Directory Services Internals
PowerShell Module and Framework

Introduction

The DSInternals project consists of these two parts:

• The DSInternals Framework exposes several internal features of Active Directory and can be used from any .NET application. The codebase has already been integrated into several 3^rd party commercial products that use it in scenarios like Active Directory disaster recovery, identity management, cross-forest migrations and password strength auditing.
• The DSInternals PowerShell Module provides easy-to-use cmdlets that are built on top of the Framework. These are the main features:
  • Azure Active Directory FIDO2 key auditing and retrieval of system information about all user-registered key credentials.
  • Active Directory password auditing that discovers accounts sharing the same passwords or having passwords in a public database like HaveIBeenPwned or in a custom dictionary.
  • Key credential auditing and generation, including support for NGC, FIDO2 and STK keys. Keys can also be tested against the ROCA vulnerability. New NGC keys can also be registered through the MS-DRSR protocol.
  • Bare-metal recovery of domain controllers from just IFM backups (ntds.dit + SYSVOL).
  • Offline ntds.dit file manipulation, including hash dumping, password resets, group membership changes, SID History injection and enabling/disabling accounts.
  • Online password hash dumping through the Directory Replication Service (DRS) Remote Protocol (MS-DRSR). This feature is commonly called DCSync.
  • Domain or local account password hash injection through the Security Account Manager (SAM) Remote Protocol (MS-SAMR) or directly into the database.
  • LSA Policy modification through the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD / LSARPC).
  • Extracting credential roaming data and DPAPI domain backup keys, either online through directory replication, LSARPC and offline from ntds.dit.
  • Password hash calculation, including NT hash, LM hash and kerberos keys.

DISCLAIMER: Features exposed through these tools are not supported by Microsoft. Improper use might cause irreversible damage to domain controllers or negatively impact domain security.

Author

Michael Grafnetter

I have created these tools in my spare time and I am using them while performing AD security audits and also in my lectures to demonstrate how Active Directory works internally.

I would like to thank all people who have contributed to the project by sending their feedback or by submitting their code. In case you would also like to help with this project, please see the CONTRIBUTING document.

Downloads

PowerShell Gallery (PowerShell 5+)

Since PowerShell 5, you can install the DSInternals module directly from the official PowerShell Gallery by running the following command:

Install-Module DSInternals -Force

Chocolatey Package

The DSInternals PowerShell Module can also be installed using the official Chocolatey package by executing the following Chocolatey command:

choco install dsinternals-psmodule --confirm

This package is self-contained and it will also install all dependencies. Note that package versions prior to 3.5 were not official.

Offline Module Distribution (PowerShell 3+)

1. Download the current release from GitHub.
2. Unblock the ZIP file, using either the Properties dialog or the Unblock-File cmdlet. If you fail to do so, all the extracted DLLs will inherit this attribute and PowerShell will refuse to load them.
3. Extract the DSInternals directory to your PowerShell modules directory, e.g. C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals or C:\Users\John\Documents\WindowsPowerShell\Modules\DSInternals.
4. (Optional) If you copied the module to a different directory than advised in the previous step, you have to manually import it using the Import-Module cmdlet.

Commando VM

The DSInternals PowerShell module is part of FireEye's Commando VM, the Windows-based alternative to Kali Linux.

NuGet Packages

The easiest way of integrating the DSInternals functionality into .NET applications is by using the DSInternals Framework NuGet packages:

• DSInternals.Common
• DSInternals.DataStore
• DSInternals.Replication
• DSInternals.SAM

Building from Source Code

You can of course download the source code, perform a review and compile the Module/Framework yourself. See the CONTRIBUTING guide for more info.

Documentation

Get-Help

The online version of PowerShell Get-Help documentation contains the list of all cmdlets and some usage examples.

Blog Posts

I have also published a series of articles about the DSInternals module on my blog. Here are a few of them:

• CQLabs – Extracting Roamed Private Keys from Active Directory
• CQLabs – Offline Attacks on Active Directory
• Auditing Active Directory Password Quality
• Dumping ntds.dit files
• Retrieving Active Directory Passwords Remotely
• Retrieving DPAPI Backup Keys from Active Directory
• Retrieving Cleartext GMSA Passwords from Active Directory
• Peeking into the Active Directory Database
• Dumping and modifying Active Directory database using a bootable flash drive
• Impersonating Office 365 Users With Mimikatz

Slide Decks

• Black Hat Europe 2019: DSInternals PowerShell Module
• Black Hat Europe 2019: Exploiting Windows Hello for Business
• HipConf New York 2018: Offline Attacks on Active Directory

Acknowledgements

This project utilizes the following 3^rd party copyrighted material:

• ManagedEsent - Provides managed access to esent.dll, the embeddable database engine native to Windows.
• AutoMapper - A convention-based object-object mapper in .NET.
• NDceRpc - Integration of WCF and .NET with MS-RPC and binary serialization.
• PBKDF2.NET - Provides PBKDF2 for .NET Framework.
• Bouncy Castle - A lightweight cryptography API for Java and C#.
• Json.NET - Popular high-performance JSON framework for .NET.
• Peter O. CBOR - A C# implementation of Concise Binary Object Representation (RFC 7049).

Related Projects

• Mimikatz - The No.1 tool for pass-the-hash attacks. Can use the credentials extracted by the DSInternals module to do some nasty stuff.
• NTDSXtract - A framework for ntds.dit parsing written in Python.
• Impacket - Various MSRPC-based protocols implemented in Python.
• DIT Snapshot Viewer - A graphical inspection tool for Active Directory databases.
• Esent Workbench - Great tool for displaying the structure of ntds.dit files.