DSInternals/Documentation/PowerShell
2025-01-04 19:54:55 +01:00
about_DSInternals.md Improved directory structure and help (#74) 2019-01-12 19:58:56 +01:00
Add-ADDBSidHistory.md Added the -Force parameter to cmdlets modifying ntds.dit. 2022-12-06 10:40:07 +01:00
Add-ADReplNgcKey.md Added the -Force parameter to cmdlets modifying ntds.dit. 2022-12-06 10:40:07 +01:00
ConvertFrom-ADManagedPasswordBlob.md Resolved #104: Major documentation update 2020-03-27 21:13:43 +01:00
ConvertFrom-GPPrefPassword.md Updated PS help 2019-08-24 21:14:32 +02:00
ConvertFrom-UnicodePassword.md Updated PS help 2019-08-24 21:14:32 +02:00
ConvertTo-GPPrefPassword.md Updated PS help 2019-08-24 21:14:32 +02:00
ConvertTo-Hex.md Updated cmdlet documentation 2019-09-08 00:58:45 +02:00
ConvertTo-KerberosKey.md Resolved #104: Major documentation update 2020-03-27 21:13:43 +01:00
ConvertTo-LMHash.md Updated cmdlet documentation 2019-09-08 00:58:45 +02:00
ConvertTo-NTHash.md Updated cmdlet documentation 2019-09-08 00:58:45 +02:00
ConvertTo-OrgIdHash.md Resolved #104: Major documentation update 2020-03-27 21:13:43 +01:00
ConvertTo-UnicodePassword.md Updated PS help 2019-08-24 21:14:32 +02:00
Disable-ADDBAccount.md Implemented #163: Offline account unlock 2023-09-25 08:52:14 +02:00
Enable-ADDBAccount.md Implemented #163: Offline account unlock 2023-09-25 08:52:14 +02:00
Get-ADDBAccount.md Implemented managed password derivation 2023-09-30 18:45:35 +02:00
Get-ADDBBackupKey.md Resolved #104: Major documentation update 2020-03-27 21:13:43 +01:00
Get-ADDBDomainController.md Resolved #104: Major documentation update 2020-03-27 21:13:43 +01:00
Get-ADDBKdsRootKey.md Implemented managed password derivation 2023-09-30 18:45:35 +02:00
Get-ADDBSchemaAttribute.md Updated PS help 2019-08-24 21:14:32 +02:00
Get-ADDBServiceAccount.md Implemented managed password derivation 2023-09-30 18:45:35 +02:00
Get-ADKeyCredential.md Fixed a few typos on Get-ADKeyCredential doc 2020-04-05 10:31:09 +02:00
Get-ADReplAccount.md Added the -Force parameter to cmdlets modifying ntds.dit. 2022-12-06 10:40:07 +01:00
Get-ADReplBackupKey.md fix a typo 2021-02-03 10:37:48 +01:00
Get-ADSIAccount.md Improved AAD key credential auditing 2020-04-01 13:06:00 +02:00
Get-AzureADUserEx.md Finished implementing searchableDeviceKey modification in AAD. 2020-07-03 21:43:04 +02:00
Get-BootKey.md Resolved #104: Major documentation update 2020-03-27 21:13:43 +01:00
Get-LsaBackupKey.md Resolved #104: Major documentation update 2020-03-27 21:13:43 +01:00
Get-LsaPolicyInformation.md Resolved #104: Major documentation update 2020-03-27 21:13:43 +01:00
Get-SamPasswordPolicy.md Resolved #104: Major documentation update 2020-03-27 21:13:43 +01:00
New-ADDBRestoreFromMediaScript.md Fix RFM service parameters 2025-01-04 19:54:55 +01:00
Readme.md GitHub Dark Theme Support 2023-11-12 09:32:49 +01:00
Remove-ADDBObject.md Updated PS help 2019-08-24 21:14:32 +02:00
Save-DPAPIBlob.md Resolved #104: Major documentation update 2020-03-27 21:13:43 +01:00
Set-ADDBAccountPassword.md Implemented #163: Offline account unlock 2023-09-25 08:52:14 +02:00
Set-ADDBAccountPasswordHash.md Implemented #163: Offline account unlock 2023-09-25 08:52:14 +02:00
Set-ADDBBootKey.md Added Force parameter to the Set-ADDBBootKey cmdlet 2023-02-25 08:05:38 +01:00
Set-ADDBDomainController.md Updated cmdlet documentation 2019-09-08 00:58:45 +02:00
Set-ADDBPrimaryGroup.md Added the -Force parameter to cmdlets modifying ntds.dit. 2022-12-06 10:40:07 +01:00
Set-AzureADUserEx.md Prepare for release 4.4.1 2020-07-18 18:27:45 +02:00
Set-LsaPolicyInformation.md Resolved #104: Major documentation update 2020-03-27 21:13:43 +01:00
Set-SamAccountPasswordHash.md Resolved #104: Major documentation update 2020-03-27 21:13:43 +01:00
Test-PasswordQuality.md Add parameter sets for WeakPasswordHashesSortedFile/WeakPasswordHashesSortedFilePath, update documentation 2024-12-23 09:51:18 +01:00
Unlock-ADDBAccount.md Implemented #163: Offline account unlock 2023-09-25 08:52:14 +02:00

