Source: #_shellntel Cybersecurity Blog
Author: Dylan Reuter
URL: https://blog.shellntel.com/p/active-directory-dumper
ONE SENTENCE SUMMARY:
ActiveDirectoryDumper consolidates Active Directory password and domain data collection into JSON and pwdump outputs for streamlined auditing and hash analysis.
MAIN POINTS:
- Auditors previously used multiple tools generating many files requiring Excel imports.
- Hash Master 1000 was created to address shortcomings in legacy password analysis workflows.
- Active Directory Dumper (ADD) serves as an all-in-one AD domain information gathering tool.
- Collected scope includes password policy, lockout policy, users, groups, trusts, and computers.
- C#/.NET implementation simplifies deployment and improves end-user experience.
- Integrated Windows authentication eliminates entering credentials on the command line.
- Automatic discovery removes the need to specify domain name or domain controller.
- Execution does not require running on a Domain Controller, only sufficient privileges.
- Output mirrors ldapdomaindump-style data but consolidated into a single JSON file.
- Extracts current and historical password hashes, exporting to a pwdump file for cracking.
TAKEAWAYS:
- Consolidating AD data into one JSON reduces tool sprawl and manual post-processing.
- Native authentication and auto-discovery lower operator errors and configuration overhead.
- Including NTLM hashes per account enables direct linkage between objects and hash results.
- Historical hash extraction expands audit visibility beyond current credential state.
- Pairing ADD with Hash Master 1000 significantly improves password assessment depth and efficiency.