mirror of
https://github.com/MichaelGrafnetter/DSInternals
synced 2024-12-17 20:05:40 +00:00
33 KiB
33 KiB
Changelog
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog.
4.14 - 2024-04-13
Fixed
- Increased tolerance for malformed DPAPI CNG private keys.
- Improved parsing of conflicting secret object names, e.g.,
CN=BCKUPKEY_PREFERRED Secret\\0ACNF:26c8edbb-6b48-4f11-9e13-9ddbccedab5a,CN=System,DC=contoso,DC=com
.
4.13 - 2023-12-20
Fixed
- The Set-LsaPolicyInformation cmdlet now generates the UNICODE_STRING structure with the trailing null character, to improve compatibility with NETLOGON. This issue mainly affects the functionality of the New-ADDBRestoreFromMediaScript cmdlet. Thanks Christoffer Andersson for reporting this issue and sorry Microsoft support escalation engineers for the trouble this bug has caused.
4.12 - 2023-10-06
Added
- The Get-ADReplAccount cmdlet now works against Windows Server 2025 Insider Preview with the 32k database page size optional feature enabled.
- The Get-ADDBAccount cmdlet is now able to read databases originating from Windows Server 2025 Insider Preview with the 32k database page size optional feature enabled.
- Added support for parsing AES SHA2 Kerbers keys.
Fixed
- Improved KDS Root Key selection algorithm in the Get-ADDBServiceAccount cmdlet.
4.11 - 2023-10-01
Added
- Added the Get-ADDBServiceAccount cmdlet for offline managed password derivation.
- Implemented the Unlock-ADDBAccount cmdlet that can perform offline account unlock.
Fixed
- Fixed Kerberos PBKDF2 salt derivation for service accounts in the ConvertTo-KerberosKey cmdlet and the corresponding KerberosKeyDerivation class.
4.10 - 2023-09-16
Added
- The Test-PasswordQuality cmdlet now checks if a user's password is equal to their SamAccountName attribute, thanks to @BlueCurby.
- Replication cmdlets in the PowerShell module should now work on the ARM64 platform as well. Tests were performed using the Windows Dev Kit 2023, AKA Project Volterra.
Fixed
- Fixed a rare security descriptor parsing issue.
- Parallel reading of multiple databases is now supported.
4.9 - 2023-02-25
Changed
- Implemented FIPS compliance requirement check (issues #97, #111, and #152).
- Added a check that the module is running on Windows.
- The Set-ADDBBootKey cmdlet now also has the
-Force
parameter, as do all other cmdlets for offline DB modification.
Fixed
- The Get-BootKey cmdlet should now be able to read inconsistent/corrupted SYSTEM registry hives (issue #47).
4.8 - 2022-12-06
Changed
- Upgraded to the latest JSON.NET library to fix some security issues.
- Upgraded to the latest CBOR library to fix some security issues.
- Added pipeline input support to the
-SamAccountName
parameter of the Get-ADReplAccount cmdlet. - All PowerShell cmdlets that modify the
ntds.dit
file now have the-Force
parameter.
Fixed
- Fixed a regression error in
ntds.dit
file modification on Windows Server 2022 that was introduced in release 4.7.
4.7 - 2021-10-30
Added
- The Test-PasswordQuality cmdlet can now identify kerberoastable user accounts.
- The DSAccount class now exposes the msDs-supportedEncryptionTypes attribute in its
SupportedEncryptionTypes
property.
Changed
- DSInternals.Replication.Interop is targeting the latest Windows 10 SDK instead of a specific one.
Fixed
- Computer accounts are now skipped when searching for duplicate passwords.
- Improved exception handling when opening read-only database files.
4.6 - 2021-10-19
Added
- Windows Server 2022 ntds.dit file modification is now supported.
Changed
- Updated ManagedEsent to 1.9.4.1 and extracted customizations to partial classes.
Fixed
- ESE parameter set now better mimics the one used in AD.
4.5 - 2021-10-14
Fixed
- Added support for ntds.dit files with conflicting defunct attributes.
- Fixed the detection of default computer passwords.
- Improved parsing of roaming CNG private keys.
Changed
- Updated the target .NET Framework to 4.7.2.
4.4.1 - 2020-07-18
Fixed
- The
vcruntime140_1.dll
file is now part of the binary distribution. Its absence sometimes prevented theDSInternals.Replication.Interop.dll
file from being loaded.
