Prepare for version 3.0

Changelog.txt

@@ -1,3 +1,22 @@
+Version 3.0
+- [Module] Added the Set-ADDBAccountPassword and Set-ADDBAccountPasswordHash for offline password modification.
+- [Module] The Test-PasswordQuality cmdlet now supports NTLM hash list from haveibeenpwned.com.
+- [Module] Added the Get-ADKeyCredential for linked credential generation (AKA Windows Hello for Business).
+- [Module] The Get-ADDBAccount, Get-ADReplAccount and Get-ADSIAccount cmdlets now display linked credentials.
+- [Module] Databases from Windows Server 2016 can now be read on non-DCs.
+- [Module] Added the ConvertTo-KerberosKey cmdlet for key generation.
+- [Module] The Save-DPAPIBlob now generates scripts for mimikatz.
+- [Module] The Save-DPAPIBlob cmdlet now accepts pipeline input from both Get-ADDBBackupKey and ADDBAccount cmdlets.
+- [Module] Added Views JohnNTHistory, HashcatNTHistory and NTHashHistory.
+- [Module] The Get-ADDBDomainController now displays domain and forest functional levels.
+- [Module] The Set-ADDBDomainController can now be used to modify backup expiration.
+- [Module] The Get-ADDBAccount cmdlet now reports progress when retrieving multiple accounts.
+- [Module] Removed the ConvertTo-NTHashDictionary cmdlet as its functionality had been integrated into Test-PasswordQuality.
+- [Framework] Added support for offline password changes.
+- [Framework] Added support for kerberos key derivation.
+- [Framework] Added support for WDigest hash calculation.
+- [Framework] Minor bug fixes.
+
 Version 2.23
 - [Module] The Test-PasswordQuality now supports accounts that require smart card authentication.
 - [Module] Fixed a bug in in the processing of the SkipDuplicatePasswordTest switch of the Test-PasswordQuality cmdlet.
@@ -178,4 +197,4 @@ Version 1.1
 - Added the ConvertFrom-GPPrefPassword cmdlet
 
 Version 1.0
-- Initial release
+- Initial release

Src/Configuration/CommonAssemblyInfo.h

@@ -1,4 +1,4 @@
 using namespace System::Reflection;
 
 [assembly:AssemblyProductAttribute(L"DSInternals PowerShell Module")];
-[assembly:AssemblyCopyrightAttribute(L"Copyright © 2015-2017 Michael Grafnetter. All rights reserved.")];
+[assembly:AssemblyCopyrightAttribute(L"Copyright © 2015-2018 Michael Grafnetter. All rights reserved.")];

Src/DSInternals.Common/DSInternals.Common.nuspec

@@ -12,8 +12,8 @@
     <requireLicenseAcceptance>false</requireLicenseAcceptance>
     <description>This package is shared between all other DSInternals packages. It contains implementations of common hash functions used by Windows, including NT hash, LM hash and OrgId hash. It also contains methods for SysKey/BootKey retrieval.</description>
     <summary>This package is shared between all other DSInternals packages.</summary>
-    <releaseNotes>Fixed a bug in roamed credentials processing.</releaseNotes>
-    <copyright>Copyright (c) 2015-2017 Michael Grafnetter. All rights reserved.</copyright>
+    <releaseNotes>Added support for kerberos key derivation and WDigest hash calculation.</releaseNotes>
+    <copyright>Copyright (c) 2015-2018 Michael Grafnetter. All rights reserved.</copyright>
     <tags>ActiveDirectory Security</tags>
   </metadata>
 </package>

Src/DSInternals.Common/Properties/AssemblyInfo.cs

@@ -6,8 +6,8 @@ using System.Runtime.InteropServices;
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals Common Library")]
-[assembly: AssemblyVersion("2.21.2")]
-[assembly: AssemblyFileVersion("2.21.2")]
+[assembly: AssemblyVersion("3.0")]
+[assembly: AssemblyFileVersion("3.0")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]

Src/DSInternals.DataStore/DSInternals.DataStore.nuspec

@@ -12,8 +12,8 @@
     <requireLicenseAcceptance>false</requireLicenseAcceptance>
     <description>DSInternals DataStore is an advanced framework for offline ntds.dit file manipulation. It can be used to extract password hashes from Active Directory backups or to modify the sIDHistory and primaryGroupId attributes.</description>
     <summary>DSInternals DataStore is an advanced framework for offline ntds.dit file manipulation.</summary>
-    <releaseNotes>Added the ability to enable and disable user accounts.</releaseNotes>
-    <copyright>Copyright (c) 2015-2017 Michael Grafnetter. All rights reserved.</copyright>
+    <releaseNotes>Added support for offline password modification.</releaseNotes>
+    <copyright>Copyright (c) 2015-2018 Michael Grafnetter. All rights reserved.</copyright>
     <tags>ActiveDirectory Security NTDS</tags>
     <references>
       <reference file="DSInternals.DataStore.dll" />

