diff --git a/Documentation/CHANGELOG.md b/Documentation/CHANGELOG.md index 1b514a6..a85eecf 100644 --- a/Documentation/CHANGELOG.md +++ b/Documentation/CHANGELOG.md @@ -9,10 +9,12 @@ All notable changes to this project will be documented in this file. The format - New logo and package icons! - Both [lastLogon](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada1/93258066-276d-4357-8458-981c19caad95) and [lastLogonTimestamp](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada1/530d7194-20f6-4aaa-8d80-9ca6b6350ad6) user account attributes are now exposed. +- The `-Server` parameter of the [Get-ADSIAccount](PowerShell/Get-ADSIAccount.md#get-adsiaccount) cmdlet now has the standard `-ComputerName` alias. ### Changed - The PowerShell module now advertizes `Desktop` as the required edition. Note that *PowerShell Core* is not supported because of heavy dependency on Win32 API. +- Major [PowerShell module documentation](PowerShell/Readme.md#directory-services-internals-powershell-module) improvements. ## [4.2] - 2020-03-18 diff --git a/Documentation/PowerShell/Add-ADDBSidHistory.md b/Documentation/PowerShell/Add-ADDBSidHistory.md index ae1cfcb..f064515 100644 --- a/Documentation/PowerShell/Add-ADDBSidHistory.md +++ b/Documentation/PowerShell/Add-ADDBSidHistory.md @@ -46,7 +46,10 @@ Note that the Active Directory Migration Tool (ADMT) is the only supported way o ### Example 1 ```powershell PS C:\> Stop-Service -Name ntds -Force -PS C:\> Add-ADDBSidHistory -SamAccountName John -SidHistory S-1-5-21-3623811102-3361044346-30300840-512,S-1-5-21-3623811102-3361044346-30300840-519 -DBPath C:\Windows\NTDS\ntds.dit +PS C:\> Add-ADDBSidHistory -SamAccountName John ` + -SidHistory 'S-1-5-21-3623811102-3361044346-30300840-512', + 'S-1-5-21-3623811102-3361044346-30300840-519' ` + -DatabasePath C:\Windows\NTDS\ntds.dit PS C:\> Start-Service -Name ntds ``` 
@@ -54,7 +57,7 @@ Adds the SIDs of the *Domain Admins* and *Enterprise Admins* groups into user *J ### Example 2 ```powershell -PS C:\> Import-Csv user.csv | Add-ADDBSidHistory -DBPath C:\Windows\NTDS\ntds.dit +PS C:\> Import-Csv user.csv | Add-ADDBSidHistory -DatabasePath C:\Windows\NTDS\ntds.dit ``` Imports a CSV file containing *SamAccountName* and *SidHistory* columns into a nds.dit file. diff --git a/Documentation/PowerShell/ConvertFrom-ADManagedPasswordBlob.md b/Documentation/PowerShell/ConvertFrom-ADManagedPasswordBlob.md index f89957f..6ce310a 100644 --- a/Documentation/PowerShell/ConvertFrom-ADManagedPasswordBlob.md +++ b/Documentation/PowerShell/ConvertFrom-ADManagedPasswordBlob.md @@ -27,11 +27,13 @@ The password is actually a cryptographically generated array of 256 bytes that i ```powershell PS C:\> $gmsa = Get-ADServiceAccount -Identity 'SQL_HQ_Primary' -Properties 'msDS-ManagedPassword' PS C:\> ConvertFrom-ADManagedPasswordBlob -Blob $gmsa.'msDS-ManagedPassword' +<# Sample Output: Version : 1 CurrentPassword : 湤ୟɰ橣낔饔ᦺ几᧾ʞꈠ⿕ՔὬ랭뷾햾咶郸�렇ͧ퀟᝘럓몚ꬶ佩䎖∘Ǐ㦗ן뱷鼹⽩Ⲃ⫝咽㠅E䠹鸞왶婰鞪 PreviousPassword : QueryPasswordInterval : 29.17:15:36.3736817 UnchangedPasswordInterval : 29.17:10:36.3736817 +#> ``` Decodes the managed password information from a group-managed service account (GMSA) called *SQL_HQ_Primary*. The user retrieving the managed password needs to be listed in the *PrincipalsAllowedToRetrieveManagedPassword* property of the GMSA. diff --git a/Documentation/PowerShell/ConvertTo-KerberosKey.md b/Documentation/PowerShell/ConvertTo-KerberosKey.md index 17d72d9..5c53cae 100644 --- a/Documentation/PowerShell/ConvertTo-KerberosKey.md +++ b/Documentation/PowerShell/ConvertTo-KerberosKey.md 
@@ -25,6 +25,7 @@ Supports the derivation of AES256, AES128 and DES encryption keys. To calculate ```powershell PS C:\> $pwd = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force PS C:\> ConvertTo-KerberosKey -Password $pwd -Salt 'CONTOSO.COMAdministrator' +<# Sample Output: AES256_CTS_HMAC_SHA1_96 Key: 660e61042b190b5724c62bb473facca12058fb9ad3c03c0d2809f839c0352502 @@ -37,6 +38,7 @@ AES128_CTS_HMAC_SHA1_96 DES_CBC_MD5 Key: aed02c52204ca2ce Iterations: 4096 +#> ``` Applies 3 different kerberos key derivation functions to the specified password and salt. diff --git a/Documentation/PowerShell/ConvertTo-OrgIdHash.md b/Documentation/PowerShell/ConvertTo-OrgIdHash.md index 31005cb..f830f6e 100644 --- a/Documentation/PowerShell/ConvertTo-OrgIdHash.md +++ b/Documentation/PowerShell/ConvertTo-OrgIdHash.md @@ -31,7 +31,9 @@ The OrgId hash is defined as PBKDF2( UTF-16( ToUpper( ToHex( MD4( UTF-16(plainte ```powershell PS C:\> $pwd = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force PS C:\> ConvertTo-OrgIdHash -Password $pwd +<# Sample Output: v1;PPH1_MD4,60eaffd2c886b419df7a,1000,ab9c532104713157395a70da85cc8a1b418508753c6997f02341d541328ef16b; +#> ``` Calculates the OrgId hash from a cleartext password using a random salt. @@ -39,7 +41,9 @@ Calculates the OrgId hash from a cleartext password using a random salt. ### Example 2 ```powershell PS C:\> ConvertTo-OrgIdHash -NTHash 92937945b518814341de3f726500d4ff +<# Sample Output: v1;PPH1_MD4,46c0c5d9095185ce5cf8,1000,6bb7b360d9105ed5157460b343d5d143e465a59195bc9b568718268c334ea4a9; +#> ``` Calculates the OrgId hash from a NT hash while using a random salt. 
@@ -47,7 +51,9 @@ Calculates the OrgId hash from a NT hash while using a random salt. ### Example 3 ```powershell PS C:\> ConvertTo-OrgIdHash -NTHash 92937945b518814341de3f726500d4ff -Salt a42b92067e4b8123101a +<# Sample Output: v1;PPH1_MD4,a42b92067e4b8123101a,1000,f0fc762ea9051ef754652becd83ee5e54c1c857c1c0965abac5d85de9c143911; +#> ``` Calculates the OrgId hash from a NT hash while using the given salt. diff --git a/Documentation/PowerShell/Get-ADDBAccount.md b/Documentation/PowerShell/Get-ADDBAccount.md index b701ce3..bc0cf44 100644 --- a/Documentation/PowerShell/Get-ADDBAccount.md +++ b/Documentation/PowerShell/Get-ADDBAccount.md @@ -42,14 +42,16 @@ Get-ADDBAccount [-BootKey ] -ObjectGuid -DatabasePath [- ``` ## DESCRIPTION -{{Fill in the Description}} + +Reads one or more accounts from an Active Directory database file. When provided with a boot key (AKA SysKey or system key), it also decrypts secret attributes. ## EXAMPLES ### Example 1 ```powershell -PS C:\> Get-ADDBAccount -SamAccountName Administrator -DatabasePath 'C:\IFM Backup\Active Directory\ntds.dit' - +PS C:\> Get-ADDBAccount -SamAccountName Administrator ` + -DatabasePath 'C:\IFM Backup\Active Directory\ntds.dit' +<# Sample Output: DistinguishedName: CN=Administrator,CN=Users,DC=contoso,DC=com Sid: S-1-5-21-1236425271-2880748467-2592687428-500 Guid: b3d02974-6b1c-484c-9103-fd2f60d592c4 @@ -81,6 +83,7 @@ Credential Roaming Created: Modified: Credentials: +#> ``` Retrieves information about a single account from an Active Directory database. Secret attributes are not decrypted as no boot key is provided. 
@@ -91,7 +94,7 @@ PS C:\> $key = Get-BootKey -SystemHiveFilePath 'C:\IFM Backup\registry\SYSTEM' PS C:\> Get-ADDBAccount -DistinguishedName: 'CN=Joe Smith,OU=Employees,DC=contoso,DC=com' ` -BootKey $key ` -DatabasePath 'C:\IFM Backup\Active Directory\ntds.dit' - +<# Sample Output: DistinguishedName: CN=Joe Smith,OU=Employees,DC=contoso,DC=com Sid: S-1-5-21-1236425271-2880748467-2592687428-1110 Guid: 6fb7aca4-fe85-4dc5-9acd-b5b2529fe2bc 
@@ -189,10 +192,69 @@ Credential Roaming CNGCertificate: joe\SystemCertificates\My\Certificates\3B83BFA7037F6A79B3F3D17D229E1BC097F35B51 RSAPrivateKey: joe\Crypto\RSA\S-1-5-21-1236425271-2880748467-2592687428-1110\701577141985b6923998dcca035c007a_f8b7bbef-d227-4ac7-badd-3a238a7f741e CNGPrivateKey: joe\Crypto\Keys\E8F13C2BA0209401C4DFE839CD57375E26BBE38F +#> ``` Retrieves information about a single account from an Active Directory database. Secret attributes are decrypted using the provided boot key. +### Example 3 +```powershell +PS C:\> $results = Get-ADDBAccount -DatabasePath '.\Active Directory\ntds.dit' ` + -BootKey acdba64a3929261b04e5270c3ef973cf ` + -All | + Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt +``` + +Performs an offline credential hygiene audit of AD database against HIBP. + +### Example 4 +```powershell +PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key | + Format-Custom -View PwDump | + Out-File -FilePath users.pwdump -Encoding ascii +``` + +Exports NT and LM password hashes from an Active Directory database to a pwdump file. + +### Example 5 +```powershell +PS C:\> Get-ADDBBackupKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit' ` + -BootKey 0be7a2afe1713642182e9b96f73a75da | + Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ADDBAccount -All -DatabasePath '.\ADBackup\Active Directory\ntds.dit' | + Save-DPAPIBlob -DirectoryPath '.\Output' +``` + +Extracts DPAPI backup keys and roamed credentials (certificates, private keys, and DPAPI master keys) from an Active Directory database file and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys. 
+ +### Example 6 +```powershell +PS C:\> Get-ADDBAccount -All -DatabasePath '.\ADBackup\Active Directory\ntds.dit' | + Select-Object -ExpandProperty KeyCredentials | + Where-Object Usage -eq NGC | + Format-Table -View ROCA +<# Sample Output: + +Usage IsWeak Source DeviceId Created HolderDN +----- ------ ------ -------- ------- -------- +NGC True AzureAD fd591087-245c-4ff5-a5ea-c14de5e2b32d 2017-07-19 CN=John Doe,CN=Users,DC=contoso,DC=com +NGC False AD 1966d4da-14da-4581-a7a7-5e8e07e93ad9 2019-08-01 CN=Jane Doe,CN=Users,DC=contoso,DC=com +#> +``` + +Lists weak public keys registered in Active Directory that were generated on ROCA-vulnerable TPMs. + +### Example 7 +```powershell +PS C:\> $dc = Get-ADDBDomainController -DatabasePath '.\ADBackup\Active Directory\ntds.dit' +PS C:\> $adminSid = '{0}-500' -f $dc.DomainSid +PS C:\> $account = Get-ADDBAccount -Sid $adminSid ` + -DatabasePath '.\ADBackup\Active Directory\ntds.dit' ` + -BootKey 0be7a2afe1713642182e9b96f73a75da +``` + +Retrieves information about a the the built-in Administrator account, even if it was renamed. + ## PARAMETERS ### -All @@ -339,3 +401,4 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable [Get-ADSIAccount](Get-ADSIAccount.md) [Test-PasswordQuality](Test-PasswordQuality.md) [Save-DPAPIBlob](Save-DPAPIBlob.md) +[Get-ADKeyCredential](Get-ADKeyCredential.md) diff --git a/Documentation/PowerShell/Get-ADDBBackupKey.md b/Documentation/PowerShell/Get-ADDBBackupKey.md index 3e96027..d95b860 100644 --- a/Documentation/PowerShell/Get-ADDBBackupKey.md +++ b/Documentation/PowerShell/Get-ADDBBackupKey.md 
@@ -17,16 +17,71 @@ Get-ADDBBackupKey -BootKey -DatabasePath [-LogPath ] [ ``` ## DESCRIPTION -{{Fill in the Description}} + +Reads and decrypts Data Protection API (DPAPI) backup keys from an Active Directory database file. The output can be saved to the file system using the Save-DPAPIBlob cmdlet. + +DPAPI is used by several components of Windows to securely store passwords, encryption keys and other sensitive data. When DPAPI is used in an Active Directory domain environment, a copy of user's master key is encrypted with a so-called DPAPI Domain Backup Key that is known to all domain controllers. Windows Server 2000 DCs use a symmetric key and newer systems use a public/private key pair. If the user password is reset and the original master key is rendered inaccessible to the user, the user's access to the master key is automatically restored using the backup key. ## EXAMPLES ### Example 1 ```powershell -PS C:\> {{ Add example code here }} +PS C:\> $key = Get-BootKey -SystemHiveFilePath '.\ADBackup\registry\SYSTEM' +PS C:\> Get-ADDBBackupKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit' ` + -BootKey $key | Format-List +<# Sample Output: + +FilePath : ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key +KiwiCommand : +Type : LegacyKey +DistinguishedName : CN=BCKUPKEY_b116cbfa-b881-43e6-ba85-ef3efa64ba22 + Secret,CN=System,DC=contoso,DC=com +KeyId : b116cbfa-b881-43e6-ba85-ef3efa64ba22 +Data : {1, 0, 0, 0...} + +FilePath : +KiwiCommand : +Type : PreferredLegacyKeyPointer +DistinguishedName : CN=BCKUPKEY_P Secret,CN=System,DC=contoso,DC=com +KeyId : b116cbfa-b881-43e6-ba85-ef3efa64ba22 +Data : {250, 203, 22, 177...} + +FilePath : ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk +KiwiCommand : REM Add this parameter to at least the first dpapi::masterkey + command: /pvk:"ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk" +Type : RSAKey +DistinguishedName : CN=BCKUPKEY_290914ed-b1a8-482e-a89f-7caa217bf3c3 + Secret,CN=System,DC=contoso,DC=com +KeyId : 
290914ed-b1a8-482e-a89f-7caa217bf3c3 +Data : {2, 0, 0, 0...} + +FilePath : +KiwiCommand : +Type : PreferredRSAKeyPointer +DistinguishedName : CN=BCKUPKEY_PREFERRED Secret,CN=System,DC=contoso,DC=com +KeyId : 290914ed-b1a8-482e-a89f-7caa217bf3c3 +Data : {237, 20, 9, 41...} +#> ``` -{{ Add example description here }} +Extracts the boot key (AKA SysKey or system key) from a backup of the SYSTEM registry hive and decrypts all DPAPI backup keys stored in the an Active Directory database file. + +### Example 2 +```powershell +PS C:\> Get-ADDBBackupKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit' ` + -BootKey 0be7a2afe1713642182e9b96f73a75da | + Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ChildItem -Path '.\Output' | Select-Object -ExpandProperty Name +<# Sample Output: +kiwiscript.txt +ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key +ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.cer +ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pfx +ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk +#> +``` + +Exports DPAPI backup keys to the Output directory. ## PARAMETERS @@ -92,3 +147,4 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable [Save-DPAPIBlob](Save-DPAPIBlob.md) [Get-ADReplBackupKey](Get-ADReplBackupKey.md) +[Get-LsaBackupKey](Get-LsaBackupKey.md) diff --git a/Documentation/PowerShell/Get-ADDBDomainController.md b/Documentation/PowerShell/Get-ADDBDomainController.md index bd7288c..a1b0327 100644 --- a/Documentation/PowerShell/Get-ADDBDomainController.md +++ b/Documentation/PowerShell/Get-ADDBDomainController.md @@ -25,7 +25,6 @@ Reads domain controller (DC) infromation from a ntds.dit file that is either ret ### Example 1 ```powershell PS C:\> Get-ADDBDomainController -DatabasePath .\ntds.dit - <# Sample Output: Name : LON-DC1 DNSHostName : LON-DC1.contoso.com diff --git a/Documentation/PowerShell/Get-ADDBKdsRootKey.md b/Documentation/PowerShell/Get-ADDBKdsRootKey.md index aed87d5..2a113af 100644 
--- a/Documentation/PowerShell/Get-ADDBKdsRootKey.md +++ b/Documentation/PowerShell/Get-ADDBKdsRootKey.md @@ -29,10 +29,7 @@ KDS Root Keys are used to encrypt the following: ### Example 1 ```powershell PS C:\> Get-ADDBKdsRootKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit' - -<# -Output: - +<# Sample Output: Id: 6a401799-8dd0-0b2c-3073-beb7ce2e734d Version: 1 Creation Time: 7/27/2019 6:23:26 PM @@ -59,9 +56,7 @@ Secret Agreement #> PS C:\> .\CQDPAPINGPFXDecrypter.exe /pfx Certificate.p12 /master C16A0D16B80307D9CF102C7DB11F69FE015EB0DCD85C2FC0A5005C10E9DB963AC1E18BF161882ABEEAFF1B01CD50076F3C6F7807323253AB9598DBE027A77DD7 - -<# -Output: +<# Sample Output: Successfully decrypted password: VBGpKPryuiWBSyq/+CjC0WjNsnZ1xS3Hs6IqGZwa0BM= #> ``` diff --git a/Documentation/PowerShell/Get-ADKeyCredential.md b/Documentation/PowerShell/Get-ADKeyCredential.md index 0d12e70..78bbe89 100644 --- a/Documentation/PowerShell/Get-ADKeyCredential.md +++ b/Documentation/PowerShell/Get-ADKeyCredential.md @@ -43,9 +43,9 @@ This cmdlet can be used to display existing key credentials from Active Director ### Example 1 ```powershell PS C:\> Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink | - Select-Object -ExpandProperty msDS-KeyCredentialLink | - Get-KeyCredential -<# Output: + Select-Object -ExpandProperty msDS-KeyCredentialLink | + Get-KeyCredential +<# Sample Output: Usage Source Flags DeviceId Created HolderDN ----- ------ ----- -------- ------- -------- @@ -67,8 +67,7 @@ PS C:\> Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-K Get-KeyCredential | Where-Object Usage -eq NGC | Format-Table -View ROCA - -<# Output: +<# Sample Output: Usage IsWeak Source DeviceId Created HolderDN ----- ------ ------ -------- ------- -------- 
@@ -99,8 +98,7 @@ PS C:\> Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-K Get-KeyCredential | Where-Object Usage -eq FIDO | Format-Table -View FIDO - -<# Output: +<# Sample Output: DisplayName Flags FidoFlags Created HolderDN ----------- ----- --------- ------- -------- @@ -128,7 +126,9 @@ Selectively deletes key credentials from Active Directory. ### Example 6 ```powershell -PS C:\> $certificateSubject = 'S-1-5-21-1236425271-2880748467-2592687428-1109/13f787d5-4078-47ee-a6e7-b3af92f76c1e/login.windows.net/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/john@contoso.com' +PS C:\> $upn = 'john@contoso.com' +PS C:\> $userSid = 'S-1-5-21-1236425271-2880748467-2592687428-1109' +PS C:\> $certificateSubject = '{0}/{1}/login.windows.net/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/{2}' -f $userSid, (New-Guid), $upn PS C:\> $certificate = New-SelfSignedCertificate -Subject $certificateSubject ` -KeyLength 2048 ` -Provider 'Microsoft Strong Cryptographic Provider' ` @@ -143,6 +143,7 @@ PS C:\> Set-ADObject -Identity $ngcKey.HolderDN -Add @{ 'msDS-KeyCredentialLink' ``` Generates a new NGC key for a user account and registers it in Active Directory. +Note that the value of the certificate Subject has no effect on the functionality, but as it appears in DC logs, this example uses the same format as Windows does. ### Example 7 ```powershell diff --git a/Documentation/PowerShell/Get-ADReplAccount.md b/Documentation/PowerShell/Get-ADReplAccount.md index 9f85126..45990a7 100644 --- a/Documentation/PowerShell/Get-ADReplAccount.md +++ b/Documentation/PowerShell/Get-ADReplAccount.md 
@@ -49,16 +49,148 @@ Get-ADReplAccount -ObjectGuid -Server [-Credential {{ Add example code here }} +PS C:\> Get-ADReplAccount -SamAccountName joe -Server 'lon-dc1.contoso.com' +<# Sample Output: +DistinguishedName: CN=Joe Smith,OU=Employees,DC=contoso,DC=com +Sid: S-1-5-21-1236425271-2880748467-2592687428-1110 +Guid: 6fb7aca4-fe85-4dc5-9acd-b5b2529fe2bc +SamAccountName: joe +SamAccountType: User +UserPrincipalName: joe@contoso.com +PrimaryGroupId: 513 +SidHistory: +Enabled: True +UserAccountControl: NormalAccount, PasswordNeverExpires +AdminCount: False +Deleted: False +LastLogon: +DisplayName: Joe Smith +GivenName: Joe +Surname: Smith +Description: +ServicePrincipalName: +SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited, SelfRelative +Owner: S-1-5-21-1236425271-2880748467-2592687428-512 +Secrets + NTHash: 92937945b518814341de3f726500d4ff + LMHash: + NTHashHistory: + Hash 01: 92937945b518814341de3f726500d4ff + LMHashHistory: + Hash 01: 30ce97eef1084cf1656cc4be70d68600 + SupplementalCredentials: + ClearText: + NTLMStrongHash: 2c6d57beebeafdae65b3f40f2a0d5430 + Kerberos: + Credentials: + DES_CBC_MD5 + Key: 7f16bc4ada0b8a52 + OldCredentials: + Salt: CONTOSO.COMjoe + Flags: 0 + KerberosNew: + Credentials: + AES256_CTS_HMAC_SHA1_96 + Key: cd541be0838c787b5c6a34d7b19274aee613545a0e6cc6f5ac5918d8a464d24f + Iterations: 4096 + AES128_CTS_HMAC_SHA1_96 + Key: 5c88972747bd454704c117ae52c474e4 + Iterations: 4096 + DES_CBC_MD5 + Key: 7f16bc4ada0b8a52 + Iterations: 4096 + OldCredentials: + OlderCredentials: + ServiceCredentials: + Salt: CONTOSO.COMjoe + DefaultIterationCount: 4096 + Flags: 0 + WDigest: + Hash 01: 61fed940f0e8d03a49d3727f55800497 + Hash 02: a1d54499dda6a6b5431f29a8d741a640 + Hash 03: b6cdf00bc0c4578992f718de81251721 + Hash 04: 61fed940f0e8d03a49d3727f55800497 + Hash 05: a1d54499dda6a6b5431f29a8d741a640 + Hash 06: 9a8991bd99763df2e37f1e1e67d71cc8 + Hash 07: 61fed940f0e8d03a49d3727f55800497 + Hash 
08: 8a9fe94883c8ccf3bcfc6591ddd2288f + Hash 09: 8a9fe94883c8ccf3bcfc6591ddd2288f + Hash 10: 1b7b16b49ecd8d9d59c1d0db6fa2cc36 + Hash 11: d4c24695cfa4dc3810a469d5efb8ecaf + Hash 12: 8a9fe94883c8ccf3bcfc6591ddd2288f + Hash 13: a5b8aa5088280298c8c27fa99dcaa1e3 + Hash 14: d4c24695cfa4dc3810a469d5efb8ecaf + Hash 15: 1aa8e567622fe53d6fb36f1f34f12aaa + Hash 16: 1aa8e567622fe53d6fb36f1f34f12aaa + Hash 17: 2af425244079f8f45927c34fa115e45b + Hash 18: cf283a35102b820e25003b1ddf270221 + Hash 19: b98c902c57449253e6f06b5d585866bd + Hash 20: 2a690b1eeda9cb8f3157a4a3ba0be9c3 + Hash 21: af2654776d5f9f27f3283ecb0aa25011 + Hash 22: af2654776d5f9f27f3283ecb0aa25011 + Hash 23: ba6fe0513ed2a60ec253a41bbde6a837 + Hash 24: 8bf5a67b598087be948e040f85c72b4d + Hash 25: 8bf5a67b598087be948e040f85c72b4d + Hash 26: aa5ff46d23a5c7ebd603e1793225350d + Hash 27: 656b6a7f5b52d05b3ce9168a2b7ac8ac + Hash 28: ae884c92ecd87e8d54f1844f09c5a519 + Hash 29: a500a9e26afc9f817df8a07e15771577 +Key Credentials: + Usage=NGC, Source=ActiveDirectory, Device=1966d4da-14da-4581-a7a7-5e8e07e93ad9, Created=8/1/2019 10:53:12 PM, LastLogon=8/1/2019 10:53:12 PM + Usage=NGC, Source=ActiveDirectory, Device=cfe9a872-13ff-4751-a777-aec88c30a762, Created=8/1/2019 11:09:15 PM, LastLogon=8/1/2019 11:09:15 PM +Credential Roaming + Created: 3/12/2017 9:15:56 AM + Modified: 3/13/2017 10:01:18 AM + Credentials: + DPAPIMasterKey: joe\Protect\S-1-5-21-1236425271-2880748467-2592687428-1110\47070660-c259-4d90-8bc9-187605323450 + DPAPIMasterKey: joe\Protect\S-1-5-21-1236425271-2880748467-2592687428-1110\7fc19508-7b85-4a7c-9e5d-15f9e00e7ce5 + CryptoApiCertificate: joe\SystemCertificates\My\Certificates\574E4687133998544C0095C7B348C52CD398182E + CNGCertificate: joe\SystemCertificates\My\Certificates\3B83BFA7037F6A79B3F3D17D229E1BC097F35B51 + RSAPrivateKey: joe\Crypto\RSA\S-1-5-21-1236425271-2880748467-2592687428-1110\701577141985b6923998dcca035c007a_f8b7bbef-d227-4ac7-badd-3a238a7f741e + CNGPrivateKey: 
joe\Crypto\Keys\E8F13C2BA0209401C4DFE839CD57375E26BBE38F +#> ``` -{{ Add example description here }} +Replicates a single Active Directory account from the target domain controller. + +### Example 2 +```powershell +PS C:\> $accounts = Get-ADReplAccount -All -Server 'lon-dc1.contoso.com' +``` + +Replicates all Active Directory accounts from the target domain controller. + +### Example 3 +```powershell +PS C:\> $results = Get-ADReplAccount -All -Server 'lon-dc1.contoso.com' | + Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt +``` + +Performs an online credential hygiene audit of AD against HIBP. + +### Example 4 + +```powershell +PS C:\> Get-ADReplAccount -All -Server LON-DC1 | + Format-Custom -View PwDump | + Out-File -FilePath users.pwdump -Encoding ascii +``` + +Replicates all Active Directory accounts from the target domain controller and exports their NT and LM password hashes to a pwdump file. + +### Example 5 +```powershell +PS C:\> Get-ADReplBackupKey -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ADReplAccount -All -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output' +``` + +Replicates all DPAPI backup keys and roamed credentials (certificates, private keys, and DPAPI master keys) from the target Active Directory domain controller and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys. ## PARAMETERS diff --git a/Documentation/PowerShell/Get-ADReplBackupKey.md b/Documentation/PowerShell/Get-ADReplBackupKey.md index 0c58d84..4690b43 100644 --- a/Documentation/PowerShell/Get-ADReplBackupKey.md +++ b/Documentation/PowerShell/Get-ADReplBackupKey.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Get-ADReplBackupKey ## SYNOPSIS -Reads the DPAPI backup keys through the MS-DRSR protocol. +Reads the DPAPI backup keys from a domain controller through the MS-DRSR protocol. ## SYNTAX 
@@ -18,16 +18,67 @@ Get-ADReplBackupKey [-Domain ] -Server [-Credential {{ Add example code here }} +PS C:\> Get-ADReplBackupKey -Server 'lon-dc1.contoso.com' +<# Sample Output: + +FilePath : ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key +KiwiCommand : +Type : LegacyKey +DistinguishedName : CN=BCKUPKEY_b116cbfa-b881-43e6-ba85-ef3efa64ba22 + Secret,CN=System,DC=contoso,DC=com +KeyId : b116cbfa-b881-43e6-ba85-ef3efa64ba22 +Data : {1, 0, 0, 0...} + +FilePath : +KiwiCommand : +Type : PreferredLegacyKeyPointer +DistinguishedName : CN=BCKUPKEY_P Secret,CN=System,DC=contoso,DC=com +KeyId : b116cbfa-b881-43e6-ba85-ef3efa64ba22 +Data : {250, 203, 22, 177...} + +FilePath : ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk +KiwiCommand : REM Add this parameter to at least the first dpapi::masterkey + command: /pvk:"ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk" +Type : RSAKey +DistinguishedName : CN=BCKUPKEY_290914ed-b1a8-482e-a89f-7caa217bf3c3 + Secret,CN=System,DC=contoso,DC=com +KeyId : 290914ed-b1a8-482e-a89f-7caa217bf3c3 +Data : {2, 0, 0, 0...} + +FilePath : +KiwiCommand : +Type : PreferredRSAKeyPointer +DistinguishedName : CN=BCKUPKEY_PREFERRED Secret,CN=System,DC=contoso,DC=com +KeyId : 290914ed-b1a8-482e-a89f-7caa217bf3c3 +Data : {237, 20, 9, 41...} +#> ``` -{{ Add example description here }} +Replicates all DPAPI backup keys from the target Active Directory domain controller. 
+ +### Example 2 +```powershell +PS C:\> Get-ADReplBackupKey -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ChildItem -Path '.\Output' | Select-Object -ExpandProperty Name +<# Sample Output: +kiwiscript.txt +ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key +ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.cer +ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pfx +ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk +#> +``` + +Replicates all DPAPI backup keys from the target Active Directory domain controller and saves them to the Output directory. ## PARAMETERS @@ -47,7 +98,7 @@ Accept wildcard characters: False ``` ### -Domain -TODO +Specifies the DNS name of the target Active Directory domain. ```yaml Type: String diff --git a/Documentation/PowerShell/Get-ADSIAccount.md b/Documentation/PowerShell/Get-ADSIAccount.md index ee90693..26c9271 100644 --- a/Documentation/PowerShell/Get-ADSIAccount.md +++ b/Documentation/PowerShell/Get-ADSIAccount.md 
@@ -17,21 +17,40 @@ Get-ADSIAccount [-Server ] [-Credential ] [ {{ Add example code here }} +PS C:\> Get-LsaBackupKey -ComputerName 'lon-dc1.contoso.com' | Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ADSIAccount -Server 'lon-dc1.contoso.com' | Save-DPAPIBlob -DirectoryPath '.\Output' ``` -{{ Add example description here }} +Retrieves DPAPI backup keys from the target domain controller through the MS-LSAD protocol. Also retrieves roamed credentials (certificates, private keys, and DPAPI master keys) from this domain controller through LDAP and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys. + +### Example 2 +```powershell +PS C:\> Get-ADSIAccount -Server 'lon-dc1.contoso.com' | + Select-Object -ExpandProperty KeyCredentials | + Where-Object Usage -eq NGC | + Format-Table -View ROCA +<# Sample Output: + +Usage IsWeak Source DeviceId Created HolderDN +----- ------ ------ -------- ------- -------- +NGC True AzureAD fd591087-245c-4ff5-a5ea-c14de5e2b32d 2017-07-19 CN=John Doe,CN=Users,DC=contoso,DC=com +NGC False AD 1966d4da-14da-4581-a7a7-5e8e07e93ad9 2019-08-01 CN=Jane Doe,CN=Users,DC=contoso,DC=com +#> +``` + +Lists weak public keys registered in Active Directory that were generated on ROCA-vulnerable TPMs. ## PARAMETERS ### -Credential -{{Fill Credential Description}} +Specifies a user account to use when connecting to the target domain controller. The default is the current user. ```yaml Type: PSCredential @@ -51,7 +70,7 @@ Specifies the target computer for the operation. Enter a fully qualified domain ```yaml Type: String Parameter Sets: (All) -Aliases: Host, DomainController, DC +Aliases: Host, DomainController, DC, ComputerName Required: False Position: Named 
@@ -77,5 +96,5 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable [Get-ADDBAccount](Get-ADDBAccount.md) [Get-ADReplAccount](Get-ADReplAccount.md) -[Test-PasswordQuality](Test-PasswordQuality.md) -[Save-DPAPIBlob](Save-DPAPIBlob.md) \ No newline at end of file +[Save-DPAPIBlob](Save-DPAPIBlob.md) +[Get-ADKeyCredential](Get-ADKeyCredential.md) diff --git a/Documentation/PowerShell/Get-BootKey.md b/Documentation/PowerShell/Get-BootKey.md index de1a627..a93a90f 100644 --- a/Documentation/PowerShell/Get-BootKey.md +++ b/Documentation/PowerShell/Get-BootKey.md @@ -32,6 +32,7 @@ The Boot Key is returned in hexadecimal format. ### Example 1 ```powershell PS C:\> Get-BootKey -Online +0be7a2afe1713642182e9b96f73a75da ``` Retrieves the BootKey from the currently running OS. @@ -39,7 +40,7 @@ Retrieves the BootKey from the currently running OS. ### Example 2 ```powershell PS C:\> reg.exe SAVE HKLM\SYSTEM C:\RegBackup\SYSTEM.hiv -PS C:\> Get-BootKey -SystemHiveFilePath C:\RegBackup\SYSTEM.hiv +PS C:\> $key = Get-BootKey -SystemHiveFilePath C:\RegBackup\SYSTEM.hiv ``` Creates a backup of the SYSTEM registry hive and then retrieves the BootKey from this backup. @@ -95,4 +96,4 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable [Get-ADDBBackupKey](Get-ADDBBackupKey.md) [Set-ADDBAccountPassword](Set-ADDBAccountPassword.md) [Set-ADDBAccountPasswordHash](Set-ADDBAccountPasswordHash.md) -[Set-ADDBBootKey](Set-ADDBBootKey.md) \ No newline at end of file +[Set-ADDBBootKey](Set-ADDBBootKey.md) diff --git a/Documentation/PowerShell/Get-LsaBackupKey.md b/Documentation/PowerShell/Get-LsaBackupKey.md index fdc9d1a..8d0ac51 100644 --- a/Documentation/PowerShell/Get-LsaBackupKey.md +++ b/Documentation/PowerShell/Get-LsaBackupKey.md 
@@ -18,13 +18,16 @@ Get-LsaBackupKey [[-ComputerName] ] [] ## DESCRIPTION -The Data Protection API (DPAPI) is used by several components of Windows to securely store passwords, encryption keys and other sensitive data. When DPAPI is used in an Active Directory domain environment, a copy of user's master key is encrypted with a so-called DPAPI Domain Backup Key that is known to all domain controllers. Windows Server 2000 DCs use a symmetric key and newer systems use a public/private key pair. If the user password is reset and the original master key is rendered inaccessible to the user, the user's access to the master key is automatically restored using the backup key. +Reads the Data Protection API (DPAPI) backup keys from an Active Directory domain controller through the MS-LSAD (AKA LSARPC) protocol. The output can be saved to the file system using the Save-DPAPIBlob cmdlet. + +DPAPI is used by several components of Windows to securely store passwords, encryption keys and other sensitive data. When DPAPI is used in an Active Directory domain environment, a copy of user's master key is encrypted with a so-called DPAPI Domain Backup Key that is known to all domain controllers. Windows Server 2000 DCs use a symmetric key and newer systems use a public/private key pair. If the user password is reset and the original master key is rendered inaccessible to the user, the user's access to the master key is automatically restored using the backup key. ## EXAMPLES ### Example 1 ```powershell PS C:\> Get-LsaBackupKey -ComputerName LON-DC1 +<# Sample Output: FilePath : ntds_capi_b1c56a3e-ddf7-41dd-a5f3-44a2ed27a96d.pvk KiwiCommand : REM Add this parameter to at least the first dpapi::masterkey command: 
@@ -40,16 +43,25 @@ Type : LegacyKey DistinguishedName : KeyId : 7882b20e-96ef-4ce5-a2b9-3efdccbbce28 Data : {1, 0, 0, 0...} +#> ``` Displays the DPAPI domain backup keys. ### Example 2 ```powershell -PS C:\> Get-LsaBackupKey -ComputerName LON-DC1 | Save-DPAPIBlob -DirectoryPath .\ +PS C:\> Get-LsaBackupKey -ComputerName LON-DC1 | Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ChildItem -Path '.\Output' | Select-Object -ExpandProperty Name +<# Sample Output: +kiwiscript.txt +ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key +ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.cer +ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pfx +ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk +#> ``` -Saves the DPAPI domain backup keys to the working directory. +Saves the DPAPI domain backup keys to the Output directory. ## PARAMETERS diff --git a/Documentation/PowerShell/Get-LsaPolicyInformation.md b/Documentation/PowerShell/Get-LsaPolicyInformation.md index ead60b8..2db937b 100644 --- a/Documentation/PowerShell/Get-LsaPolicyInformation.md +++ b/Documentation/PowerShell/Get-LsaPolicyInformation.md @@ -27,12 +27,13 @@ The local security policy of a system is a set of information about the security ### Example 1 ```powershell PS C:\> Get-LSAPolicyInformation - +<# Sample Output: Domain/Workgroup Name : WORKGROUP Account Domain Name : MYPC Account Domain SID : S-1-5-21-2814909047-1086830290-2660982408 Local Domain Name : MYPC Local Domain SID : S-1-5-21-2814909047-1086830290-2660982408 +#> ``` Retrieves LSA Policy from the local computer. @@ -40,7 +41,7 @@ Retrieves LSA Policy from the local computer. ### Example 2 ```powershell PS C:\> Get-LSAPolicyInformation -ComputerName LON-DC1 - +<# Sample Output: Domain/Workgroup Name : ADATUM Forest DNS Name : Adatum.com Domain DNS Name : Adatum.com 
@@ -50,6 +51,7 @@ Account Domain Name : ADATUM Account Domain SID : S-1-5-21-3180365339-800773672-3767752645 Local Domain Name : LON-DC1 Local Domain SID : S-1-5-21-2929860833-2984454239-2848460202 +#> ``` Retrieves LSA Policy from a remote computer called LON-DC1. diff --git a/Documentation/PowerShell/Get-SamPasswordPolicy.md b/Documentation/PowerShell/Get-SamPasswordPolicy.md index dd2698e..0515f06 100644 --- a/Documentation/PowerShell/Get-SamPasswordPolicy.md +++ b/Documentation/PowerShell/Get-SamPasswordPolicy.md @@ -24,13 +24,14 @@ Retrieves the current password policy for a domain through the MS-SAMR protocol. ### Example 1 ```powershell PS C:\> Get-SamPasswordPolicy -Domain CONTOSO -Server LON-DC1 - +<# Sample Output: MinPasswordLength : 8 ComplexityEnabled : True ReversibleEncryptionEnabled : False MaxPasswordAge : 90.00:00:00.0 MinPasswordAge : 01:00:00 PasswordHistoryCount : 10 +#> ``` Queries the LON-DC1 domain controller for default domain password policy. @@ -38,13 +39,14 @@ Queries the LON-DC1 domain controller for default domain password policy. ### Example 2 ```powershell PS C:\> Get-SamPasswordPolicy -Domain Builtin - +<# Sample Output: MinPasswordLength : 0 ComplexityEnabled : False ReversibleEncryptionEnabled : False MaxPasswordAge : 42.22:47:31.7437440 MinPasswordAge : 00:00:00 PasswordHistoryCount : 0 +#> ``` Queries the local computer for its current password policy. diff --git a/Documentation/PowerShell/Readme.md b/Documentation/PowerShell/Readme.md index 3a88be2..b41aac8 100644 --- a/Documentation/PowerShell/Readme.md +++ b/Documentation/PowerShell/Readme.md 
@@ -66,7 +66,7 @@ Physically removes specified object from a ntds.dit file, making it semantically Reads one or more accounts through the MS-DRSR protocol, including secret attributes. ### [Get-ADReplBackupKey](Get-ADReplBackupKey.md#get-adreplbackupkey) -Reads the DPAPI backup keys through the MS-DRSR protocol. +Reads the DPAPI backup keys from a domain controller through the MS-DRSR protocol. ### [Add-ADReplNgcKey](Add-ADReplNgcKey.md#add-adreplngckey) Composes and updates the msDS-KeyCredentialLink value on an object through the MS-DRSR protocol. @@ -123,15 +123,23 @@ The output of the [Get-ADDBAccount](Get-ADDBAccount.md#get-addbaccount) and [Get ### Example 1 ```powershell -Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key | Format-Custom -View PwDump | Out-File -FilePath users.pwdump -Encoding ascii +PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key | + Format-Custom -View PwDump | + Out-File -FilePath users.pwdump -Encoding ascii ``` +Exports NT and LM password hashes from an Active Directory database to a pwdump file. + ### Example 2 ```powershell -Get-ADReplAccount -All -NamingContext 'DC=adatum,DC=com' -Server LON-DC1 | Format-Custom -View JohnNT | Out-File -FilePath users.txt -Encoding ascii +PS C:\> Get-ADReplAccount -All -Server LON-DC1 | + Format-Custom -View JohnNT | + Out-File -FilePath users.txt -Encoding ascii ``` +Replicates all Active Directory accounts from the target domain controller and exports their NT password hashes to a file format that is supported by John the Ripper. + ## Cmdlets for Password Hash Calculation ### [ConvertTo-KerberosKey](ConvertTo-KerberosKey.md#convertto-kerberoskey) 
@@ -149,7 +157,7 @@ Calculates OrgId hash of a given password. Used by Azure Active Directory Connec ## Cmdlets for Credential Decryption ### [Save-DPAPIBlob](Save-DPAPIBlob.md#save-dpapiblob) -Saves DPAPI and Credential Roaming data returned by the [Get-ADReplBackupKey](Get-ADReplBackupKey.md#get-adreplbackupkey), [Get-ADDBBackupKey](Get-ADDBBackupKey.md#get-addbbackupkey), [Get-ADReplAccount](Get-ADReplAccount.md#get-adreplaccount), [Get-ADDBAccount](Get-ADDBAccount.md#get-addbaccount) and [Get-ADSIAccount](Get-ADSIAccount.md#get-adsiaccount) cmdlets to files for further processing. +Saves DPAPI and Credential Roaming data retrieved from Active Directory to the filesystem for further processing. ### [ConvertFrom-ADManagedPasswordBlob](ConvertFrom-ADManagedPasswordBlob.md#convertfrom-admanagedpasswordblob) Decodes the value of the msDS-ManagedPassword attribute of a Group Managed Service Account. diff --git a/Documentation/PowerShell/Save-DPAPIBlob.md b/Documentation/PowerShell/Save-DPAPIBlob.md index fa0777a..efafe37 100644 --- a/Documentation/PowerShell/Save-DPAPIBlob.md +++ b/Documentation/PowerShell/Save-DPAPIBlob.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Save-DPAPIBlob ## SYNOPSIS -Saves DPAPI and Credential Roaming data returned by the Get-ADReplBackupKey, Get-ADDBBackupKey, Get-ADReplAccount, Get-ADDBAccount and Get-ADSIAccount cmdlets to files for further processing. +Saves DPAPI and Credential Roaming data retrieved from Active Directory to the filesystem for further processing. ## SYNTAX 
@@ -24,20 +24,97 @@ Save-DPAPIBlob -Account [-DirectoryPath] [ Get-ADDBBackupKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit' ` -BootKey 0be7a2afe1713642182e9b96f73a75da | - Save-DPAPIBlob -DirectoryPath .\Output -PS C:\> Get-ADDBAccount -All ` - -DatabasePath '.\ADBackup\Active Directory\ntds.dit' ` - -BootKey 0be7a2afe1713642182e9b96f73a75da | - Save-DPAPIBlob -DirectoryPath .\Output + Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ADDBAccount -All -DatabasePath '.\ADBackup\Active Directory\ntds.dit' | + Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ChildItem -Path '.\Output' -Recurse -File | + Foreach-Object { $PSItem.FullName.Replace((Resolve-Path -Path '.\Output'), '') } +<# Sample Output: +\kiwiscript.txt +\ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.cer +\ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.pfx +\ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.pvk +\ntds_legacy_d78736ad-5206-4eda-bfd4-cd10cc49d163.key +\Abbi\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1304\99c6f954ca07d75267f9a369a0bf5cd3_9e75a609-18c7-4c98-8cd0-c34c3aeae423 +\Abbi\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1304\ba7577742c7900c29f8e7f8193ca5f6d_9e75a609-18c7-4c98-8cd0-c34c3aeae423 +\Abbi\Protect\S-1-5-21-4534338-1127018997-2609994386-1304\eadae2b5-3933-434a-9bcf-804175877104 +\Abbi\SystemCertificates\My\Certificates\366004B5FA21294B80B22DA1385F414C70DF611B +\Abbi\SystemCertificates\My\Certificates\6441367E7BF2D4C7DAA1CF27C72D6552F4A48B48 +\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\0b0c01d1f2bb6db4cd9496cd5e1214d6_f8b7bbef-d227-4ac7-badd-3a238a7f741e +\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\2907acacb201238bd89fe63b20c6d23b_f8b7bbef-d227-4ac7-badd-3a238a7f741e +\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\701577141985b6923998dcca035c007a_f8b7bbef-d227-4ac7-badd-3a238a7f741e 
+\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\d881dc8bbed7c3a08f03b01de4b9f45f_f8b7bbef-d227-4ac7-badd-3a238a7f741e +\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\e1b4cc613d831f27c664af17b8f98021_f8b7bbef-d227-4ac7-badd-3a238a7f741e +\Administrator\Protect\S-1-5-21-4534338-1127018997-2609994386-500\47070660-c259-4d90-8bc9-187605323450 +\Administrator\Protect\S-1-5-21-4534338-1127018997-2609994386-500\e13655bb-9519-45aa-abf8-a50a7b01317a +\Administrator\SystemCertificates\My\Certificates\01ADA5237C2D2D1F1571247A239CA66B31885389 +\Administrator\SystemCertificates\My\Certificates\5479CDDE0747E2CB5DF64F28A9E4AD3266AB27AF +\Administrator\SystemCertificates\My\Certificates\574E4687133998544C0095C7B348C52CD398182E +\Administrator\SystemCertificates\My\Certificates\B422F98237039C9836D24E22E5A92FCEC507EF89 +\Administrator\SystemCertificates\My\Certificates\DBE2B5417D56BC061B05B7265A47D3595EEC6A32 +\Administrator\SystemCertificates\Request\Certificates\AE1EBACC333E48E80C5DED7D0C644D80417CB6EC +\Lara\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1359\1eceade740dd71b94c3a7333522b9859_9e75a609-18c7-4c98-8cd0-c34c3aeae423 +\Lara\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1359\2995fb4c62c9211bc265c89fe1c85061_9e75a609-18c7-4c98-8cd0-c34c3aeae423 +\Lara\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1359\3183cd1aef41afc9af73e231607b5266_9e75a609-18c7-4c98-8cd0-c34c3aeae423 +\Lara\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1359\4f8bd0d10c208c8d57d2a1babd288a83_9e75a609-18c7-4c98-8cd0-c34c3aeae423 +\Lara\Protect\S-1-5-21-4534338-1127018997-2609994386-1359\5f6d65d9-c363-4c78-af8d-034fb80efc5a +\Lara\SystemCertificates\My\Certificates\1307CE05C8247AA08508302431B6A99647FF600E +\Lara\SystemCertificates\My\Certificates\7B0928AF99A3244E73F7F17957ABD5A80818B210 +\Lara\SystemCertificates\My\Certificates\90E1D7F90AD73F66F2C8F60120C256D038FD1F2C 
+\Lara\SystemCertificates\My\Certificates\DB690E9D99D094D3E9746DE484D3050951516E29 +\Logan\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1272\fd56f510920bd55b31ff5207eafda8c8_9e75a609-18c7-4c98-8cd0-c34c3aeae423 +\Logan\Protect\S-1-5-21-4534338-1127018997-2609994386-1272\9c6cc9e0-b5f8-48f4-a478-305ad77fceab +\Logan\SystemCertificates\My\Certificates\5D7A3A4FE8ADF5A61C5079EB7FDD1507B2753682 +#> + +PS C:\> Get-Content -Path '.\Output\kiwiscript.txt' +<# Sample Output: +REM Add this parameter to at least the first dpapi::masterkey command: /pvk:"ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk" +dpapi::masterkey /in:"Install\Protect\S-1-5-21-1236425271-2880748467-2592687428-1000\0f2ca69c-c144-4d80-905f-a6bcdfb0d659" /sid:S-1-5-21-1236425271-2880748467-2592687428-1000 +dpapi::masterkey /in:"Install\Protect\S-1-5-21-1236425271-2880748467-2592687428-1000\acdad60e-bcc0-48fb-9ceb-7514ca5aa558" /sid:S-1-5-21-1236425271-2880748467-2592687428-1000 +dpapi::cng /in:"Install\Crypto\Keys\002F8F86566CEFBC8694EE7F5BB24A5FF2BA2C18" +dpapi::cng /in:"Install\Crypto\Keys\476D927F1B009662D46D785BA58BD8E9DB42F687" +crypto::system /file:"Install\SystemCertificates\My\Certificates\EA4AD6192A82AB059BFA5E774515FDE0DA604160" /export +crypto::system /file:"Install\SystemCertificates\My\Certificates\D6F23BB7BD8C0099DF5F1324507EA0CA3DE7DEAB" /export +dpapi::masterkey /in:"john\Protect\S-1-5-21-1236425271-2880748467-2592687428-1109\bfefb3a6-5cdc-44f9-8521-a31feb3acdb1" /sid:S-1-5-21-1236425271-2880748467-2592687428-1109 +dpapi::masterkey /in:"john\Protect\S-1-5-21-1236425271-2880748467-2592687428-1109\c14e7f69-3bf5-4c49-92d8-78d759d74ece" /sid:S-1-5-21-1236425271-2880748467-2592687428-1109 +crypto::system /file:"john\SystemCertificates\My\Certificates\AF839B040D1257997A8D83EE71F96918F4C3EA01" /export +dpapi::cng /in:"john\Crypto\Keys\9F95F8E4F381BFFFD22B5EFAA013E53268451310" +dpapi::cng /in:"john\Crypto\Keys\C9ABDF8DC38EA2BA2E20AEC770D91210FF919F87" +crypto::system 
/file:"john\SystemCertificates\My\Certificates\DEFFADB62EE547CB88973DF664C4DC958E8E64D8" /export +crypto::system /file:"john\SystemCertificates\My\Certificates\49FD324E5CC4A6020AC9D12D4311C7B33393A1C4" /export +crypto::system /file:"john\SystemCertificates\My\Certificates\4E951C29567A261B2E90C94BCCEFAE1FA878A2CB" /export +dpapi::capi /in:"john\Crypto\RSA\S-1-5-21-1236425271-2880748467-2592687428-1109\0581f4e6088649266038726d9f8786a9_edc46440-65c9-41ce-aaeb-73754e0e38c8" +dpapi::capi /in:"john\Crypto\RSA\S-1-5-21-1236425271-2880748467-2592687428-1109\4771dfabcc8ad1ec2c84c489df041fad_edc46440-65c9-41ce-aaeb-73754e0e38c8" +#> ``` -Extracts DPAPI backup keys and roamed credentials (certificates, private keys and DPAPI master keys) to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys. +Extracts DPAPI backup keys and roamed credentials (certificates, private keys, and DPAPI master keys) from an Active Directory database file and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys. + +### Example 2 +```powershell +PS C:\> Get-ADReplBackupKey -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ADReplAccount -All -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output' +``` + +Replicates all DPAPI backup keys and roamed credentials (certificates, private keys, and DPAPI master keys) from the target Active Directory domain controller and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys. 
+ +### Example 3 +```powershell +PS C:\> Get-LsaBackupKey -ComputerName 'lon-dc1.contoso.com' | Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ADSIAccount -Server 'lon-dc1.contoso.com' | Save-DPAPIBlob -DirectoryPath '.\Output' +``` + +Retrieves DPAPI backup keys from the target domain controller through the MS-LSAD protocol. Also retrieves roamed credentials (certificates, private keys, and DPAPI master keys) from this domain controller through LDAP and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys. ## PARAMETERS @@ -107,4 +184,5 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable [Get-ADReplBackupKey](Get-ADReplBackupKey.md) [Get-LsaBackupKey](Get-LsaBackupKey.md) [Get-ADReplAccount](Get-ADReplAccount.md) -[Get-ADDBAccount](Get-ADDBAccount.md) +[Get-ADDBAccount](Get-ADDBAccount.md) +[Get-ADSIAccount](Get-ADSIAccount.md) diff --git a/Documentation/PowerShell/Set-ADDBPrimaryGroup.md b/Documentation/PowerShell/Set-ADDBPrimaryGroup.md index fefa63f..350a41c 100644 --- a/Documentation/PowerShell/Set-ADDBPrimaryGroup.md +++ b/Documentation/PowerShell/Set-ADDBPrimaryGroup.md @@ -43,7 +43,9 @@ Modifies the primaryGroupId attribute of an account in a ntds.dit file. The most ### Example 1 ```powershell -PS C:\> Set-ADDBPrimaryGroup -SamAccountName John -PrimaryGroupId 512 -DatabasePath 'D:\Windows\NTDS\ntds.dit' +PS C:\> Set-ADDBPrimaryGroup -SamAccountName John ` + -PrimaryGroupId 512 ` + -DatabasePath 'D:\Windows\NTDS\ntds.dit' ``` Moves the account *John* from the default *Domain Users* group to *Domain Admins*. diff --git a/Documentation/PowerShell/Set-LsaPolicyInformation.md b/Documentation/PowerShell/Set-LsaPolicyInformation.md index 8ed2ea4..f01b2ff 100644 --- a/Documentation/PowerShell/Set-LsaPolicyInformation.md +++ b/Documentation/PowerShell/Set-LsaPolicyInformation.md 
@@ -18,13 +18,20 @@ Set-LsaPolicyInformation -DomainName -DnsDomainName -DnsForest ``` ## DESCRIPTION -{{Fill in the Description}} + +Configures AD-related Local Security Authority (LSA) Policies of the local or a remote computer. +This functionality is helpful when restoring Active Directory domain controllers (DC) from IFM backups. +Note that running this command against a DC with parameters that do not match the information stored in its local AD database might prevent the target DC from booting ever again. ## EXAMPLES ### Example 1 ```powershell -PS C:\> Set-LsaPolicyInformation -DomainName 'ADATUM' -DnsDomainName 'Adatum.com' -DnsForestName 'Adatum.com' -DomainGuid 279b615e-ae79-4c86-a61a-50f687b9f7b8 -DomainSid S-1-5-21-1817670852-3242289776-1304069626 +PS C:\> Set-LsaPolicyInformation -DomainName 'ADATUM' ` + -DnsDomainName 'Adatum.com' ` + -DnsForestName 'Adatum.com' ` + -DomainGuid 279b615e-ae79-4c86-a61a-50f687b9f7b8 ` + -DomainSid S-1-5-21-1817670852-3242289776-1304069626 ``` Configures AD-related LSA Policy Information of the local computer. @@ -138,3 +145,5 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## NOTES ## RELATED LINKS + +[New-ADDBRestoreFromMediaScript](New-ADDBRestoreFromMediaScript.md) diff --git a/Documentation/PowerShell/Set-SamAccountPasswordHash.md b/Documentation/PowerShell/Set-SamAccountPasswordHash.md index 0183198..1b5f6b0 100644 --- a/Documentation/PowerShell/Set-SamAccountPasswordHash.md +++ b/Documentation/PowerShell/Set-SamAccountPasswordHash.md 
@@ -25,21 +25,26 @@ Set-SamAccountPasswordHash -Sid -NTHash [-LMHash < ``` ## DESCRIPTION -{{Fill in the Description}} + +Sets NT and LM password hashes of a user account in a local or remote Security Account Manager (SAM) or Active Directory (AD) database through the SAM Remote Protocol (MS-SAMR). +Note that kerberos AES and DES ekeys of the target account are cleared by this command. ## EXAMPLES ### Example 1 ```powershell -PS C:\> {{ Add example code here }} +PS C:\> Set-SamAccountPasswordHash -SamAccountName 'john' ` + -Domain CONTOSO ` + -NTHash ac5d3227c79791b451eb28fcd9efbfb2 ` + -Server 'lon-dc1.contoso.com' ``` -{{ Add example description here }} +Resets the NT password hash of the target Active Directory account through the MS-SAMR protocol. ## PARAMETERS ### -Credential -Specify the user account credentials to use to perform this task. +Specifies the user account credentials to be used to perform this task. The default credentials are the credentials of the currently logged on user. ```yaml @@ -55,7 +60,7 @@ Accept wildcard characters: False ``` ### -Domain -Specify the user's domain. +Specifies the target NetBIOS domain name the target account belongs to. ```yaml Type: String @@ -70,7 +75,7 @@ Accept wildcard characters: False ``` ### -LMHash -Specify a new LM password hash value in hexadecimal format. +Specifies a new LM password hash value in hexadecimal format. ```yaml Type: Byte[] @@ -85,7 +90,7 @@ Accept wildcard characters: False ``` ### -NTHash -Specify a new NT password hash value in hexadecimal format. +Specifies a new NT password hash value in hexadecimal format. ```yaml Type: Byte[] @@ -100,7 +105,7 @@ Accept wildcard characters: False ``` ### -SamAccountName -Specify user's login. +Specifies user's login. ```yaml Type: String @@ -130,7 +135,7 @@ Accept wildcard characters: False ``` ### -Sid -Specify user SID. +Specifies user SID. ```yaml Type: SecurityIdentifier 
@@ -162,3 +167,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## NOTES ## RELATED LINKS + +[Get-ADDBAccount](Get-ADDBAccount.md) +[Get-ADReplAccount](Get-ADReplAccount.md) +[Set-ADDBAccountPasswordHash](Set-ADDBAccountPasswordHash.md) diff --git a/Documentation/PowerShell/Test-PasswordQuality.md b/Documentation/PowerShell/Test-PasswordQuality.md index 6ec3a27..1c958a9 100644 --- a/Documentation/PowerShell/Test-PasswordQuality.md +++ b/Documentation/PowerShell/Test-PasswordQuality.md @@ -31,8 +31,8 @@ Although the cmdlet output is formatted in a human readable fashion, it is still ### Example 1 ```powershell PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey acdba64a3929261b04e5270c3ef973cf | - Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v4.txt -<# Sample Output + Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt +<# Sample Output: Active Directory Password Quality Report ---------------------------------------- @@ -93,7 +93,8 @@ Performs an offline credential hygiene audit of AD database against HIBP. ### Example 2 ```powershell PS C:\> $results = Get-ADReplAccount -All -Server LON-DC1 | - Test-PasswordQuality -WeakPasswords 'Pa$$w0rd','April2019' -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v4.txt + Test-PasswordQuality -WeakPasswords 'Pa$$w0rd','April2019' ` + -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt ``` Performs an online credential hygiene audit of AD against HIBP + a custom wordlist. 
@@ -111,7 +112,7 @@ Performs a dictionary attack against a set of accounts. The Test-PasswordQuality ```powershell PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key | where DistinguishedName -like '*OU=Employees,DC=contoso,DC=com' | - Test-PasswordQuality -IncludeDisabledAccounts -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v4.txt + Test-PasswordQuality -IncludeDisabledAccounts -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt ``` Performs an offline credential hygiene audit of a selected OU from AD database against HIBP. @@ -121,7 +122,7 @@ Performs an offline credential hygiene audit of a selected OU from AD database a PS C:\> $contosoAccounts = Get-ADReplAccount -All -Server LON-DC1.contoso.com PS C:\> $adatumAccounts = Get-ADReplAccount -All -Server NYC-DC1.adatum.com -Credential (Get-Credential) PS C:\> $contosoAccounts + $adatumAccounts | Test-PasswordQuality -<# Sample Output (Partial) +<# Sample Output (Partial): These groups of accounts have the same passwords: Group 1: diff --git a/Scripts/Update-PSHelp.ps1 b/Scripts/Update-PSHelp.ps1 index 2103a6d..96b1124 100644 --- a/Scripts/Update-PSHelp.ps1 +++ b/Scripts/Update-PSHelp.ps1 @@ -21,7 +21,7 @@ $aboutPagePath = Join-Path $xmlHelpSrcPath 'about_DSInternals.help.txt' Import-Module -Name platyPS # Remove any pre-existing XML help -Remove-Item $xmlHelpBuildPath -Recurse +Remove-Item $xmlHelpBuildPath -Recurse -ErrorAction SilentlyContinue # Load the freshly compiled module to generate the help for Import-Module -Name $dsInternalsModulePath diff --git a/Src/DSInternals.PowerShell/Chocolatey/dsinternals-psmodule.nuspec b/Src/DSInternals.PowerShell/Chocolatey/dsinternals-psmodule.nuspec index dfd7346..8c0b444 100644 --- a/Src/DSInternals.PowerShell/Chocolatey/dsinternals-psmodule.nuspec +++ b/Src/DSInternals.PowerShell/Chocolatey/dsinternals-psmodule.nuspec 
@@ -11,7 +11,7 @@ https://github.com/MichaelGrafnetter/DSInternals https://raw.githubusercontent.com/MichaelGrafnetter/DSInternals/master/Src/Icons/module_black.png (c) 2015-2020 Michael Grafnetter. All rights reserved. - https://github.com/MichaelGrafnetter/DSInternals/blob/master/LICENSE.md + https://github.com/MichaelGrafnetter/DSInternals/blob/master/Src/DSInternals.PowerShell/License.txt false https://github.com/MichaelGrafnetter/DSInternals/tree/master/Src https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Readme.md#dsinternals-powershell-module diff --git a/Src/DSInternals.PowerShell/Commands/Base/ADSICommandBase.cs b/Src/DSInternals.PowerShell/Commands/Base/ADSICommandBase.cs index 36100b3..66a9c19 100644 --- a/Src/DSInternals.PowerShell/Commands/Base/ADSICommandBase.cs +++ b/Src/DSInternals.PowerShell/Commands/Base/ADSICommandBase.cs @@ -10,7 +10,7 @@ #region Parameters [Parameter(Mandatory = false)] [ValidateNotNullOrEmpty] - [Alias("Host", "DomainController", "DC")] + [Alias("Host", "DomainController", "DC", "ComputerName")] public string Server { get; @@ -63,4 +63,4 @@ } } } -} \ No newline at end of file +} diff --git a/Src/DSInternals.PowerShell/en-US/DSInternals.PowerShell.dll-Help.xml b/Src/DSInternals.PowerShell/en-US/DSInternals.PowerShell.dll-Help.xml index cc007d7..2b34ca3 100644 --- a/Src/DSInternals.PowerShell/en-US/DSInternals.PowerShell.dll-Help.xml +++ b/Src/DSInternals.PowerShell/en-US/DSInternals.PowerShell.dll-Help.xml 
@@ -413,7 +413,10 @@ -------------------------- Example 1 -------------------------- PS C:\> Stop-Service -Name ntds -Force -PS C:\> Add-ADDBSidHistory -SamAccountName John -SidHistory S-1-5-21-3623811102-3361044346-30300840-512,S-1-5-21-3623811102-3361044346-30300840-519 -DBPath C:\Windows\NTDS\ntds.dit +PS C:\> Add-ADDBSidHistory -SamAccountName John ` + -SidHistory 'S-1-5-21-3623811102-3361044346-30300840-512', + 'S-1-5-21-3623811102-3361044346-30300840-519' ` + -DatabasePath C:\Windows\NTDS\ntds.dit PS C:\> Start-Service -Name ntds Adds the SIDs of the Domain Admins and Enterprise Admins groups into user John 's sIDHistory. @@ -421,7 +424,7 @@ PS C:\> Start-Service -Name ntds -------------------------- Example 2 -------------------------- - PS C:\> Import-Csv user.csv | Add-ADDBSidHistory -DBPath C:\Windows\NTDS\ntds.dit + PS C:\> Import-Csv user.csv | Add-ADDBSidHistory -DatabasePath C:\Windows\NTDS\ntds.dit Imports a CSV file containing SamAccountName and SidHistory columns into a nds.dit file. @@ -1073,11 +1076,13 @@ PS C:\> Start-Service -Name ntds -------------------------- Example 1 -------------------------- PS C:\> $gmsa = Get-ADServiceAccount -Identity 'SQL_HQ_Primary' -Properties 'msDS-ManagedPassword' PS C:\> ConvertFrom-ADManagedPasswordBlob -Blob $gmsa.'msDS-ManagedPassword' +<# Sample Output: Version : 1 CurrentPassword : 湤ୟɰ橣낔饔ᦺ几᧾ʞꈠ⿕ՔὬ랭뷾햾咶郸�렇ͧ퀟᝘럓몚ꬶ佩䎖∘Ǐ㦗ן뱷鼹⽩Ⲃ⫝咽㠅E䠹鸞왶婰鞪 PreviousPassword : QueryPasswordInterval : 29.17:15:36.3736817 -UnchangedPasswordInterval : 29.17:10:36.3736817 +UnchangedPasswordInterval : 29.17:10:36.3736817 +#> Decodes the managed password information from a group-managed service account (GMSA) called SQL_HQ_Primary . The user retrieving the managed password needs to be listed in the PrincipalsAllowedToRetrieveManagedPassword property of the GMSA. 
@@ -1591,6 +1596,7 @@ UnchangedPasswordInterval : 29.17:10:36.3736817 -------------------------- Example 1 -------------------------- PS C:\> $pwd = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force PS C:\> ConvertTo-KerberosKey -Password $pwd -Salt 'CONTOSO.COMAdministrator' +<# Sample Output: AES256_CTS_HMAC_SHA1_96 Key: 660e61042b190b5724c62bb473facca12058fb9ad3c03c0d2809f839c0352502 @@ -1602,7 +1608,8 @@ AES128_CTS_HMAC_SHA1_96 DES_CBC_MD5 Key: aed02c52204ca2ce - Iterations: 4096 + Iterations: 4096 +#> Applies 3 different kerberos key derivation functions to the specified password and salt. @@ -1982,7 +1989,9 @@ PS C:\> ConvertTo-NTHash -Password $pwd -------------------------- Example 1 -------------------------- PS C:\> $pwd = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force PS C:\> ConvertTo-OrgIdHash -Password $pwd -v1;PPH1_MD4,60eaffd2c886b419df7a,1000,ab9c532104713157395a70da85cc8a1b418508753c6997f02341d541328ef16b; +<# Sample Output: +v1;PPH1_MD4,60eaffd2c886b419df7a,1000,ab9c532104713157395a70da85cc8a1b418508753c6997f02341d541328ef16b; +#> Calculates the OrgId hash from a cleartext password using a random salt. @@ -1990,7 +1999,9 @@ v1;PPH1_MD4,60eaffd2c886b419df7a,1000,ab9c532104713157395a70da85cc8a1b418508753c -------------------------- Example 2 -------------------------- PS C:\> ConvertTo-OrgIdHash -NTHash 92937945b518814341de3f726500d4ff -v1;PPH1_MD4,46c0c5d9095185ce5cf8,1000,6bb7b360d9105ed5157460b343d5d143e465a59195bc9b568718268c334ea4a9; +<# Sample Output: +v1;PPH1_MD4,46c0c5d9095185ce5cf8,1000,6bb7b360d9105ed5157460b343d5d143e465a59195bc9b568718268c334ea4a9; +#> Calculates the OrgId hash from a NT hash while using a random salt. 
@@ -1998,7 +2009,9 @@ v1;PPH1_MD4,46c0c5d9095185ce5cf8,1000,6bb7b360d9105ed5157460b343d5d143e465a59195 -------------------------- Example 3 -------------------------- PS C:\> ConvertTo-OrgIdHash -NTHash 92937945b518814341de3f726500d4ff -Salt a42b92067e4b8123101a -v1;PPH1_MD4,a42b92067e4b8123101a,1000,f0fc762ea9051ef754652becd83ee5e54c1c857c1c0965abac5d85de9c143911; +<# Sample Output: +v1;PPH1_MD4,a42b92067e4b8123101a,1000,f0fc762ea9051ef754652becd83ee5e54c1c857c1c0965abac5d85de9c143911; +#> Calculates the OrgId hash from a NT hash while using the given salt. @@ -2862,7 +2875,7 @@ v1;PPH1_MD4,a42b92067e4b8123101a,1000,f0fc762ea9051ef754652becd83ee5e54c1c857c1c - {{Fill in the Description}} + Reads one or more accounts from an Active Directory database file. When provided with a boot key (AKA SysKey or system key), it also decrypts secret attributes. @@ -3262,8 +3275,9 @@ v1;PPH1_MD4,a42b92067e4b8123101a,1000,f0fc762ea9051ef754652becd83ee5e54c1c857c1c -------------------------- Example 1 -------------------------- - PS C:\> Get-ADDBAccount -SamAccountName Administrator -DatabasePath 'C:\IFM Backup\Active Directory\ntds.dit' - + PS C:\> Get-ADDBAccount -SamAccountName Administrator ` + -DatabasePath 'C:\IFM Backup\Active Directory\ntds.dit' +<# Sample Output: DistinguishedName: CN=Administrator,CN=Users,DC=contoso,DC=com Sid: S-1-5-21-1236425271-2880748467-2592687428-500 Guid: b3d02974-6b1c-484c-9103-fd2f60d592c4 @@ -3294,7 +3308,8 @@ Key Credentials: Credential Roaming Created: Modified: - Credentials: + Credentials: +#> Retrieves information about a single account from an Active Directory database. Secret attributes are not decrypted as no boot key is provided. 
@@ -3305,7 +3320,7 @@ Credential Roaming PS C:\> Get-ADDBAccount -DistinguishedName: 'CN=Joe Smith,OU=Employees,DC=contoso,DC=com' ` -BootKey $key ` -DatabasePath 'C:\IFM Backup\Active Directory\ntds.dit' - +<# Sample Output: DistinguishedName: CN=Joe Smith,OU=Employees,DC=contoso,DC=com Sid: S-1-5-21-1236425271-2880748467-2592687428-1110 Guid: 6fb7aca4-fe85-4dc5-9acd-b5b2529fe2bc 
@@ -3402,11 +3417,70 @@ Credential Roaming CryptoApiCertificate: joe\SystemCertificates\My\Certificates\574E4687133998544C0095C7B348C52CD398182E CNGCertificate: joe\SystemCertificates\My\Certificates\3B83BFA7037F6A79B3F3D17D229E1BC097F35B51 RSAPrivateKey: joe\Crypto\RSA\S-1-5-21-1236425271-2880748467-2592687428-1110\701577141985b6923998dcca035c007a_f8b7bbef-d227-4ac7-badd-3a238a7f741e - CNGPrivateKey: joe\Crypto\Keys\E8F13C2BA0209401C4DFE839CD57375E26BBE38F + CNGPrivateKey: joe\Crypto\Keys\E8F13C2BA0209401C4DFE839CD57375E26BBE38F +#> Retrieves information about a single account from an Active Directory database. Secret attributes are decrypted using the provided boot key. + + -------------------------- Example 3 -------------------------- + PS C:\> $results = Get-ADDBAccount -DatabasePath '.\Active Directory\ntds.dit' ` + -BootKey acdba64a3929261b04e5270c3ef973cf ` + -All | + Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt + + Performs an offline credential hygiene audit of AD database against HIBP. + + + + -------------------------- Example 4 -------------------------- + PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key | + Format-Custom -View PwDump | + Out-File -FilePath users.pwdump -Encoding ascii + + Exports NT and LM password hashes from an Active Directory database to a pwdump file. + + + + -------------------------- Example 5 -------------------------- + PS C:\> Get-ADDBBackupKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit' ` + -BootKey 0be7a2afe1713642182e9b96f73a75da | + Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ADDBAccount -All -DatabasePath '.\ADBackup\Active Directory\ntds.dit' | + Save-DPAPIBlob -DirectoryPath '.\Output' + + Extracts DPAPI backup keys and roamed credentials (certificates, private keys, and DPAPI master keys) from an Active Directory database file and saves them to the Output directory. 
Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys. + + + + -------------------------- Example 6 -------------------------- + PS C:\> Get-ADDBAccount -All -DatabasePath '.\ADBackup\Active Directory\ntds.dit' | + Select-Object -ExpandProperty KeyCredentials | + Where-Object Usage -eq NGC | + Format-Table -View ROCA +<# Sample Output: + +Usage IsWeak Source DeviceId Created HolderDN +----- ------ ------ -------- ------- -------- +NGC True AzureAD fd591087-245c-4ff5-a5ea-c14de5e2b32d 2017-07-19 CN=John Doe,CN=Users,DC=contoso,DC=com +NGC False AD 1966d4da-14da-4581-a7a7-5e8e07e93ad9 2019-08-01 CN=Jane Doe,CN=Users,DC=contoso,DC=com +#> + + Lists weak public keys registered in Active Directory that were generated on ROCA-vulnerable TPMs. + + + + -------------------------- Example 7 -------------------------- + PS C:\> $dc = Get-ADDBDomainController -DatabasePath '.\ADBackup\Active Directory\ntds.dit' +PS C:\> $adminSid = '{0}-500' -f $dc.DomainSid +PS C:\> $account = Get-ADDBAccount -Sid $adminSid ` + -DatabasePath '.\ADBackup\Active Directory\ntds.dit' ` + -BootKey 0be7a2afe1713642182e9b96f73a75da + + Retrieves information about a the the built-in Administrator account, even if it was renamed. + + @@ -3433,6 +3507,10 @@ Credential Roaming Save-DPAPIBlob + + Get-ADKeyCredential + + 
@@ -3445,7 +3523,8 @@ Credential Roaming - {{Fill in the Description}} + Reads and decrypts Data Protection API (DPAPI) backup keys from an Active Directory database file. The output can be saved to the file system using the Save-DPAPIBlob cmdlet. + DPAPI is used by several components of Windows to securely store passwords, encryption keys and other sensitive data. When DPAPI is used in an Active Directory domain environment, a copy of user's master key is encrypted with a so-called DPAPI Domain Backup Key that is known to all domain controllers. Windows Server 2000 DCs use a symmetric key and newer systems use a public/private key pair. If the user password is reset and the original master key is rendered inaccessible to the user, the user's access to the master key is automatically restored using the backup key. 
@@ -3554,9 +3633,61 @@ Credential Roaming -------------------------- Example 1 -------------------------- - PS C:\> {{ Add example code here }} + PS C:\> $key = Get-BootKey -SystemHiveFilePath '.\ADBackup\registry\SYSTEM' +PS C:\> Get-ADDBBackupKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit' ` + -BootKey $key | Format-List +<# Sample Output: + +FilePath : ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key +KiwiCommand : +Type : LegacyKey +DistinguishedName : CN=BCKUPKEY_b116cbfa-b881-43e6-ba85-ef3efa64ba22 + Secret,CN=System,DC=contoso,DC=com +KeyId : b116cbfa-b881-43e6-ba85-ef3efa64ba22 +Data : {1, 0, 0, 0...} + +FilePath : +KiwiCommand : +Type : PreferredLegacyKeyPointer +DistinguishedName : CN=BCKUPKEY_P Secret,CN=System,DC=contoso,DC=com +KeyId : b116cbfa-b881-43e6-ba85-ef3efa64ba22 +Data : {250, 203, 22, 177...} + +FilePath : ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk +KiwiCommand : REM Add this parameter to at least the first dpapi::masterkey + command: /pvk:"ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk" +Type : RSAKey +DistinguishedName : CN=BCKUPKEY_290914ed-b1a8-482e-a89f-7caa217bf3c3 + Secret,CN=System,DC=contoso,DC=com +KeyId : 290914ed-b1a8-482e-a89f-7caa217bf3c3 +Data : {2, 0, 0, 0...} + +FilePath : +KiwiCommand : +Type : PreferredRSAKeyPointer +DistinguishedName : CN=BCKUPKEY_PREFERRED Secret,CN=System,DC=contoso,DC=com +KeyId : 290914ed-b1a8-482e-a89f-7caa217bf3c3 +Data : {237, 20, 9, 41...} +#> - {{ Add example description here }} + Extracts the boot key (AKA SysKey or system key) from a backup of the SYSTEM registry hive and decrypts all DPAPI backup keys stored in the an Active Directory database file. 
+ + + + -------------------------- Example 2 -------------------------- + PS C:\> Get-ADDBBackupKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit' ` + -BootKey 0be7a2afe1713642182e9b96f73a75da | + Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ChildItem -Path '.\Output' | Select-Object -ExpandProperty Name +<# Sample Output: +kiwiscript.txt +ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key +ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.cer +ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pfx +ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk +#> + + Exports DPAPI backup keys to the Output directory. @@ -3573,6 +3704,10 @@ Credential Roaming Get-ADReplBackupKey + + Get-LsaBackupKey + + @@ -3671,7 +3806,6 @@ Credential Roaming -------------------------- Example 1 -------------------------- PS C:\> Get-ADDBDomainController -DatabasePath .\ntds.dit - <# Sample Output: Name : LON-DC1 DNSHostName : LON-DC1.contoso.com @@ -3830,10 +3964,7 @@ Epoch : 961 -------------------------- Example 1 -------------------------- PS C:\> Get-ADDBKdsRootKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit' - -<# -Output: - +<# Sample Output: Id: 6a401799-8dd0-0b2c-3073-beb7ce2e734d Version: 1 Creation Time: 7/27/2019 6:23:26 PM @@ -3860,9 +3991,7 @@ Secret Agreement #> PS C:\> .\CQDPAPINGPFXDecrypter.exe /pfx Certificate.p12 /master C16A0D16B80307D9CF102C7DB11F69FE015EB0DCD85C2FC0A5005C10E9DB963AC1E18BF161882ABEEAFF1B01CD50076F3C6F7807323253AB9598DBE027A77DD7 - -<# -Output: +<# Sample Output: Successfully decrypted password: VBGpKPryuiWBSyq/+CjC0WjNsnZ1xS3Hs6IqGZwa0BM= #> 
@@ -4281,9 +4410,9 @@ Successfully decrypted password: VBGpKPryuiWBSyq/+CjC0WjNsnZ1xS3Hs6IqGZwa0BM= -------------------------- Example 1 -------------------------- PS C:\> Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink | - Select-Object -ExpandProperty msDS-KeyCredentialLink | - Get-KeyCredential -<# Output: + Select-Object -ExpandProperty msDS-KeyCredentialLink | + Get-KeyCredential +<# Sample Output: Usage Source Flags DeviceId Created HolderDN ----- ------ ----- -------- ------- -------- @@ -4305,8 +4434,7 @@ FIDO AzureAD Attestation 00000000-0000-0000-0000-000000000000 2019-08-26 CN=Joh Get-KeyCredential | Where-Object Usage -eq NGC | Format-Table -View ROCA - -<# Output: +<# Sample Output: Usage IsWeak Source DeviceId Created HolderDN ----- ------ ------ -------- ------- -------- @@ -4337,8 +4465,7 @@ NGC False AD 1966d4da-14da-4581-a7a7-5e8e07e93ad9 2019-08-01 CN=Jane Doe Get-KeyCredential | Where-Object Usage -eq FIDO | Format-Table -View FIDO - -<# Output: +<# Sample Output: DisplayName Flags FidoFlags Created HolderDN ----------- ----- --------- ------- -------- @@ -4366,7 +4493,9 @@ Feitian BioPass FIDO2 Attestation UserPresent, UserVerified, AttestationData, Ex -------------------------- Example 6 -------------------------- - PS C:\> $certificateSubject = 'S-1-5-21-1236425271-2880748467-2592687428-1109/13f787d5-4078-47ee-a6e7-b3af92f76c1e/login.windows.net/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/john@contoso.com' + PS C:\> $upn = 'john@contoso.com' +PS C:\> $userSid = 'S-1-5-21-1236425271-2880748467-2592687428-1109' +PS C:\> $certificateSubject = '{0}/{1}/login.windows.net/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/{2}' -f $userSid, (New-Guid), $upn PS C:\> $certificate = New-SelfSignedCertificate -Subject $certificateSubject ` -KeyLength 2048 ` -Provider 'Microsoft Strong Cryptographic Provider' ` 
@@ -4379,7 +4508,7 @@ PS C:\> $certificate = New-SelfSignedCertificate -Subject $certificateSubject PS C:\> $ngcKey = Get-KeyCredential -Certificate $certificate -DeviceId (New-Guid) -HolderDN 'CN=John Doe,CN=Users,DC=contoso,DC=com' PS C:\> Set-ADObject -Identity $ngcKey.HolderDN -Add @{ 'msDS-KeyCredentialLink' = $ngcKey.ToDNWithBinary() } - Generates a new NGC key for a user account and registers it in Active Directory. + Generates a new NGC key for a user account and registers it in Active Directory. Note that the value of the certificate Subject has no effect on the functionality, but as it appears in DC logs, this example uses the same format as Windows does. @@ -4429,7 +4558,7 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ - {{Fill in the Description}} + Reads one or more accounts from a target Active Directory domain controller through the MS-DRSR protocol, including secret attributes. 
@@ -4970,9 +5099,140 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ -------------------------- Example 1 -------------------------- - PS C:\> {{ Add example code here }} + PS C:\> Get-ADReplAccount -SamAccountName joe -Server 'lon-dc1.contoso.com' +<# Sample Output: +DistinguishedName: CN=Joe Smith,OU=Employees,DC=contoso,DC=com +Sid: S-1-5-21-1236425271-2880748467-2592687428-1110 +Guid: 6fb7aca4-fe85-4dc5-9acd-b5b2529fe2bc +SamAccountName: joe +SamAccountType: User +UserPrincipalName: joe@contoso.com +PrimaryGroupId: 513 +SidHistory: +Enabled: True +UserAccountControl: NormalAccount, PasswordNeverExpires +AdminCount: False +Deleted: False +LastLogon: +DisplayName: Joe Smith +GivenName: Joe +Surname: Smith +Description: +ServicePrincipalName: +SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited, SelfRelative +Owner: S-1-5-21-1236425271-2880748467-2592687428-512 +Secrets + NTHash: 92937945b518814341de3f726500d4ff + LMHash: + NTHashHistory: + Hash 01: 92937945b518814341de3f726500d4ff + LMHashHistory: + Hash 01: 30ce97eef1084cf1656cc4be70d68600 + SupplementalCredentials: + ClearText: + NTLMStrongHash: 2c6d57beebeafdae65b3f40f2a0d5430 + Kerberos: + Credentials: + DES_CBC_MD5 + Key: 7f16bc4ada0b8a52 + OldCredentials: + Salt: CONTOSO.COMjoe + Flags: 0 + KerberosNew: + Credentials: + AES256_CTS_HMAC_SHA1_96 + Key: cd541be0838c787b5c6a34d7b19274aee613545a0e6cc6f5ac5918d8a464d24f + Iterations: 4096 + AES128_CTS_HMAC_SHA1_96 + Key: 5c88972747bd454704c117ae52c474e4 + Iterations: 4096 + DES_CBC_MD5 + Key: 7f16bc4ada0b8a52 + Iterations: 4096 + OldCredentials: + OlderCredentials: + ServiceCredentials: + Salt: CONTOSO.COMjoe + DefaultIterationCount: 4096 + Flags: 0 + WDigest: + Hash 01: 61fed940f0e8d03a49d3727f55800497 + Hash 02: a1d54499dda6a6b5431f29a8d741a640 + Hash 03: b6cdf00bc0c4578992f718de81251721 + Hash 04: 61fed940f0e8d03a49d3727f55800497 + Hash 05: 
a1d54499dda6a6b5431f29a8d741a640 + Hash 06: 9a8991bd99763df2e37f1e1e67d71cc8 + Hash 07: 61fed940f0e8d03a49d3727f55800497 + Hash 08: 8a9fe94883c8ccf3bcfc6591ddd2288f + Hash 09: 8a9fe94883c8ccf3bcfc6591ddd2288f + Hash 10: 1b7b16b49ecd8d9d59c1d0db6fa2cc36 + Hash 11: d4c24695cfa4dc3810a469d5efb8ecaf + Hash 12: 8a9fe94883c8ccf3bcfc6591ddd2288f + Hash 13: a5b8aa5088280298c8c27fa99dcaa1e3 + Hash 14: d4c24695cfa4dc3810a469d5efb8ecaf + Hash 15: 1aa8e567622fe53d6fb36f1f34f12aaa + Hash 16: 1aa8e567622fe53d6fb36f1f34f12aaa + Hash 17: 2af425244079f8f45927c34fa115e45b + Hash 18: cf283a35102b820e25003b1ddf270221 + Hash 19: b98c902c57449253e6f06b5d585866bd + Hash 20: 2a690b1eeda9cb8f3157a4a3ba0be9c3 + Hash 21: af2654776d5f9f27f3283ecb0aa25011 + Hash 22: af2654776d5f9f27f3283ecb0aa25011 + Hash 23: ba6fe0513ed2a60ec253a41bbde6a837 + Hash 24: 8bf5a67b598087be948e040f85c72b4d + Hash 25: 8bf5a67b598087be948e040f85c72b4d + Hash 26: aa5ff46d23a5c7ebd603e1793225350d + Hash 27: 656b6a7f5b52d05b3ce9168a2b7ac8ac + Hash 28: ae884c92ecd87e8d54f1844f09c5a519 + Hash 29: a500a9e26afc9f817df8a07e15771577 +Key Credentials: + Usage=NGC, Source=ActiveDirectory, Device=1966d4da-14da-4581-a7a7-5e8e07e93ad9, Created=8/1/2019 10:53:12 PM, LastLogon=8/1/2019 10:53:12 PM + Usage=NGC, Source=ActiveDirectory, Device=cfe9a872-13ff-4751-a777-aec88c30a762, Created=8/1/2019 11:09:15 PM, LastLogon=8/1/2019 11:09:15 PM +Credential Roaming + Created: 3/12/2017 9:15:56 AM + Modified: 3/13/2017 10:01:18 AM + Credentials: + DPAPIMasterKey: joe\Protect\S-1-5-21-1236425271-2880748467-2592687428-1110\47070660-c259-4d90-8bc9-187605323450 + DPAPIMasterKey: joe\Protect\S-1-5-21-1236425271-2880748467-2592687428-1110\7fc19508-7b85-4a7c-9e5d-15f9e00e7ce5 + CryptoApiCertificate: joe\SystemCertificates\My\Certificates\574E4687133998544C0095C7B348C52CD398182E + CNGCertificate: joe\SystemCertificates\My\Certificates\3B83BFA7037F6A79B3F3D17D229E1BC097F35B51 + RSAPrivateKey: 
joe\Crypto\RSA\S-1-5-21-1236425271-2880748467-2592687428-1110\701577141985b6923998dcca035c007a_f8b7bbef-d227-4ac7-badd-3a238a7f741e + CNGPrivateKey: joe\Crypto\Keys\E8F13C2BA0209401C4DFE839CD57375E26BBE38F +#> - {{ Add example description here }} + Replicates a single Active Directory account from the target domain controller. + + + + -------------------------- Example 2 -------------------------- + PS C:\> $accounts = Get-ADReplAccount -All -Server 'lon-dc1.contoso.com' + + Replicates all Active Directory accounts from the target domain controller. + + + + -------------------------- Example 3 -------------------------- + PS C:\> $results = Get-ADReplAccount -All -Server 'lon-dc1.contoso.com' | + Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt + + Performs an online credential hygiene audit of AD against HIBP. + + + + -------------------------- Example 4 -------------------------- + PS C:\> Get-ADReplAccount -All -Server LON-DC1 | + Format-Custom -View PwDump | + Out-File -FilePath users.pwdump -Encoding ascii + + Replicates all Active Directory accounts from the target domain controller and exports their NT and LM password hashes to a pwdump file. + + + + -------------------------- Example 5 -------------------------- + PS C:\> Get-ADReplBackupKey -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ADReplAccount -All -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output' + + Replicates all DPAPI backup keys and roamed credentials (certificates, private keys, and DPAPI master keys) from the target Active Directory domain controller and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys. 
@@ -5005,11 +5265,12 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ Get ADReplBackupKey - Reads the DPAPI backup keys through the MS-DRSR protocol. + Reads the DPAPI backup keys from a domain controller through the MS-DRSR protocol. - {{Fill in the Description}} + Replicates the Data Protection API (DPAPI) backup keys from an Active Directory domain controller through the MS-DRSR protocol. The output can be saved to the file system using the Save-DPAPIBlob cmdlet. + DPAPI is used by several components of Windows to securely store passwords, encryption keys and other sensitive data. When DPAPI is used in an Active Directory domain environment, a copy of user's master key is encrypted with a so-called DPAPI Domain Backup Key that is known to all domain controllers. Windows Server 2000 DCs use a symmetric key and newer systems use a public/private key pair. If the user password is reset and the original master key is rendered inaccessible to the user, the user's access to the master key is automatically restored using the backup key. @@ -5029,7 +5290,7 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ Domain - TODO + Specifies the DNS name of the target Active Directory domain. String @@ -5085,7 +5346,7 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ Domain - TODO + Specifies the DNS name of the target Active Directory domain. String 
@@ -5146,10 +5407,58 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ - -------------------------- Example 1 -------------------------- - PS C:\> {{ Add example code here }} + -------------------------- Example 2 -------------------------- + PS C:\> Get-ADReplBackupKey -Server 'lon-dc1.contoso.com' +<# Sample Output: + +FilePath : ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key +KiwiCommand : +Type : LegacyKey +DistinguishedName : CN=BCKUPKEY_b116cbfa-b881-43e6-ba85-ef3efa64ba22 + Secret,CN=System,DC=contoso,DC=com +KeyId : b116cbfa-b881-43e6-ba85-ef3efa64ba22 +Data : {1, 0, 0, 0...} + +FilePath : +KiwiCommand : +Type : PreferredLegacyKeyPointer +DistinguishedName : CN=BCKUPKEY_P Secret,CN=System,DC=contoso,DC=com +KeyId : b116cbfa-b881-43e6-ba85-ef3efa64ba22 +Data : {250, 203, 22, 177...} + +FilePath : ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk +KiwiCommand : REM Add this parameter to at least the first dpapi::masterkey + command: /pvk:"ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk" +Type : RSAKey +DistinguishedName : CN=BCKUPKEY_290914ed-b1a8-482e-a89f-7caa217bf3c3 + Secret,CN=System,DC=contoso,DC=com +KeyId : 290914ed-b1a8-482e-a89f-7caa217bf3c3 +Data : {2, 0, 0, 0...} + +FilePath : +KiwiCommand : +Type : PreferredRSAKeyPointer +DistinguishedName : CN=BCKUPKEY_PREFERRED Secret,CN=System,DC=contoso,DC=com +KeyId : 290914ed-b1a8-482e-a89f-7caa217bf3c3 +Data : {237, 20, 9, 41...} +#> - {{ Add example description here }} + Replicates all DPAPI backup keys from the target Active Directory domain controller. 
+ + + + -------------------------- Example 2 -------------------------- + PS C:\> Get-ADReplBackupKey -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ChildItem -Path '.\Output' | Select-Object -ExpandProperty Name +<# Sample Output: +kiwiscript.txt +ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key +ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.cer +ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pfx +ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk +#> + + Replicates all DPAPI backup keys from the target Active Directory domain controller and saves them to the Output directory. @@ -5182,7 +5491,7 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ - {{Fill in the Description}} + Gets all Active Directory user accounts from a given domain controller using ADSI/LDAP. Typically used for Credential Roaming data retrieval and NGC key auditing. @@ -5190,7 +5499,7 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ Credential - {{Fill Credential Description}} + Specifies a user account to use when connecting to the target domain controller. The default is the current user. PSCredential @@ -5199,7 +5508,7 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ None - + Server Specifies the target computer for the operation. Enter a fully qualified domain name (FQDN), a NetBIOS name, or an IP address. When the remote computer is in a different domain than the local computer, the fully qualified domain name is required. @@ -5217,7 +5526,7 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ Credential - {{Fill Credential Description}} + Specifies a user account to use when connecting to the target domain controller. The default is the current user. PSCredential 
@@ -5226,7 +5535,7 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ None - + Server Specifies the target computer for the operation. Enter a fully qualified domain name (FQDN), a NetBIOS name, or an IP address. When the remote computer is in a different domain than the local computer, the fully qualified domain name is required. @@ -5267,9 +5576,27 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ -------------------------- Example 1 -------------------------- - PS C:\> {{ Add example code here }} + PS C:\> Get-LsaBackupKey -ComputerName 'lon-dc1.contoso.com' | Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ADSIAccount -Server 'lon-dc1.contoso.com' | Save-DPAPIBlob -DirectoryPath '.\Output' - {{ Add example description here }} + Retrieves DPAPI backup keys from the target domain controller through the MS-LSAD protocol. Also retrieves roamed credentials (certificates, private keys, and DPAPI master keys) from this domain controller through LDAP and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys. + + + + -------------------------- Example 2 -------------------------- + PS C:\> Get-ADSIAccount -Server 'lon-dc1.contoso.com' | + Select-Object -ExpandProperty KeyCredentials | + Where-Object Usage -eq NGC | + Format-Table -View ROCA +<# Sample Output: + +Usage IsWeak Source DeviceId Created HolderDN +----- ------ ------ -------- ------- -------- +NGC True AzureAD fd591087-245c-4ff5-a5ea-c14de5e2b32d 2017-07-19 CN=John Doe,CN=Users,DC=contoso,DC=com +NGC False AD 1966d4da-14da-4581-a7a7-5e8e07e93ad9 2019-08-01 CN=Jane Doe,CN=Users,DC=contoso,DC=com +#> + + Lists weak public keys registered in Active Directory that were generated on ROCA-vulnerable TPMs. 
@@ -5287,11 +5614,11 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ - Test-PasswordQuality + Save-DPAPIBlob - Save-DPAPIBlob + Get-ADKeyCredential @@ -5394,7 +5721,8 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ -------------------------- Example 1 -------------------------- - PS C:\> Get-BootKey -Online + PS C:\> Get-BootKey -Online +0be7a2afe1713642182e9b96f73a75da Retrieves the BootKey from the currently running OS. @@ -5402,7 +5730,7 @@ PS C:\> Set-ADComputer -Identity 'PC01$' -Clear msDS-KeyCredentialLink -Add @ -------------------------- Example 2 -------------------------- PS C:\> reg.exe SAVE HKLM\SYSTEM C:\RegBackup\SYSTEM.hiv -PS C:\> Get-BootKey -SystemHiveFilePath C:\RegBackup\SYSTEM.hiv +PS C:\> $key = Get-BootKey -SystemHiveFilePath C:\RegBackup\SYSTEM.hiv Creates a backup of the SYSTEM registry hive and then retrieves the BootKey from this backup. 
@@ -5445,7 +5773,8 @@ PS C:\> Get-BootKey -SystemHiveFilePath C:\RegBackup\SYSTEM.hiv - The Data Protection API (DPAPI) is used by several components of Windows to securely store passwords, encryption keys and other sensitive data. When DPAPI is used in an Active Directory domain environment, a copy of user's master key is encrypted with a so-called DPAPI Domain Backup Key that is known to all domain controllers. Windows Server 2000 DCs use a symmetric key and newer systems use a public/private key pair. If the user password is reset and the original master key is rendered inaccessible to the user, the user's access to the master key is automatically restored using the backup key. + Reads the Data Protection API (DPAPI) backup keys from an Active Directory domain controller through the MS-LSAD (AKA LSARPC) protocol. The output can be saved to the file system using the Save-DPAPIBlob cmdlet. + DPAPI is used by several components of Windows to securely store passwords, encryption keys and other sensitive data. When DPAPI is used in an Active Directory domain environment, a copy of user's master key is encrypted with a so-called DPAPI Domain Backup Key that is known to all domain controllers. Windows Server 2000 DCs use a symmetric key and newer systems use a public/private key pair. If the user password is reset and the original master key is rendered inaccessible to the user, the user's access to the master key is automatically restored using the backup key. @@ -5509,6 +5838,7 @@ PS C:\> Get-BootKey -SystemHiveFilePath C:\RegBackup\SYSTEM.hiv -------------------------- Example 1 -------------------------- PS C:\> Get-LsaBackupKey -ComputerName LON-DC1 +<# Sample Output: FilePath : ntds_capi_b1c56a3e-ddf7-41dd-a5f3-44a2ed27a96d.pvk KiwiCommand : REM Add this parameter to at least the first dpapi::masterkey command: 
@@ -5523,16 +5853,25 @@ KiwiCommand : Type : LegacyKey DistinguishedName : KeyId : 7882b20e-96ef-4ce5-a2b9-3efdccbbce28 -Data : {1, 0, 0, 0...} +Data : {1, 0, 0, 0...} +#> Displays the DPAPI domain backup keys. -------------------------- Example 2 -------------------------- - PS C:\> Get-LsaBackupKey -ComputerName LON-DC1 | Save-DPAPIBlob -DirectoryPath .\ + PS C:\> Get-LsaBackupKey -ComputerName LON-DC1 | Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ChildItem -Path '.\Output' | Select-Object -ExpandProperty Name +<# Sample Output: +kiwiscript.txt +ntds_legacy_b116cbfa-b881-43e6-ba85-ef3efa64ba22.key +ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.cer +ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pfx +ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk +#> - Saves the DPAPI domain backup keys to the working directory. + Saves the DPAPI domain backup keys to the Output directory. @@ -5630,12 +5969,13 @@ Data : {1, 0, 0, 0...} -------------------------- Example 1 -------------------------- PS C:\> Get-LSAPolicyInformation - +<# Sample Output: Domain/Workgroup Name : WORKGROUP Account Domain Name : MYPC Account Domain SID : S-1-5-21-2814909047-1086830290-2660982408 Local Domain Name : MYPC -Local Domain SID : S-1-5-21-2814909047-1086830290-2660982408 +Local Domain SID : S-1-5-21-2814909047-1086830290-2660982408 +#> Retrieves LSA Policy from the local computer. @@ -5643,7 +5983,7 @@ Local Domain SID : S-1-5-21-2814909047-1086830290-2660982408 -------------------------- Example 2 -------------------------- PS C:\> Get-LSAPolicyInformation -ComputerName LON-DC1 - +<# Sample Output: Domain/Workgroup Name : ADATUM Forest DNS Name : Adatum.com Domain DNS Name : Adatum.com 
@@ -5652,7 +5992,8 @@ Domain SID : S-1-5-21-3180365339-800773672-3767752645 Account Domain Name : ADATUM Account Domain SID : S-1-5-21-3180365339-800773672-3767752645 Local Domain Name : LON-DC1 -Local Domain SID : S-1-5-21-2929860833-2984454239-2848460202 +Local Domain SID : S-1-5-21-2929860833-2984454239-2848460202 +#> Retrieves LSA Policy from a remote computer called LON-DC1. @@ -5799,13 +6140,14 @@ Local Domain SID : S-1-5-21-2929860833-2984454239-2848460202 -------------------------- Example 1 -------------------------- PS C:\> Get-SamPasswordPolicy -Domain CONTOSO -Server LON-DC1 - +<# Sample Output: MinPasswordLength : 8 ComplexityEnabled : True ReversibleEncryptionEnabled : False MaxPasswordAge : 90.00:00:00.0 MinPasswordAge : 01:00:00 -PasswordHistoryCount : 10 +PasswordHistoryCount : 10 +#> Queries the LON-DC1 domain controller for default domain password policy. @@ -5813,13 +6155,14 @@ PasswordHistoryCount : 10 -------------------------- Example 2 -------------------------- PS C:\> Get-SamPasswordPolicy -Domain Builtin - +<# Sample Output: MinPasswordLength : 0 ComplexityEnabled : False ReversibleEncryptionEnabled : False MaxPasswordAge : 42.22:47:31.7437440 MinPasswordAge : 00:00:00 -PasswordHistoryCount : 0 +PasswordHistoryCount : 0 +#> Queries the local computer for its current password policy. 
@@ -6529,11 +6872,11 @@ $initTask.RunAsTask() Save DPAPIBlob - Saves DPAPI and Credential Roaming data returned by the Get-ADReplBackupKey, Get-ADDBBackupKey, Get-ADReplAccount, Get-ADDBAccount and Get-ADSIAccount cmdlets to files for further processing. + Saves DPAPI and Credential Roaming data retrieved from Active Directory to the filesystem for further processing. - + This cmdlet saves DPAPI-related data retrieved from Active Directory to a selected directory. It also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys and to decode the certificates. Supports DPAPI backup keys returned by the Get-ADReplBackupKey, Get-ADDBBackupKey, and Get-LsaBackupKey cmdlets and roamed credentials (certificates, private keys, and DPAPI master keys) returned by the Get-ADReplAccount, Get-ADDBAccount, and Get-ADSIAccount cmdlets. 
@@ -6667,13 +7010,87 @@ $initTask.RunAsTask() -------------------------- Example 1 -------------------------- PS C:\> Get-ADDBBackupKey -DatabasePath '.\ADBackup\Active Directory\ntds.dit' ` -BootKey 0be7a2afe1713642182e9b96f73a75da | - Save-DPAPIBlob -DirectoryPath .\Output -PS C:\> Get-ADDBAccount -All ` - -DatabasePath '.\ADBackup\Active Directory\ntds.dit' ` - -BootKey 0be7a2afe1713642182e9b96f73a75da | - Save-DPAPIBlob -DirectoryPath .\Output + Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ADDBAccount -All -DatabasePath '.\ADBackup\Active Directory\ntds.dit' | + Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ChildItem -Path '.\Output' -Recurse -File | + Foreach-Object { $PSItem.FullName.Replace((Resolve-Path -Path '.\Output'), '') } +<# Sample Output: +\kiwiscript.txt +\ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.cer +\ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.pfx +\ntds_capi_4cee80c0-b6c6-406c-a68b-c0e5818bc436.pvk +\ntds_legacy_d78736ad-5206-4eda-bfd4-cd10cc49d163.key +\Abbi\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1304\99c6f954ca07d75267f9a369a0bf5cd3_9e75a609-18c7-4c98-8cd0-c34c3aeae423 +\Abbi\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1304\ba7577742c7900c29f8e7f8193ca5f6d_9e75a609-18c7-4c98-8cd0-c34c3aeae423 +\Abbi\Protect\S-1-5-21-4534338-1127018997-2609994386-1304\eadae2b5-3933-434a-9bcf-804175877104 +\Abbi\SystemCertificates\My\Certificates\366004B5FA21294B80B22DA1385F414C70DF611B +\Abbi\SystemCertificates\My\Certificates\6441367E7BF2D4C7DAA1CF27C72D6552F4A48B48 +\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\0b0c01d1f2bb6db4cd9496cd5e1214d6_f8b7bbef-d227-4ac7-badd-3a238a7f741e +\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\2907acacb201238bd89fe63b20c6d23b_f8b7bbef-d227-4ac7-badd-3a238a7f741e +\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\701577141985b6923998dcca035c007a_f8b7bbef-d227-4ac7-badd-3a238a7f741e 
+\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\d881dc8bbed7c3a08f03b01de4b9f45f_f8b7bbef-d227-4ac7-badd-3a238a7f741e +\Administrator\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-500\e1b4cc613d831f27c664af17b8f98021_f8b7bbef-d227-4ac7-badd-3a238a7f741e +\Administrator\Protect\S-1-5-21-4534338-1127018997-2609994386-500\47070660-c259-4d90-8bc9-187605323450 +\Administrator\Protect\S-1-5-21-4534338-1127018997-2609994386-500\e13655bb-9519-45aa-abf8-a50a7b01317a +\Administrator\SystemCertificates\My\Certificates\01ADA5237C2D2D1F1571247A239CA66B31885389 +\Administrator\SystemCertificates\My\Certificates\5479CDDE0747E2CB5DF64F28A9E4AD3266AB27AF +\Administrator\SystemCertificates\My\Certificates\574E4687133998544C0095C7B348C52CD398182E +\Administrator\SystemCertificates\My\Certificates\B422F98237039C9836D24E22E5A92FCEC507EF89 +\Administrator\SystemCertificates\My\Certificates\DBE2B5417D56BC061B05B7265A47D3595EEC6A32 +\Administrator\SystemCertificates\Request\Certificates\AE1EBACC333E48E80C5DED7D0C644D80417CB6EC +\Lara\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1359\1eceade740dd71b94c3a7333522b9859_9e75a609-18c7-4c98-8cd0-c34c3aeae423 +\Lara\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1359\2995fb4c62c9211bc265c89fe1c85061_9e75a609-18c7-4c98-8cd0-c34c3aeae423 +\Lara\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1359\3183cd1aef41afc9af73e231607b5266_9e75a609-18c7-4c98-8cd0-c34c3aeae423 +\Lara\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1359\4f8bd0d10c208c8d57d2a1babd288a83_9e75a609-18c7-4c98-8cd0-c34c3aeae423 +\Lara\Protect\S-1-5-21-4534338-1127018997-2609994386-1359\5f6d65d9-c363-4c78-af8d-034fb80efc5a +\Lara\SystemCertificates\My\Certificates\1307CE05C8247AA08508302431B6A99647FF600E +\Lara\SystemCertificates\My\Certificates\7B0928AF99A3244E73F7F17957ABD5A80818B210 +\Lara\SystemCertificates\My\Certificates\90E1D7F90AD73F66F2C8F60120C256D038FD1F2C 
+\Lara\SystemCertificates\My\Certificates\DB690E9D99D094D3E9746DE484D3050951516E29 +\Logan\Crypto\RSA\S-1-5-21-4534338-1127018997-2609994386-1272\fd56f510920bd55b31ff5207eafda8c8_9e75a609-18c7-4c98-8cd0-c34c3aeae423 +\Logan\Protect\S-1-5-21-4534338-1127018997-2609994386-1272\9c6cc9e0-b5f8-48f4-a478-305ad77fceab +\Logan\SystemCertificates\My\Certificates\5D7A3A4FE8ADF5A61C5079EB7FDD1507B2753682 +#> + +PS C:\> Get-Content -Path '.\Output\kiwiscript.txt' +<# Sample Output: +REM Add this parameter to at least the first dpapi::masterkey command: /pvk:"ntds_capi_290914ed-b1a8-482e-a89f-7caa217bf3c3.pvk" +dpapi::masterkey /in:"Install\Protect\S-1-5-21-1236425271-2880748467-2592687428-1000\0f2ca69c-c144-4d80-905f-a6bcdfb0d659" /sid:S-1-5-21-1236425271-2880748467-2592687428-1000 +dpapi::masterkey /in:"Install\Protect\S-1-5-21-1236425271-2880748467-2592687428-1000\acdad60e-bcc0-48fb-9ceb-7514ca5aa558" /sid:S-1-5-21-1236425271-2880748467-2592687428-1000 +dpapi::cng /in:"Install\Crypto\Keys\002F8F86566CEFBC8694EE7F5BB24A5FF2BA2C18" +dpapi::cng /in:"Install\Crypto\Keys\476D927F1B009662D46D785BA58BD8E9DB42F687" +crypto::system /file:"Install\SystemCertificates\My\Certificates\EA4AD6192A82AB059BFA5E774515FDE0DA604160" /export +crypto::system /file:"Install\SystemCertificates\My\Certificates\D6F23BB7BD8C0099DF5F1324507EA0CA3DE7DEAB" /export +dpapi::masterkey /in:"john\Protect\S-1-5-21-1236425271-2880748467-2592687428-1109\bfefb3a6-5cdc-44f9-8521-a31feb3acdb1" /sid:S-1-5-21-1236425271-2880748467-2592687428-1109 +dpapi::masterkey /in:"john\Protect\S-1-5-21-1236425271-2880748467-2592687428-1109\c14e7f69-3bf5-4c49-92d8-78d759d74ece" /sid:S-1-5-21-1236425271-2880748467-2592687428-1109 +crypto::system /file:"john\SystemCertificates\My\Certificates\AF839B040D1257997A8D83EE71F96918F4C3EA01" /export +dpapi::cng /in:"john\Crypto\Keys\9F95F8E4F381BFFFD22B5EFAA013E53268451310" +dpapi::cng /in:"john\Crypto\Keys\C9ABDF8DC38EA2BA2E20AEC770D91210FF919F87" +crypto::system 
/file:"john\SystemCertificates\My\Certificates\DEFFADB62EE547CB88973DF664C4DC958E8E64D8" /export +crypto::system /file:"john\SystemCertificates\My\Certificates\49FD324E5CC4A6020AC9D12D4311C7B33393A1C4" /export +crypto::system /file:"john\SystemCertificates\My\Certificates\4E951C29567A261B2E90C94BCCEFAE1FA878A2CB" /export +dpapi::capi /in:"john\Crypto\RSA\S-1-5-21-1236425271-2880748467-2592687428-1109\0581f4e6088649266038726d9f8786a9_edc46440-65c9-41ce-aaeb-73754e0e38c8" +dpapi::capi /in:"john\Crypto\RSA\S-1-5-21-1236425271-2880748467-2592687428-1109\4771dfabcc8ad1ec2c84c489df041fad_edc46440-65c9-41ce-aaeb-73754e0e38c8" +#> - Extracts DPAPI backup keys and roamed credentials (certificates, private keys and DPAPI master keys) to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys. + Extracts DPAPI backup keys and roamed credentials (certificates, private keys, and DPAPI master keys) from an Active Directory database file and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys. + + + + -------------------------- Example 2 -------------------------- + PS C:\> Get-ADReplBackupKey -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ADReplAccount -All -Server 'lon-dc1.adatum.com' | Save-DPAPIBlob -DirectoryPath '.\Output' + + Replicates all DPAPI backup keys and roamed credentials (certificates, private keys, and DPAPI master keys) from the target Active Directory domain controller and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys. 
+ + + + -------------------------- Example 3 -------------------------- + PS C:\> Get-LsaBackupKey -ComputerName 'lon-dc1.contoso.com' | Save-DPAPIBlob -DirectoryPath '.\Output' +PS C:\> Get-ADSIAccount -Server 'lon-dc1.contoso.com' | Save-DPAPIBlob -DirectoryPath '.\Output' + + Retrieves DPAPI backup keys from the target domain controller through the MS-LSAD protocol. Also retrieves roamed credentials (certificates, private keys, and DPAPI master keys) from this domain controller through LDAP and saves them to the Output directory. Also creates a file called kiwiscript.txt that contains mimikatz commands needed to decrypt the private keys. @@ -6702,6 +7119,10 @@ PS C:\> Get-ADDBAccount -All ` Get-ADDBAccount + + Get-ADSIAccount + + @@ -8657,7 +9078,9 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc -------------------------- Example 1 -------------------------- - PS C:\> Set-ADDBPrimaryGroup -SamAccountName John -PrimaryGroupId 512 -DatabasePath 'D:\Windows\NTDS\ntds.dit' + PS C:\> Set-ADDBPrimaryGroup -SamAccountName John ` + -PrimaryGroupId 512 ` + -DatabasePath 'D:\Windows\NTDS\ntds.dit' Moves the account John from the default Domain Users group to Domain Admins . @@ -8688,7 +9111,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc - {{Fill in the Description}} + Configures AD-related Local Security Authority (LSA) Policies of the local or a remote computer. This functionality is helpful when restoring Active Directory domain controllers (DC) from IFM backups. Note that running this command against a DC with parameters that do not match the information stored in its local AD database might prevent the target DC from booting ever again. 
@@ -8871,7 +9294,11 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc -------------------------- Example 1 -------------------------- - PS C:\> Set-LsaPolicyInformation -DomainName 'ADATUM' -DnsDomainName 'Adatum.com' -DnsForestName 'Adatum.com' -DomainGuid 279b615e-ae79-4c86-a61a-50f687b9f7b8 -DomainSid S-1-5-21-1817670852-3242289776-1304069626 + PS C:\> Set-LsaPolicyInformation -DomainName 'ADATUM' ` + -DnsDomainName 'Adatum.com' ` + -DnsForestName 'Adatum.com' ` + -DomainGuid 279b615e-ae79-4c86-a61a-50f687b9f7b8 ` + -DomainSid S-1-5-21-1817670852-3242289776-1304069626 Configures AD-related LSA Policy Information of the local computer. @@ -8882,6 +9309,10 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc Online Version: https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Set-LsaPolicyInformation.md + + New-ADDBRestoreFromMediaScript + + @@ -8894,7 +9325,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc - {{Fill in the Description}} + Sets NT and LM password hashes of a user account in a local or remote Security Account Manager (SAM) or Active Directory (AD) database through the SAM Remote Protocol (MS-SAMR). Note that kerberos AES and DES ekeys of the target account are cleared by this command. @@ -8902,7 +9333,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc Credential - Specify the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user. + Specifies the user account credentials to be used to perform this task. The default credentials are the credentials of the currently logged on user. PSCredential @@ -8914,7 +9345,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc Domain - Specify the user's domain. + Specifies the target NetBIOS domain name the target account belongs to. String 
@@ -8926,7 +9357,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc LMHash - Specify a new LM password hash value in hexadecimal format. + Specifies a new LM password hash value in hexadecimal format. Byte[] @@ -8938,7 +9369,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc NTHash - Specify a new NT password hash value in hexadecimal format. + Specifies a new NT password hash value in hexadecimal format. Byte[] @@ -8950,7 +9381,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc SamAccountName - Specify user's login. + Specifies user's login. String @@ -8977,7 +9408,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc Credential - Specify the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user. + Specifies the user account credentials to be used to perform this task. The default credentials are the credentials of the currently logged on user. PSCredential @@ -8989,7 +9420,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc LMHash - Specify a new LM password hash value in hexadecimal format. + Specifies a new LM password hash value in hexadecimal format. Byte[] @@ -9001,7 +9432,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc NTHash - Specify a new NT password hash value in hexadecimal format. + Specifies a new NT password hash value in hexadecimal format. Byte[] @@ -9025,7 +9456,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc Sid - Specify user SID. + Specifies user SID. SecurityIdentifier 
@@ -9040,7 +9471,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc Credential - Specify the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user. + Specifies the user account credentials to be used to perform this task. The default credentials are the credentials of the currently logged on user. PSCredential @@ -9052,7 +9483,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc Domain - Specify the user's domain. + Specifies the target NetBIOS domain name the target account belongs to. String @@ -9064,7 +9495,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc LMHash - Specify a new LM password hash value in hexadecimal format. + Specifies a new LM password hash value in hexadecimal format. Byte[] @@ -9076,7 +9507,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc NTHash - Specify a new NT password hash value in hexadecimal format. + Specifies a new NT password hash value in hexadecimal format. Byte[] @@ -9088,7 +9519,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc SamAccountName - Specify user's login. + Specifies user's login. String @@ -9112,7 +9543,7 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc Sid - Specify user SID. + Specifies user SID. SecurityIdentifier @@ -9166,9 +9597,12 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc -------------------------- Example 1 -------------------------- - PS C:\> {{ Add example code here }} + PS C:\> Set-SamAccountPasswordHash -SamAccountName 'john' ` + -Domain CONTOSO ` + -NTHash ac5d3227c79791b451eb28fcd9efbfb2 ` + -Server 'lon-dc1.contoso.com' - {{ Add example description here }} + Resets the NT password hash of the target Active Directory account through the MS-SAMR protocol. 
@@ -9177,6 +9611,18 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc Online Version: https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Set-SamAccountPasswordHash.md + + Get-ADDBAccount + + + + Get-ADReplAccount + + + + Set-ADDBAccountPasswordHash + + @@ -9395,8 +9841,8 @@ PS C:\> Set-ADDBDomainController -DatabasePath .\ntds.dit -Epoch $currentEpoc -------------------------- Example 1 -------------------------- PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey acdba64a3929261b04e5270c3ef973cf | - Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v4.txt -<# Sample Output + Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt +<# Sample Output: Active Directory Password Quality Report ---------------------------------------- @@ -9457,7 +9903,8 @@ These accounts that require smart card authentication have a password: -------------------------- Example 2 -------------------------- PS C:\> $results = Get-ADReplAccount -All -Server LON-DC1 | - Test-PasswordQuality -WeakPasswords 'Pa$$w0rd','April2019' -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v4.txt + Test-PasswordQuality -WeakPasswords 'Pa$$w0rd','April2019' ` + -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt Performs an online credential hygiene audit of AD against HIBP + a custom wordlist. 
@@ -9475,7 +9922,7 @@ These accounts that require smart card authentication have a password: -------------------------- Example 4 -------------------------- PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key | where DistinguishedName -like '*OU=Employees,DC=contoso,DC=com' | - Test-PasswordQuality -IncludeDisabledAccounts -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v4.txt + Test-PasswordQuality -IncludeDisabledAccounts -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v5.txt Performs an offline credential hygiene audit of a selected OU from AD database against HIBP. @@ -9485,7 +9932,7 @@ These accounts that require smart card authentication have a password: PS C:\> $contosoAccounts = Get-ADReplAccount -All -Server LON-DC1.contoso.com PS C:\> $adatumAccounts = Get-ADReplAccount -All -Server NYC-DC1.adatum.com -Credential (Get-Credential) PS C:\> $contosoAccounts + $adatumAccounts | Test-PasswordQuality -<# Sample Output (Partial) +<# Sample Output (Partial): These groups of accounts have the same passwords: Group 1:
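Review bot: In the Save-DPAPIBlob Example 3 description, "Also retrieves ... Also creates ..." reads awkwardly with two consecutive sentences opening with "Also"; suggest "It also retrieves roamed credentials ... through LDAP and saves them to the Output directory, and creates a file called kiwiscript.txt ...". The same kiwiscript.txt sentence is now repeated verbatim at the end of Examples 1, 2 and 3; consider stating it once in the cmdlet description and dropping it from the individual examples. In the same example, Get-LsaBackupKey is called with -ComputerName while Get-ADSIAccount is called with -Server for the same host 'lon-dc1.contoso.com'; if both cmdlets accept a common parameter name, use it in both commands so the example reads consistently.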
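Review bot: In the Set-ADDBPrimaryGroup Example 1 hunk, the description line kept as context still has a stray space before the period ("... to Domain Admins ."); since this hunk already touches the example, fix it to "Moves the account John from the default Domain Users group to Domain Admins." in the same change.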
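Review bot: In the new Set-LsaPolicyInformation description, "might prevent the target DC from booting ever again" is stronger than the documentation register elsewhere on the page; suggest "might prevent the target DC from booting", and since the same patch adds New-ADDBRestoreFromMediaScript to this cmdlet's related links, consider pointing the reader to it as the supported way to obtain matching values during an IFM restore. Also "LSA Policies" should be lowercase "policies" to match "LSA Policy Information" in the Example 1 description.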
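Review bot: In the new Set-SamAccountPasswordHash description, "kerberos AES and DES ekeys" contains a typo and a casing error; it should read "Kerberos AES and DES keys". The parameter descriptions in this file also need a pass: "Specifies the target NetBIOS domain name the target account belongs to" repeats "target" (suggest "Specifies the NetBIOS name of the domain the target account belongs to"), and "Specifies user's login." / "Specifies user SID." drop the article (suggest "Specifies the user's login name." and "Specifies the user's SID."). Each of these strings appears once per parameter set (three times for Credential, LMHash and NTHash; twice for Domain, SamAccountName and Sid), so apply the same wording to every occurrence.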
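Review bot: The new Set-SamAccountPasswordHash Example 1 description should carry the side effect stated in the cmdlet description, because a reader skimming only the example will not learn that the account's Kerberos AES and DES keys are cleared by the reset; suggest "Resets the NT password hash of the target Active Directory account through the MS-SAMR protocol. The account's Kerberos keys are cleared as a result." For consistency with the other string arguments in the example, quote the domain as -Domain 'CONTOSO'.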
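Review bot: In the Test-PasswordQuality Example 2 hunk, the description "against HIBP + a custom wordlist" uses an informal "+" where the rest of the page writes prose; suggest "against the HIBP list and a custom wordlist". The update of the weak-password file name to pwned-passwords-ntlm-ordered-by-hash-v5.txt is applied consistently in Examples 1, 2 and 4, and the "<# Sample Output:" / "<# Sample Output (Partial):" comment headers now match the form used in the other cmdlet pages.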