Lance Grover

Lance Grover

Windows (windblows) password audit notes

Posted date:

Well, it’s that time of the year/quarter/month…. whatever policy you have on performing the password audit…  Some of my notes are from references that are a few years old, so not sure if they will be around much longer, I hope so, they have good info.  Keep in mind I am using kali 2017.1 for my fun today.

First Windows password audit, or as I call it, Windblows Password Audit.

  • Retrieve the ntds.dit and SYSTEM file: – notes from
    • C:\>ntdsutil
    • ntdsutil: Activate Instance ntds
    • ntdsutil: ifm
    • ifm: create full c:\cool-pass-pentest-audit
    • ifm: quit
    • ntdsutil: quit
  • copy the c:\cool-pass-pentest-audit folder to your kali box
  • install the libesedb-utils
    • apt install libesedb-utils
  • export the ntds tables – notes from
    • esedbexport -m tables ntds.dit
    • (this may take a while…a long while)
  • Now we need to extract the hashes….
    • currently I am using this:
      • git clone
    • python ntdsxtract/ ntds.dit.export/datatable.4 ntds.dit.export/link_table.6 hashdumpwork –syshive SYSTEM –passwordhashes –lmoutfile lm-out.txt –ntoutfile nt-out.txt –pwdformat ocl
  • Now we can do some cracking, using hashcat (since I like to use GPUs)
    • We will start with the rockyou.txt.gz wordlist that came with my kali install
      • cd /usr/share/wordlists; gunzip rockyou.txt.gz; cd –
      • hashcat -a 0 -m 1000 –username hashdumpwork/nt-out.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule
        • I like to use most of the rule sets that come with the hashcat install on kali, I tend to get a bit of success with the different ones, but I will just give the example using the rockyou-30000.rule
  • you want to see what passwords you got when it is over?  just do the same hashcat command but add the –show flag in there and presto!