DSInternals
Directory Services Internals (DSInternals) PowerShell Module and Framework
Install / Use
/learn @MichaelGrafnetter/DSInternalsREADME
Directory Services Internals<br/>PowerShell Module and Framework
Introduction
The DSInternals project consists of these two parts:
- The DSInternals Framework exposes several internal features of Active Directory and can be used from any .NET application. The codebase has already been integrated into several 3<sup>rd</sup> party commercial products that use it in scenarios like Active Directory disaster recovery, identity management, cross-forest migrations and password strength auditing.
- The DSInternals PowerShell Module provides easy-to-use cmdlets that are built on top of the Framework. These are the main features:
- Active Directory password auditing that discovers accounts sharing the same passwords or having passwords in a public database like HaveIBeenPwned or in a custom dictionary.
- Key credential auditing and generation, including support for NGC, FIDO2 and STK keys. Keys can also be tested against the ROCA vulnerability. New NGC keys can also be registered through the MS-DRSR protocol.
- Bare-metal recovery of domain controllers from just IFM backups (ntds.dit + SYSVOL).
- Offline ntds.dit file manipulation, including hash dumping, password resets, group membership changes, trust password extraction, Golden gMSA and dMSA attacks, enabling/disabling accounts, LAPS password decryption, and DNS zone data export.
- Online password hash dumping through the Directory Replication Service (DRS) Remote Protocol (MS-DRSR). This feature is commonly called DCSync.
- Domain or local account password hash injection through the Security Account Manager (SAM) Remote Protocol (MS-SAMR) or directly into the database.
- LSA Policy modification through the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD / LSARPC).
- Extracting credential roaming data and DPAPI domain backup keys, either online through directory replication, LSARPC, and offline from ntds.dit.
- Password hash calculation, including NT hash, LM hash, and kerberos keys.
DISCLAIMER: Features exposed through these tools are not supported by Microsoft. Improper use might cause irreversible damage to domain controllers or negatively impact domain security.
Author
Michael Grafnetter
I have created these tools in my spare time and I am using them while performing AD security audits and also in my lectures to demonstrate how Active Directory works internally.
I would like to thank all people who have contributed to the project by sending their feedback or by submitting their code. In case you would also like to help with this project, please see the CONTRIBUTING document.
Downloads
PowerShell Gallery
You can install the DSInternals module directly from the official PowerShell Gallery by running the following command:
Install-Module DSInternals -Force
Additional steps might be required on some freshly installed computers before DSInternals can be downloaded:
# TLS 1.2 must be enabled on older versions of Windows.
[System.Net.ServicePointManager]::SecurityProtocol =
[System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12
# Download the NuGet package manager binary.
Install-PackageProvider -Name NuGet -Force
# Register the PowerShell Gallery as package repository if it is missing for any reason.
if($null -eq (Get-PSRepository -Name PSGallery -ErrorAction SilentlyContinue)) {
Register-PSRepository -Default
}
# Download the DSInternals PowerShell module.
Install-Module -Name DSInternals -Force
Chocolatey Package
The DSInternals PowerShell Module can also be installed using the official Chocolatey package by executing the following Chocolatey command:
choco install dsinternals-psmodule --confirm
This package is self-contained and it will also install all dependencies. Note that package versions prior to 3.5 were not official.
WAPT Package
The DSInternals PowerShell Module can also be installed using the WAPT package.
The package can be installed by the WAPT console or by the WAPT Command-line interface like so:
wapt-get install dsinternals
This package is self-contained and it will also install all dependencies.
Offline Module Distribution
- Download the current release from GitHub.
- Unblock the ZIP file, using either the Properties dialog or the
Unblock-Filecmdlet. If you fail to do so, all the extracted DLLs will inherit this attribute and PowerShell will refuse to load them. - Extract the DSInternals directory to your PowerShell modules directory, e.g. C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals or C:\Users\John\Documents\WindowsPowerShell\Modules\DSInternals.
- (Optional) If you copied the module to a different directory than advised in the previous step, you have to manually import it using the
Import-Modulecmdlet.
Commando VM
The DSInternals PowerShell module is part of FireEye's Commando VM, the Windows-based alternative to Kali Linux.
NuGet Packages
The easiest way of integrating the DSInternals functionality into .NET applications is by using the DSInternals Framework NuGet packages:
- DSInternals.Common
- DSInternals.DataStore
- [DSInternals.Replication](https://www.nuget.org/packages/DSInternals.R