4.4 - 2020-07-03
Added
- The new Set-AzureADUserEx cmdlet can be used to revoke FIDO2 and NGC keys in Azure Active Directory.
4.3 - 2020-04-02
Added
- New logo and package icons!
- The new Get-AzureADUserEx cmdlet can be used to retrieve FIDO and NGC keys from Azure Active Directory, as the first tool on the market.
- Both lastLogon and lastLogonTimestamp user account attributes are now exposed. The LastLogonDate PowerShell property returns whichever of these 2 values is available.
- The
-Server
parameter of the Get-ADSIAccount cmdlet now has the standard-ComputerName
alias.
Changed
- Major PowerShell module documentation improvements.
4.2 - 2020-03-18
Added
- The Test-PasswordQuality cmdlet now supports cross-domain and cross-forest duplicate password discovery.
- The Get-ADReplAccount, Get-ADReplBackupKey and Add-ADReplNgcKey cmdlets no longer require the
Domain
andNamingContext
parameters to be specified, as their proper values are automatically retrieved from the target DC.
Changed
- Updated license information in Nuget packages to resolve Warning NU5125.
Fixed
- Resolved a bug in the Get-ADDBBackupKey cmdlet that prevented it from working on global catalogs in multi-domain forests.
- Resolved a bug in DPAPI credential display.
4.1 - 2019-12-12
Added
- The Test-PasswordQuality cmdlet now contains a check for accounts that require smart card authentication and have a password at the same time.
Fixed
- The Save-DPAPIBlob cmdlet now saves roamed CNG keys in proper format.
- Fixed an issue with the Set-ADDBAccountPassword and Set-ADDBAccountPasswordHash cmdlets, which, under rare circumstances, could incorrectly modify replication metadata. Unfortunately, the documentation does not say that PROPERTY_META_DATA_EXT_VECTOR must be sorted.
4.0 - 2019-12-04
Added
- Added support for auditing (Azure) Active Directory NGC keys against the ROCA vulnerability.
- Added the Add-ADReplNgcKey cmdlet for NGC key injection through the MS-DRSR protocol.
- Added the
Moduli
custom PowerShell view to enable export of public keys stored in themsDS-KeyCredentialLink
attribute. - Added the
FIDO
custom PowerShell view to provide visibility into FIDO2 keys registered in themsDS-KeyCredentialLink
attribute. - Implemented FIDO2 token information parsing in the
KeyCredential
class. Tested with YubiKey, Feitian, eWBM and SoloKeys. Big thanks to @aseigler for major code contribution! - Implemented public key retrieval capability in the
KeyCredential
class.
Changed
- .NET Framework 4.7 is now required because of ECC support.
- The Get-ADReplAccount cmdlet can now search accounts by the
userPrincipalName
attribute. - NGC keys generated by the Get-ADKeyCredential cmdlet are now accepted in validated writes.
Fixed
- Eliminated a memory leak in
DRS_MSG_GETCHGREQ_V8
deallocation. - Fixed the output type of the Set-ADDBBootKey cmdlet.
3.6.1 - 2019-08-10
Fixed
- Resolved issue #91 (The boot key provided cannot be used to decrypt the database), which appeared during decryption of ntds.dit files originating from Windows Server 2016+ DCs that were promoted using IFM.
3.6 - 2019-06-28
Changed
- Renamed the
-DBPath
parameter of database cmdlets to-DatabasePath
. - Improved Get-Help documentation.
Fixed
- Resolved issue #88 (Test-PasswordQuality errors out with "Offset and length must refer to a position in the string").
3.5.1 - 2019-05-23
This is a Chocolatey-only release.
Fixed
- Temporarily removed the package dependency on PowerShell 3, which caused some issues. Will be resolved in a future release.
3.5 - 2019-05-10
Added
- Official Chocolatey Package
- New password hash export formats: JohnLMHistory, HashcatLMHistory, PWDumpHistory and LMHashHistory.
Changed
- The JohnNTHistory and HashcatNTHistory export formats now differentiate between current and historical password hashes.
Fixed
- Improved the JohnNT and JohnLM export formats.
- Scripts generated by the New-ADDBRestoreFromMediaScript cmdlet now correctly restore SYSVOL on Windows Server 2008 R2+.
- Scripts generated by the New-ADDBRestoreFromMediaScript cmdlet now supports SYSVOL FRS replication in addition to DFS-R.
