PowerShell Module and Framework
Directory Services Internals
Introduction
The DSInternals project consists of these two parts:
- The DSInternals Framework exposes several internal features of Active Directory and can be used from any .NET application. The codebase has already been integrated into several 3rd party commercial products that use it in scenarios like Active Directory disaster recovery, identity management, cross-forest migrations and password strength auditing.
- The DSInternals PowerShell Module provides easy-to-use cmdlets that are built on top of the Framework. These are the main features:
- Azure Active Directory FIDO2 key auditing and retrieval of system information about all user-registered key credentials.
- Active Directory password auditing that discovers accounts sharing the same passwords or having passwords in a public database like HaveIBeenPwned or in a custom dictionary.
- Key credential auditing and generation, including support for NGC, FIDO2 and STK keys. Keys can also be tested against the ROCA vulnerability. New NGC keys can also be registered through the MS-DRSR protocol.
- Bare-metal recovery of domain controllers from just IFM backups (ntds.dit + SYSVOL).
- Offline ntds.dit file manipulation, including hash dumping, password resets, group membership changes, SID History injection and enabling/disabling accounts.
- Online password hash dumping through the Directory Replication Service (DRS) Remote Protocol (MS-DRSR). This feature is commonly called DCSync.
- Domain or local account password hash injection through the Security Account Manager (SAM) Remote Protocol (MS-SAMR) or directly into the database.
- LSA Policy modification through the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD / LSARPC).
- Extracting credential roaming data and DPAPI domain backup keys, either online through directory replication, LSARPC and offline from ntds.dit.
- Password hash calculation, including NT hash, LM hash and kerberos keys.
DISCLAIMER: Features exposed through these tools are not supported by Microsoft. Improper use might cause irreversible damage to domain controllers or negatively impact domain security.
Author
Michael Grafnetter
I have created these tools in my spare time and I am using them while performing AD security audits and also in my lectures to demonstrate how Active Directory works internally.
I would like to thank all people who have contributed to the project by sending their feedback or by submitting their code. In case you would also like to help with this project, please see the CONTRIBUTING document.
Downloads
PowerShell Gallery (PowerShell 5+)
Since PowerShell 5, you can install the DSInternals module directly from the official PowerShell Gallery by running the following command:
Install-Module DSInternals -Force
Additional steps might be required on some freshly installed computers before DSInternals can be downloaded:
# TLS 1.2 must be enabled on older versions of Windows.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
# Download the NuGet package manager binary.
Install-PackageProvider -Name NuGet -Force
# Register the PowerShell Gallery as package repository if it is missing for any reason.
if($null -eq (Get-PSRepository -Name PSGallery -ErrorAction SilentlyContinue)) { Register-PSRepository -Default }
# Download the DSInternals PowerShell module.
Install-Module -Name DSInternals -Force
Chocolatey Package
The DSInternals PowerShell Module can also be installed using the official Chocolatey package by executing the following Chocolatey command:
choco install dsinternals-psmodule --confirm
This package is self-contained and it will also install all dependencies. Note that package versions prior to 3.5 were not official.
Offline Module Distribution (PowerShell 3+)
- Download the current release from GitHub.
- Unblock the ZIP file, using either the Properties dialog or the
Unblock-File
cmdlet. If you fail to do so, all the extracted DLLs will inherit this attribute and PowerShell will refuse to load them. - Extract the DSInternals directory to your PowerShell modules directory, e.g. C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals or C:\Users\John\Documents\WindowsPowerShell\Modules\DSInternals.
- (Optional) If you copied the module to a different directory than advised in the previous step, you have to manually import it using the
Import-Module
cmdlet.
Commando VM
The DSInternals PowerShell module is part of FireEye's Commando VM, the Windows-based alternative to Kali Linux.
NuGet Packages
The easiest way of integrating the DSInternals functionality into .NET applications is by using the DSInternals Framework NuGet packages:
Building from Source Code
You can of course download the source code, perform a review and compile the Module/Framework yourself. See the CONTRIBUTING guide for more info.
Documentation
Get-Help
The online version of PowerShell Get-Help documentation contains the list of all cmdlets and some usage examples.
Blog Posts
I have also published a series of articles about the DSInternals module on my blog. Here are a few of them:
- CQLabs β Extracting Roamed Private Keys from Active Directory
- CQLabs β Offline Attacks on Active Directory
- Auditing Active Directory Password Quality
- Dumping ntds.dit files
- Retrieving Active Directory Passwords Remotely
- Retrieving DPAPI Backup Keys from Active Directory
- Retrieving Cleartext GMSA Passwords from Active Directory
- Peeking into the Active Directory Database
- Dumping and modifying Active Directory database using a bootable flash drive
- Impersonating Office 365 Users With Mimikatz
Slide Decks
- Black Hat Europe 2019: DSInternals PowerShell Module
- Black Hat Europe 2019: Exploiting Windows Hello for Business
- HipConf New York 2018: Offline Attacks on Active Directory
Acknowledgements
This project utilizes the following 3rd party copyrighted material:
- ManagedEsent - Provides managed access to esent.dll, the embeddable database engine native to Windows.
- AutoMapper - A convention-based object-object mapper in .NET.
- NDceRpc - Integration of WCF and .NET with MS-RPC and binary serialization.
- PBKDF2.NET - Provides PBKDF2 for .NET Framework.
- Bouncy Castle - A lightweight cryptography API for Java and C#.
- Json.NET - Popular high-performance JSON framework for .NET.
- Peter O. CBOR - A C# implementation of Concise Binary Object Representation (RFC 7049).
Related Projects
- Mimikatz - The No.1 tool for pass-the-hash attacks. Can use the credentials extracted by the DSInternals module to do some nasty stuff.
- NTDSXtract - A framework for ntds.dit parsing written in Python.
- Impacket - Various MSRPC-based protocols implemented in Python.
- DIT Snapshot Viewer - A graphical inspection tool for Active Directory databases.
- Esent Workbench - Great tool for displaying the structure of ntds.dit files.