DSInternals PowerShell Module and Framework
The DSInternals project consists of these two parts:
- The DSInternals Framework exposes several internal features of Active Directory and can be used from any .NET application. The codebase has already been integrated into several 3rd party commercial products that use it in scenarios like Active Directory disaster recovery, identity management, cross-forest migrations and password strength auditing.
- The DSInternals PowerShell Module provides easy-to-use cmdlets that are built on top of the Framework. These are the main features:
- Active Directory password auditing that discovers accounts sharing the same passwords or having passwords in a public database like HaveIBeenPwned or in a custom dictionary.
- Bare-metal recovery of domain controllers from just IFM backups (ntds.dit + SYSVOL).
- Offline ntds.dit file manipulation, including hash dumping, password resets, group membership changes, SID History injection and enabling/disabling accounts.
- Online password hash dumping through the Directory Replication Service (DRS) Remote Protocol (MS-DRSR). This feature is commonly called DCSync.
- Domain or local account password hash injection through the Security Account Manager (SAM) Remote Protocol (MS-SAMR) or directly into the database.
- LSA Policy modification through the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD / LSARPC).
- Extracting credential roaming data and DPAPI domain backup keys, either online through directory replication, LSARPC and offline from ntds.dit.
- Password hash calculation, including NT hash, LM hash and kerberos keys.
DISCLAIMER: Features exposed through these tools are not supported by Microsoft. Improper use might cause irreversible damage to domain controllers or negatively impact domain security.
I have created these tools in my spare time and I am using them while performing AD security audits and also in my lectures to demonstrate how Active Directory works internally.
I would like to thank all people who have contributed to the project by sending their feedback or by submitting their code. In case you would also like to help with this project, please see the CONTRIBUTING document.
Several people who use DSInternals during AD security audits have asked to donate. I have therefore set up a PayPal account:
PowerShell Gallery (PowerShell 5+)
Since PowerShell 5, you can install the DSInternals module directly from the official PowerShell Gallery by running the following command:
Install-Module DSInternals -Force
The DSInternals PowerShell Module can also be installed using the official Chocolatey package by executing the following Chocolatey command:
choco install dsinternals-psmodule --confirm
This package is self-contained and it will also install all dependencies. Note that package versions prior to 3.5 were not official.
Offline Module Distribution (PowerShell 3+)
- Download the current release from GitHub.
- Unblock the ZIP file, using either the Properties dialog or the
Unblock-Filecmdlet. If you fail to do so, all the extracted DLLs will inherit this attribute and PowerShell will refuse to load them.
- Extract the DSInternals directory to your PowerShell modules directory, e.g. C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals or C:\Users\John\Documents\WindowsPowerShell\Modules\DSInternals.
- (Optional) If you copied the module to a different directory than advised in the previous step, you have to manually import it using the
The DSInternals PowerShell module is part of FireEye's Commando VM, the Windows-based alternative to Kali Linux.
The easiest way of integrating the DSInternals functionality into .NET applications is by using the DSInternals Framework NuGet packages.
Building from Source Code
The online version of PowerShell Get-Help documentation contains the list of all cmdlets and some usage examples.
I have also published a series of articles about the DSInternals module on my blog. Here are a few of them:
- Auditing Active Directory Password Quality
- Dumping ntds.dit files
- Retrieving Active Directory Passwords Remotely
- Retrieving DPAPI Backup Keys from Active Directory
- Retrieving Cleartext GMSA Passwords from Active Directory
- Peeking into the Active Directory Database
- Dumping and modifying Active Directory database using a bootable flash drive
- Impersonating Office 365 Users With Mimikatz
This project utilizes the following 3rd party copyrighted material:
- ManagedEsent - Provides managed access to esent.dll, the embeddable database engine native to Windows.
- AutoMapper - A convention-based object-object mapper in .NET.
- NDceRpc - Integration of WCF and .NET with MS-RPC and binary serialization.
- PBKDF2.NET - Provides PBKDF2 for .NET Framework.
- Mimikatz - The No.1 tool for pass-the-hash attacks. Can use the credentials extracted by the DSInternals module to do some nasty stuff.
- NTDSXtract - A framework for ntds.dit parsing written in Python.
- Impacket - Various MSRPC-based protocols implemented in Python.
- DIT Snapshot Viewer - A graphical inspection tool for Active Directory databases.
- Esent Workbench - Great tool for displaying the structure of ntds.dit files.