Active Directory Dumper

Password analysis is an integral part of what we do. Not only on the pentesting side, but also for our auditors, who perform comprehensive, detailed password analysis and compliance assessments. The problem our auditors faced was having to use multiple tools, which produced multiple files that had to be imported into Excel. To address these shortcomings with legacy tools, my manager created Hash Master 1000 and enlisted me to create the data collector for it. You can read about Hash Master 1000 in greater detail here.

The goal of Active Directory Dumper (ADD) was to create an easy to use, all in one tool to gather Active Directory domain information, including:

• Password and lockout policy

• Users

• Groups

• Trusts

• Computers

I chose to write it in C# so I can leverage the .NET Framework to simplify the end-user experience. That means:

• No credentials need to be entered on the command line (Windows authentication is used).

• No need to specify the domain name or domain controller (it automatically locates them).

• Does not need to be run on a Domain Controller; the user just needs to have the appropriate privileges.

The data ADD gathers is essentially the same data you would obtain from a tool such as ldapdomaindump, but compiled into a single JSON file for consumption by Hash Master. Each user and computer entry also contains the account's NTLM hash.

Example JSON file output:

ADD also extracts all password hashes (including historical hashes) from the domain and writes them to a pwdump file for cracking.

This tool has greatly simplified our data collection for password hashes and domain information. When paired with Hash Master 1000, the depth and analysis of our password hash assessments have improved dramatically. You can try out ActiveDirectoryDumper here: