Well... a funny thing happened.

I stole a Domain Controller.

Like... physically stole it. I have it here with me. It's... well. It's unencrypted. I can mount it like a hard drive.

Now to figure out how to get info, such as user lists, out of it...
I've only interacted with DCs from domain connected computers using 'net' commands and powershell...

I've even remotely connected to DC's and interacted with Active Directory using Remote Desktop Protocol...

But I've never physically stolen and mounted a DC before.
First thing, I might as well grab the NTDS.dit file and pull off hashes.
- That's found in: ...\Windows\NTDS\NTDS.dit

Need the system hive as well...
- That's found in: ...\Windows\System32\config\SYSTEM

Drag those over to my own host.
Impacket has a nice script to pull domain user accounts and hashes from local files. Thanks Impacket!!!

~/$ python secretsdump.py -ntds NTDS.dit -system SYSTEM LOCAL -outputfile lol.hash

Push those to my hashcracker....

https://github.com/SecureAuthCorp/impacket/blob/c328de825265df12ced44d14b36c688cd9973f5c/examples/secretsdump.py
Alright. That gives me internal usernames and hashes. But I don't have the user information.

Normally I'd do a:
C:\ net user <username> /domain

Or pull every user out via LDAP. Or something similar.

But how do I get the Active Directory user info from these files?!
Seriously... I have no idea.

Brb while I duckduckgo this shit.
Also, don't ask about how I got the physical server rack. They slide out of the cabinet just fine, thank you!

Also also, running with a 4U rack "under" your arm is ungainly. Shit's heavy and bulky, yo.
Oooh... impacket has an 'esentutl' python port...
Oh Lady Discordia... this NTDS.dit is huge....

What sort of out-of-the-way branch office needs one this large?
Ok!!! I dumped everything!

I used impacket's 'esentutl' python port & dumped all of NTDS.dit into a text file. Grepped for Employee Name, Email, Title, &c.

~/$ python esentutl.py ~/Loot/NTDS.dit export -table datatable > allTheThings.txt

https://github.com/SecureAuthCorp/impacket/blob/master/examples/esentutl.py
Oh... Umm...

@UK_Daniel_Card reminded me to check GPP. So, I grepped SYSVOL (C:\Windows\SYSVOL\):

~/$ grep -r cpassword *

And found the cipher text for every workstations' Local Admin password. Decrypted it with:

~/$ gpp-decrypt "<cpasswordcipher>"

I am now depressed.
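The grep for cpassword above is the whole check, but it reports only that the string exists somewhere. A defender auditing their own SYSVOL wants to know which GPO, which preference file and which account each stored password belongs to, so the preference can be deleted and the account rotated. The script below is an added example and is not from the thread or from impacket: it walks a SYSVOL tree, parses the Group Policy Preference XML files that can carry a cpassword attribute, and reports each non-empty occurrence without decrypting anything. The sample SYSVOL it builds (GPO GUID, clsid values and the cpassword blob) is constructed and contains no real credential; the account-attribute names it checks are the ones used by the common preference types and are an assumption of this example.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference files that can carry a cpassword attribute (the MS14-025 set).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attributes that name the account a stored password belongs to, per file type
# (assumption of this example: userName for Groups/Drives/Printers, username for
# DataSources, accountName for Services, runAs for ScheduledTasks).
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")

# Constructed placeholder; a real cpassword value is a base64 AES blob.
PLACEHOLDER_CIPHER = "PLACEHOLDER_CPASSWORD_BLOB"

# Constructed Groups.xml: a local Administrator preference with a stored password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{AAAAAAAA-0000-0000-0000-000000000001}">
  <User clsid="{AAAAAAAA-0000-0000-0000-000000000002}" name="Administrator (built-in)"
        image="2" changed="2015-01-01 12:00:00" uid="{AAAAAAAA-0000-0000-0000-000000000003}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="__CIPHER__" changeLogon="0" noChange="1" neverExpires="1"
                acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
</Groups>
""".replace("__CIPHER__", PLACEHOLDER_CIPHER)

# Constructed Drives.xml with an empty cpassword: a mapped drive with no stored
# credential, which must not be reported.
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{AAAAAAAA-0000-0000-0000-000000000004}">
  <Drive clsid="{AAAAAAAA-0000-0000-0000-000000000005}" name="S:" status="S:">
    <Properties action="U" path="\\\\fileserver\\share" letter="S" useLetter="1"
                persistent="1" cpassword="" userName=""/>
  </Drive>
</Drives>
"""


def policy_guid(path) -> str:
    """Return the GPO GUID from a path like .../Policies/{GUID}/..., or '' if absent."""
    m = GUID_RE.search(str(path))
    return m.group(0) if m else ""


def find_cpasswords(sysvol_root) -> list:
    """Report every non-empty cpassword attribute under sysvol_root.

    Each finding records the preference file (relative to the root), the GPO GUID
    taken from the path, the account the password is set for, and the length of
    the cipher text. The cipher text itself is neither stored nor decrypted.
    """
    root = Path(sysvol_root)
    findings = []
    for path in root.rglob("*.xml"):
        if path.name not in GPP_FILES:
            continue  # e.g. Registry.xml or Files.xml never carry cpassword
        try:
            tree = ET.parse(path)
        except ET.ParseError:
            continue  # malformed file; not a usable preference item
        for elem in tree.iter():
            cipher = elem.get("cpassword")
            if not cipher:
                continue  # attribute absent or empty: nothing stored
            account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "gpo": policy_guid(path),
                "account": account,
                "cipher_length": len(cipher),
            })
    return findings


def build_sample_sysvol() -> str:
    """Create a throwaway tree shaped like SYSVOL\\domain\\Policies (constructed sample)."""
    base = Path(tempfile.mkdtemp(prefix="sysvol-sample-"))
    prefs = (base / "domain" / "Policies" / "{00000000-1111-2222-3333-444444444444}"
             / "Machine" / "Preferences")
    (prefs / "Groups").mkdir(parents=True)
    (prefs / "Groups" / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
    (prefs / "Drives").mkdir()
    (prefs / "Drives" / "Drives.xml").write_text(SAMPLE_DRIVES_XML, encoding="utf-8")
    return str(base)


if __name__ == "__main__":
    # Point find_cpasswords() at a real SYSVOL copy (e.g. a mounted \Windows\SYSVOL)
    # to audit it; here it runs against the constructed sample.
    for f in find_cpasswords(build_sample_sysvol()):
        print(f"GPO {f['gpo']} {f['file']}: account '{f['account']}' "
              f"has a stored cpassword ({f['cipher_length']} chars)")
```

Each reported GPO needs the preference item removed from the policy and the account's password changed, since an attribute that has ever been in SYSVOL should be treated as already read. Empty cpassword attributes are skipped on purpose; they appear on preference items that were saved without a credential.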
You can follow @TinkerSec.