- Scripts generated by the New-ADDBRestoreFromMediaScript cmdlet now do not require the ActiveDirectory module to be pre-installed.
3.4 - 2019-04-23
Added
- The Test-PasswordQuality cmdlet now has a parameter called
-WeakPasswordHashesSortedFile
. This parameter should be used with ordered hash files downloaded from HaveIBeenPwned as it has huge performance benefits over the older-WeakPasswordHashesFile
parameter due to the usage of binary search algorithm. - The Test-PasswordQuality cmdlet now has a proper documentation, including usage examples.
Fixed
- The PWDump export format is now more compatible with some 3rd party tools, e.g. ElcomSoft Distributed Password Recovery, although the ASCII encoding still must be enforced.
- The speed of processing the
-WeakPasswordHashesFile
and-WeakPasswordsFile
parameters of the Test-PasswordQuality cmdlet has significantly been increased. - Parsing of roamed credentials is now slightly faster.
- Documentation improvements!
3.3 - 2019-03-02
Changed
- Implemented a slightly more secure handling of GMSA passwords.
- The .NET Framework 4.5.1 requirement is now enforced.
Fixed
- Scripts generated by the New-ADDBRestoreFromMediaScript cmdlet will also fix SYSVOL references in the DFS-R subscription object if it is restored to a different path.
- A more explanatory exception is now thrown when opening databases that originate from different OS versions.
- A more explanatory exception is now thrown when the Universal C Runtime is missing from Windows.
- A more explanatory exception is now thrown when the assemblies are blocked.
- PEK list decryption exceptions now contain troubleshooting data.
- Minor improvement in C++ build speed.
3.2.1 - 2019-01-04
Fixed
- The implementation of database re-encryption now behaves more closely to Windows Server 2016.
3.2 - 2019-01-03
Added
- [Module] Added the Get-LsaBackupKey cmdlet for DPAPI domain backup key retrieval through LSARPC.
- [Framework] Added support for DPAPI domain backup key retrieval from LSA Policy.
Changed
- [Module] The Set-ADDBBootKey cmdlet now works with Windows Server 2000-2019 databases.
- [Module] The New-ADDBRestoreFromMediaScript cmdlet now uses shutdown.exe instead of Restart-Computer.
- [Framework] Updated package references.
Fixed
- [Framework] Fixed
DSInternals.Replication.Interop
assembly versioning.
3.1 - 2018-12-29
Added
- [Module] Added the New-ADDBRestoreFromMediaScript cmdlet to aid with file-level DC recovery process.
- [Module] Added the Get-LSAPolicyInformation and Set-LSAPolicyInformation cmdlets that can be used to retrieve and change domain-related LSA Policies.
- [Module] Extended the information returned by the Get-ADDBDomainController cmdlet.
- [Module] Added MAML documentation for
Get-Help
. - [Framework] Added support for LSA Policy retrieval and modification.
Changed
- [Framework] Implemented distinguished name (DN) caching in the database access layer.
Fixed
- [Module] Path to the DSInternals.psd1 file now does not need to be specified when loading the module from a non-default location.
3.0 - 2018-09-29
Added
- [Module] Added the Set-ADDBAccountPassword and Set-ADDBAccountPasswordHash cmdlets for offline password modification.
- [Module] The Test-PasswordQuality cmdlet now supports NTLM hash list from haveibeenpwned.com.
- [Module] Added the Get-ADKeyCredential cmdlet for linked credential generation (AKA Windows Hello for Business).
- [Module] The Get-ADDBAccount, Get-ADReplAccount and Get-ADSIAccount cmdlets now display linked credentials.
- [Module] Databases from Windows Server 2016 can now be read on non-DCs.
- [Module] Added the ConvertTo-KerberosKey cmdlet for key generation.
- [Module] The Save-DPAPIBlob now generates scripts for mimikatz.
- [Module] The Save-DPAPIBlob cmdlet now accepts pipeline input from both Get-ADDBBackupKey and ADDBAccount cmdlets.
- [Module] Added Views JohnNTHistory, HashcatNTHistory and NTHashHistory.
- [Module] The Get-ADDBDomainController now displays domain and forest functional levels.
- [Module] The Set-ADDBDomainController can now be used to modify backup expiration.
- [Module] The Get-ADDBAccount cmdlet now reports progress when retrieving multiple accounts.
- [Framework] Added support for offline password changes.
