# DSInternals Overview

## Introduction

Today I will go through the install process and use of the Directory Services Internals (DSInternals) PowerShell Module and Framework. This PowerShell tool can be quite useful for extracting password hashes from offline ntds.dit databases, as a good alternative to mimikatz, and for dumping credentials on a live system using DRS. DSInternals can also be used for legitimate purposes such as password auditing and domain controller recovery. Firstly, we will go over the install process, and then I will show you some of the many uses this framework has.

## Installation

The framework and PowerShell module can be installed either from the PowerShell Gallery or from source.

To install using the PowerShell Gallery, simply open a PowerShell terminal as Administrator and enter the following command:

Output:

### Manual Install

To install manually, first download the latest release from the GitHub page, then open an admin PowerShell session in the same directory. Next, run Unblock-File download.zip to unblock the file and its contents. Finally, extract the contents to either C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals or C:\Users\username\Documents\WindowsPowerShell\Modules\DSInternals.

## Useful Commands for Managing and Attacking an AD Environment

Now that we have installed DSInternals, we can connect to an AD domain and start running commands. These commands can be run either in a remote PowerShell session or from a computer enrolled in the domain, logged in with a user who has Domain Admin rights.

### Commands for Online AD Environments

These are commands that a sysadmin would most likely use, as they require you to be logged in with an account that has admin privileges. These commands are most useful for auditing domain security, such as comparing password hashes, calculating Kerberos keys and grabbing users from Azure AD.

Below is a list of useful commands with a sample output and a short description of what they do:

Retrieves AD-related information from the Local Security Authority Policy of the local computer

### Commands for Offline AD Environments

These are commands a sysadmin or attacker could use on an offline domain controller (or on an offline copy of the ntds.dit and SYSTEM files), since while a DC is running, its ntds.dit database is locked and cannot be opened directly. For most of these commands you will need a copy of the ntds.dit and SYSTEM files; here is a good article explaining how to obtain them.

Grabs the system boot key from a copy of the SYSTEM registry file

Reads account information from an offline ntds database

Sets the password for a user, computer, or service account stored in an ntds.dit file.

Reads the DPAPI backup keys from an ntds.dit file.
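The offline commands above fit together into a password audit of a database copy. The script below is an added example, not code from the original post or from the DSInternals project; the file paths and the weak-password wordlist are assumptions, and it assumes the DSInternals module is already installed.

```powershell
# Added example: offline password-quality audit with DSInternals.
# All paths below are assumed; point them at your own copies.
Import-Module DSInternals

$DatabasePath = 'C:\Audit\ntds.dit'              # offline copy of the AD database
$SystemHive   = 'C:\Audit\SYSTEM'                # SYSTEM hive copied from the same DC
$WeakPwdList  = 'C:\Audit\weak-passwords.txt'    # assumed wordlist, one password per line

# 1. Recover the boot key (SysKey) that protects the password hashes in ntds.dit.
$bootKey = Get-BootKey -SystemHiveFilePath $SystemHive

# 2. Read every account from the database, decrypting secrets with the boot key.
$accounts = Get-ADDBAccount -All -DatabasePath $DatabasePath -BootKey $bootKey

# 3. Built-in quality checks: empty passwords, reuse of the same password by
#    several accounts, matches against the weak-password list, and similar.
#    Disabled accounts are included so stale credentials are reported too.
$report = $accounts |
    Test-PasswordQuality -WeakPasswordsFile $WeakPwdList -IncludeDisabledAccounts
$report

# 4. Manual hash comparison (the "comparing password hashes" use case): group
#    enabled accounts by NT hash and list any hash shared by more than one account.
$accounts |
    Where-Object { $_.Enabled -and $_.NTHash } |
    Group-Object { [System.BitConverter]::ToString($_.NTHash) } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            SharedBy = $_.Count
            Accounts = ($_.Group.SamAccountName -join ', ')
        }
    }

# 5. Enabled accounts whose password has not changed in the last year.
$accounts |
    Where-Object { $_.Enabled -and $_.PasswordLastSet -lt (Get-Date).AddDays(-365) } |
    Select-Object SamAccountName, PasswordLastSet
```

Run it against the database copy on an isolated audit machine; the hashes never need to leave that system, and the output is a list of account names to follow up on rather than the hashes themselves.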

## Conclusions

I know this article was not too in-depth, but I just wanted to give a basic overview of what it can do for pentesters. I really like DSInternals, especially because it allows the extraction of hashes from AD databases without having to use a tool like mimikatz, which usually triggers or is blocked by antivirus. I also like how the framework can be used in any .NET application. Though it is not as useful for AD enumeration as PowerUp.ps1 or PowerView.ps1, it is an absolute life saver when it comes to password and hash extraction.
