Tutorial: Domain Password Auditing

February 6, 2017 | Views: 7477

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Estimated reading time: 3 minutes


This tutorial is for password auditing of network credentials within your domain. We will use Kali Linux along with some open source software to validate your password policies. As always make sure you have permission to perform this audit at the least every everyone should check to verify that people using privileged accounts are not using the same password for their privileged account and normal user account.



1) Access to a domain controller for the domain that we will be auditing

2) Kali Linux

3) ntdsxtract-master.zip (https://github.com/csababarta/ntdsxtract)

4) libesedb-experimental-20160622.tar.gz (https://github.com/libyal/libesedb/releases)

5) Install ntdsextract and libesedb using instructions given within the archive.


Get your NTDS database off the server:

  1. Log into your Domain controller using and admin level account

  2. Open a command prompt

  3. Type ntdsutil

  4. Your prompt should change to ntdsutil:

  5. Type active instance ntds

  6. Type ifm

  7. Your prompt should change to ifm:

  8. Type create full <location of where you want your backup> (i.e. c:pentest)

  9. Once the backup is complete, type quit.

  10. Now copy the folder with your backup to your Kali Linux system

Extract the NTDS database:

  1. navigate to the ntds.dit file (i.e. /root/pentest/Active Directory)

  2. run esedbexport -m tables /ntds.dit

Extract the password hashes:

  • run dsusers.py ./ntds.dit.export/datatable.4 ./ntds.dit.export/link_table.7 ./hashdumpwork –syshive ../SYSTEM –passwordhashes –lmoutfile lm-out.txt –ntoutfile nt-out.txt –pwdformat john

Ok, let’s break this command down:

  • dsuser.py is the program we just installed for this to pull the hashes out of the database

  • ./ntds.dit.export/datatable.4 database table for the ntds database number may be different

  • ./ntds.dit.export/link_table.7 same as above number may also be different

  • these two tables are need to allow the program to match up usernames with their associated hashes

  • ./hashdumpwork just a nice way to keep your directory cleaned up will dump all supported files that will be generated here along with our output files

  • –lmoutfile lm-out.txt this is our file for any lm passwords normally will be blank for modern domains

  • –ntoutfile nt-out.txt this is our file for ntlm passwords this is where all the good stuff goes

  • –pwdformat john this tells our program how we wanted this formatted we will format for john the ripper

We have the user accounts and hashes, now what?

This is where we can now start to audit our passwords I prefer to open as a spreadsheet first. This allows me to sort the accounts by hashes. I can now easily see if my admins are using the same password for their normal account and their privileged accounts, same hash = same password. If you have multiple domains you are auditing you can also easily check if people are using the same password across multiple domains which also is a no-no.

Everything up to this point should be done as a regular password auditing however some organizations may want to go a step further. Make sure you clear this first, if you decide to check for ‘weak’ passwords, as this could become a ‘resume producing event’.

Remember we formatted our output files for john the ripper? Let’s open johnny and load in our password file, and your favorite word list. If you don’t have one yet a quick search will give you plenty to choose from. I always also edit it to contain known default passwords. Remember we are not going overboard to see if we can crack everyone’s passwords we just want to check for ‘weak’ passwords and you would be surprised at what will pop up even with a good domain password policy.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Oh.,,that was awesome.. thats exactly what i needed this time.. thanks so much.

  2. That was great and quite informative keep on doing the good job

  3. Thank you very much. Good job. I will test it.

  4. We have a pentest due soon and I will definitely be using this as part of our audit.

  5. Man, I needed this a week or two ago while on a pentest. Great information! I ended up doing this exact same method, but I like how you have it laid out.

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?