Saturday, April 23, 2016

Windows Password Audit – Copy ntds.dit


A company should run a domain password audit at least annually.

The process normally is:

  1. Log on to a domain controller and export ntds.dit, SYSTEM and SAM from a snapshot (shadow copy); the live files are locked and cannot be copied directly.
  2. Extract the hashes from those files (NTDSXtract - http://www.ntdsxtract.com/ or the SANS Investigative Forensic Toolkit (SIFT) - http://digital-forensics.sans.org/community/downloads).
  3. Crack the hashes offline with a tool such as Cain or ophcrack.
A password is classified as weak if any of the following applies:

  1. The account still has an LM hash. LM upper-cases the password and splits it into two 7-character halves, so every LM hash is considered weak regardless of the password.
  2. It is shorter than 8 characters.
  3. It is a single repeated character, e.g. ‘111111’, ‘aaaaaa’.
  4. It is a simple sequence, e.g. ‘123456’, ‘abcdefgh’.
  5. It is a keyboard walk, i.e. a run of adjacent keys such as ‘qwerty’ or ‘qazwsx’.
  6. It is a keyboard walk on a national keyboard layout (the same idea, different layout).
  7. It is a mutation of the user name (the password is built from the account name).
  8. It is a leet-speak (“freaked”) spelling of a word, e.g. ‘pa$$w0rd’, ‘@pp1e’.
  9. It appears in a well-known password list, e.g. the leaked Facebook, LinkedIn and eHarmony passwords that can be downloaded from the Internet, and so falls to a dictionary attack.
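The rules above as a checker you can run over the cracked list, as an added example that is not part of the original post and not the code of any of the tools it names. The dictionary, keyboard rows, leet map and the four sample credentials are constructed stand-ins; rule 1 is a property of the hash dump rather than the plaintext, so it gets its own helper, and rule 6 is covered by adding your national layout's rows to $KeyboardRows.

```powershell
# Added example, not code from the original post: apply the weak-password rules
# above to a cracked list. Dictionary, keyboard rows and the sample credentials
# are small constructed stand-ins; swap in a real leaked-password list and add
# your national layout's rows to $KeyboardRows for rule 6.

$script:KeyboardRows = @('1234567890', 'qwertyuiop', 'asdfghjkl', 'zxcvbnm')
$script:KeyboardCols = @('1qaz', '2wsx', '3edc', '4rfv', '5tgb', '6yhn', '7ujm')
$script:Dictionary   = @('password', 'letmein', 'welcome', 'iloveyou', 'apple', 'dragon')   # constructed sample
$script:LeetMap      = @{ '@'='a'; '4'='a'; '8'='b'; '3'='e'; '1'='i'; '!'='i'; '0'='o'; '$'='s'; '5'='s'; '7'='t' }
$script:EmptyLmHash  = 'aad3b435b51404eeaad3b435b51404ee'   # LM hash of an empty/absent password

function New-WalkPattern([string[]]$Walks, [int]$MinRun = 3) {
    # Regex that matches a string made only of runs (>= MinRun chars) read forwards
    # or backwards along any walk, so 'qazwsx' = 'qaz' + 'wsx' and '123456' both match.
    $parts = foreach ($w in $Walks) {
        foreach ($s in @($w, (-join $w[-1..-($w.Length)]))) {
            for ($i = 0; $i -le $s.Length - $MinRun; $i++) {
                for ($len = $MinRun; $i + $len -le $s.Length; $len++) { [regex]::Escape($s.Substring($i, $len)) }
            }
        }
    }
    # Longest alternatives first keeps backtracking small.
    '^(?:' + (($parts | Sort-Object -Unique | Sort-Object Length -Descending) -join '|') + ')+$'
}
$script:SequencePattern = New-WalkPattern @('abcdefghijklmnopqrstuvwxyz', '0123456789')
$script:KeyboardPattern = New-WalkPattern ($script:KeyboardRows + $script:KeyboardCols)

function Test-Walk([string]$Text, [string]$Pattern) {
    # Alternation-plus-repeat patterns can backtrack badly on long junk; cap the time.
    try { [regex]::IsMatch($Text, $Pattern, 'None', [timespan]::FromMilliseconds(200)) }
    catch [System.Text.RegularExpressions.RegexMatchTimeoutException] { $false }
}

function ConvertFrom-Leet([string]$Text) {
    # 'pa$$w0rd' -> 'password', '@pp1e' -> 'apple'
    -join ($Text.ToLower().ToCharArray() | ForEach-Object {
        $k = [string]$_; if ($script:LeetMap.ContainsKey($k)) { $script:LeetMap[$k] } else { $k } })
}

function Test-LmHashPresent([string]$LmHash) {
    # Rule 1 is decided on the dump: any LM hash other than the empty one means a crackable LM password.
    [bool]$LmHash -and ($LmHash.ToLower() -ne $script:EmptyLmHash)
}

function Test-WeakPassword {
    param([Parameter(Mandatory)][string]$Password, [string]$UserName = '')
    $p = $Password.ToLower()
    $reasons = New-Object System.Collections.Generic.List[string]
    if ($Password.Length -lt 8)                { $reasons.Add('short (< 8)') }
    if ($p -match '^(.)\1+$')                   { $reasons.Add('repeated character') }
    if (Test-Walk $p $script:SequencePattern)   { $reasons.Add('simple sequence') }
    if (Test-Walk $p $script:KeyboardPattern)   { $reasons.Add('keyboard walk') }
    if ($UserName.Length -ge 3) {
        $u = $UserName.ToLower()
        $rev = -join $u[-1..-($u.Length)]
        # 'mlee2016!' or the name spelled backwards count as built from the user name
        if ($p.Contains($u) -or $p.Contains($rev)) { $reasons.Add('user name mutation') }
    }
    $rawWord  = $p -replace '[^a-z]', ''                               # 'password1' -> 'password'
    $leetWord = (ConvertFrom-Leet $Password) -replace '[^a-z]', ''     # 'pa$$w0rd'  -> 'password'
    if     ($script:Dictionary -contains $rawWord)  { $reasons.Add('dictionary word') }
    elseif ($script:Dictionary -contains $leetWord) { $reasons.Add('leet-speak dictionary word') }
    [pscustomobject]@{ UserName = $UserName; Password = $Password; Weak = ($reasons.Count -gt 0); Reasons = $reasons.ToArray() }
}

# Constructed sample of cracked credentials (no real data).
$cracked = @(
    @{ User = 'jsmith';  Password = 'pa$$w0rd'    },
    @{ User = 'akhan';   Password = 'qazwsx123'   },
    @{ User = 'mlee';    Password = 'mlee2016!'   },
    @{ User = 'svc_bak'; Password = 'Tr0ub4dor&3' }
)
$cracked | ForEach-Object { Test-WeakPassword -Password $_.Password -UserName $_.User } |
    Format-Table UserName, Password, Weak, @{ n = 'Reasons'; e = { $_.Reasons -join ', ' } } -AutoSize
```

In the sample, the first three come back weak (leet-speak dictionary word, keyboard walk, user name mutation) and the last does not. Feed the real cracked output in the same shape and use Test-LmHashPresent on the LM column of the hash dump for rule 1; the walk patterns are built from whole keyboard rows and columns, so any layout can be added by listing its rows.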

Step 1:  Create shadow copy for copying password files

  1. Log on to a domain controller as a member of the Enterprise Admins group or the Domain Admins group.
  2. Click Start, right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. At the elevated command prompt, type the following command, and then press ENTER:
ntdsutil
  5. At the ntdsutil prompt, type the following command, and then press ENTER:
snapshot
  6. At the snapshot prompt, type the following command, and then press ENTER:
activate instance ntds
  7. At the snapshot prompt, type the following command, and then press ENTER:
create
The command returns the following output:
Snapshot set {GUID} generated successfully.
where GUID is the globally unique identifier (GUID) of the snapshot set.
  8. At the snapshot prompt, type the following command (including the braces), and then press ENTER:
mount {GUID}
The mount command prints the path the snapshot is mounted at (in the example below, C:\$SNAP_201603102306_VOLUMEC$\).
  9. Optionally, to see a list of all mounted snapshots, type the following command, and then press ENTER:
list mounted
The output lists each mounted snapshot with an index number. You can use the index number instead of the GUID in later mount, unmount, or delete commands.

  10. Open a second elevated command prompt (leave the ntdsutil session open).
  11. Copy the database and the hives out of the mounted snapshot, substituting your own mount path:

E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\Windows\ntds\ntds.dit
        1 file(s) copied.
E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\windows\system32\config\SYSTEM
        1 file(s) copied.
E:\temp>copy c:\$SNAP_201603102306_VOLUMEC$\windows\system32\config\SAM
        1 file(s) copied.
E:\temp>reg SAVE HKLM\SYSTEM .\sys

The domain hashes are in ntds.dit and are encrypted with the boot key held in the SYSTEM hive, so those two files are what the extraction tools need; on a domain controller, SAM holds only the local (Directory Services Restore Mode) account. The reg SAVE line exports the live SYSTEM hive as a second copy of the same boot key.

  12. Copy these 4 files to a USB drive. They contain every domain credential, so use an encrypted drive, keep it under the same control as a Domain Admin password, and wipe the copies when the audit is finished.
  13. To unmount the snapshot after you have finished with the data, type either of the following commands, and then press ENTER:
unmount index #
-or-
unmount {GUID}
  14. Delete old snapshots that you are no longer using: they consume disk space and keep a second copy of the credentials on the DC. To delete a snapshot, type either of the following commands, and then press ENTER:
delete index #
-or-
delete {GUID}
  15. After you are done with snapshot operations, type quit to return to the ntdsutil menu, and then type quit again to return to the command prompt.
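The whole procedure above as one script, an added example that is not part of the original post (and not Microsoft's code): it creates the snapshot, mounts it, copies ntds.dit, SYSTEM and SAM out of the mount, exports the live SYSTEM hive with reg.exe, and always unmounts and deletes the snapshot afterwards. It assumes it is run elevated as a Domain Admin on the DC, that ntdsutil.exe and reg.exe are on PATH, and that ntdsutil prints its mount paths in the C:\$SNAP_..._VOLUMEC$ form shown above; the output folder E:\temp and the script name are hypothetical.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from the original post: runs the snapshot procedure
  above end to end. ntdsutil.exe accepts its interactive commands as arguments,
  so each step is a single call. Assumptions: run elevated as a Domain Admin on
  the DC; ntdsutil.exe and reg.exe are on PATH; the output folder (E:\temp here)
  is hypothetical, choose your own.
#>
param([string]$OutDir = 'E:\temp')

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Invoke-NtdsUtil([string[]]$Commands) {
    $ErrorActionPreference = 'Continue'      # stderr noise from a native exe must not abort the script
    & ntdsutil.exe @Commands 2>&1 | ForEach-Object { "$_" }
}

# ntdsutil -> snapshot -> activate instance ntds -> create; the output carries the snapshot set GUID
$createOut = Invoke-NtdsUtil @('snapshot', 'activate instance ntds', 'create', 'quit', 'quit')
$guid = [regex]::Match(($createOut -join "`n"), '\{[0-9a-fA-F-]{36}\}').Value
if (-not $guid) { throw "No snapshot GUID in ntdsutil output:`n$($createOut -join "`n")" }
Write-Host "Snapshot set $guid generated"

try {
    # mount {GUID}: ntdsutil prints one line per volume, e.g.
    #   Snapshot {GUID} mounted as C:\$SNAP_201603102306_VOLUMEC$\
    $mountOut = Invoke-NtdsUtil @('snapshot', 'activate instance ntds', "mount $guid", 'quit', 'quit')
    $mounts = @{}
    foreach ($m in [regex]::Matches(($mountOut -join "`n"), '[A-Za-z]:\\\$SNAP_\w+_VOLUME([A-Za-z])\$')) {
        $mounts[$m.Groups[1].Value.ToUpper()] = $m.Value
    }
    if ($mounts.Count -eq 0) { throw "Snapshot $guid mounted but no mount path found:`n$($mountOut -join "`n")" }

    # ntds.dit is not always under %SystemRoot%\NTDS, so read its real path from the registry.
    $ditPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    $toCopy = @(
        @{ Live = $ditPath;                                 Name = 'ntds.dit' },
        @{ Live = "$env:SystemRoot\System32\config\SYSTEM"; Name = 'SYSTEM'   },
        @{ Live = "$env:SystemRoot\System32\config\SAM";    Name = 'SAM'      }   # on a DC: local/DSRM account only
    )
    foreach ($f in $toCopy) {
        $drive = (Split-Path -Qualifier $f.Live).TrimEnd(':').ToUpper()
        if (-not $mounts.ContainsKey($drive)) { throw "Volume $drive is not part of snapshot $guid" }
        $src = Join-Path $mounts[$drive] ((Split-Path -NoQualifier $f.Live).TrimStart('\'))
        Copy-Item -LiteralPath $src -Destination (Join-Path $OutDir $f.Name) -Force
    }
    # Same as the page's 'reg SAVE HKLM\SYSTEM .\sys': the live hive carries the boot key that decrypts ntds.dit.
    & reg.exe save HKLM\SYSTEM (Join-Path $OutDir 'sys') /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe save HKLM\SYSTEM failed with exit code $LASTEXITCODE" }
}
finally {
    # Always unmount and delete; a forgotten snapshot leaves every domain credential lying on the DC's disk.
    Invoke-NtdsUtil @('snapshot', "unmount $guid", "delete $guid", 'quit', 'quit') | Out-Null
}

# Record what left the DC: these files are the audit's most sensitive artefact.
Get-ChildItem -LiteralPath $OutDir -File | Get-FileHash -Algorithm SHA256 | Format-Table Hash, Path -AutoSize
```

Run it as, for example, .\Copy-NtdsSnapshot.ps1 -OutDir E:\temp (hypothetical name). The try/finally is the point of scripting this: the manual procedure leaves it to the operator to remember the unmount and delete steps, while the script cleans up even if a copy fails, and the SHA-256 list gives the audit a record of exactly which files were taken off the domain controller.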

Reference: https://technet.microsoft.com/en-us/library/cc753609(WS.10).aspx
