7bbef-d227-4ac7-badd-3a238a7f741e
\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\e1b4cc613d831f27c664af17b8f98021_f8b7bbef-d227-4ac7-badd-3a238a7f741e
\Administrator\Protect\S-1-5-21-4534338-1127018997-2609994386-500\47070660-c259-4d90-8bc9-187605323450
\Administrator\Protect\S-1-5-21-4534338-1127018997-2609994386-500\e13655bb-9519-45aa-abf8-a50a7b01317a
\Administrator\SystemCertificates\My\Certificates\01ADA5237C2D2D1F1571247A239CA66B31885389
\Administrator\SystemCertificates\My\Certificates\5479CDDE0747E2CB5DF64F28A9E4AD3266AB27AF
\Administrator\SystemCertificates\My\Certificates\574E4687133998544C0095C7B348C52CD398182E
\Administrator\SystemCertificates\My\Certificates\B422F98237039C9836D24E22E5A92FCEC507EF89
\Administrator\SystemCertificates\My\Certificates\DBE2B5417D56BC061B05B7265A47D3595EEC6A32
\Administrator\SystemCertificates\Request\Certificates\AE1EBACC333E48E80C5DED7D0C644D80417CB6EC
\Lara\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1359\1eceade740dd71b94c3a7333522b9859_9e75a609-18c7-4c98-8cd0-c34c3aeae423
\Lara\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1359\2995fb4c62c9211bc265c89fe1c85061_9e75a609-18c7-4c98-8cd0-c34c3aeae423
\Lara\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1359\3183cd1aef41afc9af73e231607b5266_9e75a609-18c7-4c98-8cd0-c34c3aeae423
\Lara\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1359\4f8bd0d10c208c8d57d2a1babd288a83_9e75a609-18c7-4c98-8cd0-c34c3aeae423
\Lara\Protect\S-1-5-21-4534338-1127018997-2609994386-1359\5f6d65d9-c363-4c78-af8d-034fb80efc5a
\Lara\SystemCertificates\My\Certificates\1307CE05C8247AA08508302431B6A99647FF600E
\Lara\SystemCertificates\My\Certificates\7B0928AF99A3244E73F7F17957ABD5A80818B210
\Lara\SystemCertificates\My\Certificates\90E1D7F90AD73F66F2C8F60120C256D038FD1F2C
\Lara\SystemCertificates\My\Certificates\DB690E9D99D094D3E9746DE484D3050951516E29
\Logan\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1272\fd56f510920bd55b31ff5207eafda8c8_9e75a609-18c7-4c98-8cd0-c34c3aeae423
\Logan\Protect\S-1-5-21-4534338-1127018997-2609994386-1272\9c6cc9e0-b5f8-48f4-a478-305ad77fceab
\Logan\SystemCertificates\My\Certificates\5D7A3A4FE8ADF5A61C5079EB7FDD1507B2753682
#>
PS C:\> Get-Content -Path '.\Output\kiwiscript.txt'
<# Sample Output:
REM Add this parameter to at least the first dpapi::masterkey command: /pvk:"ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk"
dpapi::masterkey /in:"Install\Protect\S-1-5-21-1236425271-2880748467-2592687428-1000\0f2ca69c-c144-4d80-905f-a6bcdfb0d659" /sid:S-1-5-21-1236425271-2880748467-2592687428-1000
dpapi::masterkey /in:"Install\Protect\S-1-5-21-1236425271-2880748467-2592687428-1000\acdad60e-bcc0-48fb-9ceb-7514ca5aa558" /sid:S-1-5-21-1236425271-2880748467-2592687428-1000
dpapi::cng /in:"Install\Crypto\Keys\002F8F86566CEFBC8694EE7F5BB24A5FF2BA2C18"
dpapi::cng /in:"Install\Crypto\Keys\476D927F1B009662D46D785BA58BD8E9DB42F687"
crypto::system /file:"Install\SystemCertificates\My\Certificates\EA4AD6192A82AB059BFA5E774515FDE0DA604160" /export
crypto::system /file:"Install\SystemCertificates\My\Certificates\D6F23BB7BD8C0099DF5F1324507EA0CA3DE7DEAB" /export
dpapi::masterkey /in:"john\Protect\S-1-5-21-1236425271-2880748467-2592687428-1109\bfefb3a6-5cdc-44f9-8521-a31feb3acdb1" /sid:S-1-5-21-1236425271-2880748467-2592687428-1109
dpapi::masterkey /in:"john\Protect\S-1-5-21-1236425271-2880748467-2592687428-1109\c14e7f69-3bf5-4c49-92d8-78d759d74ece" /sid:S-1-5-21-1236425271-2880748467-2592687428-1109
crypto::system /file:"john\SystemCertificates\My\Certificates\AF839B040D1257997A8D83EE71F96918F4C3EA01" /export
dpapi::cng /in:"john\Crypto\Keys\9F95F8E4F381BFFFD22B5EFAA013E53268451310"
dpapi::cng /in:"john\Crypto\Keys\C9ABDF8DC38EA2BA2E20AEC770D91210FF919F87"
crypto::system /file:"john\SystemCertificates\My\Certificates\DEFFADB62EE547CB88973DF664C4DC958E8E64D8" /export
crypto::system /file:"john\SystemCertificates\My\Certificates\49FD324E5CC4A6020AC9D12D4311C7B33393A1C4" /export
crypto::system /file:"john\SystemCertificates\My\Certificates\4E951C29567A261B2E90C94BCCEFAE1FA878A2CB" /export
dpapi::capi /in:"john\Crypto\RSA\S-1-5-21-1236425271-2880748467-2592687428-1109\0581f4e6088649266038726d9f8786a9_edc46440-65c9-41ce-aaeb-73754e0e38c8"
dpapi::capi /in:"john\Crypto\RSA\S-1-5-21-1236425271-2880748467-2592687428-1109\4771dfabcc8ad1ec2c84c489df041fad_edc46440-65c9-41ce-aaeb-73754e0e38c8"
#>
```
Extracts DPAPI backup keys and roamed credentials (certificates, private keys and DPAPI master keys) to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys.
Extracts DPAPI backup keys and roamed credentials (certificates, private keys, and DPAPI master keys) from an Active Directory database file and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys.
### Example 2
```powershell
PS C:\> Get-ADReplBackupKey -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output'
PS C:\> Get-ADReplAccount -All -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output'
```
Replicates all DPAPI backup keys and roamed credentials (certificates, private keys, and DPAPI master keys) from the target Active Directory domain controller and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys.
### Example 3
```powershell
PS C:\> Get-LsaBackupKey -ComputerName 'lon-dc1.contoso.com' | Save-DPAPIBlob -DirectoryPath '.\Output'
PS C:\> Get-ADSIAccount -Server 'lon-dc1.contoso.com' | Save-DPAPIBlob -DirectoryPath '.\Output'
```
Retrieves DPAPI backup keys from the target domain controller through the MS-LSAD protocol. Also retrieves roamed credentials (certificates, private keys, and DPAPI master keys) from this domain controller through LDAP and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys.
## PARAMETERS
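Review bot: the two sample outputs in Example 1 come from different runs and contradict each other. The directory listing shows backup key files named `ntds_capi_4cee80c0-...` / `ntds_legacy_d78736ad-...` and user folders `\Abbi`, `\Administrator`, `\Lara`, `\Logan` under SID `S-1-5-21-4534338-...`, while the `kiwiscript.txt` listing references `ntds_capi_290914ed-...pvk`, folders `Install\...` and `john\...`, and SID `S-1-5-21-1236425271-...`, plus `Crypto\Keys` (CNG) paths that do not appear in the listing above. Regenerate both blocks from the same database so a reader can match each mimikatz command to a file. Separately, the second command in Example 1 now omits `-BootKey` from `Get-ADDBAccount` while the first still passes it to `Get-ADDBBackupKey`; if roamed credentials are readable without the boot key, say so in the DESCRIPTION, otherwise keep the parameter on both calls.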
@ -107,4 +184,5 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
[Get-ADReplBackupKey](Get-ADReplBackupKey.md)
[Get-LsaBackupKey](Get-LsaBackupKey.md)
[Get-ADReplAccount](Get-ADReplAccount.md)
[Get-ADDBAccount](Get-ADDBAccount.md)
[Get-ADDBAccount](Get-ADDBAccount.md)
[Get-ADSIAccount](Get-ADSIAccount.md)

View File

@ -43,7 +43,9 @@ Modifies the primaryGroupId attribute of an account in a ntds.dit file. The most
### Example 1
```powershell
PS C:\> Set-ADDBPrimaryGroup -SamAccountName John -PrimaryGroupId 512 -DatabasePath 'D:\Windows\NTDS\ntds.dit'
PS C:\> Set-ADDBPrimaryGroup -SamAccountName John `
-PrimaryGroupId 512 `
-DatabasePath 'D:\Windows\NTDS\ntds.dit'
```
Moves the account *John* from the default *Domain Users* group to *Domain Admins*.

View File

@ -18,13 +18,20 @@ Set-LsaPolicyInformation -DomainName <String> -DnsDomainName <String> -DnsForest
```
## DESCRIPTION
{{Fill in the Description}}
Configures AD-related Local Security Authority (LSA) Policies of the local or a remote computer.
This functionality is helpful when restoring Active Directory domain controllers (DC) from IFM backups.
Note that running this command against a DC with parameters that do not match the information stored in its local AD database might prevent the target DC from booting ever again.
## EXAMPLES
### Example 1
```powershell
PS C:\> Set-LsaPolicyInformation -DomainName 'ADATUM' -DnsDomainName 'Adatum.com' -DnsForestName 'Adatum.com' -DomainGuid 279b615e-ae79-4c86-a61a-50f687b9f7b8 -DomainSid S-1-5-21-1817670852-3242289776-1304069626
PS C:\> Set-LsaPolicyInformation -DomainName 'ADATUM' `
-DnsDomainName 'Adatum.com' `
-DnsForestName 'Adatum.com' `
-DomainGuid 279b615e-ae79-4c86-a61a-50f687b9f7b8 `
-DomainSid S-1-5-21-1817670852-3242289776-1304069626
```
Configures AD-related LSA Policy Information of the local computer.
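Review bot: the new description warns that mismatched parameters "might prevent the target DC from booting ever again" but gives no way to obtain correct values. Point the reader to `Get-LsaPolicyInformation` (whose output fields map one-to-one onto these parameters) or to `New-ADDBRestoreFromMediaScript`, which this change adds under RELATED LINKS, and consider phrasing the warning as "can render the target DC unbootable" to keep the register consistent with the other pages.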
@ -138,3 +145,5 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
## NOTES
## RELATED LINKS
[New-ADDBRestoreFromMediaScript](New-ADDBRestoreFromMediaScript.md)

View File

@ -25,21 +25,26 @@ Set-SamAccountPasswordHash -Sid <SecurityIdentifier> -NTHash <Byte[]> [-LMHash <
```
## DESCRIPTION
{{Fill in the Description}}
Sets NT and LM password hashes of a user account in a local or remote Security Account Manager (SAM) or Active Directory (AD) database through the SAM Remote Protocol (MS-SAMR).
Note that kerberos AES and DES ekeys of the target account are cleared by this command.
## EXAMPLES
### Example 1
```powershell
PS C:\> {{ Add example code here }}
PS C:\> Set-SamAccountPasswordHash -SamAccountName 'john' `
-Domain CONTOSO `
-NTHash ac5d3227c79791b451eb28fcd9efbfb2 `
-Server 'lon-dc1.contoso.com'
```
{{ Add example description here }}
Resets the NT password hash of the target Active Directory account through the MS-SAMR protocol.
## PARAMETERS
### -Credential
Specify the user account credentials to use to perform this task.
Specifies the user account credentials to be used to perform this task.
The default credentials are the credentials of the currently logged on user.
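Review bot: typo in the new DESCRIPTION line: `kerberos AES and DES ekeys` should read `Kerberos AES and DES keys`. Since the Example 1 description only says the NT hash is reset, add that the account's Kerberos keys are cleared as a side effect, as the DESCRIPTION states; that is the detail an operator needs before running this against a production account.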
```yaml
@ -55,7 +60,7 @@ Accept wildcard characters: False
```
### -Domain
Specify the user's domain.
Specifies the target NetBIOS domain name the target account belongs to.
```yaml
Type: String
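Review bot: the new `-Domain` text repeats "target" ("the target NetBIOS domain name the target account belongs to"). Suggest: "Specifies the NetBIOS name of the domain that the target account belongs to."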
@ -70,7 +75,7 @@ Accept wildcard characters: False
```
### -LMHash
Specify a new LM password hash value in hexadecimal format.
Specifies a new LM password hash value in hexadecimal format.
```yaml
Type: Byte[]
@ -85,7 +90,7 @@ Accept wildcard characters: False
```
### -NTHash
Specify a new NT password hash value in hexadecimal format.
Specifies a new NT password hash value in hexadecimal format.
```yaml
Type: Byte[]
@ -100,7 +105,7 @@ Accept wildcard characters: False
```
### -SamAccountName
Specify user's login.
Specifies user's login.
```yaml
Type: String
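Review bot: the new `-SamAccountName` text is missing its article and is vague ("Specifies user's login."). Suggest: "Specifies the logon name (sAMAccountName) of the target account."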
@ -130,7 +135,7 @@ Accept wildcard characters: False
```
### -Sid
Specify user SID.
Specifies user SID.
```yaml
Type: SecurityIdentifier
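Review bot: same grammar issue as `-SamAccountName`: "Specifies user SID." should read "Specifies the SID of the target account."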
@ -162,3 +167,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
## NOTES
## RELATED LINKS
[Get-ADDBAccount](Get-ADDBAccount.md)
[Get-ADReplAccount](Get-ADReplAccount.md)
[Set-ADDBAccountPasswordHash](Set-ADDBAccountPasswordHash.md)

View File

@ -31,8 +31,8 @@ Although the cmdlet output is formatted in a human readable fashion, it is still
### Example 1
```powershell
PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey acdba64a3929261b04e5270c3ef973cf |
Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v4.txt
<# Sample Output
Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt
<# Sample Output:
Active Directory Password Quality Report
----------------------------------------
@ -93,7 +93,8 @@ Performs an offline credential hygiene audit of AD database against HIBP.
### Example 2
```powershell
PS C:\> $results = Get-ADReplAccount -All -Server LON-DC1 |
Test-PasswordQuality -WeakPasswords 'Pa$$w0rd','April2019' -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v4.txt
Test-PasswordQuality -WeakPasswords 'Pa$$w0rd','April2019' `
-WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt
```
Performs an online credential hygiene audit of AD against HIBP + a custom wordlist.
@ -111,7 +112,7 @@ Performs a dictionary attack against a set of accounts. The Test-PasswordQuality
```powershell
PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key |
where DistinguishedName -like '*OU=Employees,DC=contoso,DC=com' |
Test-PasswordQuality -IncludeDisabledAccounts -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v4.txt
Test-PasswordQuality -IncludeDisabledAccounts -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt
```
Performs an offline credential hygiene audit of a selected OU from AD database against HIBP.
@ -121,7 +122,7 @@ Performs an offline credential hygiene audit of a selected OU from AD database a
PS C:\> $contosoAccounts = Get-ADReplAccount -All -Server LON-DC1.contoso.com
PS C:\> $adatumAccounts = Get-ADReplAccount -All -Server NYC-DC1.adatum.com -Credential (Get-Credential)
PS C:\> $contosoAccounts + $adatumAccounts | Test-PasswordQuality
<# Sample Output (Partial)
<# Sample Output (Partial):
These groups of accounts have the same passwords:
Group 1:

View File

@ -21,7 +21,7 @@ $aboutPagePath = Join-Path $xmlHelpSrcPath 'about_DSInternals.help.txt'
Import-Module -Name platyPS
# Remove any pre-existing XML help
Remove-Item $xmlHelpBuildPath -Recurse
Remove-Item $xmlHelpBuildPath -Recurse -ErrorAction SilentlyContinue
# Load the freshly compiled module to generate the help for
Import-Module -Name $dsInternalsModulePath
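Review bot: `-ErrorAction SilentlyContinue` on `Remove-Item $xmlHelpBuildPath -Recurse` suppresses every error, not just the path-not-found case this change is presumably fixing; a locked or read-only file would be skipped silently and stale XML help would ship in the build. Guard the removal instead, e.g. `if (Test-Path $xmlHelpBuildPath) { Remove-Item $xmlHelpBuildPath -Recurse }`, so real failures still stop the build.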

View File

@ -11,7 +11,7 @@
<projectUrl>https://github.com/MichaelGrafnetter/DSInternals</projectUrl>
<iconUrl>https://raw.githubusercontent.com/MichaelGrafnetter/DSInternals/master/Src/Icons/module_black.png</iconUrl>
<copyright>(c) 2015-2020 Michael Grafnetter. All rights reserved.</copyright>
<licenseUrl>https://github.com/MichaelGrafnetter/DSInternals/blob/master/LICENSE.md</licenseUrl>
<licenseUrl>https://github.com/MichaelGrafnetter/DSInternals/blob/master/Src/DSInternals.PowerShell/License.txt</licenseUrl>
<requireLicenseAcceptance>false</requireLicenseAcceptance>
<projectSourceUrl>https://github.com/MichaelGrafnetter/DSInternals/tree/master/Src</projectSourceUrl>
<docsUrl>https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Readme.md#dsinternals-powershell-module</docsUrl>

View File

@ -10,7 +10,7 @@
#region Parameters
[Parameter(Mandatory = false)]
[ValidateNotNullOrEmpty]
[Alias("Host", "DomainController", "DC")]
[Alias("Host", "DomainController", "DC", "ComputerName")]
public string Server
{
get;
@ -63,4 +63,4 @@
}
}
}
}
}