Module Name: DSInternals
Module Guid: 766b3ad8-eb78-48e6-84bd-61b31d96b53e
Download Help Link:
Help Version: 1.0
Locale: en-US

Directory Services Internals PowerShell Module

Description

The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Azure Active Directory Cmdlets

These cmdlets utilize an undocumented API endpoint that exposes information not available through either the Microsoft Graph API or the Azure AD Graph API.

Get-AzureADUserEx

Gets a user from Azure AD, including the associated FIDO and NGC keys.

Set-AzureADUserEx

Registers new or revokes existing FIDO and NGC keys in Azure Active Directory.

Cmdlets for Offline Active Directory Operations

Get-ADDBAccount

Reads one or more accounts from a ntds.dit file, including secret attributes.

Enable-ADDBAccount

Enables an Active Directory account in an offline ntds.dit file.

Disable-ADDBAccount

Disables an Active Directory account in an offline ntds.dit file.

Unlock-ADDBAccount

Unlocks an Active Directory account in an offline ntds.dit file.

Add-ADDBSidHistory

Adds one or more values to the sIDHistory attribute of an object in a ntds.dit file.

Set-ADDBAccountPassword

Sets the password for a user, computer, or service account stored in a ntds.dit file.

Set-ADDBAccountPasswordHash

Sets the password hash for a user, computer, or service account stored in a ntds.dit file.

Set-ADDBPrimaryGroup

Modifies the primaryGroupId attribute of an object in a ntds.dit file.

Get-ADDBBackupKey

Reads the DPAPI backup keys from a ntds.dit file.

Get-ADDBKdsRootKey

Reads KDS Root Keys from a ntds.dit file. Can be used to aid DPAPI-NG decryption, e.g. SID-protected PFX files.

Get-ADDBServiceAccount

Reads all Group Managed Service Accounts (gMSAs) from a ntds.dit file, while deriving their current passwords from KDS root keys.

Get-ADDBDomainController

Reads information about the originating DC from a ntds.dit file, including domain name, domain SID, DC name and DC site.

Set-ADDBDomainController

Writes information about the DC to a ntds.dit file, including the highest committed USN and database epoch.

Get-ADDBSchemaAttribute

Reads AD schema from a ntds.dit file, including datatable column names.

Get-BootKey

Reads the Boot Key (AKA SysKey or System Key) from an online or offline SYSTEM registry hive.

Set-ADDBBootKey

Re-encrypts a ntds.dit file with a new BootKey/SysKey.

Remove-ADDBObject

Physically removes the specified object from a ntds.dit file, making it semantically inconsistent. Highly experimental!

Cmdlets for Online Active Directory Operations

Get-ADReplAccount

Reads one or more accounts through the MS-DRSR protocol, including secret attributes.

Get-ADReplBackupKey

Reads the DPAPI backup keys from a domain controller through the MS-DRSR protocol.

Add-ADReplNgcKey

Composes and updates the msDS-KeyCredentialLink value on an object through the MS-DRSR protocol.

Get-SamPasswordPolicy

Queries Active Directory for the default password policy.

Set-SamAccountPasswordHash

Sets NT and LM hashes of an Active Directory or local account through the MS-SAMR protocol.