- [Framework] Added support for kerberos key derivation.
- [Framework] Added support for WDigest hash calculation.
Fixed
- [Framework] Minor bug fixes.
Removed
- [Module] Removed the
ConvertTo-NTHashDictionary
cmdlet as its functionality had been integrated into the Test-PasswordQuality cmdlet. - [Module] Removed the
-ShowPlainTextPasswords
parameter of the Test-PasswordQualiy cmdlet. It might be re-added in the future.
2.23 - 2018-07-07
Changed
- [Module] The Test-PasswordQuality now supports accounts that require smart card authentication.
Fixed
- [Module] Fixed a bug in in the processing of the
-SkipDuplicatePasswordTest
switch of the Test-PasswordQuality cmdlet.
2.22 - 2017-04-29
Added
- [Framework] Added the Enable-ADDBAccount and Disable-ADDBAccount cmdlets.
- [Module] Added the ability to enable or disable accounts in offline databases.
2.21.2 - 2017-04-19
Fixed
- [Framework] Fixed a bug in roamed credentials processing.
- [Module] Fixed a bug in hexadecimal parameter parsing.
2.21.1 - 2017-04-14
Fixed
- Fixed a bug in linked value replication.
2.21 - 2017-03-25
- [Module] The replication cmdlets now use Kerberos authentication by default.
- [Module] Added support for roamed credentials.
- [Module] Cmdlets now accept hashes in both byte array and hexadecimal string forms.
- [Framework] Added support for linked value retrieval.
- [Framework] Updated referenced packages.
- [Framework] Added the SamEnumerateDomainsInSamServer call.
2.20 - 2016-11-15
- Added the Get-ADPasswordPolicy cmdlet.
2.19 - 2016-10-21
- Added support for the ServicePrincipalName attribute.
2.18 - 2016-10-02
- [Module] Added the Get-ADDBKdsRootKey cmdlet to aid DPAPI-NG decryption, e.g. SID-protected PFX files.
- [Module] The Get-ADReplAccount cmdlet now correctly reports the access denied error.
- [Module] Fixed a bug in progress reporting of the Get-ADReplAccount cmdlet.
- [Framework] Added support for KDS Root Key retrieval.
- [Framework] Replication errors are now reported using more suitable exception types.
2.17 - 2016-09-16
- [Module] The
Get-ADReplAccount -All
command now reports replication progress. - [Framework] Added the ability to retrieve the replication cursor.
- [Framework] The
ReplicationCookie
class is now immutable and replication progress is reported using a delegate. - [Framework] Win32 exceptions are now translated to more specific .NET exceptions by the
Validator
class.
2.16.1 - 2016-08-08
- [Module] Added the
-ShowPlainTextPasswords
parameter to the Test-PasswordQuality cmdlet. Cracked and cleartext passwords now do not get displayed by default.
2.16 - 2016-08-07
- [Module] Added the Test-PasswordQuality and
ConvertTo-NTHashDictionary
cmdlets. - [Module] Added support for the the UserAccountControl attribute of user accounts.
- [Framework] Added the ability to replicate user accounts by specifying their UPN.
- [Framework] Added the ability to calculate a NT hash from both String and SecureString.
- [Framework] Added the
HashEqualityComparer
, which allows the hashes to be stored in the built-in generic collections.
2.15 - 2016-06-18
- Removed dependency on ADSI.
- Added support for the PAM optional feature.
- Added the PWDump custom view.
- Added the NTHash custom view.
- Added the LMHash custom view.
2.14 - 2016-04-30
- Added support for Windows Server 2016 ntds.dit encryption.
- Added support for replication with renamed domains.
- Added support for reading security descriptors (ACLs) from both ntds.dit files and DRS-R.
- Added support for the AdminCount attribute.
- Updated the forked ManagedEsent source codes to version 1.9.3.3.
2.13.1 - 2016-02-25
- Fixed a bug regarding incorrect OS version detection.
2.13 - 2016-02-21
- Fixed a rare bug which caused the database cmdlets to hang while loading indices.
- Meaningful error messages are now displayed when a dirty or downlevel ntds.dit file is encountered.
- The
DSInternals.Replication
library now supports incremental replication (not exposed through PowerShell).
2.12 - 2016-02-07
- Commandlets for ntds.dit manipulation now work on Windows 7 / Windows Server 2008 R2.
- The module now requires .NET Framework 4.5.1 instead of 4.5.
