Juil 092023
 

Decrypt NTDS (aka NT Directory Service) active directory hashes for servers up to windows 2012r2 (rc4) and windows 2016 and up (aes). NTDS uses the Extensible Storage Engine format (aka ESE).

You can obtain the systemkey offline using nthash and the system registry file.

Sourcecode and binary are here.

Jan 222023
 

You have a running ldap server but you want to be able to use ssl.

For this you need:

1-A root CA (certificate authority) installed on the domain controller/ldap server in the computer « root » store

2-A CSR (certificate service request) triggered by the domain controller/ldap server

3-A CSR signed by your root ca thus giving you a certificate to be installed on the domain controller/ldap server in the computer « my » store

4-The root CA installed in the client/user certificate store

Step 1

openssl genrsa -des3 -out ca.key 4096

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

launch mmc.exe, load the certificate snap-in, select « computer account », choose the « trusted root CA » and import your ca.crt.

Step 2

With notepad, create the below request.inf file (adapt the CN with your server CN).

;----------------- request.inf -----------------

[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=dc1.acme.com,OU=IT,DC=dc1,DC=acme,DC=com,O=ACME,L=New York,S=New York,C=US"
;
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

Generate your csr with certreq -new request.inf server.csr.

Step 3

Sign your csr :

openssl x509 -req -days 3650 -in request.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

launch mmc.exe, load the certificate snap-in, select « computer account », choose the « MY » store and import your server.crt.

Reboot your DC : your ldap ssl server is now operational.

Edit :

1/

It appears it is better to put the cert in the NT Directory Services (NTDS) store (choose the NTSD service rather than « computer account » in the MMC snap-in).

Indeed, most probably your computer account will have more than one cert in its trust store and NTDS will then pick randomly one of them.

2/

Although I did have time to replicate the experiment, it may be that you have to select 2 roles (versus all) : serveur authentication and client authentication.

More here.

Step 4

On your user/client, launch mmc.exe, load the certificate snap-in, select « user account », choose the « trusted root CA » store and import your ca.crt to allow your user/client to validate the server cert.