password hashes

  • Question

  • Hello,

    In which format are password hashes stored on Domain Controllers (2008R2 and 2012R2)?

    Is this the old, weak NTLMv2 hash, or some new format?

    Friday, July 18, 2014 12:53 PM

Answers

  • The below is from:
    http://www.ntdsxtract.com/downloads/ActiveDirectoryOfflineHashDumpAndForensics.pdf

    The solution introduced by Microsoft in order to provide this protection is complex and
    composed of 3 layers of encryption of which 2 layers use RC4 and the third layer uses DES.
    In order to decrypt a hash stored in NTDS.DIT the following steps are necessary:
    1. decrypt the PEK (Password Encryption Key) with bootkey (RC4 - layer 1)
    2. hash decryption first round (with PEK and RC4 - layer 2)
    3. hash decryption second round (DES - layer 3)


    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

    • Proposed as answer by Meinolf Weber Friday, July 18, 2014 4:00 PM
    • Marked as answer by Amy Wang_ Wednesday, July 23, 2014 3:22 AM
    Friday, July 18, 2014 1:21 PM

All replies

  • NTLM, Kerb (different key sets) and Digest; they are additionally protected by DBLayer encryption, which kind of works as Paul has described below.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Friday, July 18, 2014 2:08 PM