
A few cmdlets do not work against ADAM / AD LDS

Open MichaelGrafnetter opened this issue 9 years ago • 5 comments

MichaelGrafnetter avatar Jan 31 '16 19:01 MichaelGrafnetter

Hi @MichaelGrafnetter ,

Sorry to come back on this enhancement: does DSInternals handle ADAM/AD LDS, either to process the NTDS file (ADDBAccount) or to use ADReplAccount to retrieve password hashes?

If not, do you plan to include it? Or do you know a tool to achieve this?

Thanks a lot for your feedback.

Vivien

Sinokra avatar Nov 23 '20 20:11 Sinokra

Hi @Sinokra, I don't know of any other tool supporting this. DSInternals requires a major rewrite of schema loading to support this, and I have already started working on it. The thing is that accounts in LDS/ADAM are not just user or inetOrgPerson classes. If at least one of the following statements applies to an object class within an AD LDS schema, then each instance of that object class functions as an AD LDS user:

  1. The object class contains msDS-BindableObject as a static auxiliary class.
  2. The object class contains a static auxiliary class that is a subclass of msDS-BindableObject.
  3. The object class is a subclass of another object class that satisfies statement 1 or 2.

MichaelGrafnetter avatar Nov 23 '20 20:11 MichaelGrafnetter
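The three rules above, turned into a small schema walker as an added example (this is not DSInternals code): the schema below is a constructed sample, with subClassOf and auxiliaryClass standing in for the corresponding classSchema attributes, and the check reports which classes' instances can bind to AD LDS.

```python
from typing import Dict, Set

BINDABLE = "msDS-BindableObject"

# Constructed sample schema (not a real AD LDS export). Each classSchema entry
# lists its parent class (subClassOf) and its *static* auxiliary classes
# (auxiliaryClass + systemAuxiliaryClass). "top" is its own parent, as in AD.
SAMPLE_SCHEMA: Dict[str, dict] = {
    "top":                 {"subClassOf": "top", "auxiliaryClass": []},
    "msDS-BindableObject": {"subClassOf": "top", "auxiliaryClass": []},
    "myBindableAux":       {"subClassOf": "msDS-BindableObject", "auxiliaryClass": []},
    "user":                {"subClassOf": "top", "auxiliaryClass": ["msDS-BindableObject"]},  # rule 1
    "employee":            {"subClassOf": "user", "auxiliaryClass": []},                     # rule 3
    "partner":             {"subClassOf": "top", "auxiliaryClass": ["myBindableAux"]},       # rule 2
    "mailRecipient":       {"subClassOf": "top", "auxiliaryClass": []},
    "contact":             {"subClassOf": "top", "auxiliaryClass": ["mailRecipient"]},       # not bindable
}


def _ancestors(schema: Dict[str, dict], cls: str) -> Set[str]:
    """Return cls plus every class reachable through subClassOf (cycle-safe,
    and empty for a class name that is not defined in the schema)."""
    seen: Set[str] = set()
    while cls in schema and cls not in seen:
        seen.add(cls)
        cls = schema[cls]["subClassOf"]
    return seen


def is_bindable_class(schema: Dict[str, dict], cls: str) -> bool:
    """Instances of cls act as AD LDS users if cls or any of its superclasses
    (rule 3) carries a static auxiliary class that is msDS-BindableObject
    itself (rule 1) or a subclass of it (rule 2)."""
    for c in _ancestors(schema, cls):
        for aux in schema[c]["auxiliaryClass"]:
            if BINDABLE in _ancestors(schema, aux):
                return True
    return False


def bindable_classes(schema: Dict[str, dict]) -> Set[str]:
    """All classes in the schema whose instances can bind."""
    return {c for c in schema if is_bindable_class(schema, c)}
```

Auxiliary classes such as msDS-BindableObject are never instantiated themselves, so they fall out of the result naturally; on a real schema the two attribute lists would be read from each classSchema object.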

Hi @MichaelGrafnetter, thanks a lot for these precisions, and really sorry for the delay in my answer; I had to deal with something else, but now I'm back on the AD LDS topic. I still need to export the password hashes from an AD LDS. I don't know when DSInternals will handle this "technology", but I have tried to do the job on my own by processing the NTDS.dit file. Nevertheless, I'm struggling in the final step, I guess, and if I may, I would need your expertise:

  • Do you know which algorithm the password attribute is encrypted with (on top of the hash)?
  • Do you know where to find the master key? Is it the so-called Boot Key (aka SysKey)?

Thanks a lot for your insights on this, Michael, much appreciated.

Sinokra avatar Jan 26 '21 17:01 Sinokra

@Sinokra LDS data decryption has been present in DSInternals for a long time and is supported on WS 2003-2019 databases; see https://github.com/MichaelGrafnetter/DSInternals/blob/d9ea984be9a43b299c1724ac348d774b1c79f4fa/Src/DSInternals.DataStore.Test/DataStoreSecretDecryptorTester.cs#L185

The decryption key loader is implemented here: https://github.com/MichaelGrafnetter/DSInternals/blob/d9ea984be9a43b299c1724ac348d774b1c79f4fa/Src/DSInternals.DataStore/DirectoryAgent.PasswordManagement.cs#L240

I still have not finished rewriting schema loading code so that it can also read LDS accounts from the DB.

MichaelGrafnetter avatar Jan 26 '21 17:01 MichaelGrafnetter

@MichaelGrafnetter is there a plan to make this enhancement available? @Sinokra, did you find a way to export the hashes?

aapanage avatar Dec 18 '23 17:12 aapanage