Yesterday I posted a way to dump hashes using a Domain Controller account. But how do you know which account to use? And when was its password last set? net user unfortunately won’t do computer accounts.

So I decided to write a PowerShell script to find out. Unfortunately Windows 7 doesn’t come with the ActiveDirectory PowerShell module (I’m sure there is another way to do this, but here is how I did it).

I installed the Remote Server Administration Tools - http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx (not stealthy).

Then I was able to use the following janky script I wrote to find the PasswordLastSet values for all of the Domain Controllers:

Import-Module ActiveDirectory

# Global catalog servers only; Select-Object keeps just the Name property
$dclist = Get-ADDomainController -Filter { isGlobalCatalog -eq $true } | Select-Object Name

Foreach ($dc in $dclist) {
    # PasswordLastSet is not in the default property set, so request it explicitly
    $lastset = Get-ADComputer $dc.Name -Properties PasswordLastSet
    Write-Host "$($dc.Name) - $($lastset.PasswordLastSet)"
}

This would probably be an awesome recon / situational awareness module for Empire ( https://github.com/PowerShellEmpire/Empire ) but written better hopefully.

Output is pretty simple; it looks like this:

DC1 - 09/15/2015 07:05:40

Now I know that I have about 29 days left of valid use of that hash.
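The "29 days" above comes from the default 30-day machine-account password rotation interval. As an added defender-side check (my own example, not from the original post), the same PasswordLastSet lookup can be run over every enabled computer object and turned into an age, flagging accounts that have gone past that interval, which usually means rotation is disabled or the object is stale. It assumes the ActiveDirectory module is available, that the 30-day default has not been changed by GPO, and that the account running it can read computer objects.

```powershell
Import-Module ActiveDirectory

# Default for the "Domain member: Maximum machine account password age" policy.
# Assumption: not overridden by GPO in this domain.
$MaxAgeDays = 30

# Names of all domain controllers, so they can be highlighted in the report.
$dcNames = @{}
Get-ADDomainController -Filter * | ForEach-Object { $dcNames[$_.Name] = $true }

# Every enabled computer object, with PasswordLastSet requested explicitly
# (it is not part of the default property set).
$computers = Get-ADComputer -Filter { Enabled -eq $true } -Properties PasswordLastSet

$now = Get-Date
$report = foreach ($c in $computers) {
    # A computer object that never had its password set is a separate hygiene issue
    if ($null -eq $c.PasswordLastSet) { continue }
    $age = ($now - $c.PasswordLastSet).Days
    [pscustomobject]@{
        Name            = $c.Name
        IsDC            = $dcNames.ContainsKey($c.Name)
        PasswordLastSet = $c.PasswordLastSet
        AgeDays         = $age
        Overdue         = ($age -gt $MaxAgeDays)
    }
}

# Overdue accounts first: these did not rotate on schedule and deserve a look.
$report | Sort-Object -Property Overdue, AgeDays -Descending | Format-Table -AutoSize
```

Domain controllers should show up with an age under 30 days; any DC listed as Overdue is worth investigating before assuming the rotation policy is in effect.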