So you have decided to do some password auditing on YOUR domain.
It goes without saying that no one but yourself is liable if you use any of this information for nefarious of ‘black hat’ purposes.
This information is for System Admins and the like who are interested in taking a peek into their users password habits, and for developing password policies.

Here’s what you need to know:

-Extract the NTDS File from your Domain controller, via whatever method you want, (VSS, or backups).
-Export the SYSTEM registry Key

reg save HKLM\SYSTEM C:\<YOUR DIRECTORY>\filename

Happy days, you have 2 files you need.

Start PowerShell as an Administrator, and change the Security policy to allow other scripts to run:

 Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Looking over at DSInternals go ahead and download their package. If its not there, click here.

Download and install the module.
This module will open up the NTDS file and export the Hash’s that we will use later.

Install-Module DSInternals

Then Setup the $KEY variable with the location of you SYSTEM archive (that contains the decryption key).

 $key = Get-BootKey -SystemHivePath 'C:\Password cracking\SYSTEM'

Now its time to dump the hash’s!

Get-ADDBAccount -All -DBPath 'C:\Password cracking\NTDS\ntds.dit' -BootKey $key |
 Format-Custom -View HashcatLM |
 Out-File cathashesLM.txt -Encoding ASCII

This command will spit out a file called cathashesLM.txt in your current working directory.
You can also spit the has’s out in the following ways: HashcatNT, JohnNT, JohnLM and Ophcrack
You should now have a file containing all the usernames and hash’d passwords that looks a little like this:


(Go on, decrypt those ones!)
Go out and have a search online for a good password list like the rockyou list (containing about 14mil. passwords).
The bigger the better, i’m sure you can find some better ones out there, but the rockyou list is pretty darn good!

Now you should have 2 files,
-Usename and Password hash file
-Wordlist containing probable passwords

Fire up Kali and open Terminal and use the following command:

hashcat -m 1000 -a 0 --username <PATH TO YOUR HASH FILE> <PATH TO PASSWORD LIST> -0 matched_passwords

There will now be a file called matched_passwords in the working directory of terminal.
The file contains the password hash’s of passwords it found using the supplied password list.
It went and converted the passwords’s to hash’s and spat out ones that matched your hash file.
Now the fun part begins, copy the matched_Passwords file over to your Windows (or whatever computer has a spreadsheet software) computer again, along with the hash file and fire up our friend Excel.

Using VLOOKUP, you can compare the 2 files and see where the hash’s match!


To do:
-Go and get these probable word list files: and run again!
-Find a GPO to add most common passwords to be disallowed.


Password Auditing
Tagged on:             

Leave a Reply

Your email address will not be published. Required fields are marked *