Src/DSInternals.DataStore/Properties/AssemblyInfo.cs

@@ -1,13 +1,12 @@
 using System.Reflection;
-using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
 
 // General Information about an assembly is controlled through the following 
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals DataStore Library")]
-[assembly: AssemblyVersion("2.22")]
-[assembly: AssemblyFileVersion("2.22")]
+[assembly: AssemblyVersion("3.0")]
+[assembly: AssemblyFileVersion("3.0")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]

Src/DSInternals.PowerShell/Commands/Datastore/GetADDBAccountCommand.cs

@@ -9,17 +9,16 @@ using System.Management.Automation;
 namespace DSInternals.PowerShell.Commands
 {
     [Cmdlet(VerbsCommon.Get, "ADDBAccount")]
-    // TODO: output type
-    // TODO: Accept *
     [OutputType(typeof(DSAccount))]
     public class GetADDBAccountCommand : ADDBPrincipalCommandBase
     {
-        protected const string parameterSetAll = "All";
+        private const int ProgressReportingInterval = 25;
+        protected const string ParameterSetAll = "All";
 
         [Parameter(
             Mandatory = true,
             HelpMessage = "TODO",
-            ParameterSetName = parameterSetAll
+            ParameterSetName = ParameterSetAll
         )]
         [Alias("AllAccounts", "ReturnAllAccounts")]
         public SwitchParameter All
@@ -46,7 +45,7 @@ namespace DSInternals.PowerShell.Commands
         {
             // TODO: Exception handling: Object not found, malformed DN, ...
             // TODO: Map DSAccount to transfer object
-            if(this.ParameterSetName == parameterSetAll)
+            if(this.ParameterSetName == ParameterSetAll)
             {
                 this.ReturnAllAccounts(this.BootKey);
             }
@@ -72,7 +71,7 @@ namespace DSInternals.PowerShell.Commands
                 accountCount++;
 
                 // Update progress
-                if(accountCount % 10 == 0)
+                if(accountCount % ProgressReportingInterval == 1)
                 {
                     // We do not want to change the progress too often, for performance reasons.
                     progress.StatusDescription = String.Format("{0}+ accounts", accountCount);

Src/DSInternals.PowerShell/Commands/Hash/ConvertToNTHashDictionaryCommand.cs

@@ -1,86 +0,0 @@
-namespace DSInternals.PowerShell.Commands
-{
-    using DSInternals.Common.Cryptography;
-    using DSInternals.Common.Interop;
-    using System;
-    using System.Collections.Generic;
-    using System.ComponentModel;
-    using System.Management.Automation;
-
-    [Cmdlet(VerbsData.ConvertTo, "NTHashDictionary")]
-    [OutputType(new Type[] { typeof(IDictionary<byte[], string>) })]
-    public class ConvertToNTHashDictionaryCommand : PSCmdlet
-    {
-        #region Parameters
-
-        // HACK: This parameter is not called assword to pass the PSScriptAnalyzer tests. The purpose of this command is to calculate the hashes of password lists stored in text files, so there is no need to protect them by SecureStrings.
-        [Parameter(
-            Mandatory = true,
-            ValueFromPipeline = true,
-            Position = 0
-        )]
-        [Alias("Password")]
-        [ValidateNotNullOrEmpty]
-        public string[] Input
-        {
-            get;
-            set;
-        }
-
-        #endregion Parameters
-
-        #region Fields
-
-        private IDictionary<byte[], string> hashDictionary;
-        
-        #endregion Fields
-
-        #region Cmdlet Overrides
-        protected override void BeginProcessing()
-        {
-            this.hashDictionary = new Dictionary<byte[], string>(HashEqualityComparer.GetInstance());
-        }
-
-        protected override void ProcessRecord()
-        {
-            foreach(string password in this.Input)
-            {
-                if(string.IsNullOrEmpty(password))
-                {
-                    // Skip empty lines from the input.
-                    continue;
-                }
-                try
-                {
-                    byte[] hash = NTHash.ComputeHash(password);
-                    if(!this.hashDictionary.ContainsKey(hash))
-                    {
-                        // Do not try to add duplicate hashes, because the Add method would throw an ArgumentException.
-                        this.hashDictionary.Add(hash, password);
-                    }
-                }
-                catch (ArgumentException ex)
-                {
-                    ErrorRecord error = new ErrorRecord(ex, "Error1", ErrorCategory.InvalidArgument, password);
-                    this.WriteError(error);
-                }
-                catch (Win32Exception ex)
-                {
-                    ErrorCategory category = ((Win32ErrorCode)ex.NativeErrorCode).ToPSCategory();
-                    ErrorRecord error = new ErrorRecord(ex, "Error2", category, password);
-                    this.WriteError(error);
-                }
-                catch (Exception ex)
-                {
-                    ErrorRecord error = new ErrorRecord(ex, "Error3", ErrorCategory.NotSpecified, password);
-                    this.WriteError(error);
-                }
-            }
-        }
-        protected override void EndProcessing()
-        {
-            this.WriteObject(this.hashDictionary, false);
-        }
-        #endregion Cmdlet Overrides
-    }
-}

