R&D: Active Directory Password Extraction Tool
During a penetration test or technical audit, it may be necessary to extract the SAM database (containing the accounts and passwords) of an Active Directory domain controller.
Several issues then need to be taken into account:
- This step may be partially hindered by antivirus software, which can detect common tools (pwdump, fgdump, etc.) as well as suspicious behaviour. Disabling the antivirus is strongly discouraged on this type of sensitive equipment.
- The processor architecture can also slow down the process, and some tools do not support 64-bit architectures.
- Finally, the last problem, and not the least: system stability may be affected during this step. While a loss of availability on a workstation may be acceptable, this is absolutely not the case on a domain controller.
Often, when faced with these problems, the consultant abandons the idea of obtaining this information, unless they obtain explicit authorization from the people concerned, who accept the risks mentioned above.
During the rump sessions at SSTIC 2010, Aurélien Bordes presented an alternative solution based on Active Directory replication mechanisms.
This solution, studied and implemented by Intrinsec, still requires a domain administrator account and works as follows:
- Insert a fake machine into the domain, making it appear to be a backup domain controller (BDC)
- Request replication of the SAM database from this fake BDC
- Remove the fake BDC from the infrastructure
These steps are carried out with incredible ease, using tools from the Samba suite, and take no more time than a regular SAM extraction.
In this way, each step is a legitimate operation of the Active Directory protocol: it requires no intrusive third-party tools (and therefore triggers no protection mechanisms), and it is independent of the underlying architecture (since it relies solely on AD). For these reasons, stability is not affected.
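The flip side of "no tool triggers the antivirus" is that the only trace of this technique is the replication request itself. As an added example (not part of the original post, nor Intrinsec's tooling), the following script shows the defender's view: it scans Windows Security event ID 4662 records for the replication control-access rights (DS-Replication-Get-Changes and its variants, identified by their well-known GUIDs) and flags any request whose subject is not a domain controller in the defender's own inventory. The event records, the account names and the DC inventory below are constructed sample data; the field names assume the events have already been parsed into dicts with the standard 4662 attribute names.

```python
"""Detect directory-replication requests from anything other than a known DC.

Added example, not code from the original post. Assumes event ID 4662
records parsed into dicts keyed by their standard attribute names
(SubjectUserName, ObjectName, Properties) and a defender-maintained list
of DC computer accounts (assumption: names ending in "$", e.g. "DC01$").
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Control-access rights a replication partner exercises on the naming context.
# These GUIDs are the standard AD extended-right identifiers.
REPLICATION_RIGHTS: Dict[str, str] = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


@dataclass
class Alert:
    subject: str
    object_name: str
    reason: str
    rights: List[str] = field(default_factory=list)


def replication_rights_in(properties: str) -> List[str]:
    """Names of the replication rights present in a 4662 'Properties' field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def find_suspicious_replication(events: List[dict], known_dc_accounts: List[str]) -> List[Alert]:
    """Flag 4662 events that request replication rights from a non-DC subject.

    Legitimate replication is performed by DC computer accounts talking to
    each other; a user account, or a computer account outside the DC
    inventory (the 'fake BDC' of the technique above), is worth an alert.
    """
    dcs = {acct.lower() for acct in known_dc_accounts}
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue  # ordinary object access, not replication
        subject = ev.get("SubjectUserName", "")
        if subject.lower() in dcs:
            continue  # expected DC-to-DC replication
        if subject.endswith("$"):
            reason = "computer account requesting replication but not in the DC inventory"
        else:
            reason = "user account requesting replication; only DCs should do this"
        alerts.append(Alert(subject=subject, object_name=ev.get("ObjectName", ""),
                            reason=reason, rights=rights))
    return alerts


# Constructed sample data (assumption: not taken from any real domain).
KNOWN_DC_ACCOUNTS = ["DC01$", "DC02$"]
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": "DC=corp,DC=example",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "admin.bob", "ObjectName": "DC=corp,DC=example",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "FAKEBDC$", "ObjectName": "DC=corp,DC=example",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "admin.bob", "ObjectName": "CN=alice,CN=Users,DC=corp,DC=example",
     "Properties": "{bf967a7f-0de6-11d0-a285-00aa003049e2}"},  # unrelated attribute access
    {"EventID": 4624, "SubjectUserName": "admin.bob"},  # logon event, ignored
]

if __name__ == "__main__":
    for a in find_suspicious_replication(SAMPLE_EVENTS, KNOWN_DC_ACCOUNTS):
        print(f"ALERT {a.subject} on {a.object_name}: {a.reason} ({', '.join(a.rights)})")
```

Two points for anyone deploying this: the DC inventory should be generated from the directory itself (the Domain Controllers OU) rather than hand-typed, so that a machine added as a "BDC" outside the normal build process shows up as unknown; and an alert on a fresh computer account is worth correlating with the event ID 4741 (computer account created) record that precedes it, which is the trace left by the first step of the procedure above.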
In conclusion, it is the legitimate, official mechanisms internal to Active Directory that come to the aid of auditing a domain controller, instead of specific tools that are often considered "malicious" and carry significant risks to availability.