Get-ADSIAccount

Gets all Active Directory user accounts from a given domain controller using ADSI. Typically used for Credential Roaming data retrieval through LDAP.

Get-LsaBackupKey

Reads the DPAPI backup keys from a domain controller through the LSARPC protocol.

Get-LsaPolicyInformation

Retrieves AD-related information from the Local Security Authority Policy of the local computer or a remote one.

Set-LsaPolicyInformation

Configures AD-related Local Security Authority Policies of the local computer or a remote one.

Password Hash Export Formats

The output of the Get-ADDBAccount and Get-ADReplAccount cmdlets can be formatted using the following custom Views to support different password cracking tools. ASCII file encoding is strongly recommended.

Hashcat

  • HashcatNT - NT hashes in Hashcat's format.
  • HashcatLM - LM hashes in Hashcat's format.
  • HashcatNTHistory - NT hashes, including historical ones, in Hashcat's format.
  • HashcatLMHistory - LM hashes, including historical ones, in Hashcat's format.

John the Ripper

  • JohnNT - NT hashes in the format supported by John the Ripper.
  • JohnLM - LM hashes in the format supported by John the Ripper.
  • JohnNTHistory - NT hashes, including historical ones, in the format supported by John the Ripper.
  • JohnLMHistory - LM hashes, including historical ones, in the format supported by John the Ripper.

Ophcrack

  • Ophcrack - NT and LM hashes in Ophcrack's format.

Other Formats

  • PWDump - NT and LM hashes in the pwdump format that is supported by various password cracking tools, e.g. ElcomSoft Distributed Password Recovery, rcracki-mt or John the Ripper.
  • PWDumpHistory - NT and LM hashes, including historical ones, in the pwdump format.
  • NTHash - NT hashes only, without account names.
  • LMHash - LM hashes only, without account names.
  • NTHashHistory - NT hashes, including historical ones, without account names.
  • LMHashHistory - LM hashes, including historical ones, without account names.

Example 1

PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key |
            Format-Custom -View PwDump |
            Out-File -FilePath users.pwdump -Encoding ascii

Exports NT and LM password hashes from an Active Directory database to a pwdump file.

Example 2

PS C:\> Get-ADReplAccount -All -Server LON-DC1 |
            Format-Custom -View JohnNT |
            Out-File -FilePath users.txt -Encoding ascii

Replicates all Active Directory accounts from the target domain controller and exports their NT password hashes to a file format that is supported by John the Ripper.

Cmdlets for Password Hash Calculation

ConvertTo-KerberosKey

Computes Kerberos keys from a given password using Kerberos version 5 Key Derivation Functions.

ConvertTo-NTHash

Calculates NT hash of a given password.

ConvertTo-LMHash

Calculates LM hash of a given password.

ConvertTo-OrgIdHash

Calculates OrgId hash of a given password. Used by Azure Active Directory Connect.

Cmdlets for Credential Decryption

Save-DPAPIBlob

Saves DPAPI and Credential Roaming data retrieved from Active Directory to the filesystem for further processing.

ConvertFrom-ADManagedPasswordBlob

Decodes the value of the msDS-ManagedPassword attribute of a Group Managed Service Account.

Get-ADKeyCredential

Creates an object representing Windows Hello for Business or FIDO credentials from its binary representation or an X.509 certificate.

ConvertFrom-GPPrefPassword

Decodes a password from the format used by Group Policy Preferences.

ConvertTo-GPPrefPassword

Converts a password to the format used by Group Policy Preferences.

ConvertFrom-UnicodePassword

Decodes a password from the format used in unattend.xml files.

ConvertTo-UnicodePassword

Converts a password to the format used in unattend.xml or *.ldif files.

Miscellaneous Cmdlets

New-ADDBRestoreFromMediaScript

Generates a PowerShell script that can be used to restore a domain controller from an IFM-equivalent backup (i.e. ntds.dit + SYSVOL).

Test-PasswordQuality

Performs AD audit, including checks for weak, duplicate, default and empty passwords. Accepts input from the Get-ADReplAccount and Get-ADDBAccount cmdlets.

ConvertTo-Hex

Helper cmdlet that converts binary input to a hexadecimal string.