  • Stars 398
  • Rank 108,310 (Top 3 %)
  • Language C#
  • License MIT License
  • Created about 7 years ago
  • Updated 9 months ago

Repository Details

An Active Directory audit utility

NtdsAudit is an application to assist in auditing Active Directory databases.

It provides some useful statistics relating to accounts and passwords, as shown in the following example. It can also be used to dump password hashes for later cracking.

Account stats for: domain.local
  Disabled users _____________________________________________________   418 of  5164 (8%)
  Expired users ______________________________________________________    67 of  5164 (1%)
  Active users unused in 1 year ______________________________________   787 of  4679 (17%)
  Active users unused in 90 days _____________________________________  1240 of  4679 (27%)
  Active users which do not require a password _______________________   156 of  4679 (3%)
  Active users with non-expiring passwords ___________________________  3907 of  4679 (84%)
  Active users with password unchanged in 1 year _____________________  1006 of  4679 (22%)
  Active users with password unchanged in 90 days ____________________  1400 of  4679 (30%)
  Active users with Administrator rights _____________________________    63 of  4679 (1%)
  Active users with Domain Admin rights ______________________________    54 of  4679 (1%)
  Active users with Enterprise Admin rights __________________________     0 of  4679 (0%)

  Disabled computer accounts _________________________________________    86 of  1414 (6%)

Password stats for: domain.local
  Active users using LM hashing ______________________________________    40 of  4679 (1%)
  Active users with duplicate passwords ______________________________  2312 of  4679 (49%)
  Active users with password stored using reversible encryption ______  4666 of  4679 (100%)

Usage

NtdsAudit requires version 4.6 or newer of the .NET framework.

Usage:  [arguments] [options]

Arguments:
  NTDS file  The path of the NTDS.dit database to be audited, required.

Options:
  -v | --version               Show version information
  -h | --help                  Show help information
  -s | --system <file>         The path of the associated SYSTEM hive, required when using the pwdump option.
  -p | --pwdump <file>         The path to output hashes in pwdump format.
  -u | --users-csv <file>      The path to output user details in CSV format.
  -c | --computers-csv <file>  The path to output computer details in CSV format.
  --history-hashes             Include history hashes in the pdwump output.
  --dump-reversible <file>     The path to output clear text passwords, if reversible encryption is enabled.
  --wordlist                   The path to a wordlist of weak passwords for basic hash cracking. Warning, using this option is slow, the use of a dedicated password cracker, such as 'john', is recommended instead.
  --ou-filter-file <file>      The path to file containing a line separated list of OUs to which to limit user and computer results.
  --base-date <yyyyMMdd>       Specifies a custom date to be used as the base date in statistics. The last modified date of the NTDS file is used by default.
  --debug                      Show debug output.

WARNING: Use of the --pwdump option will result in decryption of password hashes using the System Key.
Sensitive information will be stored in memory and on disk. Ensure the pwdump file is handled appropriately

For example, the following command will display statistics, output a file pwdump.txt containing password hashes, and output a file users.csv containing details for each user account.

ntdsaudit ntds.dit -s SYSTEM -p pwdump.txt -u users.csv
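
An added example, not part of NtdsAudit: a Python sketch that recomputes the LM-hashing and duplicate-password findings from a pwdump file and reports account names only, so hash values never reach the report. It assumes the conventional pwdump layout name:rid:LM:NT::: and that --history-hashes was not used; the sample accounts and hashes are constructed.

```python
from collections import defaultdict

# Hashes of the empty string: "no LM hash stored" and "blank password" respectively.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample (fake hashes), assumed layout: name:rid:LM:NT:::
SAMPLE = "\n".join([
    "domain.local\\alice:1104:" + EMPTY_LM + ":" + "1" * 32 + ":::",
    "domain.local\\bob:1105:" + EMPTY_LM + ":" + "1" * 32 + ":::",
    "domain.local\\carol:1106:" + "2" * 32 + ":" + "3" * 32 + ":::",
    "domain.local\\dave:1107:" + EMPTY_LM + ":" + EMPTY_NT + ":::",
    "this line is not a pwdump record",
])

def parse_pwdump(text):
    """Yield (account, lm, nt) per well-formed line; silently skip the rest."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        name, lm, nt = fields[0], fields[2].lower(), fields[3].lower()
        if len(nt) == 32:
            yield name, lm, nt

def audit(text):
    """Return account names per finding; hash values never leave this function."""
    lm_users, blank, by_nt, total = [], [], defaultdict(list), 0
    for name, lm, nt in parse_pwdump(text):
        total += 1
        if len(lm) == 32 and lm != EMPTY_LM:
            lm_users.append(name)          # weak LM hash still stored
        if nt == EMPTY_NT:
            blank.append(name)             # blank password
        else:
            by_nt[nt].append(name)         # NT hashes are unsalted: same hash, same password
    shared = sorted(sorted(g) for g in by_nt.values() if len(g) > 1)
    return {"total": total, "lm_hashing": sorted(lm_users),
            "blank_password": sorted(blank), "shared_password_groups": shared}

if __name__ == "__main__":
    report = audit(SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

To run it on real output, pass the contents of pwdump.txt to audit() and delete the pwdump file once the findings are recorded.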

Obtaining the required files

NtdsAudit requires the ntds.dit Active Directory database and, if dumping password hashes, the SYSTEM registry hive. A running domain controller keeps these files locked, so they cannot simply be copied and pasted. The recommended method of obtaining them from a domain controller is the built-in ntdsutil utility.

  • Open a command prompt (cmd.exe) as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, enter the appropriate credentials (if requested) and confirm that the action it displays is what you want, and then click Continue.

  • At the command prompt, type the following command, and then press ENTER:

ntdsutil

  • At the ntdsutil prompt, type the following command, and then press ENTER:

activate instance ntds

  • At the ntdsutil prompt, type the following command, and then press ENTER:

ifm

  • At the ifm prompt, type the following command, and then press ENTER:

create full <Drive>:\<Folder>

Where <Drive>:\<Folder> is the path to the folder where you want the files to be created.

More Repositories

  1. CMSmap (Python, 1,011 stars)
     CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs.

  2. PhEmail (Python, 327 stars)
     PhEmail is a python open source phishing email tool that automates the process of sending phishing emails as part of a social engineering test

  3. reposcanner (Python, 158 stars)
     Python script to scan Git repos for interesting strings

  4. PANhunt (Python, 133 stars)
     PANhunt searches for credit card numbers (PANs) in directories.

  5. StripHeaders (C++, 122 stars)
     A Native-Code module for IIS 7.0 and above, designed to easily remove unnecessary response headers and prevent information leakage of software and version information, which can be useful to an attacker.

  6. pgexec (Shell, 62 stars)
     Script and resources to execute shell commands using access to a PostgreSQL service

  7. PassHunt (Python, 61 stars)
     Search drives for documents containing passwords

  8. pwdumpstats (Python, 56 stars)
     Script to output stats around weak passwords and password re-use from an NtdsAudit (pwdump) file

  9. Splunk-Web-Shell (JavaScript, 50 stars)
     Splunk Web Shell

  10. HeadersAnalyzer (Python, 42 stars)
      Burp extension that checks for interesting and security headers

  11. ShareAudit (C#, 40 stars)
      A tool for auditing network shares in an Active Directory environment

  12. CodeIgniterXor (Python, 39 stars)
      CodeIgniter <=2.1.4 session cookie decryption vulnerability

  13. magicmapping (PHP, 27 stars)
      Script to find exploitable magic methods for PHP object injection

  14. FlashSec (ActionScript, 10 stars)
      Repository aimed to compile scripts and tools that can be used during penetration tests to assess the security of different flash related scenarios.