- Both Visual Studio 2013 and 2015 are now supported platforms.
2.11.1 - 2016-02-03
- Added support for Windows Server 2003 R2.
- The replication now works on x86, again.
- Fixed a bug in temporary index loading.
2.10 - 2016-01-14
- Added support for the NTLM-Strong-NTOWF package in Supplemental Credentials (new in Windows Server 2016 TP4)
- Added support for initial databases
- Added partial support for ADAM/LDS databases
- The Get-ADDBSchemaAttribute now shows attribute OIDs
- Fixed a bug in Exchange schema loading
2.9 - 2015-12-27
- The Get-BootKey cmdlet now supports online boot key retrieval
- The PBKDF2.NET library has been replaced by CryptSharp
- The Get-ADDBDomainController cmdlet now extracts some more data from the DB
- The project has been open-sourced
2.8 - 2015-10-20
- Added the ConvertFrom-ADManagedPasswordBlob cmdlet
- Added the Get-ADDBBackupKey cmdlet
- Added the Get-ADReplBackupKey cmdlet
- Added the Save-DPAPIBlob cmdlet
- Added the HashcatLM view
2.7 - 2015-09-30
- Added the
about_DSInternals
help page (work in progress) - Fixed a bug in the Set-ADDBPrimaryGroup cmdlet
2.6 - 2015-09-21
- Implemented CRC checks in the Get-ADReplAccount cmdlet
- The Get-ADReplAccount cmdlet now displays meaningful error messages on 64-bit systems
- The
-Server
parameter of the Get-ADReplAccount is now compulsory instead of localhost being default - The Get-ADReplAccount and Set-SamAccountPasswordHash cmdlets now display a warning in case they are supplied with a DNS domain name instead of a NetBIOS one.
- Fixed a bug in SupplementalCredentials parsing
2.5 - 2015-09-14
- Both x86 and x64 platforms are now supported.
- A few parameters have been changed and new aliases added.
- Fixed a bug in the Add-ADDBSidHistory cmdlet.
2.4 - 2015-09-05
- Fixed a bug regarding distinguished name parsing in the Get-ADDBAccount cmdlet
- Removed a big memory leak in the Get-ADReplAccount cmdlet
- Added the
Get-ADReplicationAccount
alias for Get-ADReplAccount - Updated AutoMapper to the latest version
- Switched to the official build of Microsoft's Managed Esent libraries
- The module has been published in PowerShell Gallery.
2.3
- Parameter
-SystemHiveFilePath
of the Get-BootKey cmdlet is now positional - Added the Readme.txt file with system requirements
- Fixed a bug in distinguished name parsing that caused the Get-ADReplAccount cmdlet to fail under some circumstances
2.2
Changed
- Added a few parameter validations
Fixed
- Fixed a bug in SupplementalCredentials parsing
2.1
- The Get-ADReplAccount cmdlet can now retrieve all accounts from AD or just a sigle one
- Added Microsoft Visual C++ 2013 Runtime libraries to the distribution
- The module is now 64-bit only
- Minor bug fixes
2.0 - 2015-07-14
- Added the Get-ADDBAccount cmdlet
- Added the Get-BootKey cmdlet
- Added the Get-ADReplAccount cmdlet
- Added the Remove-ADDBObject cmdlet
- Added the ConvertTo-Hex cmdlet
- Merged the
DSInternals.Cryptography
assembly intoDSInternals.Common
- Minor bug fixes
1.6
Added
- Added the Set-ADDBDomainController cmdlet
- Added the Get-ADDBSchemaAttribute cmdlet
1.5
Added
- Added the Get-ADDBDomainController cmdlet
1.4 - 2015-05-31
Added
- Added the Set-ADDBPrimaryGroup cmdlet
Fixed
- The Add-ADDBSidHistory cmdlet now supports relative file paths
1.3.1
Fixed
- Fixed a bug in the Microsoft.Isam.Esent.Interop library, that prevented the Add-ADDBSidHistory cmdlet to run on Windows Server 2008 R2
1.3 - 2015-05-24
Added
- Added the Add-ADDBSidHistory cmdlet
1.2
Added
- Added the ConvertTo-GPPrefPassword cmdlet
1.1
Added
- Added the ConvertTo-OrgIdHash cmdlet
- Added the ConvertFrom-GPPrefPassword cmdlet
1.0 - 2015-01-20
Initial release!