Src/DSInternals.PowerShell/Commands/Misc/TestPasswordQualityCommand.cs

@@ -208,8 +208,7 @@
             // Process duplicate passwords
             if (!this.SkipDuplicatePasswordTest.IsPresent)
             {
-
-                this.result.DuplicatePasswordGroups = this.hashToAccountMap.Values.Where(list => list.Count > 1).ToList();
+                this.result.DuplicatePasswordGroups = this.hashToAccountMap.Values.Where(set => set.Count > 1).ToList();
             }
 
             // Process Weak Passwords

Src/DSInternals.PowerShell/DSInternals.PowerShell.csproj

@@ -61,7 +61,6 @@
     <Compile Include="Commands\Hash\ConvertToKerberosKeyCommand.cs" />
     <Compile Include="Commands\Datastore\SetADDBAccountPasswordHashCommand.cs" />
     <Compile Include="Commands\Datastore\SetADDBAccountPasswordCommand.cs" />
-    <Compile Include="Commands\Hash\ConvertToNTHashDictionaryCommand.cs" />
     <Compile Include="Commands\Misc\ConvertFromADManagedPasswordBlobCommand.cs" />
     <Compile Include="Commands\Misc\GetADKeyCredential.cs" />
     <Compile Include="Commands\Misc\GetSamPasswordPolicyCommand.cs" />

Src/DSInternals.PowerShell/DSInternals.psd1

@@ -8,7 +8,7 @@
 RootModule = 'DSInternals.psm1'
 
 # Version number of this module.
-ModuleVersion = '2.23'
+ModuleVersion = '3.0'
 
 # ID used to uniquely identify this module
 GUID = '766b3ad8-eb78-48e6-84bd-61b31d96b53e'
@@ -87,7 +87,7 @@ CmdletsToExport = 'ConvertTo-NTHash', 'ConvertTo-LMHash', 'Set-SamAccountPasswor
                'Get-ADReplAccount', 'ConvertTo-Hex', 'ConvertTo-KerberosKey',
                'ConvertFrom-ADManagedPasswordBlob',
                'Get-ADDBBackupKey', 'Get-ADReplBackupKey', 'Save-DPAPIBlob',
-               'Set-ADDBBootKey','ConvertTo-NTHashDictionary', 'Test-PasswordQuality',
+               'Set-ADDBBootKey', 'Test-PasswordQuality',
                'Get-ADDBKdsRootKey', 'Get-SamPasswordPolicy', 'Get-ADSIAccount',
                'Enable-ADDBAccount', 'Disable-ADDBAccount', 'Get-ADKeyCredential',
                'Set-ADDBAccountPassword', 'Set-ADDBAccountPasswordHash'
@@ -133,7 +133,18 @@ PrivateData = @{
 
         # ReleaseNotes of this module
         ReleaseNotes = @"
-- Fixed 2 minor bugs in the Test-PasswordQuality cmdlet.
+- Added the Set-ADDBAccountPassword and Set-ADDBAccountPasswordHash for offline password modification.
+- The Test-PasswordQuality cmdlet now supports NTLM hash list from haveibeenpwned.com.
+- Added the Get-ADKeyCredential for linked credential generation (AKA Windows Hello for Business).
+- The Get-ADDBAccount, Get-ADReplAccount and Get-ADSIAccount cmdlets now display linked credentials.
+- Databases from Windows Server 2016 can now be read on non-DCs.
+- Added the ConvertTo-KerberosKey cmdlet for key generation.
+- The Save-DPAPIBlob now generates scripts for mimikatz.
+- The Save-DPAPIBlob cmdlet now accepts pipeline input from both Get-ADDBBackupKey and ADDBAccount cmdlets.
+- Added Views JohnNTHistory, HashcatNTHistory and NTHashHistory.
+- The Get-ADDBDomainController cmdlet now displays domain and forest functional levels.
+- The Set-ADDBDomainController cmdlet can now be used to modify backup expiration.
+- The Get-ADDBAccount cmdlet now reports progress when retrieving multiple accounts.
 "@
     } # End of PSData hashtable
 

