Internal Audit Management, Cyber Security

Password Auditing: How to Extract and Analyse Domain User Passwords

Written by Ellie Owen
Published on 27 Apr 2017

The Importance of Analysing Domain User Passwords

During penetration testing and red teaming engagements, SureCloud’s cybersecurity consultants regularly analyse the passwords used on live client networks. 


It is extremely common to find several password weaknesses, such as poorly constructed passwords or the same password shared between a user's administrative and standard-privilege accounts. This information has helped clients address those weaknesses and shape their password policy to secure their systems further.


This kind of security examination can form part of our penetration testing and advisory services or our audit and risk management software offering, depending on the level of control you would like to outsource.


Analysis of Active Directory Domain User Accounts

For this investigation, we will talk specifically about analysing Active Directory domain user accounts.


When performing a password audit on a live domain, it is essential to ensure that you only do so with prior authorisation. The method described below assumes you have the correct user account permissions on the domain to create a shadow copy on a Domain Controller.

Although there are several methods to extract password hashes from a Domain Controller (such as Cain & Abel from Oxid, pwdump6 and fgdump), most are flagged by anti-virus products and blocked or quarantined.


One of the safest and most reliable methods for password extraction on a Windows Domain has been outlined below. 

Performing the Audit (Manually)

To initially obtain the password hashes, you will need to gain access to the NT Directory Service (NTDS) database file (NTDS.dit) and use the SYSTEM registry hive (which holds the key needed to decrypt it) to obtain the user objects and their associated attributes, including the password hashes. These files cannot be accessed whilst in use; however, Windows has a built-in feature to help with this.


Introducing the Volume Shadow Copy utility

Shadow Copy is a technology included in Microsoft Windows that allows manual or automatic backup copies or snapshots of computer files or volumes to be taken, even when they are in use. It is implemented as a Windows service known as the Volume Shadow Copy Service, Volume Snapshot Service, or VSS. The Shadow Copy technology requires the file system to be formatted as NTFS to create and store shadow copies. Shadow copies can be created on local and external (removable or network) volumes by any Windows component that uses this technology, such as when creating a scheduled Windows Backup or an automatic System Restore point.


Obtaining the NTDS database and SYSTEM files

Using an Administrative Command Line, run the following command on a Domain Controller:

vssadmin create shadow /for=c:

This will create a snapshot of the C: drive. Within this snapshot, normally inaccessible files, including the file we are after, can be accessed from the command line. The shadow copy is exposed at the following location:

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[*]

[*] refers to the shadow copy number; it is always best to create a new shadow copy to ensure you have the latest information. In the example below the number is 2.


Although not directly accessible from the operating system, the volume shadow copy that has been created provides us with the ability to extract the NTDS.DIT and SYSTEM files within the Shadow copy, as they are no longer directly in use.

Running the following commands will copy the NTDS.dit and SYSTEM files out of the shadow copy into a folder named "SC" on the local C: drive (the folder is created first so that copy does not write a single file called SC instead):

mkdir c:\SC
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\SC
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM c:\SC
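The two steps above (a vssadmin shadow copy followed by a copy of NTDS.dit or SYSTEM out of the HarddiskVolumeShadowCopy path) are exactly what a defender should expect to find in a domain controller's process-creation logs during an authorised audit, and should never find otherwise. The following added example correlates the two events; it is not SureCloud code. It assumes process-creation events (Windows Security 4688 or Sysmon Event ID 1) have been exported as pipe-delimited "timestamp|host|user|image|commandline" lines, and the log lines, host names and account names are constructed for the demonstration.

```python
"""Correlate process-creation events for the shadow-copy NTDS extraction pattern.

Added example for this post; not SureCloud tooling. Assumes process-creation
events (Windows Security 4688 or Sysmon Event ID 1) have been exported as
pipe-delimited "timestamp|host|user|image|commandline" lines. All log lines,
hosts and accounts below are constructed for the demonstration.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Constructed sample: DC01 shows the audit sequence from the post (create a
# shadow copy, then copy NTDS.dit and SYSTEM out of it); FS01 shows a backup
# job creating a shadow copy without reading anything sensitive from it.
SAMPLE_LOG = r"""
2017-04-27T09:00:01|DC01|CORP\backupsvc|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2017-04-27T09:12:10|DC01|CORP\jsmith|C:\Windows\System32\vssadmin.exe|vssadmin create shadow /for=c:
2017-04-27T09:12:45|DC01|CORP\jsmith|C:\Windows\System32\cmd.exe|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\SC
2017-04-27T09:13:02|DC01|CORP\jsmith|C:\Windows\System32\cmd.exe|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM c:\SC
2017-04-27T10:30:00|FS01|CORP\backupsvc|C:\Windows\System32\vssadmin.exe|vssadmin create shadow /for=d:
"""

# "vssadmin create shadow" in any casing, with or without the .exe suffix.
CREATE_SHADOW = re.compile(r"vssadmin(?:\.exe)?\s+create\s+shadow", re.IGNORECASE)
# A path into a shadow copy device that reaches NTDS.dit or the SYSTEM hive.
SHADOW_READ = re.compile(
    r"HarddiskVolumeShadowCopy\d+\\.*(NTDS\.dit|config\\SYSTEM)", re.IGNORECASE
)


def parse_events(text: str) -> list[dict]:
    """Parse the pipe-delimited export into event dicts, oldest first."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, host, user, image, cmd = raw.split("|", 4)
        events.append(
            {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
             "image": image, "cmd": cmd}
        )
    return sorted(events, key=lambda e: e["ts"])


def find_ntds_extraction(events: list[dict], window_minutes: float = 30) -> list[dict]:
    """Return one finding per shadow-copy creation that is followed, on the same
    host and within the window, by a read of NTDS.dit or the SYSTEM hive from a
    shadow copy device. A shadow copy on its own (backup jobs, restore points)
    is normal and is not reported; only the combination is."""
    window = timedelta(minutes=window_minutes)
    by_host: dict[str, list[dict]] = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for host, evs in by_host.items():
        for creation in (e for e in evs if CREATE_SHADOW.search(e["cmd"])):
            deadline = creation["ts"] + window
            files = set()
            for ev in evs:
                if creation["ts"] <= ev["ts"] <= deadline:
                    m = SHADOW_READ.search(ev["cmd"])
                    if m:
                        files.add(m.group(1))
            if files:
                findings.append(
                    {"host": host, "user": creation["user"],
                     "shadow_created": creation["ts"], "files": sorted(files)}
                )
    return findings


if __name__ == "__main__":
    for f in find_ntds_extraction(parse_events(SAMPLE_LOG)):
        print(f"{f['host']}: {f['user']} created a shadow copy at {f['shadow_created']}"
              f" and then read {', '.join(f['files'])} from it")
```

Comparing the finding against the change ticket for the audit is the simplest way to separate an authorised run from an unauthorised one: the host, account and timestamp should all match what was approved.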

Obtaining hashes

To extract the user objects and associated attributes into a plain text file, we must first extract the different tables from the NTDS database file using the SYSTEM file as the decryption key. Depending on the number of user accounts within your organization, this may take some time to complete.

To demonstrate this task, we will perform the extraction using the adXtract tool, a command line tool aimed at streamlining the process of hash extraction from NTDS.dit. For the purposes of this demonstration, we are using the Kali Linux distribution in a virtual machine. The adXtract script aids the extraction process while keeping user interaction to a minimum. Its command line arguments take the form: [/path/to/ntds.dit] [/path/to/SYSTEM] [ProjectName]

Once this tool has completed the extraction and decryption of the data, the usernames and associated password hashes will be exported in a format that can be used with common password cracking tools such as Hashcat, John the Ripper and OphCrack.

Password Cracking

As the purpose of this exercise is to check for weak passwords, it is recommended to run the list of hashed passwords you have extracted against a list of known weak passwords, such as the "Top 500 Passwords" or "Rockyou" wordlists; both are freely available online.

A custom wordlist built from information bespoke to the organization would also help to identify weak or guessable passwords. An example of this would be to use the name of the organization in various forms, e.g. 'SureCloud', 'scloud', etc. Passing the output file from adXtract into a password cracking program, such as Hashcat, would allow the enumeration of known weak passwords from the input wordlists. An example of a simple Hashcat input argument, along with a demonstrated output, can be seen below:

Hashcat64.exe -m [mode] [hash target file] [wordlist] [options]

Password Analyser

A tool that we have used internally at SureCloud, developed by one of our cybersecurity experts Adam Govier, is ‘Pwdlyser.’ The Pwdlyser tool is a Python command line script and Windows-based tool that was built to automate the process of manually reviewing cracked passwords during both password audits and penetration testing. It is freely available and offers a multitude of functionality, both for penetration testers and organizations performing internal password audits.

An example of a simple command line argument for the more common analysis aspects:

./ --all -p crackedPasswordList.txt
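The cracking and analysis steps above join two files: the username-to-hash list produced by the extraction tool, and the hash-to-plaintext pairs the cracker recovers. The following added Python example (not Pwdlyser or any other SureCloud code) performs the checks this post describes over that joined data: the same password on an administrative account and its standard-privilege counterpart (compared by NT hash, so reuse is caught even when the password did not crack), passwords reused across accounts, organisation-name-based passwords, and passwords shorter than a minimum length. It assumes a pwdump-style user list (DOMAIN\user:RID:LMHASH:NTHASH:::, since the adXtract output layout is not shown in the post), hashcat's --show output format (NTHASH:plaintext), and an "adm_" naming prefix for administrative accounts; all sample data is constructed and the hash values are placeholders.

```python
"""Review cracked domain passwords for the weaknesses a password audit looks for.

Added example for this post; not Pwdlyser or other SureCloud code. Assumes a
pwdump-style user list ("DOMAIN\\user:RID:LMHASH:NTHASH:::"; the layout of
adXtract's output is not shown in the post, so this is an assumption) and
hashcat's --show output ("NTHASH:plaintext"). Sample data is constructed and
the hash values are placeholders, not real hashes.
"""
from __future__ import annotations

from collections import Counter, defaultdict

# Constructed user list. jsmith's admin account shares a hash with the standard
# one; kpatel and a service account share a hash; adm_kpatel never cracked.
USER_LIST = """
CORP\\jsmith:1105:LM_PLACEHOLDER:HASH_A:::
CORP\\adm_jsmith:1106:LM_PLACEHOLDER:HASH_A:::
CORP\\kpatel:1107:LM_PLACEHOLDER:HASH_B:::
CORP\\svc_backup:1108:LM_PLACEHOLDER:HASH_B:::
CORP\\adm_kpatel:1109:LM_PLACEHOLDER:HASH_D:::
CORP\\lchen:1110:LM_PLACEHOLDER:HASH_E:::
"""

# hashcat --show style output for the hashes that cracked (HASH_D did not).
CRACKED = """
HASH_A:Surecloud2017
HASH_B:Password1
HASH_E:scloud!
"""

ORG_TERMS = ("surecloud", "scloud")  # the organisation-specific wordlist seeds


def parse_user_list(text: str) -> dict[str, str]:
    """Map account name -> NT hash from pwdump-style lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _rid, _lm, nt, *_rest = line.split(":")
        users[name] = nt
    return users


def parse_cracked(text: str) -> dict[str, str]:
    """Map NT hash -> recovered plaintext from 'hash:plain' lines."""
    cracked = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        nt, plain = line.split(":", 1)
        cracked[nt] = plain
    return cracked


def account_name(user: str) -> str:
    """'CORP\\adm_jsmith' -> 'adm_jsmith' (lower-cased, domain stripped)."""
    return user.split("\\", 1)[-1].lower()


def analyse(users, cracked, org_terms=ORG_TERMS, admin_prefix="adm_", min_len=12):
    plain_for = {u: cracked[h] for u, h in users.items() if h in cracked}

    # Reuse across accounts: same NT hash means same password, cracked or not.
    by_hash = defaultdict(list)
    for u, h in users.items():
        by_hash[h].append(u)

    # Admin/standard pairs that share a password, by the assumed "adm_" prefix.
    by_name = {account_name(u): u for u in users}
    admin_reuse = []
    for u, h in users.items():
        name = account_name(u)
        if name.startswith(admin_prefix):
            standard = by_name.get(name[len(admin_prefix):])
            if standard is not None and users[standard] == h:
                admin_reuse.append((u, standard))

    counts = Counter(plain_for.values())
    return {
        "total": len(users),
        "cracked": len(plain_for),
        "top_passwords": sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])),
        "shared_hashes": {h: sorted(us) for h, us in by_hash.items() if len(us) > 1},
        "admin_reuse": sorted(admin_reuse),
        "org_related": sorted(u for u, p in plain_for.items()
                              if any(t in p.lower() for t in org_terms)),
        "short": sorted(u for u, p in plain_for.items() if len(p) < min_len),
    }


def demo() -> dict:
    return analyse(parse_user_list(USER_LIST), parse_cracked(CRACKED))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Reporting the hash-based findings (shared_hashes and admin_reuse) separately from the plaintext-based ones matters in practice: an uncracked password that is reused between a privileged and an unprivileged account is still a finding, and the cracker's success rate should not decide whether it is raised.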