7.2 KiB
| Module Name | Module Guid | Download Help Link | Help Version | Locale |
|---|---|---|---|---|
| DSInternals | 766b3ad8-eb78-48e6-84bd-61b31d96b53e | 1.0 | en-US |
DSInternals PowerShell Module
Description
The DSInternals PowerShell Module exposes several internal features of Active Directory. These include offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
Cmdlets for Offline Active Directory Operations
Get-ADDBAccount
Reads one or more accounts from a ntds.dit file, including secret attributes.
Enable-ADDBAccount
Enables an Active Directory account in an offline ntds.dit file.
Disable-ADDBAccount
Disables an Active Directory account in an offline ntds.dit file.
Add-ADDBSidHistory
Adds one or more values to the sIDHistory attribute of an object in a ntds.dit file.
Set-ADDBAccountPassword
Sets the password for a user, computer, or service account stored in a ntds.dit file.
Set-ADDBAccountPasswordHash
Sets the password hash for a user, computer, or service account stored in a ntds.dit file.
Set-ADDBPrimaryGroup
Modifies the primaryGroupId attribute of an object in a ntds.dit file.
Get-ADDBBackupKey
Reads the DPAPI backup keys from a ntds.dit file.
Get-ADDBKdsRootKey
Reads KDS Root Keys from a ntds.dit. file. Can be used to aid DPAPI-NG decryption, e.g. SID-protected PFX files.
Get-ADDBDomainController
Reads information about the originating DC from a ntds.dit file, including domain name, domain SID, DC name and DC site.
Set-ADDBDomainController
Writes information about the DC to a ntds.dit file, including the highest committed USN and database epoch.
Get-ADDBSchemaAttribute
Reads AD schema from a ntds.dit file, including datatable column names.
Get-BootKey
Reads the Boot Key (AKA SysKey or System Key) from an online or offline SYSTEM registry hive.
Set-ADDBBootKey
Re-encrypts a ntds.dit file with a new BootKey/SysKey. Highly experimental!
Remove-ADDBObject
Physically removes specified object from a ntds.dit file, making it semantically inconsistent. Highly experimental!
Cmdlets for Online Active Directory Operations
Get-ADReplAccount
Reads one or more accounts through the MS-DRSR protocol, including secret attributes.
Get-ADReplBackupKey
Reads the DPAPI backup keys through the MS-DRSR protocol.
Get-SamPasswordPolicy
Queries Active Directory for the default password policy.
Set-SamAccountPasswordHash
Sets NT and LM hashes of an Active Directory or local account through the MS-SAMR protocol.
Get-ADSIAccount
Gets all Active Directory user accounts from a given domain controller using ADSI. Typically used for Credential Roaming data retrieval through LDAP.
Get-LsaBackupKey
Reads the DPAPI backup keys from a domain controller through the LSARPC protocol.
Get-LsaPolicyInformation
Retrieves AD-related information from the Local Security Authority Policy of the local computer or a remote one.
Set-LsaPolicyInformation
Configures AD-related Local Security Authority Policies of the local computer or a remote one.
Password Hash Export Formats
The output of the Get-ADDBAccount and Get-ADReplAccount cmdlets can be formatted using the following custom Views to support different password cracking tools. ASCII file encoding is strongly recommended.
Hashcat
- HashcatNT <20> NT hashes in Hashcat's format.
- HashcatLM <20> LM hashes in Hashcat's format.
- HashcatNTHistory <20> NT hashes, including historical ones, in Hashcat's format.
John the Ripper
- JohnNT <20> NT hashes in the format supported by John the Ripper.
- JohnLM <20> LM hashes in the format supported by John the Ripper.
- JohnNTHistory <20> NT hashes, including historical ones, in the format supported by John the Ripper.
Ophcrack
- Ophcrack <20> NT and LM hashes in Ophcrack's format.
Other Formats
- PWDump - NT and LM hashes in the pwdump format that is supported various password cracking tools, e.g. ElcomSoft Distributed Password Recovery, rcracki-mt or John the Ripper.
- NTHash - NT hashes only, without account names.
- LMHash - LM hashes only, without account names.
- NTHashHistory - NT hashes, including historical ones, without account names.
Cmdlets for Password Hash Calculation
ConvertTo-KerberosKey
Computes Kerberos keys from a given password using Kerberos version 5 Key Derivation Functions.
ConvertTo-NTHash
Calculates NT hash of a given password.
ConvertTo-LMHash
Calculates LM hash of a given password.
ConvertTo-OrgIdHash
Calculates OrgId hash of a given password. Used by Azure Active Directory Connect.
Cmdlets for Credential Decryption
Save-DPAPIBlob
Saves DPAPI and Credential Roaming data returned by the Get-ADReplBackupKey, Get-ADDBBackupKey, Get-ADReplAccount, Get-ADDBAccount and Get-ADSIAccount cmdlets to files for further processing.
ConvertFrom-ADManagedPasswordBlob
Decodes the value of the msDS-ManagedPassword attribute of a Group Managed Service Account.
Get-ADKeyCredential
Creates an object representing Windows Hello for Business credentials from its binary representation or an X.509 certificate.
ConvertFrom-GPPrefPassword
Decodes a password from the format used by Group Policy Preferences.
ConvertTo-GPPrefPassword
Converts a password to the format used by Group Policy Preferences.
ConvertFrom-UnicodePassword
Decodes a password from the format used in unattend.xml files.
ConvertTo-UnicodePassword
Converts a password to the format used in unattend.xml or *.ldif files.
Miscellaneous Cmdlets
New-ADDBRestoreFromMediaScript
Generates a PowerShell script that can be used to restore a domain controller from an IFM-equivalent backup (i.e. ntds.dit + SYSVOL).
Test-PasswordQuality
Performs AD audit, including checks for weak, duplicate, default and empty passwords. Accepts input from the Get-ADReplAccount and Get-ADDBAccount cmdlets.
ConvertTo-Hex
Helper cmdlet that converts binary input to a hexadecimal string.