I am looking for either tools or a method that will extract the hashes and store them securely so that they can be placed onto a dedicated cracking station.

Obviously, they need to be transmitted and stored securely. Let's assume that the internal network where the domain controller is located is not 100% secure.

Arlix
  • I'm voting to close this question as off-topic because I don't believe it is in the scope of InfoSec SE to develop methodologies. As well as not enough technical information about the system to do so, or what the OP has tried or implemented so far. – RoraΖ Feb 21 '17 at 16:33
  • Then don't vote to close it in case someone comes up with a tool. He asked for either, and I personally would find this useful as well. – J.A.K. Feb 21 '17 at 19:12

1 Answer

For safely dumping the hashes, this Optiv reference outlines a number of methods. The most likely of which for your use case is probably to use ntdsgrab.rb to make a volume shadow copy, and then extract NTDS.dit from that shadow copy. Depending on the environment, this may or may not be more subtle than invoking the native vssadmin.exe utility.

For secure transport, as of September 2016, Metasploit's transport control lets you specify encrypted transport methods, including using -t reverse_https to use an encrypted HTTPS connection.

Royce Williams
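
The defender's view of the shadow-copy method named in the answer, as an added example that is not part of the original answer or of the Optiv reference: it flags shadow-copy creation through the native vssadmin.exe and command lines that read NTDS.dit out of a shadow-copy path, and escalates when one account does both on the same host. The `host|user|image|command line` record layout, the sample hosts and accounts, and the function names are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample records (not real logs): "host|user|image|command line".
# Assumes process-creation logging with command lines enabled (for example
# Windows event 4688 with command-line auditing turned on).
SAMPLE_EVENTS = [
    r"DC01|CORP\backup_svc|C:\Windows\System32\wbem\WmiPrvSE.exe|wmiprvse.exe -secured -Embedding",
    r"DC01|CORP\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin.exe create shadow /for=C:",
    r"DC01|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Temp\out.dit",
    r"DC01|CORP\admin|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows",
    r"WS17|CORP\jdoe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
]

SHADOW_CREATE = re.compile(r"\bcreate\s+shadow\b", re.I)
SHADOW_PATH = re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)
NTDS_FILE = re.compile(r"\\ntds\.dit\b", re.I)

def classify(image, cmdline):
    """Return the finding name for one process-creation record, or None."""
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe == "vssadmin.exe" and SHADOW_CREATE.search(cmdline):
        return "shadow_copy_created"
    if NTDS_FILE.search(cmdline) and SHADOW_PATH.search(cmdline):
        return "ntds_read_from_shadow_copy"
    return None

def detect(lines):
    """Return (per-record findings, set of (host, user) that did both steps)."""
    findings, seen = [], defaultdict(set)
    for line in lines:
        host, user, image, cmdline = line.split("|", 3)
        name = classify(image, cmdline)
        if name:
            findings.append((host, user, name))
            seen[(host, user)].add(name)
    # Both steps by the same account on the same host is the high-confidence case.
    chained = {key for key, names in seen.items() if len(names) == 2}
    return findings, chained

if __name__ == "__main__":
    findings, chained = detect(SAMPLE_EVENTS)
    for finding in findings:
        print(*finding)
    print("escalate:", sorted(chained))
```

This only sees what process-creation logging records, so a shadow copy created without spawning vssadmin.exe produces no `shadow_copy_created` finding here.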