Src/DSInternals.PowerShell/DSInternals.psm1

@@ -42,7 +42,6 @@ New-Alias -Name Get-ADReplicationAccount         -Value Get-ADReplAccount
 New-Alias -Name ConvertFrom-ManagedPasswordBlob  -Value ConvertFrom-ADManagedPasswordBlob
 New-Alias -Name Get-SysKey                       -Value Get-BootKey
 New-Alias -Name Set-ADDBSysKey                   -Value Set-ADDBBootKey
-New-Alias -Name New-NTHashDictionary             -Value ConvertTo-NTHashDictionary
 New-Alias -Name Test-ADPasswordQuality           -Value Test-PasswordQuality
 New-Alias -Name Test-ADDBPasswordQuality         -Value Test-PasswordQuality
 New-Alias -Name Test-ADReplPasswordQuality       -Value Test-PasswordQuality

Src/DSInternals.PowerShell/Properties/AssemblyInfo.cs

@@ -5,8 +5,8 @@ using System.Runtime.InteropServices;
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals PowerShell Commands")]
-[assembly: AssemblyVersion("2.23")]
-[assembly: AssemblyFileVersion("2.23")]
+[assembly: AssemblyVersion("3.0")]
+[assembly: AssemblyFileVersion("3.0")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]

Src/DSInternals.Replication.Interop/AssemblyInfo.cpp

@@ -14,7 +14,7 @@ using namespace System::Security::Permissions;
 //
 [assembly:AssemblyTitleAttribute(L"DSInternals Replication Interop Library")];
 // Note: Do not forget to change the version in version.rc files.
-[assembly:AssemblyVersionAttribute("2.21.2")];
+[assembly:AssemblyVersionAttribute("3.0")];
 [assembly:AssemblyDescriptionAttribute(L"")];
 [assembly:AssemblyConfigurationAttribute(L"")];
 [assembly:AssemblyCompanyAttribute(L"")];

Src/DSInternals.Replication.Model/Properties/AssemblyInfo.cs

@@ -6,8 +6,8 @@ using System.Runtime.InteropServices;
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals Replication Data Model")]
-[assembly: AssemblyVersion("2.21.2")]
-[assembly: AssemblyFileVersion("2.21.2")]
+[assembly: AssemblyVersion("3.0")]
+[assembly: AssemblyFileVersion("3.0")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]

Src/DSInternals.Replication/DSInternals.Replication.nuspec

@@ -12,8 +12,8 @@
     <requireLicenseAcceptance>false</requireLicenseAcceptance>
     <description>DSInternals Replication implements a client for the Active Directory Replication Service Remote Protocol (DRS-R). It can be used to remotely extract password hashes from domain controllers.</description>
     <summary>DSInternals Replication implements a client for the Active Directory Replication Service Remote Protocol (DRS-R).</summary>
-    <releaseNotes>Fixed a bug in roamed credentials processing.</releaseNotes>
-    <copyright>Copyright (c) 2015-2017 Michael Grafnetter. All rights reserved.</copyright>
+    <releaseNotes>Updated package references.</releaseNotes>
+    <copyright>Copyright (c) 2015-2018 Michael Grafnetter. All rights reserved.</copyright>
     <tags>ActiveDirectory Security RPC DRSR</tags>
     <references>
       <reference file="DSInternals.Replication.dll" />

Src/DSInternals.Replication/Properties/AssemblyInfo.cs

@@ -6,8 +6,8 @@ using System.Runtime.InteropServices;
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals Replication Library")]
-[assembly: AssemblyVersion("2.21.2")]
-[assembly: AssemblyFileVersion("2.21.2")]
+[assembly: AssemblyVersion("3.0")]
+[assembly: AssemblyFileVersion("3.0")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]

Src/DSInternals.SAM/DSInternals.SAM.nuspec

@@ -13,7 +13,7 @@
     <description>DSInternals SAM implements a client for the Security Accounts Manager Remote Protocol (SAM-R). It can be used to import password hashes into Active Directory.</description>
     <summary>DSInternals SAM implements a client for the Security Accounts Manager Remote Protocol (SAM-R).</summary>
     <releaseNotes>Updated package references.</releaseNotes>
-    <copyright>Copyright (c) 2015-2017 Michael Grafnetter. All rights reserved.</copyright>
+    <copyright>Copyright (c) 2015-2018 Michael Grafnetter. All rights reserved.</copyright>
     <tags>ActiveDirectory Security RPC SAMR</tags>
     <references>
       <reference file="DSInternals.SAM.dll" />

Src/DSInternals.SAM/Properties/AssemblyInfo.cs

@@ -6,8 +6,8 @@ using System.Runtime.InteropServices;
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals SAM Library")]
-[assembly: AssemblyVersion("2.21.2")]
-[assembly: AssemblyFileVersion("2.21.2")]
+[assembly: AssemblyVersion("3.0")]
+[assembly: AssemblyFileVersion("3.0")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]