July 9, 2023

Decrypt NTDS (NT Directory Service) Active Directory hashes for servers up to Windows 2012 R2 (RC4-encrypted) and Windows 2016 and later (AES-encrypted). NTDS stores its database in the Extensible Storage Engine (ESE) format.

Sourcecode and binary are here.

Note that a file named import.ldif is also created (in case you wish to import the exported hashes into an OpenLDAP server).

Also note that an NT hash is simply the MD4 hash of the password encoded as Unicode (UTF-16LE), which you can check with:

NTHASH-win64.exe --widestringtohexa --input=MyPassword | NTHASH-win64.exe --gethash --mode=MD4
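The same computation done with plain OpenSSL, as an added example that is not part of the nthash project: the password is encoded as UTF-16LE (for ASCII input, each byte followed by a NUL byte) and hashed with MD4. It assumes the openssl CLI is installed; on OpenSSL 3 MD4 lives in the "legacy" provider, so the script loads it and falls back to a plain -md4 for OpenSSL 1.1. The function names and the ASCII-only encoder are this example's own.

```shell
#!/bin/sh
# Added example (not nthash's code): compute an NT hash with OpenSSL,
# i.e. MD4 over the UTF-16LE encoding of the password.
# Assumes the openssl CLI; on OpenSSL 3 MD4 is in the legacy provider.

# Emit the UTF-16LE encoding of an ASCII-only string: each byte is
# followed by a NUL byte. For non-ASCII passwords, use
# `iconv -f UTF-8 -t UTF-16LE` instead of this helper.
utf16le_ascii() {
    s=$1
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character of $s
        printf '%s\000' "$c"     # the character, then a NUL byte
        s=${s#?}                 # drop that character
    done
}

# MD4 of stdin as a lowercase hex string. OpenSSL 3 needs the legacy
# provider loaded; OpenSSL 1.1 rejects -provider, so fall back to plain -md4.
md4_hex() {
    tmp=$(mktemp)
    cat >"$tmp"
    out=$(openssl dgst -provider legacy -provider default -md4 "$tmp" 2>/dev/null) \
        || out=$(openssl dgst -md4 "$tmp")
    rm -f "$tmp"
    printf '%s\n' "$out" | sed 's/^.*= *//'   # strip the "MD4(file)= " prefix
}

# NT hash of the password given as first argument.
nt_hash() {
    utf16le_ascii "$1" | md4_hex
}

# Demo: the well-known NT hash of "password".
nt_hash password    # 8846f7eaee8fb117ad06bdd830b7586c
```

Because the hash is unsalted, identical passwords yield identical NT hashes across accounts and domains, which is why the dump from a single ntds.dit is directly comparable with any NT hash list.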

Tips:

1/

You can dump all the necessary files (registry hives and the NTDS database) with:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

2/

You need the syskey of the OS (here the domain controller) to decrypt an NTDS database.
You can obtain the system key offline using nthash together with the SYSTEM and SECURITY registry hives:

nthash-win64 --getsyskey --offline --binary=system

3/

Your SYSTEM and SECURITY hives may be inconsistent, in which case make sure to collect not only the hives but also all their transaction logs. Then open them in regedit: the hives and logs get consolidated, ready to be used by nthash.

4/

Your ntds.dit may be corrupted. Check this with esentutl /g ntds.dit and then repair it with esentutl /p ntds.dit (as the output below says, when the log files are present the 'Recovery' operation, esentutl /r, is the way to bring the database up to date before resorting to a repair).

esentutl /g ntds.dit

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 6.3
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initiating INTEGRITY mode...
        Database: ntds.dit
  Temp. Database: .\TEMPINTEG26304.EDB

Checking database integrity.

The database is not up-to-date. This operation may find that
this database is corrupt because data from the log files has
yet to be placed in the database.

To ensure the database is up-to-date please use the 'Recovery' operation.


                     Scanning Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................


Integrity check completed.
Database is CORRUPTED, the last full backup of this database was on 04/10/2024 10:30:19

Operation terminated with error -1206 (JET_errDatabaseCorrupted, Non database file or corrupted db) after 4.297 seconds.

esentutl /p ntds.dit

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 6.3
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initiating REPAIR mode...
        Database: ntds.dit
  Temp. Database: TEMPREPAIR19620.EDB

Checking database integrity.

The database is not up-to-date. This operation may find that
this database is corrupt because data from the log files has
yet to be placed in the database.

To ensure the database is up-to-date please use the 'Recovery' operation.


                     Scanning Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Initiating DEFRAGMENTATION mode...
            Database: ntds.dit

                  Defragmentation Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................


Moving 'TEMPREPAIR19620.EDB' to 'ntds.dit'... DONE!

Note:
  It is recommended that you immediately perform a full backup
  of this database. If you restore a backup made before the
  defragmentation, the database will be rolled back to the state
  it was in at the time of that backup.

Operation completed successfully in 14.515 seconds.
January 22, 2023

You have a running LDAP server but you want to be able to use SSL (LDAPS).

For this you need:

1-A root CA (certificate authority) installed on the domain controller/LDAP server in the computer « root » store

2-A CSR (certificate signing request) generated by the domain controller/LDAP server

3-The CSR signed by your root CA, giving you a certificate to be installed on the domain controller/LDAP server in the computer « my » store

4-The root CA installed in the client/user certificate store

Step 1

openssl genrsa -des3 -out ca.key 4096

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Launch mmc.exe, load the Certificates snap-in, select « computer account », choose the « trusted root CA » store and import your ca.crt.

Step 2

With Notepad, create the request.inf file below (adapt the CN to your server's name).

;----------------- request.inf -----------------

[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=dc1.acme.com,OU=IT,DC=dc1,DC=acme,DC=com,O=ACME,L=New York,S=New York,C=US"
;
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

Generate your CSR with:

certreq -new request.inf server.csr

Step 3

Sign your CSR (server.csr is the file produced by certreq above):

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Launch mmc.exe, load the Certificates snap-in, select « computer account », choose the « MY » (Personal) store and import your server.crt.

Reboot your DC: your LDAP SSL server is now operational.

Edit :

1/

It appears it is better to put the cert in the NT Directory Services (NTDS) store (choose the NTDS service rather than « computer account » when loading the Certificates snap-in in the MMC).

Indeed, your computer account will most probably have more than one cert in its store, and NTDS will then pick one of them at random.

2/

Although I did have time to replicate the experiment, it may be that you have to select 2 roles (versus all): server authentication and client authentication.

More here.

Step 4

On your user/client, launch mmc.exe, load the Certificates snap-in, select « user account », choose the « trusted root CA » store and import your ca.crt so that your user/client can validate the server cert.
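The OpenSSL side of steps 1 to 4 run end to end, as an added example that is not part of the post: it builds the root CA, signs the DC's CSR and then performs the validation a client does in step 4 (chain to ca.crt, Server Authentication EKU from the request.inf, name match). Two substitutions are assumed so that it runs non-interactively off the DC: the CSR is generated with openssl instead of certreq, and the CA key is left unencrypted (the post protects it with -des3). The subject "ACME Root CA" and the function names are this example's own; dc1.acme.com is the post's sample name. The point to notice is the -extfile on the signing command: openssl x509 -req does not copy extensions from the CSR by default, so without it the certificate loses the EKU the request.inf asked for.

```shell
#!/bin/sh
# Added example (not the post's commands): the OpenSSL part of the LDAPS
# setup in a scratch directory. Assumes the openssl CLI (1.1.1 or 3.x).
# Stand-ins: openssl req replaces certreq for the CSR, and the CA key is
# unencrypted so no passphrase prompt blocks the run.

# make_ldaps_certs <workdir> <dc-fqdn>
# Creates ca.key/ca.crt and server.key/server.csr/server.crt in <workdir>.
make_ldaps_certs() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"

    # Step 1: root CA. The CA cert is built from a CSR with -extfile so the
    # CA:TRUE constraint does not depend on the local openssl.cnf.
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=ACME Root CA/O=ACME/C=US" \
        -out "$dir/ca.csr" 2>/dev/null
    cat >"$dir/ca.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # Step 2 (stand-in for certreq): server key and CSR, CN = DC FQDN.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -subj "/CN=$fqdn/OU=IT/O=ACME/L=New York/ST=New York/C=US" \
        -out "$dir/server.csr" 2>/dev/null

    # Leaf extensions: KeyUsage 0xa0 = digitalSignature+keyEncipherment,
    # EKU 1.3.6.1.5.5.7.3.1 (serverAuth) and a DNS SAN matching the FQDN.
    cat >"$dir/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$fqdn
EOF

    # Step 3: sign the CSR with the root CA, keeping the extensions above.
    openssl x509 -req -days 3650 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 01 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# check_ldaps_cert <workdir> <dc-fqdn>
# Step 4 as a client sees it: 0 when server.crt chains to ca.crt, carries
# the Server Authentication EKU and names the FQDN; 1, 2 or 3 otherwise.
check_ldaps_cert() {
    dir=$1; fqdn=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$dir/server.crt" -noout -text)
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 2
    printf '%s\n' "$text" | grep -q "DNS:$fqdn" || return 3
    return 0
}

# Demo run in a temporary directory.
work=$(mktemp -d)
make_ldaps_certs "$work" dc1.acme.com
check_ldaps_cert "$work" dc1.acme.com && echo "server.crt is valid for dc1.acme.com"
```

The same check_ldaps_cert logic applied to the certificate a live DC presents (openssl s_client -connect dc1.acme.com:636 -showcerts) tells you whether the cert NTDS actually picked is the one you installed, which is the failure mode described in Edit 1.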