PSNTDS

NTDS.dit (Microsoft Active Directory) forensics module for Powershell.

Find it on Github here.

Current bug: the decrypted NT hashes this module produces are incorrect!

This Powershell module is intended to aid in the process of examining and extracting information from the Active Directory database known as NTDS.dit.

Special thanks to Csaba Barta (csaba.barta@gmail.com, www.ntdsxtract.com) without whom this module would not be possible.

Also thanks to @moyix, moyix.blogspot.com, brendan@cs.columbia.edu

Also thanks to Brendan Dolan-Gavitt, author of creddump

Q: So why did I reinvent the wheel?

A: Because:

  1. Python shouldn't have all the fun. I wanted to port the ideas into idiomatic Powershell.
  2. I wanted to gain in-depth knowledge of the subject for myself, not just run someone else's scripts.
  3. I have further plans with this data and it will be very handy to have it in Powershell format.

Currently exported Cmdlets:

Export-NTDSFromNTDSUtilSnapshot
Export-SystemRegistryHive
Get-BootKeyFromSystemRegistryHive
Get-DecryptedHash
Get-DecryptedPEK
Get-RC4EncryptedData
Import-NTDSDatabaseFromFile

A couple of screenshots: [three screenshots of the module in use, not reproduced here]
